[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail
L.P.H. van Belle
belle at bazuin.nl
Thu Apr 10 06:54:00 MDT 2014
Yes, the solution (aka worked for me on Debian with SerNet):
make use of usermap.

Add to smb.conf:

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

Add in the file samba_usermapping:

    !root = DOMAINNAME\Administrator DOMAINNAME\administrator

Restart samba.

>-----Original message-----
>From: lorenzo.faleschini at nordestsystems.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Lorenzo Faleschini
>Sent: Thursday 10 April 2014 11:20
>To: samba at lists.samba.org
>Subject: [Samba] centos 6.5 sernet-samba 4.1.6 member server
>winbind idmap fail
>
>Hi everybody,
>
>I've searched deeply into the samba wiki and the list for some working
>examples, but I cannot find my way out, I'm a kind of rough samba user
>(let's say almost newbie).. so asking help here:
>
>This is my setup:
>
>DC (samba.my.domain.com): CentOS 6.5 with
>sernet-samba 4.1.6 started in "ad" mode
>(upgraded successfully from early 4.0.5, working fine with windows
>clients and servers, deployed with rfc2307, wbinfo and getent
>working fine)
>
>MEMBER (files.my.domain.com): CentOS 6.5
>with sernet-samba 4.1.6 started in "classic" mode
>(successfully joined with net ads join, dns updated correctly and host
>is able to resolve domain names, followed the howto on samba wiki, tried
>also by installing from source with parameters suggested in but with no
>luck)
>
>NOTE: disabled iptables and selinux in this test environment
>NOTE: created testuser and testgroup with windowsRSAT (AD
>users&computers) and filled the UNIX attributes tab.. so I suppose at
>least for that 2 user and group I have correctly set UID GID
>
>____________________config files_______________________________
>
>##############/etc/samba/smb.conf
>[global]
>
> workgroup = MY
> security = ADS
> realm = MY.DOMAIN.COM
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MY:backend = ad
> idmap config MY:schema_mode = rfc2307
> idmap config MY:range = 500-40000
>
> winbind nss info = rfc2307
>
>[test]
> path = /condivisioni/test
> read only = no
>
>
>#################/etc/krb5.conf
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
> default_realm = MY.DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
>[realms]
>MY.DOMAIN.COM = {
> kdc = samba.my.domain.com
> admin_server = samba.my.domain.com }
>
>[domain_realm]
> .my.domain.com = MY.DOMAIN.COM
>my.domain.com = MY.DOMAIN.COM
>
>#################/etc/nsswitch.conf (edited lines)
>passwd: files winbind
>group: files winbind
>
>________________________________________________________
>
>~> wbinfo -p
>~> wbinfo -u
>~> wbinfo -g
>~> wbinfo -n testuser
>
>return expected output
>
>~> getent passwd
>~> getent group
>
>return only local unix users and groups
>
>~> wbinfo -i testuser
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user testuser
>~> wbinfo --group-info testgroup
>failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for group testgroup
>
>
>on DC getent is working correctly and also wbinfo -i:
>~> wbinfo -i testuser
>MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
>~> wbinfo --group-info testgroup
>MY\testgroup:*:10000:
>~> wbinfo -i marco
>MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
>~> wbinfo --group-info "domain users"
>MY\Domain Users:*:100:
>
>
>... any suggestions?
>... I've searched the /var/log/samba logs but can't find anything
>relevant there about errors? should I look somewhere else?
>... would it be better do add this MEMBER as a DC with samba tool? any
>gotchas in doing so?
>... I read many times Steve and Rowland suggesting sssd over winbind..
>I've tried to configure it but without success either (quite
>frustrated :( )
>
>thanks
>
>--
>
>Lorenzo Faleschini
>IT Manager @ Nord Est Systems srl
>----------------------------------------
>m: +39 335 6055225 | skype: falegalizeit
>
>
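
The `username map` line in the reply above gives the domain Administrator the identity of local root on the member server, so it is worth checking which client names a map file actually resolves to root. The following is an added example, not part of the original thread and not Samba's own code; it models the line-by-line matching described in smb.conf(5) in simplified form (no `@group` entries), and the `backup` and `nobody` lines in the sample are constructed.

```python
import re

# Constructed sample: the mapping line from the reply plus two hypothetical lines.
SAMPLE_MAP = r'''
# user Administrator workaround
!root = DOMAINNAME\Administrator DOMAINNAME\administrator
backup = "DOMAINNAME\Backup Operator"
nobody = *
'''

TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted names may contain spaces

def parse_usermap(text):
    """Return (unix_name, [client_names], stop_on_match) for each mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' = stop processing if this line matches
        unix, sep, rest = line.lstrip("!").partition("=")
        if sep and unix.strip():
            names = [t.strip('"') for t in TOKEN.findall(rest)]
            entries.append((unix.strip(), names, stop))
    return entries

def resolve(entries, client_name):
    """Simplified model (assumption): case-insensitive match, later lines
    override earlier ones unless the matching line started with '!'."""
    result, wanted = client_name, client_name.lower()
    for unix, names, stop in entries:
        if any(n == "*" or n.lower() == wanted for n in names):
            result = unix
            if stop:
                break
    return result

def audit_root(entries):
    """Client names from the file that resolve to root after all lines are applied."""
    candidates = {n for _, names, _ in entries for n in names}
    return sorted(n for n in candidates if resolve(entries, n) == "root")

if __name__ == "__main__":
    entries = parse_usermap(SAMPLE_MAP)
    print("maps to root:", audit_root(entries))
    for name in (r"DOMAINNAME\ADMINISTRATOR", r"DOMAINNAME\Backup Operator"):
        print(name, "->", resolve(entries, name))
```

Without the leading `!` on the root line, the catch-all `nobody = *` line in the sample would override the Administrator mapping.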