[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail

L.P.H. van Belle belle at bazuin.nl
Thu Apr 10 06:54:00 MDT 2014


Yes, the solution (aka worked for me on Debian with sernet):

Make use of usermap.
Add to smb.conf:

  # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/samba_usermapping

Add in the file samba_usermapping:
!root = DOMAINNAME\Administrator DOMAINNAME\administrator

Restart Samba.


>-----Original message-----
>From: lorenzo.faleschini at nordestsystems.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Lorenzo Faleschini
>Sent: Thursday 10 April 2014 11:20
>To: samba at lists.samba.org
>Subject: [Samba] centos 6.5 sernet-samba 4.1.6 member server 
>winbind idmap fail
>
>Hi everybody,
>
>I've searched deeply into the samba wiki and the list for some working 
>examples, but I cannot find my way out, I'm a kind of rough samba user 
>(let's say almost newbie).. so asking help here:
>
>This is my setup:
>
>DC (samba.my.domain.com): CentOS 6.5 with
>sernet-samba 4.1.6 started in "ad" mode
>(upgraded successfully from early 4.0.5, working fine with windows
>clients and servers, deployed with rfc2307, wbinfo and getent
>working fine)
>
>MEMBER (files.my.domain.com): Centos 6.5
>with sernet-samba 4.1.6 started in "classic" mode
>(successfully joined with net ads join, dns updated correctly and host
>is able to resolve domain names, followed the howto on samba wiki, tried
>also by installing from source with parameters suggested in
>but with no luck)
>
>NOTE: disabled iptables and selinux in this test environment
>NOTE: created testuser and testgroup with windowsRSAT (AD 
>users&computers) and filled the UNIX attributes tab.. so I suppose at 
>least for that 2 user and group I have correctly set UID GID
>
>____________________config files_______________________________
>
>##############/etc/samba/smb.conf
>[global]
>
>    workgroup = MY
>    security = ADS
>    realm = MY.DOMAIN.COM
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config MY:backend = ad
>    idmap config MY:schema_mode = rfc2307
>    idmap config MY:range = 500-40000
>
>    winbind nss info = rfc2307
>
>[test]
>    path = /condivisioni/test
>    read only = no
>
>
>#################/etc/krb5.conf
>[logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
>  default_realm = MY.DOMAIN.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
>[realms]
>MY.DOMAIN.COM = {
>   kdc = samba.my.domain.com
>   admin_server = samba.my.domain.com }
>
>[domain_realm]
>  .my.domain.com = MY.DOMAIN.COM
>my.domain.com = MY.DOMAIN.COM
>
>#################/etc/nsswitch.conf (edited lines)
>passwd:     files winbind
>group:      files winbind
>
>________________________________________________________
>
>~> wbinfo -p
>~> wbinfo -u
>~> wbinfo -g
>~> wbinfo -n testuser
>
>return expected output
>
>~> getent passwd
>~> getent group
>
>return only local unix users and groups
>
>~> wbinfo -i testuser
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user testuser
>~> wbinfo --group-info testgroup
>failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for group testgroup
>
>
>on DC getent is working correctly and also wbinfo -i:
>~> wbinfo -i testuser
>MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
>~> wbinfo --group-info testgroup
>MY\testgroup:*:10000:
>~> wbinfo -i marco
>MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
>~> wbinfo --group-info "domain users"
>MY\Domain Users:*:100:
>
>
>... any suggestions?
>... I've searched the /var/log/samba logs but can't find anything
>relevant there about errors? should I look somewhere else?
>... would it be better to add this MEMBER as a DC with samba tool? any
>gotchas in doing so?
>... I read many times Steve and Rowland suggesting sssd over winbind.. 
>I've tried to configure it but without success either (quite 
>frustrated :( )
>
>thanks
>
>-- 
>
>Lorenzo Faleschini
>IT Manager @ Nord Est Systems srl
>----------------------------------------
>m: +39 335 6055225 | skype: falegalizeit
>
>
>


