[Samba] centos 6.5 sernet-samba 4.1.6 member server winbind idmap fail

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 10 09:55:34 MDT 2014


On 10/04/14 10:20, Lorenzo Faleschini wrote:
> Hi everybody,
>
> I've searched deeply into the samba wiki and the list for some working 
> examples, but I cannot find my way out, I'm a kind of rough samba user 
> (let's say almost newbie).. so asking help here:
>
> This is my setup:
>
> DC (samba.my.domain.com): CentOS 6.5 
> with sernet-samba 4.1.6 started in "ad" mode
> (upgraded successfully from early 4.0.5, working fine with windows 
> clients and servers, deployed with rfc2307, wbinfo and getent working 
> fine)
>
> MEMBER (files.my.domain.com): Centos 6.5 
> with sernet-samba 4.1.6 started in "classic" mode
> (successfully joined with net ads join, dns updated correctly and host 
> is able to resolve domain names, followed the howto on samba wiki, 
> tried also by installing from source with parameters suggested in but 
> with no luck)
>
> NOTE: disabled iptables and selinux in this test environment
> NOTE: created testuser and testgroup with windowsRSAT (AD 
> users&computers) and filled the UNIX attributes tab.. so I suppose at 
> least for those 2 user and group I have correctly set UID GID
>
> ____________________config files_______________________________
>
> ##############/etc/samba/smb.conf
> [global]
>
>    workgroup = MY
>    security = ADS
>    realm = MY.DOMAIN.COM
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config MY:backend = ad
>    idmap config MY:schema_mode = rfc2307
>    idmap config MY:range = 500-40000
>
>    winbind nss info = rfc2307
>
> [test]
>    path = /condivisioni/test
>    read only = no
>
>
> #################/etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MY.DOMAIN.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
> MY.DOMAIN.COM = {
>   kdc = samba.my.domain.com
>   admin_server = samba.my.domain.com }
>
> [domain_realm]
>  .my.domain.com = MY.DOMAIN.COM
> my.domain.com = MY.DOMAIN.COM
>
> #################/etc/nsswitch.conf (edited lines)
> passwd:     files winbind
> group:      files winbind
>
> ________________________________________________________
>
> ~> wbinfo -p
> ~> wbinfo -u
> ~> wbinfo -g
> ~> wbinfo -n testuser
>
> return expected output
>
> ~> getent passwd
> ~> getent group
>
> return only local unix users and groups
>
> ~> wbinfo -i testuser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user testuser
> ~> wbinfo --group-info testgroup
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group testgroup
>
>
> on DC getent is working correctly and also wbinfo -i:
> ~> wbinfo -i testuser
> MY\testuser:*:10000:100:testuser:/home/MY/testuser:/bin/false
> ~> wbinfo --group-info testgroup
> MY\testgroup:*:10000:
> ~> wbinfo -i marco
> MY\marco:*:3000043:100:Marco:/home/MY/marco:/bin/false
> ~> wbinfo --group-info "domain users"
> MY\Domain Users:*:100:
>

Have you given 'Domain Users' a gidNumber and if so is that gidNumber 
'100' ?
If you are using '100' for your gidNumber, then it is below the range 
you set in smb.conf and winbind will not pass this to getent and 
therefore you get no domain users.
If you have not added a gidNumber, then the same applies, winbind will 
not pass this to getent and you get no domain users.

Rowland

>
> ... any suggestions?
> ... I've searched the /var/log/samba logs but can't find anything 
> relevant there about errors? should I look somewhere else?
> ... would it be better to add this MEMBER as a DC with samba tool? any 
> gotchas in doing so?
> ... I read many times Steve and Rowland suggesting sssd over winbind.. 
> I've tried to configure it but without success either (quite 
> frustrated :( )
>
> thanks
>
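
The range check described in the reply above, as an added example that is not part of the original thread: it parses the `idmap config` lines from the posted smb.conf and lists which of the uidNumber/gidNumber values shown in the DC's wbinfo output fall outside the MY range. The function names `parse_idmap` and `out_of_range` are hypothetical, and the embedded config and ID list are copied from the thread for illustration.

```python
import re

# idmap-related lines from the member server's smb.conf, as posted in the thread.
SMB_CONF = """
[global]
   workgroup = MY
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config MY:backend = ad
   idmap config MY:schema_mode = rfc2307
   idmap config MY:range = 500-40000
"""

# IDs taken from the DC's wbinfo output quoted in the thread.
DC_IDS = [
    ("testuser uid", 10000),
    ("testuser primary gid", 100),
    ("testgroup gid", 10000),
    ("marco uid", 3000043),
    ("Domain Users gid", 100),
]

# Accepts both "idmap config MY:range" and "idmap config MY : range" spellings.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip smb.conf comments
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m["dom"].upper(), {})
        key = m["key"].lower()
        if key == "range":
            low, high = (int(x) for x in m["val"].split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = m["val"]
    return domains

def out_of_range(domains, domain, ids):
    """List (label, id) pairs outside the domain's configured idmap range."""
    low, high = domains[domain.upper()]["range"]
    return [(label, n) for label, n in ids if not low <= n <= high]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for label, n in out_of_range(cfg, "MY", DC_IDS):
        print(f"{label} = {n} is outside MY range {cfg['MY']['range']}")
```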


