[Samba] Winbind question

Ryan Ashley ryana at reachtechfp.com
Mon Aug 11 08:51:57 MDT 2014


THAT DID IT! I am now pulling the correct IDs! I spent weeks on this 
and kept thinking it was configuration files or a bug. Man, I owe you 
dinner if you're ever in the states!

On 08/11/2014 10:47 AM, Ryan Ashley wrote:
> My thoughts are the same. I am rebuilding Samba on my member server 
> now using the parameter you mentioned. I did a full rebuild from 
> scratch, but I will let you know if it works when it finishes. My 
> fingers are crossed!
>
> On 08/11/2014 10:45 AM, Bruno MACADRÉ wrote:
>> I think only members, because it's only on them that we have the 
>> message 'can't load ad backend'
>>
>> On 11/08/2014 16:37, Ryan Ashley wrote:
>>> I have not seen that mentioned in my 121 posts about this issue. 
>>> Does that need to be enabled on the DC and members or just members?
>>>
>>> On 08/11/2014 10:35 AM, Bruno MACADRÉ wrote:
>>>> Nice clue,
>>>>
>>>> I quickly searched my tutorial and saw that I forgot an option 
>>>> on my configure line:
>>>>
>>>> --with-shared-modules=idmap_ad
>>>>
>>>> I am recompiling my Samba and will retry... I'll come back when finished
>>>>
>>>> On 11/08/2014 16:30, Ryan Ashley wrote:
>>>>> I forgot to tell you, if you are pulling from the TDB range, your 
>>>>> ID numbers will NOT be the same across member servers. That is 
>>>>> what I have been working on for a month now. I have two member 
>>>>> servers and they keep pulling from the TDB range, causing a user 
>>>>> to have an ID of 70001 on one member server but 70004 on the 
>>>>> other. Both servers claim they cannot probe the idmap ad module.
>>>>>
>>>>> On 08/11/2014 10:21 AM, Bruno MACADRÉ wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I successfully set up an AD DC, and now I want to join a file 
>>>>>> server as a member of this domain.
>>>>>>
>>>>>> I followed this tutorial: 
>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>>
>>>>>> All works fine, my server joins my AD without problem, samba 
>>>>>> starts fine and winbind too. But when I look at my domain users, 
>>>>>> the uid/gid returned by winbind are in the TDB range instead of 
>>>>>> the AD range.....
>>>>>>
>>>>>> This is my smb.conf :
>>>>>> [global]
>>>>>>
>>>>>>    netbios name = filzen
>>>>>>    workgroup = SAMDOM
>>>>>>    security = ADS
>>>>>>    realm = SAMDOM.FR
>>>>>>    encrypt passwords = yes
>>>>>>
>>>>>>    log level = 10
>>>>>>
>>>>>>    template homedir = /home/%U
>>>>>>    template shell = /bin/bash
>>>>>>
>>>>>>    winbind use default domain = yes
>>>>>>    winbind enum users  = yes
>>>>>>    winbind enum groups = yes
>>>>>>
>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>    idmap config SAMDOM:range = 20001-70000
>>>>>>    idmap config SAMDOM:default = yes
>>>>>>    idmap config *:backend = tdb
>>>>>>    idmap config *:range = 70001-80000
>>>>>>
>>>>>> If I type :
>>>>>> # wbinfo -i administrator
>>>>>>
>>>>>> I get :
>>>>>> administrator:*:70001:70001::/home/administrator:/bin/bash
>>>>>>
>>>>>> If I create a user (foo) and try to obtain his information:
>>>>>> # wbinfo -i foo
>>>>>>
>>>>>> I get:
>>>>>> foo:*:70002:70001::/home/foo:/bin/bash
>>>>>>
>>>>>> Why doesn't winbind use the AD range instead of the TDB range? And 
>>>>>> even if I must use the TDB range, is there any certainty that these 
>>>>>> uid/gid are the same across all members?
>>>>>>
>>>>>> Another clue: if I use SAMDOM:backend = rid, the users receive a 
>>>>>> uid/gid in the SAMDOM range and not in the TDB range (maybe a bug 
>>>>>> in the ad backend?)
>>>>>>
>>>>>> Thanks for any answers
>>>>>> Regards,
>>>>>> Bruno.
>>>>>>
>>>>>
>>>>
>>>
>>
>
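
A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it reads the `idmap config` lines from smb.conf text and reports which idmap domain a uid/gid from `wbinfo -i` output falls into, so IDs that fell through to the `*` (tdb) range are caught on each member server. The function names `idmap_source` and `check_ids` are hypothetical, and the sample inputs are constructed from the values quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): map winbind IDs back to idmap ranges.

# Constructed sample: the idmap lines of the smb.conf quoted in the thread.
SAMPLE_CONF='idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 20001-70000
idmap config SAMDOM:default = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000'

# idmap_source CONF_TEXT ID
# Prints "<domain> <backend>" for the range containing ID, or "none -".
idmap_source() {
    printf '%s\n' "$1" | awk -v id="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*idmap[ \t]+config[ \t]+/ {
            line = $0
            sub(/^[ \t]*idmap[ \t]+config[ \t]+/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); val = trim(substr(line, eq + 1))
            c = index(key, ":"); if (c == 0) next
            dom = trim(substr(key, 1, c - 1)); opt = trim(substr(key, c + 1))
            if (opt == "backend") be[dom] = val
            if (opt == "range") { split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
        }
        END {
            # Named domains first, then the "*" default domain.
            for (d in lo) if (d != "*" && id + 0 >= lo[d] && id + 0 <= hi[d]) { print d, be[d]; exit }
            if (("*" in lo) && id + 0 >= lo["*"] && id + 0 <= hi["*"]) { print "*", be["*"]; exit }
            print "none", "-"
        }'
}

# check_ids CONF_TEXT PASSWD_LINE EXPECTED_DOMAIN
# Returns 0 only if both uid and gid of a `wbinfo -i` line fall in the
# expected domain range; otherwise warns on stderr and returns 1.
check_ids() {
    uid=$(printf '%s\n' "$2" | cut -d: -f3)
    gid=$(printf '%s\n' "$2" | cut -d: -f4)
    rc=0
    for id in "$uid" "$gid"; do
        src=$(idmap_source "$1" "$id")
        case $src in
            "$3 "*) ;;
            *) echo "id $id allocated from '$src', expected $3" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# The wbinfo output quoted in the thread: both IDs come from the tdb range.
check_ids "$SAMPLE_CONF" 'foo:*:70002:70001::/home/foo:/bin/bash' SAMDOM || true
```

On a member server, pass the contents of the real smb.conf and the output of `wbinfo -i <user>` instead of the samples, and run the same check on every member to confirm they agree.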
