[Samba] Winbind question

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Mon Aug 11 09:02:44 MDT 2014


I've just recompiled so I didn't change anything.... I think I made a 
mistake in configuration

I will try to rejoin

On 11/08/2014 17:00, Ryan Ashley wrote:
> Have you edited "/etc/nsswitch.conf" and set passwd and group to use 
> winbind? Mine is below. Also, have you joined the member server with 
> "net ads join -U<domain admin name>"?
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> On 08/11/2014 10:57 AM, Bruno MACADRÉ wrote:
>> wbinfo -u works but not wbinfo -i....
>>
>> On 11/08/2014 16:55, Ryan Ashley wrote:
>>> Did you start the winbind, nmbd, and smbd services? If winbindd is 
>>> not running, you cannot use wbinfo.
>>>
>>> On 08/11/2014 10:54 AM, Bruno MACADRÉ wrote:
>>>> Nice, for me it's not so cool.... ad backend works and winbind lists 
>>>> users but if I want info about it I get a 
>>>> 'WBC_ERR_DOMAIN_NOT_FOUND' error..... I must search again.....
>>>>
>>>>
>>>> On 11/08/2014 16:51, Ryan Ashley wrote:
>>>>> THAT DID IT! I am now pulling the correct IDs! I spent weeks on 
>>>>> this and kept thinking it was configuration files or a bug. Man, I 
>>>>> owe you dinner if you're ever in the states!
>>>>>
>>>>> On 08/11/2014 10:47 AM, Ryan Ashley wrote:
>>>>>> My thoughts are the same. I am rebuilding Samba on my member 
>>>>>> server now using the parameter you mentioned. I did a full 
>>>>>> rebuild from scratch, but I will let you know if it works when it 
>>>>>> finishes. My fingers are crossed!
>>>>>>
>>>>>> On 08/11/2014 10:45 AM, Bruno MACADRÉ wrote:
>>>>>>> I think only members 'cause it's only on it we have the message 
>>>>>>> 'can't load ad backend'
>>>>>>>
>>>>>>> On 11/08/2014 16:37, Ryan Ashley wrote:
>>>>>>>> I have not seen that mentioned in my 121 posts about this 
>>>>>>>> issue. Does that need to be enabled on the DC and members or 
>>>>>>>> just members?
>>>>>>>>
>>>>>>>> On 08/11/2014 10:35 AM, Bruno MACADRÉ wrote:
>>>>>>>>> Nice clue,
>>>>>>>>>
>>>>>>>>> I quickly searched my tutorial and saw that I forgot an 
>>>>>>>>> option on my configure line:
>>>>>>>>>
>>>>>>>>> --with-shared-modules=idmap_ad
>>>>>>>>>
>>>>>>>>> I'll recompile my samba and retry... I'll come back when finished
>>>>>>>>>
>>>>>>>>> On 11/08/2014 16:30, Ryan Ashley wrote:
>>>>>>>>>> I forgot to tell you, if you are pulling from the TDB range, 
>>>>>>>>>> your ID numbers will NOT be the same across member servers. 
>>>>>>>>>> That is what I have been working on for a month now. I have 
>>>>>>>>>> two member servers and they keep pulling from the TDB range, 
>>>>>>>>>> causing a user to have an ID of 70001 on one member server 
>>>>>>>>>> but 70004 on the other. Both servers claim they cannot probe 
>>>>>>>>>> the idmap ad module.
>>>>>>>>>>
>>>>>>>>>> On 08/11/2014 10:21 AM, Bruno MACADRÉ wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I successfully set up an AD DC, and now, I want to join a 
>>>>>>>>>>> file server as member in this domain.
>>>>>>>>>>>
>>>>>>>>>>> I followed this tutorial : 
>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>>>>>>>
>>>>>>>>>>> All works fine, my server joins my AD without problem, samba 
>>>>>>>>>>> starts fine and winbind too. But when I look at my domain 
>>>>>>>>>>> users, the uid/gid returned by winbind are in the TDB range 
>>>>>>>>>>> instead of the AD range.....
>>>>>>>>>>>
>>>>>>>>>>> This is my smb.conf :
>>>>>>>>>>> [global]
>>>>>>>>>>>
>>>>>>>>>>>    netbios name = filzen
>>>>>>>>>>>    workgroup = SAMDOM
>>>>>>>>>>>    security = ADS
>>>>>>>>>>>    realm = SAMDOM.FR
>>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>>
>>>>>>>>>>>    log level = 10
>>>>>>>>>>>
>>>>>>>>>>>    template homedir = /home/%U
>>>>>>>>>>>    template shell = /bin/bash
>>>>>>>>>>>
>>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>>    winbind enum users  = yes
>>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>>
>>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>>    idmap config SAMDOM:range = 20001-70000
>>>>>>>>>>>    idmap config SAMDOM:default = yes
>>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>>
>>>>>>>>>>> If I type :
>>>>>>>>>>> # wbinfo -i administrator
>>>>>>>>>>>
>>>>>>>>>>> I get :
>>>>>>>>>>> administrator:*:70001:70001::/home/administrator:/bin/bash
>>>>>>>>>>>
>>>>>>>>>>> If I create a user (foo) and try to obtain his 
>>>>>>>>>>> information:
>>>>>>>>>>> # wbinfo -i foo
>>>>>>>>>>>
>>>>>>>>>>> I get:
>>>>>>>>>>> foo:*:70002:70001::/home/foo:/bin/bash
>>>>>>>>>>>
>>>>>>>>>>> Why doesn't winbind use the AD range instead of the TDB range? And 
>>>>>>>>>>> even if I must use the TDB range, is there a certainty that these 
>>>>>>>>>>> uid/gid are the same over all members?
>>>>>>>>>>>
>>>>>>>>>>> Another clue : If I use SAMDOM:backend = rid the users 
>>>>>>>>>>> receive a uid/gid in SAMDOM range and not in TDB range 
>>>>>>>>>>> (maybe a bug in ad backend ?)
>>>>>>>>>>>
>>>>>>>>>>> Thanks for any answers
>>>>>>>>>>> Regards,
>>>>>>>>>>> Bruno.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 

Bruno MACADRE
-------------------------------------------------------------------
  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX
	FRANCE

	Tél : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
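
The symptom discussed in this thread (winbind returning IDs from the `*` tdb range instead of the domain's `ad` range) can be checked mechanically. The script below is an added example, not part of the original messages: the function names are hypothetical, the sample config reuses the idmap lines quoted in the thread, and the `foo` line with uid 20005 is constructed.

```shell
# Added example (not from the thread): map winbind-reported IDs to idmap ranges.
# Print the idmap domain whose "range" in smb.conf ($1) contains ID ($2), or "none".
idmap_range_of() {
    awk -v id="$2" '
        tolower($0) ~ /^[ \t]*idmap config [^:]+:[ \t]*range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", line)  # drop "idmap config"
            dom = line; sub(/[ \t]*:.*/, "", dom)               # e.g. SAMDOM or *
            rng = line; sub(/^[^=]*=[ \t]*/, "", rng)           # e.g. 20001-70000
            split(rng, b, /[ \t]*-[ \t]*/)
            if (id + 0 >= b[1] + 0 && id + 0 <= b[2] + 0) { print dom; found = 1; exit }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Check one passwd-format line ($3, as printed by `wbinfo -i`) against the
# idmap domain expected to own it ($2). Returns 1 on a mismatch.
check_entry() {
    name=$(printf '%s\n' "$3" | cut -d: -f1)
    uid=$(printf '%s\n' "$3" | cut -d: -f3)
    gid=$(printf '%s\n' "$3" | cut -d: -f4)
    u=$(idmap_range_of "$1" "$uid")
    g=$(idmap_range_of "$1" "$gid")
    if [ "$u" = "$2" ] && [ "$g" = "$2" ]; then
        echo "OK       $name uid=$uid gid=$gid (range $2)"
        return 0
    fi
    echo "MISMATCH $name uid=$uid (range $u) gid=$gid (range $g), expected $2"
    return 1
}

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[global]
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 20001-70000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
EOF
    echo "$f"
}

conf=$(make_sample_conf)
check_entry "$conf" SAMDOM 'administrator:*:70001:70001::/home/administrator:/bin/bash' || true
check_entry "$conf" SAMDOM 'foo:*:20005:20001::/home/foo:/bin/bash' || true  # constructed line
rm -f "$conf"
```

On a member server, pass the real smb.conf path and the output of `wbinfo -i <user>`; running it on each member shows whether a user's IDs come from the shared AD range or from a per-server tdb allocation.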


