[Samba] Winbind question

Bruno MACADRÉ bruno.macadre at univ-rouen.fr
Mon Aug 11 09:26:20 MDT 2014


I didn't find the issue....

wbinfo -u => works
wbinfo -g => works
wbinfo -m => works and lists SAMDOM
wbinfo -n foo => works and gives his SID
wbinfo -s FOO_SID => works and return SAMDOM\foo 1
wbinfo -S FOO_SID => Failed with WBC_ERR_DOMAIN_NOT_FOUND 'cause it 
can't convert sid to uid !!!! Why ?

I'm tired... I think that my users must have rfc2307 information to do a 
SID->UID conversion.... but I can't specify all POSIX attributes with 
ADUC over about 5000 users by hand....

I will fall back to rid idmap backend... it works fine

On 11/08/2014 17:10, Ryan Ashley wrote:
> I just rebuilt my second member server and it finally has the exact 
> same ID's as the other one. That configuration parameter was the key. 
> I owe you big-time. Now let's get your other issue fixed!
>
> On 08/11/2014 11:02 AM, Bruno MACADRÉ wrote:
>> I've just recompiled so I didn't change anything.... I think I made a 
>> mistake in configuration
>>
>> I will try to rejoin
>>
>> On 11/08/2014 17:00, Ryan Ashley wrote:
>>> Have you edited "/etc/nsswitch.conf" and set passwd and group to use 
>>> winbind? Mine is below. Also, have you joined the member server with 
>>> "net ads join -U<domain admin name>"?
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat
>>>
>>> On 08/11/2014 10:57 AM, Bruno MACADRÉ wrote:
>>>> wbinfo -u works but not wbinfo -i....
>>>>
>>>> On 11/08/2014 16:55, Ryan Ashley wrote:
>>>>> Did you start the winbind, nmbd, and smbd services? If winbindd is 
>>>>> not running, you cannot use wbinfo.
>>>>>
>>>>> On 08/11/2014 10:54 AM, Bruno MACADRÉ wrote:
>>>>>> Nice, for me it's not so cool.... ad backend works and winbind 
>>>>>> list users but if I want infos about it I get a 
>>>>>> 'WBC_ERR_DOMAIN_NOT_FOUND' error..... I must search again.....
>>>>>>
>>>>>>
>>>>>> On 11/08/2014 16:51, Ryan Ashley wrote:
>>>>>>> THAT DID IT! I am now pulling the correct ID's! I spent weeks on 
>>>>>>> this and kept thinking it was configuration files or a bug. Man, 
>>>>>>> I owe you dinner if you're ever in the states!
>>>>>>>
>>>>>>> On 08/11/2014 10:47 AM, Ryan Ashley wrote:
>>>>>>>> My thoughts are the same. I am rebuilding Samba on my member 
>>>>>>>> server now using the parameter you mentioned. I did a full 
>>>>>>>> rebuild from scratch, but I will let you know if it works when 
>>>>>>>> it finishes. My fingers are crossed!
>>>>>>>>
>>>>>>>> On 08/11/2014 10:45 AM, Bruno MACADRÉ wrote:
>>>>>>>>> I think only members 'cause it's only on it we have the 
>>>>>>>>> message 'can't load ad backend'
>>>>>>>>>
>>>>>>>>> On 11/08/2014 16:37, Ryan Ashley wrote:
>>>>>>>>>> I have not seen that mentioned in my 121 posts about this 
>>>>>>>>>> issue. Does that need to be enabled on the DC and members or 
>>>>>>>>>> just members?
>>>>>>>>>>
>>>>>>>>>> On 08/11/2014 10:35 AM, Bruno MACADRÉ wrote:
>>>>>>>>>>> Nice clue,
>>>>>>>>>>>
>>>>>>>>>>> I quickly searched my tutorial and saw that I forgot an 
>>>>>>>>>>> option on my configure line:
>>>>>>>>>>>
>>>>>>>>>>> --with-shared-modules=idmap_ad
>>>>>>>>>>>
>>>>>>>>>>> I recompile my samba and retry... I come back when finished
>>>>>>>>>>>
>>>>>>>>>>> On 11/08/2014 16:30, Ryan Ashley wrote:
>>>>>>>>>>>> I forgot to tell you, if you are pulling from the TDB 
>>>>>>>>>>>> range, your ID numbers will NOT be the same across member 
>>>>>>>>>>>> servers. That is what I have been working on for a month 
>>>>>>>>>>>> now. I have two member servers and they keep pulling from 
>>>>>>>>>>>> the TDB range, causing a user to have an ID of 70001 on one 
>>>>>>>>>>>> member server but 70004 on the other. Both servers claim 
>>>>>>>>>>>> they cannot probe the idmap ad module.
>>>>>>>>>>>>
>>>>>>>>>>>> On 08/11/2014 10:21 AM, Bruno MACADRÉ wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I successfully set up an AD DC, and now, I want to join a 
>>>>>>>>>>>>> file server as member in this domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I followed this tutorial : 
>>>>>>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server 
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> All works fine, my server join my AD without problem, 
>>>>>>>>>>>>> samba starts fine and winbind too. But when I look at my 
>>>>>>>>>>>>> domain users, the uid/gid returned by winbind are in the 
>>>>>>>>>>>>> TDB range instead of the AD range.....
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is my smb.conf :
>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>
>>>>>>>>>>>>>    netbios name = filzen
>>>>>>>>>>>>>    workgroup = SAMDOM
>>>>>>>>>>>>>    security = ADS
>>>>>>>>>>>>>    realm = SAMDOM.FR
>>>>>>>>>>>>>    encrypt passwords = yes
>>>>>>>>>>>>>
>>>>>>>>>>>>>    log level = 10
>>>>>>>>>>>>>
>>>>>>>>>>>>>    template homedir = /home/%U
>>>>>>>>>>>>>    template shell = /bin/bash
>>>>>>>>>>>>>
>>>>>>>>>>>>>    winbind use default domain = yes
>>>>>>>>>>>>>    winbind enum users  = yes
>>>>>>>>>>>>>    winbind enum groups = yes
>>>>>>>>>>>>>
>>>>>>>>>>>>>    idmap config SAMDOM:backend = ad
>>>>>>>>>>>>>    idmap config SAMDOM:range = 20001-70000
>>>>>>>>>>>>>    idmap config SAMDOM:default = yes
>>>>>>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>>>>>>    idmap config *:range = 70001-80000
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I type :
>>>>>>>>>>>>> # wbinfo -i administrator
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get :
>>>>>>>>>>>>> administrator:*:70001:70001::/home/administrator:/bin/bash
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I create a user (foo) and try to obtain his 
>>>>>>>>>>>>> information:
>>>>>>>>>>>>> # wbinfo -i foo
>>>>>>>>>>>>>
>>>>>>>>>>>>> I get:
>>>>>>>>>>>>> foo:*:70002:70001::/home/foo:/bin/bash
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why doesn't winbind use the AD range instead of the TDB range? And 
>>>>>>>>>>>>> even if I must use the TDB range, is there a certainty that 
>>>>>>>>>>>>> these uid/gid are the same over all members?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Another clue : If I use SAMDOM:backend = rid the users 
>>>>>>>>>>>>> receive a uid/gid in SAMDOM range and not in TDB range 
>>>>>>>>>>>>> (maybe a bug in ad backend ?)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for any answers
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Bruno.
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 

Bruno MACADRE
-------------------------------------------------------------------
  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
  Département Informatique         | Department of computer science
  Responsable Info SER             | SER IT Manager
  Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université
	CS 70012
	76801 St Etienne du Rouvray CEDEX
	FRANCE

	Tél : +33 (0)2-32-95-51-86
	Mob : +33 (0)6-74-71-45-64
-------------------------------------------------------------------
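
Added example (not part of the original thread, and not Samba code): a small Python check for the symptom discussed above, where domain accounts receive IDs from the default "*" tdb range instead of the SAMDOM range. The function names are hypothetical; the inputs are the idmap lines and wbinfo -i results quoted in the thread.

```python
import re

# Constructed input: the idmap lines of the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 20001-70000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
"""
# The two `wbinfo -i` results quoted in the thread.
WBINFO_LINES = [
    "administrator:*:70001:70001::/home/administrator:/bin/bash",
    "foo:*:70002:70001::/home/foo:/bin/bash",
]
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m.group(1), {})
        if m.group(2).lower() == "range":
            low, high = m.group(3).split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = m.group(3)
    return domains

def owner_of(xid, domains):
    """Name of the idmap domain whose range contains xid, else None."""
    return next((d for d, e in domains.items()
                 if "range" in e and e["range"][0] <= xid <= e["range"][1]), None)

def audit(passwd_lines, domains, expected):
    """List (user, kind, id, range owner) for ids outside `expected`'s range."""
    findings = []
    for line in passwd_lines:
        name, _, uid, gid = line.split(":")[:4]
        for kind, xid in (("uid", int(uid)), ("gid", int(gid))):
            owner = owner_of(xid, domains)
            if owner != expected:
                findings.append((name, kind, xid, owner))
    return findings

if __name__ == "__main__":
    print(audit(WBINFO_LINES, parse_idmap(SMB_CONF), "SAMDOM"))
```

Every finding names an ID that was allocated locally from the tdb range, which is the case the thread reports as differing between member servers.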


