[Samba] Setup_a_Samba_AD_Member_Server can get the id of user.

江志 jz at hejiangmould.com
Thu Dec 4 01:22:06 MST 2014


Hello Rowland Penny,
When I run wbinfo -i TEST\\test
I got the log:
 [2014/12/04 15:39:50.169934,  3] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
[2014/12/04 15:39:50.171240,  3] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2014/12/04 15:39:50.188252,  3] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 05 Dec 2014 01:39:51 CST
[2014/12/04 15:39:50.296664,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-1425680026-858952690-2224761852-1107
[2014/12/04 15:40:34.583374,  1] ../source3/winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain SWAP10

SID S-1-5-21-1425680026-858952690-2224761852-1107 is the SID of test
------------------				 
江志
2014-12-04

-------------------------------------------------------------
From: Rowland Penny
Sent: 2014-12-01 17:14:56
To: 江志
Cc: samba
Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.

On 01/12/14 00:08, 江志 wrote:
> Hello Rowland Penny,
>       I tested id Administrator as in the wiki.
> 	I ran
> chown Administrator (or other DomainUser) file and I got
> invalid User :Administrator
>
> ------------------				
> 江志
> 2014-12-01
>
> -------------------------------------------------------------
> From: Rowland Penny
> Sent: 2014-11-28 17:59:18
> To: 江志
> Cc: samba
> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>
> On 28/11/14 01:33, 江志 wrote:
>> Hello Rowland Penny,
>>      I have tested setting up
>> username map = /etc/samba/smbmap
>> and I got the same error
>>
>> winbindd -V
>> Version 4.1.11-Ubuntu
>>
>>
>> ------------------				
>> 江志
>> 2014-11-28
>>
>> -------------------------------------------------------------
>> From: Rowland Penny
>> Sent: 2014-11-25 17:51:13
>> To: samba
>> Cc:
>> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>>
>> On 25/11/14 03:47, 江志 wrote:
>>> Hello samba,
>>>         I followed the wiki (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server) to set up a member server, then I had some problems:
>>> net ads join -U adminsitrator is OK except the DNS update.
>>> Running the command:
>>> wbinfo -u
>>> shows the user list as follows:
>>> SWAP10\jz
>>> SWAP10\root
>>> TEST\administrator
>>> TEST\krbtgt
>>> TEST\guest
>>> TEST\root
>>> TEST\jz
>>>
>>> When I run the command:
>>> id administrator
>>> it shows
>>> id: administrator: no such user
>>> When I run the command:
>>> id 'TEST\administrator'
>>> it shows
>>> id: TEST\administrator: no such user
>>>
>>> Running chown and chgrp also gives an error.
>>>
>>> Here is my smb.conf
>>>
>>> [global]
>>> 	netbios name = swap10
>>> 	workgroup = TEST
>>> 	security = ADS
>>> 	realm = TEST.TESTDOMAIN.COM
>>> 	encrypt passwords = yes
>>>
>>> 	kerberos method = secrets only
>>>
>>> 	idmap config *:backend = tdb
>>> 	idmap config *:range = 70001-80000
>>> 	idmap config TEST:backend = ad
>>> 	idmap config TEST:schema_mode = rfc2307
>>> 	idmap config TEST:range = 500-40000
>>>
>>> 	winbind nss info = rfc2307
>>> 	winbind trusted domains only = no
>>> 	winbind use default domain = false
>>> 	winbind enum users = yes
>>> 	winbind enum groups = yes
>>> 	winbind offline logon = false
>>> 	template shell = /sbin/nologin
>>>
>>> 	vfs objects = acl_xattr
>>> 	map acl inherit = yes
>>> 	store dos attributes = yes
>>> 	auth methods = winbind
>>> 	log level = 3
>>> [demo]
>>> 	path = /home/samba/demo
>>> 	read only = no
>>> [install$]
>>> 	path = /home/samba/install
>>> 	read only = no
>>> 	guest ok = no
>>>
>>> Any suggestions?
>>> Sorry for my poor English.
>>>
>>> Regards
>>> Jiangzhi
>>> --------------
>>> 2014-11-25
>> OK, you are using the winbind 'ad' backend, this will only pull users
>> from AD that have a uidNumber that is between (in your case) 500-40000.
>> Administrator does not have a uidNumber and before you rush off to give
>> Administrator a uidNumber, don't, this is not recommended, it just
>> turns Administrator into a normal user on Unix.
>>
>> I take it that you have only one Samba4 AD DC, it is recommended that
>> you use this for authentication only and use a separate file or member
>> server, if you do this, you can then map Administrator to root by adding
>> a line to smb.conf:
>>
>>             username map = /etc/samba/smbmap
>>
>> And then creating the smbmap file
>>
>> !root = EXAMPLE\Administrator Administrator administrator
>>
>> Where EXAMPLE is your netbios/workgroup name.
>>
>> I would suggest you have a read through the samba wiki:
>>
>> https://wiki.samba.org/index.php/Main_Page
>>
>> Rowland
>>
> Why do you want Administrator to log in? Administrator is the **WINDOWS**
> admin user, you use 'root' on Unix.
>
> Rowland
>
OK, Administrator is a 'SPECIAL' windows user and as such, does not and 
should not exist on Unix. You can map Administrator to the Unix root 
user, this will allow Administrator to do the things that need doing 
from windows, change ACL's etc.

It actually says 'chown DomainUser:DomainGroup file' on the wiki and if 
this is not working, then there is something wrong with your setup!

This is providing that it doesn't work with a normal user that should be able to log into either a windows machine or a Unix machine.

Let's start with the obvious, do any of your users in AD have at least a 'uidNumber' and does 'Domain Users' have a 'gidNumber'?

Rowland
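
An added example, not part of the original thread and not Samba's own code: a small Python check that reads the `idmap config` lines from the smb.conf quoted above and predicts whether the `ad` backend would map a user, given the uidNumber stored in AD. The function names and the uidNumber values passed in are assumptions for illustration; the fallback to the `*` default domain follows the smb.conf documentation.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SMB_CONF = """
[global]
    workgroup = TEST
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 500-40000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains

def explain_lookup(domains, domain, uid_number):
    """Predict the mapping outcome; uid_number=None means the attribute is unset."""
    # Domains without their own idmap config use the '*' default domain.
    cfg = domains.get(domain.upper()) or domains.get("*")
    if cfg is None or "range" not in cfg:
        return "no idmap range configured"
    low, high = cfg["range"]
    if cfg.get("backend") != "ad":
        return f"allocated by {cfg.get('backend')} from {low}-{high}"
    if uid_number is None:
        return "unmapped: no uidNumber"
    if not low <= uid_number <= high:
        return f"unmapped: uidNumber outside {low}-{high}"
    return "mapped"

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    # Constructed inputs: Administrator has no uidNumber; 10000 is a sample value.
    for name, uid in [("administrator", None), ("jz", 10000)]:
        print(name, "->", explain_lookup(cfg, "TEST", uid))
```
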



