[Samba] Setup_a_Samba_AD_Member_Server can get the id of user.

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 4 03:25:16 MST 2014


On 04/12/14 08:22, 江志 wrote:
> Hello Rowland Penny,
> When I run wbinfo -i TEST\\test
> I got the log:
>   [2014/12/04 15:39:50.169934,  3] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
>    ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
> [2014/12/04 15:39:50.171240,  3] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>    ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> [2014/12/04 15:39:50.188252,  3] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>    ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 05 Dec 2014 01:39:51 CST
> [2014/12/04 15:39:50.296664,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
>    Could not get unix ID for SID S-1-5-21-1425680026-858952690-2224761852-1107
> [2014/12/04 15:40:34.583374,  1] ../source3/winbindd/idmap.c:201(idmap_init_domain)
>    idmap range not specified for domain SWAP10
>
> SID S-1-5-21-1425680026-858952690-2224761852-1107 is the sid of test
> ------------------				
> 江志
> 2014-12-04
>
> -------------------------------------------------------------
> From: Rowland Penny
> Sent: 2014-12-01 17:14:56
> To: 江志
> Cc: samba
> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>
> On 01/12/14 00:08, 江志 wrote:
>> Hello Rowland Penny,
>>        I tested id Administrator as in the wiki.
>> 	I ran
>> chown Administrator (or other DomainUser) file and I got
>> invalid User :Administrator
>>
>> ------------------				
>> 江志
>> 2014-12-01
>>
>> -------------------------------------------------------------
>> From: Rowland Penny
>> Sent: 2014-11-28 17:59:18
>> To: 江志
>> Cc: samba
>> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>>
>> On 28/11/14 01:33, 江志 wrote:
>>> Hello Rowland Penny,
>>>       I tested setting up
>>> username map = /etc/samba/smbmap
>>> and I got the same error
>>>
>>> winbindd -V
>>> Version 4.1.11-Ubuntu
>>>
>>>
>>> ------------------				
>>> 江志
>>> 2014-11-28
>>>
>>> -------------------------------------------------------------
>>> From: Rowland Penny
>>> Sent: 2014-11-25 17:51:13
>>> To: samba
>>> Cc:
>>> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>>>
>>> On 25/11/14 03:47, 江志 wrote:
>>>> Hello samba,
>>>>          I followed the wiki (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server) to set up a member server, then I had some problems:
>>>> net ads join -U administrator is OK except the DNS update.
>>>> I run the command:
>>>> wbinfo -u
>>>> and it shows the user list as follows:
>>>> SWAP10\jz
>>>> SWAP10\root
>>>> TEST\administrator
>>>> TEST\krbtgt
>>>> TEST\guest
>>>> TEST\root
>>>> TEST\jz
>>>>
>>>> When I run the command:
>>>> id administrator
>>>> it shows
>>>> id: administrator: no such user
>>>> When I run the command:
>>>> id 'TEST\administrator'
>>>> it shows
>>>> id: TEST\administrator: no such user
>>>>
>>>> Running chown and chgrp also gives an error.
>>>>
>>>> Here is my smb.conf
>>>>
>>>> [global]
>>>> 	netbios name = swap10
>>>> 	workgroup = TEST
>>>> 	security = ADS
>>>> 	realm = TEST.TESTDOMAIN.COM
>>>> 	encrypt passwords = yes
>>>>
>>>> 	kerberos method = secrets only
>>>>
>>>> 	idmap config *:backend = tdb
>>>> 	idmap config *:range = 70001-80000
>>>> 	idmap config TEST:backend = ad
>>>> 	idmap config TEST:schema_mode = rfc2307
>>>> 	idmap config TEST:range = 500-40000
>>>>
>>>> 	winbind nss info = rfc2307
>>>> 	winbind trusted domains only = no
>>>> 	winbind use default domain = false
>>>> 	winbind enum users = yes
>>>> 	winbind enum groups = yes
>>>> 	winbind offline logon = false
>>>> 	template shell = /sbin/nologin
>>>>
>>>> 	vfs objects = acl_xattr
>>>> 	map acl inherit = yes
>>>> 	store dos attributes = yes
>>>> 	auth methods = winbind
>>>> 	log level = 3
>>>> [demo]
>>>> 	path = /home/samba/demo
>>>> 	read only = no
>>>> [install$]
>>>> 	path = /home/samba/install
>>>> 	read only = no
>>>> 	guest ok = no
>>>>
>>>> Any suggestions?
>>>> Sorry for my poor English.
>>>>
>>>> Regards
>>>> Jiangzhi
>>>> --------------
>>>> 2014-11-25
>>> OK, you are using the winbind 'ad' backend, this will only pull users
>>> from AD that have a uidNumber that is between (in your case) 500-40000.
>>> Administrator does not have a uidNumber and before you rush off to give
>>> Administrator a uidNumber, don't, this is not recommended, it just
>>> turns Administrator into a normal user on Unix.
>>>
>>> I take it that you have only one Samba4 AD DC, it is recommended that
>>> you use this for authentication only and use a separate file or member
>>> server, if you do this, you can then map Administrator to root by adding
>>> a line to smb.conf:
>>>
>>>              username map = /etc/samba/smbmap
>>>
>>> And then creating the smbmap file
>>>
>>> !root = EXAMPLE\Administrator Administrator administrator
>>>
>>> Where EXAMPLE is your netbios/workgroup name.
>>>
>>> I would suggest you have a read through the samba wiki:
>>>
>>> https://wiki.samba.org/index.php/Main_Page
>>>
>>> Rowland
>>>
>> Why do you want Administrator to log in? Administrator is the **WINDOWS**
>> admin user, you use 'root' on Unix.
>>
>> Rowland
>>
> OK, Administrator is a 'SPECIAL' windows user and as such, does not and
> should not exist on Unix. You can map Administrator to the Unix root
> user, this will allow Administrator to do the things that need doing
> from windows, change ACL's etc.
>
> It actually says 'chown DomainUser:DomainGroup file' on the wiki and if
> this is not working, then there is something wrong with your setup!
>
> This is providing that it doesn't work with a normal user that should be able to log into either a windows machine or a Unix machine.
>
> Let's start with the obvious, do any of your users in AD have at least a 'uidNumber' and does 'Domain Users' have a 'gidNumber'?
>
> Rowland
>
>

I repeat, have you given **ANY** of your users a 'uidNumber' ????

Rowland
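
The check behind the question above, as an added example that is not part of the original thread: the winbind 'ad' backend only resolves accounts whose uidNumber lies inside the range configured for the domain. The idmap lines are copied from the posted smb.conf; the uidNumber values and the 'svc' account are constructed for illustration.

```python
import re

# idmap lines from the smb.conf posted in the thread (TEST uses the 'ad' backend).
SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 500-40000
"""

# Constructed sample of AD accounts: (sAMAccountName, uidNumber or None if unset).
SAMPLE_USERS = [("administrator", None), ("jz", 10001), ("guest", None), ("svc", 45000)]

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "range":
            value = tuple(int(x) for x in value.split("-"))
        domains.setdefault(domain, {})[option] = value
    return domains

def resolvable(users, idmap, domain):
    """Split users into those the 'ad' backend can map and why the rest fail."""
    low, high = idmap[domain]["range"]
    ok, failed = [], {}
    for name, uid in users:
        if uid is None:
            failed[name] = "no uidNumber attribute"
        elif not low <= uid <= high:
            failed[name] = f"uidNumber {uid} outside {low}-{high}"
        else:
            ok.append(name)
    return ok, failed

def ranges_overlap(idmap):
    """True if any two configured idmap ranges overlap (they must not)."""
    spans = sorted(cfg["range"] for cfg in idmap.values() if "range" in cfg)
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))

if __name__ == "__main__":
    print(resolvable(SAMPLE_USERS, parse_idmap(SMB_CONF), "TEST"))
```

Accounts reported as lacking a uidNumber are the ones for which `id` and `chown` return "no such user" on the member server.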

