[Samba] Samba 4.1.4 and winbind

Stéphane PURNELLE stephane.purnelle at corman.be
Mon Feb 3 01:35:00 MST 2014


Awesome, you have found the same problem as me.

See my post "getent passwd and winbind not work"



-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 01/02/2014 10:35:14:

> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: sambalist <samba at lists.samba.org>
> Date: 01/02/2014 10:35
> Subject: [Samba] Samba 4.1.4 and winbind
> Sent by: samba-bounces at lists.samba.org
> 
> 
> After the 'you should use winbind saga', I decided that I needed to learn
> about using winbind with samba 4 clients.
> 
> So I created a VM running ubuntu 12.04 server and installed and compiled
> samba 4 to use as a test client.
> 
> created /usr/local/samba/etc/smb.conf
> 
> [global]
>      workgroup = EXAMPLE
>      security = ADS
>      realm = EXAMPLE.COM
>      encrypt passwords = yes
>      server string = %h server (Samba)
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>      idmap config EXAMPLE:backend = ad
>      idmap config EXAMPLE:schema_mode = rfc2307
>      idmap config EXAMPLE:range = 1000-40000
> 
>      winbind nss info = rfc2307
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> 
>      domain master = no
>      local master = no
>      preferred master = no
>      os level = 20
>      map to guest = bad user
> 
> Set up pam etc and started the three samba daemons, checked they were 
> running via 'ps ax'
> 
> My domain users' uidNumbers start at 10000, so they are within 1000-40000
> 
> BUT, getent passwd & group did not return anything, although wbinfo -u &
> -g did return the domain users & groups.
> 
> Gave it a bit of thought, now I gave Domain Users the gidNumber of '100'
> i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range =
> 1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the
> daemons.
> 
> Winbind now works, so from this, I surmise that a user needs both a
> uidNumber & gidNumber before the ad backend will extract them from AD 
> and both need to be inside the range supplied.
> 
> This sort of begs the question, if you are using the ad backend and 
> presumably have already given your users & groups a uidNumber &/or a 
> gidNumber, why does winbind need the range line at all for the domain? 
> Shouldn't winbind just extract any and all records, where the object has
> the required RFC2307 attributes?
> 
> There is still one problem though, 'getent group' still does not return 
> anything, but 'getent group <a group name>' does.
> 
> And you wonder why I tell everybody to use that package I cannot name! 
> it just works.
> 
> Rowland
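
As an added example (not code from this thread or from Samba), the following Python script parses the idmap lines of the quoted smb.conf and applies the poster's observation that a user is listed only when both uidNumber and gidNumber fall inside the domain range. The 1000 boundary for local system IDs, the overlap check and the function names are assumptions of the example.

```python
import re

# idmap lines from the smb.conf quoted above, with the original domain range.
SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 1000-40000
"""

LOCAL_ID_CEILING = 1000  # assumption: IDs below this belong to local system accounts


def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    pattern = re.compile(
        r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
    ranges = {}
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def visible(uid_number, gid_number, id_range):
    """Poster's observation: the user is listed only if both IDs are in range."""
    low, high = id_range
    return low <= uid_number <= high and low <= gid_number <= high


def range_findings(ranges):
    """Flag ranges that overlap each other or reach into the local ID space."""
    findings = []
    items = sorted(ranges.items())
    for i, (dom_a, (lo_a, hi_a)) in enumerate(items):
        if lo_a < LOCAL_ID_CEILING:
            findings.append(f"{dom_a}: range starts below {LOCAL_ID_CEILING}")
        for dom_b, (lo_b, hi_b) in items[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"{dom_a} overlaps {dom_b}")
    return findings


if __name__ == "__main__":
    ranges = idmap_ranges(SMB_CONF)
    # uidNumber 10000 and gidNumber 100 are the values given in the post.
    print(visible(10000, 100, ranges["EXAMPLE"]))
    print(range_findings(ranges))
```

Widening the range to 0-40000 makes the account from the post visible, and the same check then reports that the domain range reaches into the local ID space, where an AD-supplied uidNumber or gidNumber can coincide with a local account or group.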