[Samba] Samba 4.1.4 and winbind
Stéphane PURNELLE
stephane.purnelle at corman.be
Mon Feb 3 01:35:00 MST 2014
Awesome, you have found the same problem as me.
See my post "getent passwd and winbind not work"
-----------------------------------
Stéphane PURNELLE Systems and Network Admin.
IT Department Corman S.A. Tel : 00 32 (0)87/342467
samba-bounces at lists.samba.org wrote on 01/02/2014 10:35:14:
> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: sambalist <samba at lists.samba.org>,
> Date: 01/02/2014 10:35
> Subject: [Samba] Samba 4.1.4 and winbind
> Sent by: samba-bounces at lists.samba.org
>
>
> After the 'you should use winbind saga', I decided that I needed to learn
> about using winbind with samba 4 clients.
>
> So I created a VM running ubuntu 12.04 server and installed and compiled
> samba 4 to use as a test client.
>
> created /usr/local/samba/etc/smb.conf
>
> [global]
> workgroup = EXAMPLE
> security = ADS
> realm = EXAMPLE.COM
> encrypt passwords = yes
> server string = %h server (Samba)
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 1000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
>
> Set up pam etc and started the three samba daemons, checked they were
> running via 'ps ax'
>
> My domain users uidNumber's start at 10000, so they are within
> 1000-40000
>
> BUT, getent passwd & group did not return anything, although wbinfo -u &
> -g did return the domain users & groups.
>
> Gave it a bit of thought, now I gave Domain Users the gidNumber of '100'
> i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range =
> 1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the
> daemons.
>
> Winbind now works, so from this, I surmise that a user needs both a
> uidNumber & gidNumber before the ad backend will extract them from AD
> and both need to be inside the range supplied.
>
> This sort of begs the question, if you are using the ad backend and
> presumably have already given your users & groups a uidNumber &/or a
> gidNumber, why does winbind need the range line at all for the domain?
> Shouldn't winbind just extract any and all records, where the object has
> the required RFC2307 attributes?
>
> There is still one problem though, 'getent group' still does not return
> anything, but 'getent group <a group name>' does.
>
> And you wonder why I tell everybody to use that package I cannot name!
> it just works.
>
> Rowland
>
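An added example, not part of the thread and not Samba code: a pre-flight check that models the conclusion Rowland reaches in the quoted message, that both uidNumber and the primary group's gidNumber must fall inside the domain's `idmap config ... range`. The user entries are constructed sample data; the configuration lines are the idmap settings from the quoted smb.conf.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted above.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 1000-40000
"""

# Constructed directory entries: (name, uidNumber, gidNumber of primary group).
USERS = [("alice", 10000, 100), ("bob", 10001, 10500), ("carol", 10002, None)]

_IDMAP = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} from 'idmap config DOM:range = lo-hi' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        m = _IDMAP.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-", 1))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            ranges[m.group(1)] = (low, high)
    return ranges

def audit(users, low, high):
    """Map each user name to the reasons it would not resolve (empty list = ok)."""
    report = {}
    for name, uid, gid in users:
        problems = []
        for attr, value in (("uidNumber", uid), ("gidNumber", gid)):
            if value is None:
                problems.append(f"{attr} missing")
            elif not low <= value <= high:
                problems.append(f"{attr} {value} outside {low}-{high}")
        report[name] = problems
    return report

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["EXAMPLE"]
    for name, problems in audit(USERS, low, high).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

With the original 1000-40000 range the constructed user whose primary group has gidNumber 100 is flagged; rerunning `audit` with 0-40000 clears it, matching the change described in the message.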