[Samba] Samba 4.1.4 and winbind
steve at steve-ss.com
Mon Feb 3 05:24:18 MST 2014
On Mon, 2014-02-03 at 10:11 +0000, Rowland Penny wrote:
> On 03/02/14 08:35, Stéphane PURNELLE wrote:
> > Awesome, you have found the same problem as me.
> > See my post "getent passwd and winbind not work"
> > -----------------------------------
> > Stéphane PURNELLE Admin. Systèmes et Réseaux
> > Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
> > samba-bounces at lists.samba.org wrote on 01/02/2014 10:35:14:
> >> De : Rowland Penny <rowlandpenny at googlemail.com>
> >> A : sambalist <samba at lists.samba.org>,
> >> Date : 01/02/2014 10:35
> >> Objet : [Samba] Samba 4.1.4 and winbind
> >> Envoyé par : samba-bounces at lists.samba.org
> >> After the 'you should use winbind saga', I decide that I needed to learn
> >> about using winbind with samba 4 clients.
> >> So I created a VM running ubuntu 12.04 server and installed and compiled
> >> samba 4 to use as a test client.
> >> created /usr/local/samba/etc/smb.conf
> >> [global]
> >> workgroup = EXAMPLE
> >> security = ADS
> >> realm = EXAMPLE.COM
> >> encrypt passwords = yes
> >> server string = %h server (Samba)
> >> idmap config *:backend = tdb
> >> idmap config *:range = 70001-80000
> >> idmap config EXAMPLE:backend = ad
> >> idmap config EXAMPLE:schema_mode = rfc2307
> >> idmap config EXAMPLE:range = 1000-40000
> >> winbind nss info = rfc2307
> >> winbind trusted domains only = no
> >> winbind use default domain = yes
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> domain master = no
> >> local master = no
> >> preferred master = no
> >> os level = 20
> >> map to guest = bad user
> >> Set up pam etc and started the three samba daemons, checked they were
> >> running via 'ps ax'
> >> My domain users uidNumber's start at 10000, so they are within
> >> 1000-40000
> >> BUT, getent passwd & group did not return anything, although wbinfo -u &
> >> -g did return the domain users & groups.
> >> Gave it a bit of thought, now I gave Domain Users the gidNumber of '100'
> >> i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range =
> >> 1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the
> >> daemons.
> >> Winbind now works, so from this, I surmise that a user needs both a
> >> uidNumber & gidNumber before the ad backend will extract them from AD
> >> and both need to be inside the range supplied.
> >> This sort of begs the question, if you are using the ad backend and
> >> presumably have already given your users & groups a uidNumber &/or a
> >> gidNumber, why does winbind need the range line at all for the domain?
> >> Shouldn't winbind just extract any and all records, where the object has
> >> the required RFC2307 attributes?
> >> There is still one problem though, 'getent group' still does not return
> >> anything, but 'getent group <a group name>' does.
> >> And you wonder why I tell everybody to use that package I cannot name!
> >> it just works.
> >> Rowland
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> Hi, since I posted, I have re-run my tests a few times, now it might
> just be me, but I get a different result every time.
> My thoughts on winbind are:
> If samba4 were to totally follow the Microsoft SFU and start user &
> group id numbers at 10000, this would leave a large enough range to set
> the builtin users & groups to fixed ids, there aren't that many.
> This would then do away with the range lines that users have to set.
> Why are there two lines for enumeration? nobody is going to turn one on (or
> off) without doing the same for the other.
Just to clarify and as many of us have already observed, it makes no
difference if you turn on enumeration for groups. Even if you do:
still returns only local groups.
Maybe the documentation should include this? Or simply remove the option
for group enumeration from smb.conf? I feel sure it has been the cause
of many a 'winbind doesn't work' type thread on the list.
> Why, if you are using the 'ad' backend, do you need the 'winbind nss
> info' line, shouldn't this be set automatically
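Added example (not from this thread, nor from Samba itself): a small check of the rule Rowland hit, that with the 'ad' backend an object is only mapped when both its uidNumber and its primary gidNumber fall inside the domain's 'idmap config' range. The smb.conf fragment and the AD records are constructed to mirror the thread (users from 10000, Domain Users given gidNumber 100); the 'no overlapping ranges' check follows the smb.conf man page.

```python
import re

# Constructed smb.conf fragment, mirroring the config quoted in the thread.
SMB_CONF = """
[global]
workgroup = EXAMPLE
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 1000-40000
"""

# Constructed AD records: name -> (uidNumber, primary gidNumber).
# Users start at 10000; Domain Users was given gidNumber 100, as in the thread.
AD_USERS = {"rowland": (10000, 100), "steve": (10001, 100), "svc": (10002, 10000)}

RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_users(ranges, users, domain):
    """Names of users winbind would not map: uidNumber or gidNumber outside the range."""
    low, high = ranges[domain.upper()]
    inside = lambda n: low <= n <= high
    return sorted(name for name, (uid, gid) in users.items()
                  if not (inside(uid) and inside(gid)))


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (the man page requires disjoint ranges)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("unmapped with range 1000-40000:", check_users(r, AD_USERS, "EXAMPLE"))
    print("overlaps:", overlapping_ranges(r))
```

Widening the domain range to 0-40000, as Rowland did, makes the unmapped list empty; the better fix is a gidNumber for Domain Users that sits inside the range.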