[Samba] getent passwd and winbind not work

Chan Min Wai dcmwai at gmail.com
Tue Feb 4 14:37:37 MST 2014


Maybe it is a little late on this topic.

But groups does run...
It is just that winbind has a small bug in getent group.

To prove it, try:

getent group anySambaLinuxGroupName

You should get the group name with its members.

This issue was somehow discovered in Aug 2012.
But it was overlooked, I believe...

https://lists.samba.org/archive/samba/2012-August/168680.html

As usual...
Patches welcome :)


On Sat, Feb 1, 2014 at 12:07 AM, Stéphane PURNELLE <
stephane.purnelle at corman.be> wrote:

> Hi,
>
> I found the source of the problem.
>
> We have used Samba for a long time (samba 2.2.8 -> samba 3.x.x -> samba 3.5.12)
> Backend ldap, we always try to respect the recommendations of Samba (using
> howto like:
> https://www.samba.org/samba/docs/man/Samba-Guide/happy.html#id2571048)
>
> On this howto, we can see:
>
> root#  getent group | grep Domain
> Domain Admins:x:512:root
> Domain Users:x:513:
> Domain Guests:x:514:
> Domain Computers:x:553:
>
>
> gidNumbers are 512, 513, 514, 533 for Domain groups
>
>
> Now: in the howto for samba4 like :
> https://wiki.samba.org/index.php/Samba/Domain_Member
>
>   idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>
>    idmap config SHORTDOMAINNAME:backend = ad
>    idmap config SHORTDOMAINNAME:schema_mode = rfc2307
>    idmap config SHORTDOMAINNAME:range = 500-40000
>
> If I understand this example, a user with a uid or a gid >= 500 and <=
> 4000 will be fetched from AD and will replace a local user with the same uid
> or gid?
>
> YES or NO (it's a question)
>
> My Samba configuration says:
>
> idmap config XXXXXX:range = 1000-40000
> That means that all uids or gids in my AD < 1000 will not be usable by
> winbind on my file-server.
>
> What can I do?
>
> Changing gidNumber in my AD will impact all ACLs on my file-server.
> Changing the range to 200 to 40000 will impact the configuration on my SLES
> (/etc/passwd)
>
> For testing I changed the gidNumber of Domain Admins and Domain Users and
> getent passwd runs fine, but my ACL is corrupted
>
> -----------------------------------
>
> I have another possibility: use nslcd...
>
> Does anyone have an idea?
>
> have a nice day
>
>
>         Stéphane Purnelle
>
>
> -----------------------------------
> Stéphane PURNELLE                         Admin. Systèmes et Réseaux
> Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
>
>
>
> From:    Stéphane PURNELLE <stephane.purnelle at corman.be>
> To:      samba at lists.samba.org,
> Date:    30/01/2014 09:40
> Subject: Re: [Samba] getent passwd and winbind not work
> Sent by: samba-bounces at lists.samba.org
>
>
>
> I set in smb.conf :
>
> winbind nss info = rfc2307
>
> And yes, all users are from classicupgrade and I set the Unix attributes from ADUC.
>
>
>
> -----------------------------------
> Stéphane PURNELLE                         Admin. Systèmes et Réseaux
> Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
>
> samba-bounces at lists.samba.org wrote on 30/01/2014 08:38:53:
>
> > From: Sven Schwedas <sven.schwedas at tao.at>
> > To: samba at lists.samba.org,
> > Date: 30/01/2014 08:39
> > Subject: Re: [Samba] getent passwd and winbind not work
> > Sent by: samba-bounces at lists.samba.org
> >
> > Are the required RFC2307 attributes for posixUser/posixGroup entries set
> > (cf. winbind manpages)?
> >
> > On 2014-01-29 17:47, Stéphane PURNELLE wrote:
> > > Hi,
> > >
> > > I am testing winbind (as a replacement for nslcd) on a member server.
> > >
> > > I used the Samba4/Winbind howto and the howto for member server.
> > >
> > > wbinfo -u and wbinfo -g work fine, but getent passwd does not work (getent
> > > does not list users from AD)
> > >
> > > Why?
> > > Does anyone have an idea?
> > >
> > > thx
> > >
> > >         Stéphane
> > >
> > > -----------------------------------
> > > Stéphane PURNELLE                         Admin. Systèmes et Réseaux
> > > Service Informatique       Corman S.A.           Tel : 00 32 (0)87/342467
> > >
> >
> > --
> > Mit freundlichen Grüßen, / Best Regards,
> > Sven Schwedas
> > Systemadministrator
> > TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
> > Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
> > http://software.tao.at
> >
> > [attachment "signature.asc" deleted by Stéphane PURNELLE/COR/SOPARIND]
> --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>

