[Samba] AD share not accessible

Benjamin Budts ben at zentrix.be
Mon Jan 20 02:15:26 MST 2014


Gents,

Could this be the reason I get a timeout while trying to run getent? The AD
server has 500+ users and 100s of groups...

winbind enum users and groups should be used with caution in active
directories greater than 200 users or groups, as enumeration is an expensive
process and likely to timeout and cause login failures. During login, the
full passwd and group will be "enumerated" every time from your active
directory server. Enumeration is not required for a successful login.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Benjamin Budts
Sent: Monday 20 January 2014 0:16
To: samba at lists.samba.org
Subject: Re: [Samba] AD share not accessible


Hi,

Thx Steve for pointing out the overlapping range issue I had in my conf.

I changed the config, but still no success: getent passwd or getent groups
is only showing local users/groups. After showing the local users, there
seems to be a timeout of 5 seconds and then back to shell.

Accessing my share with a group that is situated in the group Valid Users
isn't working either. No errors in smb or winbind log. (Although if I make a
mistake in my user's password on purpose, I see an error log being created,
as stated in my first post to the mailing list.) So there seems to be some
form of authentication, although I can't find out how to debug it.

My /share has been remounted with ACL too

Any ideas ? 

My new config
----

[global]
	workgroup = INTRANET
	realm = ISPPC.BE
	server string = %h
	security = ADS
	ntlm auth = No
	kerberos method = system keytab
	log file = /var/log/samba/log.%m
	max log size = 1024
	client signing = required
	server signing = required
	client use spnego = No
	load printers = No
	lm announce = No
	dns proxy = No
	ldap ssl = no
	template homedir = /dev/null
	template shell = /bin/true
	winbind separator = +
	winbind cache time = 5
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind nss info = rfc2307
	winbind refresh tickets = Yes
	winbind offline logon = Yes
	winbind normalize names = Yes
	idmap config * : range = 1000000-1999999
	idmap config INTRANET:base_rid = 0
	idmap config INTRANET:range = 50000-59999
	idmap config INTRANET:read only = yes
	idmap config INTRANET:backend = rid
	idmap config * : backend = tdb
	invalid users = root
	cups options = raw

[glims_share]
	comment = Glims Cluster Share
	path = /share
	valid users = @INTRANET+GRP_GLIMS_RDS_USERS
	read only = No


Cheers,



-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of steve
Sent: Thursday 16 January 2014 19:02
To: samba at lists.samba.org
Subject: Re: [Samba] samba linux share vs AD

On Thu, 2014-01-16 at 17:30 +0100, Benjamin Budts wrote:
> #getent passwd only shows local users it seems to wait 5 seconds
> after printing the local users and then times out to shell without an
> error.

Your ranges overlap.
  idmap config * : range = 1000000-1999999
  idmap config INTRANET:range = 60000-50000000

Go for something like * 50000-59999
HTH
Steve


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
