[Samba] AD share not accessible

Dale Schroeder dale at BriannasSaladDressing.com
Mon Jan 20 12:11:38 MST 2014


What version of Samba are you using? For quite some time, the RID 
backend was broken, although it has since been patched.  See Samba bugs 
9615 and 9899.

https://bugzilla.samba.org/show_bug.cgi?id=9615
https://bugzilla.samba.org/show_bug.cgi?id=9899

Dale

On 01/20/2014 3:15 AM, Benjamin Budts wrote:
> Gents,
>
> Could this be the reason I get a timeout while trying to run getent? The AD
> server has 500+ users and 100s of groups...
>
> winbind enum users and groups should be used with caution in active
> directories greater than 200 users or groups, as enumeration is an expensive
> process and likely to timeout and cause login failures. During login, the
> full passwd and group will be "enumerated" every time from your active
> directory server. Enumeration is not required for a successful login.
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Benjamin Budts
> Sent: Monday 20 January 2014 0:16
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD share not accessible
>
>
> Hi,
>
> Thx Steve for pointing out the overlapping range issue I had in my conf.
>
> I changed the config, but still no success: getent passwd or getent groups
> is only showing local users/groups. After showing the local users, there
> seems to be a timeout of 5 seconds and then back to shell.
>
> Accessing my share with a group that is situated in the group Valid Users
> isn't working either. No errors in smb or winbind log. (Although I get an
> error output if I make a mistake in my user's password on purpose: I see an
> error log being created, as stated in my first post to the mailing list.) So
> there seems to be some form of authentication, although I can't find out how
> to debug it.
>
> My /share has been remounted with ACL too
>
> Any ideas ?
>
> My new config
> ----
>
> [global]
> 	workgroup = INTRANET
> 	realm = ISPPC.BE
> 	server string = %h
> 	security = ADS
> 	ntlm auth = No
> 	kerberos method = system keytab
> 	log file = /var/log/samba/log.%m
> 	max log size = 1024
> 	client signing = required
> 	server signing = required
> 	client use spnego = No
> 	load printers = No
> 	lm announce = No
> 	dns proxy = No
> 	ldap ssl = no
> 	template homedir = /dev/null
> 	template shell = /bin/true
> 	winbind separator = +
> 	winbind cache time = 5
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind nss info = rfc2307
> 	winbind refresh tickets = Yes
> 	winbind offline logon = Yes
> 	winbind normalize names = Yes
> 	idmap config * : range = 1000000-1999999
> 	idmap config INTRANET:base_rid = 0
> 	idmap config INTRANET:range = 50000-59999
> 	idmap config INTRANET:read only = yes
> 	idmap config INTRANET:backend = rid
> 	idmap config * : backend = tdb
> 	invalid users = root
> 	cups options = raw
>
> [glims_share]
> 	comment = Glims Cluster Share
> 	path = /share
> 	valid users = @INTRANET+GRP_GLIMS_RDS_USERS
> 	read only = No
>
>
> Cheers,
>
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of steve
> Sent: Thursday 16 January 2014 19:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba linux share vs AD
>
> On Thu, 2014-01-16 at 17:30 +0100, Benjamin Budts wrote:
>>
>> #getent passwd only shows local users; it seems to wait 5 seconds
>> after printing the local users and then times out to shell without an
>> error.
>>
> Your ranges overlap.
>    idmap config * : range = 1000000-1999999
>    idmap config INTRANET:range = 60000-50000000
>
> Go for something like * 50000-59999
> HTH
> Steve
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
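
As an added example (not part of the thread and not Samba code), this Python script checks smb.conf text for the overlapping idmap ranges Steve pointed out and for the winbind enumeration settings quoted above. The function names are hypothetical, and the two sample configs contain only lines quoted in the thread.

```python
import re
from itertools import combinations

# "idmap config DOMAIN : range = LOW-HIGH" (spacing around ':' varies in the thread)
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)
ENUM_RE = re.compile(
    r"^\s*winbind\s+enum\s+(users|groups)\s*=\s*(yes|true|1)\s*$",
    re.IGNORECASE | re.MULTILINE)

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every idmap range line in the text."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def check(conf):
    """Return findings: inverted ranges, overlapping ranges, enumeration enabled."""
    findings = []
    ranges = idmap_ranges(conf)
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"{dom}: range {lo}-{hi} is inverted")
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        # Two closed intervals overlap when each starts before the other ends.
        if alo <= bhi and blo <= ahi:
            findings.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    for m in ENUM_RE.finditer(conf):
        findings.append(f"winbind enum {m.group(1).lower()} is enabled")
    return findings

# Sample input: only lines quoted in the thread (first attempt, then revised config).
OLD_CONF = """
[global]
    idmap config * : range = 1000000-1999999
    idmap config INTRANET:range = 60000-50000000
"""
NEW_CONF = """
[global]
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config * : range = 1000000-1999999
    idmap config INTRANET:range = 50000-59999
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, check(conf) or "no findings")
```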


