[Samba] getent passwd and winbind not work

Stéphane PURNELLE stephane.purnelle at corman.be
Fri Jan 31 09:07:57 MST 2014


Hi,

I found the source of the problem.

We have used Samba for a long time (samba 2.2.8 -> samba 3.x.x -> samba 3.5.12).
With the LDAP backend, we always try to respect the recommendations of Samba (using 
a howto like: 
https://www.samba.org/samba/docs/man/Samba-Guide/happy.html#id2571048) 

In this howto, we can see:

root#  getent group | grep Domain
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:553:


The gidNumbers are 512, 513, 514, 533 for the Domain groups.


Now, in a howto for Samba 4 like:
https://wiki.samba.org/index.php/Samba/Domain_Member

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000

   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000

If I understand this example, a user with a uid or a gid >= 500 and <= 
4000 will be taken from AD and will replace a local user with the same uid 
or gid?

YES or NO (it's a question)

My Samba configuration says:

idmap config XXXXXX:range = 1000-40000
That means that all uids or gids in my AD < 1000 will not be usable by 
winbind on my file server.

What can I do?

Changing the gidNumber in my AD will impact all ACLs on my file server.
Changing the range to 200 to 40000 will impact the configuration on my SLES 
(/etc/passwd).

For testing, I changed the gidNumber of Domain Admins and Domain Users and 
getent passwd runs fine, but my ACL is corrupted.

-----------------------------------

I have another possibility: use nslcd...

Does anyone have an idea?

Have a nice day


        Stéphane Purnelle


-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin. 
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467
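
An added example, not part of the original message and not Samba code: a Python check of the range question raised above, showing for the current 1000-40000 range and the 200-40000 alternative which AD groups fall outside the range and which local groups fall inside it. It assumes the documented idmap_ad behaviour that IDs outside the configured range are ignored; the "Staff" group and the local group list are constructed sample data.

```python
import re

# Constructed smb.conf using the idmap lines quoted in the message
# (XXXXXX is the poster's own placeholder for the domain name).
SMB_CONF = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config XXXXXX:backend = ad
   idmap config XXXXXX:schema_mode = rfc2307
   idmap config XXXXXX:range = 1000-40000
"""
# gidNumbers from the getent output quoted in the message; "Staff" is constructed.
AD_GROUPS = {"Domain Admins": 512, "Domain Users": 513,
             "Domain Guests": 514, "Domain Computers": 553, "Staff": 10001}
# Constructed local /etc/group entries for the member server.
LOCAL_GROUPS = {"root": 0, "users": 100, "vboxusers": 480, "backup": 1001}

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config DOM:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # commented-out lines (# or ;) never match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def assess(ad_ids, local_ids, low, high):
    """Split IDs by what an idmap range of low-high would do with them."""
    in_range = lambda n: low <= n <= high
    return {
        # Assumption (idmap_ad documentation): AD IDs outside the range are ignored
        "ignored_ad": sorted(k for k, n in ad_ids.items() if not in_range(n)),
        # Local IDs inside the range can collide with IDs served from AD
        "local_in_range": sorted(k for k, n in local_ids.items() if in_range(n)),
    }

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["XXXXXX"]
    for lo in (low, 200):  # current range, then the 200-40000 alternative
        print(f"{lo}-{high}:", assess(AD_GROUPS, LOCAL_GROUPS, lo, high))
```
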



From:    Stéphane PURNELLE <stephane.purnelle at corman.be>
To:      samba at lists.samba.org, 
Date:    30/01/2014 09:40
Subject: Re: [Samba] getent passwd and winbind not work
Sent by: samba-bounces at lists.samba.org



I set in smb.conf:

winbind nss info = rfc2307

And yes, all users are from classicupgrade and I set the Unix attributes from ADUC.



-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin. 
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 30/01/2014 08:38:53:

> From: Sven Schwedas <sven.schwedas at tao.at>
> To: samba at lists.samba.org, 
> Date: 30/01/2014 08:39
> Subject: Re: [Samba] getent passwd and winbind not work
> Sent by: samba-bounces at lists.samba.org
> 
> Are the required RFC2307 attributes for posixUser/posixGroup entries set
> (cf. winbind manpages)?
> 
> On 2014-01-29 17:47, Stéphane PURNELLE wrote:
> > Hi,
> > 
> > I am testing winbind (as a replacement for nslcd) on a member server.
> > 
> > I used the Samba4/Winbind howto and the howto for member servers.
> > 
> > wbinfo -u and wbinfo -g work fine but getent passwd does not work (getent 
> > does not list users from AD)
> > 
> > Why? 
> > Does anyone have an idea?
> > 
> > thx
> > 
> >         Stéphane 
> > 
> > -----------------------------------
> > Stéphane PURNELLE                         Systems and Network Admin. 
> > IT Department              Corman S.A.           Tel : 00 32 (0)87/342467
> > 
> 
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas
> System Administrator
> TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
> Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
> http://software.tao.at
> 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba