[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users

George jorgito1412 at gmail.com
Tue Jul 22 12:42:18 MDT 2014

Minimal smb.conf on the member server goes as follows:


   netbios name = MEMBERSERVER
   workgroup = MYDOMAIN
   security = ADS
   realm = MYDOMAIN.COM
   encrypt passwords = yes

# This is needed!
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000

# This range has to match the one that sssd has
# assigned to your domain. Leave it like this if
# you set the default domain SID on sssd.conf
   idmap config MYDOMAIN:backend = nss
   idmap config MYDOMAIN:range = 200000-399999

   winbind nss info = rfc2307
   winbind use default domain = yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

Also, sssd.conf goes as follows:
services = nss, pam
config_file_version = 2
domains = mydomain.com



id_provider = ad
access_provider = ad

# The following is needed on Debian/Ubuntu systems because the hostname
# is not returned as an FQDN by default. sssd comes from the Red Hat
# world where it expects to be returned as an FQDN (logs
# are spammed with errors otherwise)
ad_hostname = memberserver.mydomain.com

# The following allocates the first slice to this domain. This forces the
# ID mappings to occur within the 200000-399999 range
ldap_idmap_default_domain_sid = YOUR_DOMAIN_SID_HERE

Still, not sure if your original problem is caused by a
misconfiguration here, though...

Best regards!


On Tue, Jul 22, 2014 at 1:14 PM, Elias Probst <mail at eliasprobst.eu> wrote:
> On 07/22/2014 03:42 AM, George wrote:
>> My setup is exactly like what you are trying to achieve. I use sssd to
>> keep the Unix mapping consistent on every server (works great, getent
>> passwd is consistent everywhere). Still, on member servers I had to
>> configure winbind nss idmap properly, otherwise I was not able to
>> properly set permissions on the shares.
> Could you provide your winbind config or even your whole [global] section?
> I tried it now _with_ winbind but was still running into the "Failed to
> map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)" error,
> so having a working config to use as "template" would be very helpful.
> Besides that, I was also experimenting with SSSD 1.12.0 which has now
> support for SID mapping via libcifsidmap (cifs-utils) according to its
> changelog: https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0
> As I ran into some build issues on Ubuntu 14.04 I might have to postpone
> this experiments for now...
> - Elias
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list