[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users
George
jorgito1412 at gmail.com
Tue Jul 22 12:42:18 MDT 2014
Minimal smb.conf on the member server goes as follows:
---------------------------
[global]
netbios name = MEMBERSERVER
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.COM
encrypt passwords = yes
# This is needed!
idmap config *:backend = tdb
idmap config *:range = 70001-80000
# This range has to match the one that sssd has
# assigned to your domain. Leave it like this if
# you set the default domain SID on sssd.conf
idmap config MYDOMAIN:backend = nss
idmap config MYDOMAIN:range = 200000-399999
winbind nss info = rfc2307
winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
---------------------------
Also, sssd.conf goes as follows:
---------------------------
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[domain/mydomain.com]
id_provider = ad
access_provider = ad
# The following is needed on Debian/Ubuntu systems because the hostname
# is not returned as an FQDN by default. sssd comes from the Red Hat
# world where it expects to be returned as an FQDN (logs
# are spammed with errors otherwise)
ad_hostname = memberserver.mydomain.com
# The following allocates the first slice to this domain. This forces the
# ID mappings to occur within the 200000-399999 range
ldap_idmap_default_domain_sid = YOUR_DOMAIN_SID_HERE
---------------------------
Still, not sure if your original problem is caused by a
misconfiguration here, though...
Best regards!
George
On Tue, Jul 22, 2014 at 1:14 PM, Elias Probst <mail at eliasprobst.eu> wrote:
> On 07/22/2014 03:42 AM, George wrote:
>> My setup is exactly like what you are trying to achieve. I use sssd to
>> keep the Unix mapping consistent on every server (works great, getent
>> passwd is consistent everywhere). Still, on member servers I had to
>> configure winbind nss idmap properly, otherwise I was not able to
>> properly set permissions on the shares.
>
> Could you provide your winbind config or even your whole [global] section?
> I tried it now _with_ winbind but was still running into the "Failed to
> map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)" error,
> so having a working config to use as "template" would be very helpful.
>
> Besides that, I was also experimenting with SSSD 1.12.0 which has now
> support for SID mapping via libcifsidmap (cifs-utils) according to its
> changelog: https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.0
> As I ran into some build issues on Ubuntu 14.04 I might have to postpone
> these experiments for now...
>
> - Elias
>
>
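Added example, not code from George's post or from the Samba or sssd projects: a small Python check of the idmap layout the two config fragments above rely on. With `idmap config MYDOMAIN:backend = nss`, winbind asks libc (and so sssd) for the uid/gid of a domain user, so the range it is given must be the range sssd actually hands out; the default `*` range (BUILTIN and other well-known SIDs, tdb backend) must not overlap it. The script parses constructed copies of both files, derives the sssd slice from `ldap_idmap_range_min`/`ldap_idmap_range_size` (assumed at the sssd-ldap(5) defaults of 200000/200000 when unset, which puts slice 0 at 200000-399999, the range in the post), and reports mismatches. Domain names and the SID are placeholders; `check_idmap`, `winbind_ranges` and `sssd_slice` are names chosen for this example.

```python
"""Consistency check for a winbind (nss backend) + sssd idmap layout.

Added example, not from the mailing-list post or from Samba/sssd.
Assumed sssd defaults (sssd-ldap(5)): ldap_idmap_range_min = 200000,
ldap_idmap_range_size = 200000, so slice 0 is 200000-399999.
"""
import configparser
import re

SSSD_RANGE_MIN_DEFAULT = 200000   # assumed default for ldap_idmap_range_min
SSSD_RANGE_SIZE_DEFAULT = 200000  # assumed default for ldap_idmap_range_size

# Constructed smb.conf [global] modelled on the post (intended layout).
SMB_CONF_OK = """
[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = nss
idmap config MYDOMAIN:range = 200000-399999
winbind nss info = rfc2307
"""

# Constructed smb.conf with common mistakes: the domain range was copied from
# the default range (overlap, and it does not match sssd), wrong backend.
SMB_CONF_BAD = """
[global]
workgroup = MYDOMAIN
security = ADS
realm = MYDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 70001-80000
"""

# Constructed sssd.conf modelled on the post; the SID is a placeholder.
SSSD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = mydomain.com
[domain/mydomain.com]
id_provider = ad
access_provider = ad
ldap_idmap_default_domain_sid = S-1-5-21-1111111111-2222222222-3333333333
"""


def parse_ini(text):
    # Only '=' separates key and value: ':' is part of 'idmap config X:range'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)  # keys are lower-cased by configparser, like smb.conf treats them
    return cp


def parse_range(value):
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"bad idmap range {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def winbind_ranges(smb):
    """Map idmap domain ('*' or lower-cased NetBIOS name) -> (lo, hi)."""
    ranges = {}
    for key, value in smb["global"].items():
        m = re.fullmatch(r"idmap config\s+(\S+):range", key)
        if m:
            ranges[m.group(1)] = parse_range(value)
    return ranges


def sssd_slice(sssd, realm, slice_index=0):
    """ID range of one sssd idmap slice for the [domain/<realm>] section."""
    sec = sssd[f"domain/{realm}"]
    rmin = int(sec.get("ldap_idmap_range_min", SSSD_RANGE_MIN_DEFAULT))
    size = int(sec.get("ldap_idmap_range_size", SSSD_RANGE_SIZE_DEFAULT))
    lo = rmin + slice_index * size
    return lo, lo + size - 1


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(smb_text, sssd_text):
    """Return a list of problems; an empty list means winbind and sssd agree."""
    smb, sssd = parse_ini(smb_text), parse_ini(sssd_text)
    g = smb["global"]
    workgroup = g["workgroup"].strip().lower()
    realm = g["realm"].strip().lower()
    problems = []

    ranges = winbind_ranges(smb)
    if "*" not in ranges:
        problems.append("smb.conf: no 'idmap config *:range' for BUILTIN/well-known SIDs")
    if workgroup not in ranges:
        problems.append(f"smb.conf: no 'idmap config {workgroup}:range'")
        return problems

    backend = g.get(f"idmap config {workgroup}:backend", "").strip()
    if backend != "nss":
        problems.append(f"smb.conf: domain backend is {backend or 'unset'!r}, "
                        "expected 'nss' so winbind takes IDs from sssd")

    dom = ranges[workgroup]
    if "*" in ranges and overlaps(ranges["*"], dom):
        problems.append(f"smb.conf: default range {ranges['*']} overlaps domain range {dom}")

    section = f"domain/{realm}"
    if section not in sssd:
        problems.append(f"sssd.conf: no [{section}] section for realm {realm}")
        return problems
    sid = sssd[section].get("ldap_idmap_default_domain_sid", "").strip()
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", sid):
        problems.append("sssd.conf: ldap_idmap_default_domain_sid unset or not a domain SID; "
                        "slice 0 is not guaranteed for this domain")
    expected = sssd_slice(sssd, realm)
    if dom != expected:
        problems.append(f"smb.conf: domain range {dom} != sssd slice 0 {expected}")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", SMB_CONF_OK), ("bad", SMB_CONF_BAD)):
        print(name, check_idmap(conf, SSSD_CONF) or ["ok"])
```

On a live member server the same invariants can be eyeballed with `getent passwd someuser` (what sssd returns) against `wbinfo -i someuser` (what winbind maps): with the layout above both must report the same uid, and it must fall inside the `MYDOMAIN` range, not the `*` range.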