[Samba] Winbind does not read uidNumber
Lars Hanke
debian at lhanke.de
Mon Jun 30 12:39:44 MDT 2014
Hi steve,
the checklist is a great tool ... I tuned quite some things. Most of
them didn't seem to change the behavior in any way.
>> 3. Database check:
>> no gidNumber here, add gidNumber: 10000
>> retried on the client, still no users
> No. This is not within your domain range.
Okay, that probably was the culprit. After changing the client's
smb.conf to extend the range the user appeared, while Administrator is
still missing. This is what Rowland's usermap is for, I guess.
Since there is nothing in the logs about this rejection, it may be the
first thing to check if 'wbinfo -u' has the users, but 'getent passwd'
does not have them.
>> 4. check for local user
>>
>> getent passwd | grep -i mgr has no hits on either machine. But to check
>> for local entries probably
>>
>> grep -i user /etc/passwd
>>
>> is more appropriate.
> However you wish. Just make sure there is a unique domain user.
The differece is that getent will report the non local users as well,
i.e. it will report the user, if winbind happens to work properly and
may therefore confuse people working with your checklist.
>> 5. keytab (double numbering!)
>>
>> klist -k doesn't work, since Heimdal klist has no option -k. This is MIT
>> syntax, if I recall correctly.
> OK. Remove the keytab and recreate it.
The Heimdal syntax is 'ktutil -k /path/to/keytab list'. This worked fine
on /srv/files/private/secrets.keytab. I linked that to /etc/krb5.keytab,
i.e. didn't recreate anything. Don't know if that was necessary, since
we found kerberos working in earlier discussions.
I walked through the other items as well and corrected /etc/hostname of
the server. For some reason Debian 'hostname' returns 'hostname -s'. So
probably just state the results of the fully qualified commands in the
checklist.
I learned a lot in the recent discussion with Rowland and you.
Great work - thanks,
- lars.
More information about the samba
mailing list