[Samba] Winbind does not read uidNumber

steve steve at steve-ss.com
Mon Jun 30 16:30:52 MDT 2014


On Mon, 2014-06-30 at 20:39 +0200, Lars Hanke wrote:
> Hi steve,
> 
> the checklist is a great tool ... I tuned quite some things. Most of 
> them didn't seem to change the behavior in any way.
> 
> >> 3. Database check:
> >> no gidNumber here, add gidNumber: 10000
> >> retried on the client, still no users
> > No. This is not within your domain range.
> 
> Okay, that probably was the culprit. After changing the client's 
> smb.conf to extend the range the user appeared, while Administrator is 
> still missing. This is what Rowland's usermap is for, I guess.
> 
> Since there is nothing in the logs about this rejection, it may be the 
> first thing to check if 'wbinfo -u' has the users, but 'getent passwd' 
> does not have them.
> 
> >> 4. check for local user
> >>
> >> getent passwd | grep -i mgr has no hits on either machine. But to check
> >> for local entries probably
> >>
> >> grep -i user /etc/passwd
> >>
> >> is more appropriate.
> > However you wish. Just make sure there is a unique domain user.
> 
> The difference is that getent will report the non local users as well, 
> i.e. it will report the user, if winbind happens to work properly and 
> may therefore confuse people working with your checklist.
OK. I'll reword it. But remember, the check-list is because winbind
_isn't_ working!
> 
> >> 5. keytab (double numbering!)
> >>
> >> klist -k doesn't work, since Heimdal klist has no option -k. This is MIT
> >> syntax, if I recall correctly.
> > OK. Remove the keytab and recreate it.
> 
> The Heimdal syntax is 'ktutil -k /path/to/keytab list'. This worked fine 
> on /srv/files/private/secrets.keytab. I linked that to /etc/krb5.keytab, 
> i.e. didn't recreate anything. Don't know if that was necessary, since 
> we found kerberos working in earlier discussions.
> 
> I walked through the other items as well and corrected /etc/hostname of 
> the server. For some reason Debian 'hostname' returns 'hostname -s'. So 
> probably just state the results of the fully qualified commands in the 
> checklist.
> 
> I learned a lot in the recent discussion with Rowland and you.
> 
> Great work - thanks,
>   - lars.
Thanks to you too for working through it and making suggestions.
OpenSource at its best.
M
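
The range check discussed above (users listed by 'wbinfo -u' but missing from 'getent passwd', with nothing in the logs), as an added example that is not part of the original message. The helper name idmap_domain_for_id, the domain name EXAMPLE, the backends and all range values are constructed assumptions; only the gidNumber 10000 comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. idmap_domain_for_id is a hypothetical
# helper; the domain name EXAMPLE and all range values are constructed.

# Print each idmap domain whose "range" in the smb.conf at $1 contains the
# numeric ID $2 (a uidNumber or gidNumber). Returns 1 if no range contains it.
idmap_domain_for_id() {
    case "$2" in ''|*[!0-9]*) return 2 ;; esac      # reject non-numeric IDs
    awk -v id="$2" '
        /^[ \t]*[#;]/ { next }                      # smb.conf comment lines
        {
            if (split($0, kv, "=") != 2) next
            # Parameter names are case-insensitive: "idmap config <DOM> : range"
            if (tolower(kv[1]) !~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*$/) next
            dom = kv[1]; val = kv[2]
            sub(/^[ \t]*[A-Za-z]+[ \t]+[A-Za-z]+[ \t]+/, "", dom)   # drop "idmap config"
            sub(/[ \t]*:.*$/, "", dom)                              # drop ": range"
            gsub(/[ \t]/, "", val)
            if (split(val, r, "-") != 2) next
            if (id + 0 >= r[1] + 0 && id + 0 <= r[2] + 0) { print dom; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed client configs: "before" has a domain range that excludes
# gidNumber 10000, "after" has the range extended to include it.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before.conf" <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 20000-30000
EOF
sed 's/20000-30000/10000-30000/' "$demo_dir/before.conf" > "$demo_dir/after.conf"

for conf in before after; do
    if dom=$(idmap_domain_for_id "$demo_dir/$conf.conf" 10000); then
        echo "$conf: gidNumber 10000 is inside the idmap range for $dom"
    else
        echo "$conf: gidNumber 10000 is outside every idmap range"
    fi
done
```

On a real client, call the function with the path to that machine's smb.conf and the uidNumber or gidNumber stored in the directory for the missing user.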