[Samba] Samba as AD member can not validate domain user
jd at ionica.lv
Mon Apr 6 12:49:22 MDT 2015
Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>> CFG files from fileserver:
>> ============
>> krb5.conf
>> [libdefaults]
>> default_realm = INTERNAL.DOMAIN.LV
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> ===========
>> nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat files
>>
>> hosts: files dns
>> networks: files
>>
>> services: files
>> protocols: files
>> rpc: files
>> ethers: files
>> netmasks: files
>> netgroup: files
>> bootparams: files
>>
>> automount: files
>> aliases: files nisplus
>> publickey: nisplus
>> =============
>> SMB.conf on fileserver
>> [global]
>> security = ADS
>> workgroup = INTERNAL
>> acl group control = yes
>> inherit acls = Yes
>> map acl inherit = Yes
>> realm = INTERNAL.DOMAIN.LV
>> kerberos method = secrets and keytab
>> idmap config internal:backend = ad
>> idmap config internal:range = 10000-3001000
>> idmap config internal:schema_mode = rfc2307
>> idmap config *:range = 2000-9999
>> idmap config *:backend = tdb
>> dedicated keytab file = /etc/krb5.keytab
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind separator = \
>> winbind refresh tickets = Yes
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind trusted domains only = yes
>> utmp = yes
>> wins server = sambadc.DOMAIN.lv
>> wins support = yes
>> dns proxy = no
>> wins proxy = no
>> wtmp directory = /var/log/wtmp
>> preferred master = no
>> log level = 4
>> bind interfaces only = Yes
>> interfaces = lo, eth1
>> netbios name = FS2
>> os level = 33
>> ======================
> Firstly, please put the smb.conf on the AD DC back to what it was
> just after the provision. You do not need the extra lines you have
> added.
now smb.conf is rather short:
[global]
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
netbios name = SAMBADC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
log level = 4
[netlogon]
path = /var/lib/samba/sysvol/internal.domain.lv/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
> You have posted what is probably your problem:
>
> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID
> gidNumber
> gives only objectSID without gidNumber;
>
> You are using the winbind 'ad' backend on the member server, for
> this to work, your users need a 'uidNumber' attribute and 'Domain
> Users' (at least) *NEEDS* a 'gidNumber'
After assigning UNIX attributes to users and domain groups, all of them have
uidNumbers and gidNumbers starting from 10000;
ldbsearch gives:
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000
> If you use the 'ad' backend, then giving your users a 'uidNumber' is
> not enough, you must give their primarygroup (Domain Users) a
> 'gidNumber' attribute.
All of the AD users are members of the Domain Users group now.
Now on the DC, getent passwd gives just a list of local users;
getent passwd INTERNAL\\username gives domain user info with uid/gid
100xx:10000.
Still no changes on the fileserver: getent passwd INTERNAL\\username
finishes without any message;
in log.winbindd there is this entry:
[2015/04/06 21:42:37.714639,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam INTERNAL\username
Joining to the AD DC ends with the server joined and these messages:
DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL
(mail.domain.lv being the hostname of the server where the Samba
fileserver with NetBIOS name FS2 resides)
I do not see anything in capital letters in the logs.
Janis
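Added example, not part of Janis's message or of Samba itself: a small Python check for the condition Rowland describes. With the winbind 'ad' idmap backend, a user is mapped only if it has a uidNumber and the group named by its primaryGroupID (matched on the group's RID, the last component of objectSid) has a gidNumber; both values must also fall inside the domain's idmap range, 10000-3001000 in the smb.conf above. The script parses LDIF of the kind ldbsearch prints and lists every object that would break getent. SAMPLE_LDIF, the account names and the RIDs other than 513 are constructed for illustration, not real directory data.

```python
"""Check that AD users and groups carry the RFC2307 attributes the winbind
'ad' idmap backend needs: every user a uidNumber, every user's primary group
(primaryGroupID -> group RID) a gidNumber, all inside the idmap range.

Feed it LDIF, for example the output of
  ldbsearch -H /var/lib/samba/private/sam.ldb \
      '(|(objectClass=user)(objectClass=group))' \
      sAMAccountName objectClass objectSid primaryGroupID uidNumber gidNumber
SAMPLE_LDIF is constructed for illustration; it is not real directory data.
"""
import sys

IDMAP_LO, IDMAP_HI = 10000, 3001000  # idmap config internal:range from the smb.conf above

SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

dn: CN=Janis,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: janis
objectSid: S-1-5-21-216404829-505555237-127066545-1105
primaryGroupID: 513
uidNumber: 10001

dn: CN=Backup,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: backup
objectSid: S-1-5-21-216404829-505555237-127066545-1106
primaryGroupID: 513

dn: CN=Admins,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
sAMAccountName: admins
objectSid: S-1-5-21-216404829-505555237-127066545-1200

dn: CN=Ops,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
sAMAccountName: ops
objectSid: S-1-5-21-216404829-505555237-127066545-1107
primaryGroupID: 1200
uidNumber: 5000000
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Folded continuation lines (leading space) are joined; base64 (::)
    values are not decoded, since none of the attributes checked use them."""
    entries, cur, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            cur[last_attr][-1] += raw[1:]        # folded line
            continue
        attr, _, value = raw.partition(":")
        cur.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if cur:
        entries.append(cur)
    return entries


def rid(sid):
    """Relative ID: the last component of an objectSid string (513 = Domain Users)."""
    return int(sid.rsplit("-", 1)[1])


def check_rfc2307(entries, lo=IDMAP_LO, hi=IDMAP_HI):
    """Return human-readable problems; an empty list means every user in the
    input will resolve to a uid:gid on an 'ad'-backend member server."""
    def in_range(n):
        return lo <= n <= hi

    groups_by_rid = {rid(e["objectSid"][0]): e
                     for e in entries if "group" in e.get("objectClass", [])}
    problems = []
    for e in entries:
        name = e["sAMAccountName"][0]
        classes = e.get("objectClass", [])
        if "group" in classes:
            gid = e.get("gidNumber")
            if gid is None:
                problems.append(f"group {name}: no gidNumber (not mapped by the 'ad' "
                                "backend; fatal if it is anyone's primary group)")
            elif not in_range(int(gid[0])):
                problems.append(f"group {name}: gidNumber {gid[0]} outside idmap range {lo}-{hi}")
        elif "user" in classes:
            uid = e.get("uidNumber")
            if uid is None:
                problems.append(f"user {name}: no uidNumber (winbind will not return it)")
            elif not in_range(int(uid[0])):
                problems.append(f"user {name}: uidNumber {uid[0]} outside idmap range {lo}-{hi}")
            pgid = int(e["primaryGroupID"][0])
            grp = groups_by_rid.get(pgid)
            if grp is None:
                problems.append(f"user {name}: primaryGroupID {pgid} matches no group in the input")
            elif "gidNumber" not in grp:
                problems.append(f"user {name}: primary group {grp['sAMAccountName'][0]} "
                                f"(RID {pgid}) has no gidNumber, so the user cannot be mapped")
    return problems


if __name__ == "__main__":
    # Pass a file of ldbsearch output as argv[1]; with no argument the constructed sample is used.
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for line in check_rfc2307(parse_ldif(ldif)) or ["no RFC2307 problems found"]:
        print(line)
```

Run it on the DC against real ldbsearch output rather than on the member server: the member only sees what winbind already maps, which is exactly what is missing here. In the sample, janis is fine, backup lacks uidNumber, the admins group has no gidNumber (and is ops's primary group), and ops's uidNumber 5000000 lies outside 10000-3001000; any one of those yields the silent, empty getent the message describes.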