[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
john_s
lists.john at gmail.com
Tue Apr 21 12:53:02 MDT 2015
On 04/20/2015 02:01 PM, Rowland Penny wrote:
>
> I would suggest you try it on a test set up in a VM and if it works, go
> to production.
>
> Rowland
>
Hi Rowland,
Ok, I think I am pretty close. Still using Samba 3.3.6 since I couldn't
seem to get Samba 4 to work from backports.
My sticking point right now is that winbind is mapping the wrong UID to
my test user. I've set up the NIS domain in AD to correspond to my
smb.conf file and I *think* I've correctly specified that UIDs should
start at 10000; however, when I id a domain user, the mapping starts at
2000. I assume this means that winbind thinks that the user doesn't
exist in the domain. wbinfo -u and wbinfo -g work as expected:
wbinfo -n flyboy
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
root at debian-tester:~# id flyboy
uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users)
groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)
root at debian-tester:~# getent passwd flyboy
flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh
getent group "domain users"
domain_users:x:2006:gcallison
Here's my smb.conf file:
[global]
workgroup = VANGUARD
security = ADS
realm = VANGUARD.MYDOMAIN.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VANGUARD:backend = ad
idmap config VANGUARD:schema_mode = rfc2307
idmap config VANGUARD:range = 10000-99999
log level = 1 idmap:10
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes
domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
[ALLSTUDENTS]
path = /home/ALLSTUDENTS
# valid users = %S
readonly = no
writable = yes
printable = no
create mode = 0700
directory mode = 0700
I turned up the logs for idmap, here's what I see:
log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER
log.winbindd-idmap: gid [0] not mapped
log.winbindd-idmap: idmap backend ad not found
log.winbindd-idmap: gid [65534] not mapped
log.winbindd-idmap: Record
S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap: Record
S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: Record
S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap: Record
S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap: Record
S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: Record
S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap: uid [0] not mapped
Thanks for all of your help!
John