[Samba] userid shows 4294967295

Nico De Ranter nico.deranter at esaturnus.com
Mon Dec 7 14:18:47 UTC 2015


I am using rfc2307 unix properties in AD.  So I would expect winbind to use
the uid and gid from rfc2307.

Hmm, I just noticed that 'wbinfo -i test' actually gives me different
results on my first AD, second AD and client.  Only the first AD shows the
result that I'm actually expecting.  Somehow the others are ignoring the
rfc2307 info.

Nico

On Mon, Dec 7, 2015 at 2:10 PM, mathias dufresne <infractory at gmail.com>
wrote:

> I expect the difference comes from the fact you are using ID mapping
> because, according to what I believe I understood, ID map generates UID
> (the map) and gives these generated UID to users. So one system gives one
> UID to your test users, another system gives him another UID.
>
> You can configure into AD uidNumber and gidNumber to give your AD users
> definitive UID/GID.
> Adding that information to AD is not enough as on UNIX/Linux systems you use
> something to build users using information grabbed from AD. So you have to use a
> tool which will use GIDs and UIDs you defined in AD.
>
> According to my own opinion Winbind is meant to build UNIX system users for
> Samba file sharing as Winbind relies mostly on MS Windows stuff to build
> users. This makes sense: Samba hosts files for Windows systems, ACLs must be
> consistent, so on Samba file servers AD users should be built using MS
> information from AD.
>
> To use AD as a database to build UNIX/Linux systems users you should have a
> look at SSSD or nslcd, they are more flexible, more designed to build UNIX
> users from AD.
>
> Cheers,
>
> mathias
>
> 2015-12-07 13:52 GMT+01:00 Nico De Ranter <nico.deranter at esaturnus.com>:
>
> > Hello again,
> >
> > I'm getting close to a working setup but still run into glitches here and
> > there.
> >
> > I have 2 Ubuntu servers working as AD servers, one Ubuntu desktop with
> > winbind configured.   I've set up a number of accounts with Unix
> > properties.  I've been primarily testing with my own account which works
> > just fine.  I've now assigned Unix properties to another account. When I
> > run 'wbinfo -i' on the AD server I see the correct info:
> >
> > root at dc1:~# wbinfo -i test
> > OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
> >
> > When I try the same thing on the client I get:
> >
> > root at testpc2:~# wbinfo -i test
> > test:*:4294967295:4294967295::/home/test:/bin/bash
> >
> > I also tried some other accounts and got the same result.  The only account
> > that seems to work fine is my own account (and no it is not in /etc/passwd
> > :-)
> >
> > Any idea what might be wrong?
> >
> > smb.conf on the client:
> >
> > [global]
> >        security = ADS
> >        workgroup = OFFICE
> >        realm = WIN.OFFICE
> >
> >        log file = /var/log/samba/%m.log
> >        log level = 1
> >
> >        dedicated keytab file = /etc/krb5.keytab
> >        kerberos method = secrets and keytab
> >
> >        winbind refresh tickets = yes
> >        winbind trusted domains only = no
> >        winbind use default domain = yes
> >        winbind enum users  = yes
> >        winbind enum groups = yes
> >        winbind offline logon = yes
> >
> >        client signing = yes
> >        client use spnego = yes
> >
> >        idmap config = ad
> >        winbind nss info = rfc2307
> >
> >         # Default idmap config used for BUILTIN and local accounts/groups
> >        idmap backend = tdb
> >        idmap range = 100-499
> >
> >        # idmap config for domain OFFICE
> >        idmap config OFFICE : backend = ad
> >        idmap config OFFICE : schema_mode = rfc2307
> >        idmap config OFFICE : range = 500-29999
> >
> > It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
> > 9999, 10000
> >
> >
>

-- 
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82

M. +32 497 91 53 78

<http://www.esaturnus.com>
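
An added example, not part of the original thread: a small Python check over the two `wbinfo -i` lines and the idmap lines of the client smb.conf quoted above. It flags 4294967295, which is (uid_t)-1 and means no valid ID was mapped, and otherwise compares the IDs with the configured `idmap config OFFICE : range`; the function names are hypothetical.

```python
import re

UNMAPPED = 0xFFFFFFFF  # 4294967295 == (uid_t)-1: no valid ID was mapped

# Both inputs below are copied from the thread.
SMB_CONF = """
idmap config = ad
idmap range = 100-499
idmap config OFFICE : backend = ad
idmap config OFFICE : schema_mode = rfc2307
idmap config OFFICE : range = 500-29999
"""
DC1_LINE = r"OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false"
CLIENT_LINE = "test:*:4294967295:4294967295::/home/test:/bin/bash"

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE)

def idmap_ranges(smb_conf_text):
    """Return {DOMAIN: (low, high)} from 'idmap config DOMAIN : range' lines."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_entry(passwd_line, domain, ranges):
    """Classify one passwd-format line as printed by 'wbinfo -i'."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
        return "malformed"
    uid, gid = int(fields[2]), int(fields[3])
    if UNMAPPED in (uid, gid):
        return "unmapped"      # winbind returned -1 instead of an ID
    if domain.upper() not in ranges:
        return "no-range"      # no per-domain range configured
    low, high = ranges[domain.upper()]
    if not (low <= uid <= high and low <= gid <= high):
        return "out-of-range"  # ID exists but lies outside the idmap range
    return "ok"

if __name__ == "__main__":
    ranges = idmap_ranges(SMB_CONF)
    for host, line in (("dc1", DC1_LINE), ("testpc2", CLIENT_LINE)):
        print(host, check_entry(line, "OFFICE", ranges))
```

On the thread's data the dc1 line is classified as ok and the testpc2 line as unmapped, so the uid and gid 10000/500 themselves sit inside the configured 500-29999 range.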

