[Samba] userid shows 4294967295
Rowland penny
rpenny at samba.org
Mon Dec 7 16:27:50 UTC 2015
On 07/12/15 16:08, Nico De Ranter wrote:
>
> I'm coming from a Debian system so my system accounts are below 1000,
> regular accounts start at 1000. For some historical reason somebody
> gave our main group id 500 so therefor I want my usable range to start
> at 500.
Bad idea, you will probably need at least one local Unix user, where are
you going to put it. My advice would be to follow the Samba wiki and use
the numbers you will find there.
>
> Do I need both idmap config *:range and idmap config SAMDOM:range? I
> also tried with only 'idmap config *:range' but that didn't seem to
> help. I'll try again tomorrow.
Yes you do, the first is for the builtin user & group mappings and the
second is for your AD users & groups.
>
> I also noticed that my second AD didn't have rfc2307 enabled so that
> may also have introduced some issues.
Not really, all the info should be in AD, you probably just need to add
'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
Rowland
>
> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>
> Nico
>
>
> On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny <rpenny at samba.org
> <mailto:rpenny at samba.org>> wrote:
>
> On 07/12/15 12:52, Nico De Ranter wrote:
>
> Hello again,
>
> I'm getting close to a working setup but still run into
> glitches here and
> there.
>
> I have 2 Ubuntu servers working as AD server, one Ubuntu
> desktop with
> winbind configured. I've setup a number of accounts with Unix
> properties. I've been primarily testing with my own account
> which works
> just fine. I've now assigned Unix properties to another
> account. When I
> run 'wbinfo -i' on the AD server I see the correct info:
>
> root at dc1:~# wbinfo -i test
> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>
> When I try the same thing on the client I get:
>
> root at testpc2:~# wbinfo -i test
> test:*:4294967295:4294967295::/home/test:/bin/bash
>
> I also tried some other accounts and got the same result. The
> only account
> that seems to work fine is my own account (and no it is not in
> /etc/passwd
> :-)
>
> Any idea what might be wrong?
>
> smb.conf on the client:
>
> [global]
> security = ADS
> workgroup = OFFICE
> realm = WIN.OFFICE
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
>
> client signing = yes
> client use spnego = yes
>
> idmap config = ad
> winbind nss info = rfc2307
>
> # Default idmap config used for BUILTIN and local
> accounts/groups
> idmap backend = tdb
> idmap range = 100-499
>
> # idmap config for domain OFFICE
> idmap config OFFICE : backend = ad
> idmap config OFFICE : schema_mode = rfc2307
> idmap config OFFICE : range = 500-29999
>
>
> Your 'idmap config' block really should look like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> Also why are you using such strange ID numbers?
>
> Rowland
>
> It worked for the user with uid 1048, it doesn't work for uid
> 1059, 1000,
> 9999, 10000
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M. +32 497 91 53 78
>
>
> <http://www.esaturnus.com>
>
>
>
> <http://www.esaturnus.com>
>
>
>
>
> **
>
> *
> * <http://www.esaturnus.com/company/news/313>
>
>
> <http://www.esaturnus.com/>
More information about the samba
mailing list