[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 27 07:48:13 MST 2015


On 27/02/15 14:28, Markert, Martin wrote:
> On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 27/02/15 14:04, Markert, Martin wrote:
>>> Hi,
>>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>>
>>>          winbind enum users = Yes
>>>          winbind enum groups = Yes
>>>          winbind use default domain = Yes
>>>          winbind nested groups = Yes
>>>          winbind separator = +
>>>          winbind offline logon = false
>>>          idmap config *:backend = rid
>>>          idmap config *:range = 50000-99999
>>>          idmap config *:schema_mode = rfc2307
>>>
>>> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>>>
>>>          winbind enum users = Yes
>>>          winbind enum groups = Yes
>>>          winbind use default domain = Yes
>>>          winbind nested groups = Yes
>>>          winbind separator = +
>>>          winbind offline logon = false
>>>          idmap config ARRI:backend = ad
>>>          idmap config ARRI:range = 1000-999999
>>>          idmap config ARRI:schema_mode = rfc2307
>>>
>>> [root at supermdc ~]# id schafha
>>> uid=4294967295 gid=4294967295 groups=4294967295
>>>
>>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>>
>>> [root at supermdc ~]# id schafha
>>> id: markert1: No such user
>>>
>>> Setup:
>>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>>
>>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>>>
>>> Kind regards,
>>> Martin
>>>
>> OK, try this:
>>
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-9999
>>    idmap config ARRI : backend = ad
>>    idmap config ARRI : schema_mode = rfc2307
>>    idmap config ARRI : range = 10000-99999
> Thank you for your answer, Rowland.
> I've changed the configuration but it doesn't help:
>
> [root at supermdc ~]# id schafha
> id: schafha: No such user
>
> [root at supermdc ~]# winbindd -i -d9
> ...
> accepted socket 21
> [19077]: request interface version
> [19077]: request location of privileged pipe
> accepted socket 23
> closing socket 21, client exited
> getpwnam schafha
> Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
> closing socket 23, client exited
>
>> also are you using sssd on the AD member ?
> No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
>
> Martin
>
>
>> Rowland

Does 'getent passwd schafha' show anything?

Has 'Domain Users' got a 'gidNumber'?

Rowland
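
The range checks behind the configurations in this thread, as an added example that is not part of the original messages or of Samba: it parses the "idmap config" lines, reports a missing "*" default domain and overlapping ranges, and tests whether given uidNumber/gidNumber values fall inside the domain's range. The function names are hypothetical, and the attribute values are assumed to be typed in by hand (10000 is the value quoted in the thread; None stands for an attribute that is not set in AD).

```python
import re

# Matches both "idmap config ARRI:backend = ad" and "idmap config * : range = 2000-9999".
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes an (low, high) tuple."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            conf.setdefault(dom.upper(), {})[opt.lower()] = val
    for opts in conf.values():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            opts["range"] = (lo, hi)
    return conf

def check(conf, domain, ids):
    """Return a list of findings for one domain and a dict of AD attribute values."""
    findings = []
    if "*" not in conf:
        findings.append("no 'idmap config *' default domain")
    ranges = sorted((o["range"], d) for d, o in conf.items() if "range" in o)
    for ((lo1, hi1), d1), ((lo2, hi2), d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges of {d1} and {d2} overlap")
    lo, hi = conf.get(domain, {}).get("range", (1, 0))  # empty range if none set
    for name, value in ids.items():
        if value is None:
            findings.append(f"{name} is not set")
        elif not lo <= value <= hi:
            findings.append(f"{name}={value} outside {domain} range")
    return findings

# The two ARRI configurations quoted in the thread.
ORIGINAL = """idmap config ARRI:backend = ad
idmap config ARRI:range = 1000-999999
idmap config ARRI:schema_mode = rfc2307"""
SUGGESTED = """idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999"""
IDS = {"uidNumber": 10000, "gidNumber": 10000}  # values stated for schafha

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, check(parse_idmap(text), "ARRI", IDS))
```

An empty list only means the smb.conf ranges are consistent with the values supplied; it says nothing about what the AD server actually returns to winbind.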


