[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX

Markert, Martin MMarkert at arri.de
Fri Feb 27 07:59:18 MST 2015


On 27.02.2015 at 15:48, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 27/02/15 14:28, Markert, Martin wrote:
>> On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> 
>>> On 27/02/15 14:04, Markert, Martin wrote:
>>>> Hi,
>>>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>>> 
>>>>         winbind enum users = Yes
>>>>         winbind enum groups = Yes
>>>>         winbind use default domain = Yes
>>>>         winbind nested groups = Yes
>>>>         winbind separator = +
>>>>         winbind offline logon = false
>>>>         idmap config *:backend = rid
>>>>         idmap config *:range = 50000-99999
>>>>         idmap config *:schema_mode = rfc2307
>>>> 
>>>> But when I configure idmap_ad, I'm not able to get the uidNumber and gidNumber from the AD servers:
>>>> 
>>>>         winbind enum users = Yes
>>>>         winbind enum groups = Yes
>>>>         winbind use default domain = Yes
>>>>         winbind nested groups = Yes
>>>>         winbind separator = +
>>>>         winbind offline logon = false
>>>>         idmap config ARRI:backend = ad
>>>>         idmap config ARRI:range = 1000-999999
>>>>         idmap config ARRI:schema_mode = rfc2307
>>>> 
>>>> [root at supermdc ~]# id schafha
>>>> uid=4294967295 gid=4294967295 groups=4294967295
>>>> 
>>>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>>> 
>>>> [root at supermdc ~]# id schafha
>>>> id: markert1: No such user
>>>> 
>>>> Setup:
>>>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>>>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>>> 
>>>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>>>> 
>>>> Kind regards,
>>>> Martin
>>>> 
>>> OK, try this:
>>> 
>>>   idmap config * : backend = tdb
>>>   idmap config * : range = 2000-9999
>>>   idmap config ARRI : backend = ad
>>>   idmap config ARRI : schema_mode = rfc2307
>>>   idmap config ARRI : range = 10000-99999
>> Thank you for your answer, Rowland.
>> I've changed the configuration but it doesn't help:
>> 
>> [root at supermdc ~]# id schafha
>> id: schafha: No such user
>> 
>> [root at supermdc ~]# winbindd -i -d9
>> ...
>> accepted socket 21
>> [19077]: request interface version
>> [19077]: request location of privileged pipe
>> accepted socket 23
>> closing socket 21, client exited
>> getpwnam schafha
>> Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
>> closing socket 23, client exited
>> 
>>> Also, are you using sssd on the AD member?
>> No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
>> 
>> Martin
>> 
>> 
>>> Rowland
> 
> Does 'getent passwd schafha' show anything?
No, it shows nothing.

idmap_ad:
[root at supermdc ~]# getent passwd schafha
[root at supermdc ~]# getent passwd schafha

idmap_rid:
[root at supermdc ~]# getent passwd schafha
schafha:*:15934:10513:Schafhauser, Florian:/home/ARRI/schafha:/bin/false

> Has 'Domain Users' got a 'gidNumber'?

No, it does not have a gidNumber.

> 
> Rowland
> 
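
An added example, not part of the original thread and not Samba code: a small Python checker for the idmap settings discussed above. It parses `idmap config` lines, reports overlapping ranges, applies the formula from the idmap_rid manual page (ID = RID - BASE_RID + LOW_RANGE_ID) to the SID in the winbindd log, and lists rfc2307 attributes that are unset or outside the domain range. The function names are hypothetical, the attribute values are entered by hand from the thread rather than read from AD, and the low range value of 10000 used for the rid case is an assumption.

```python
import re

# Constructed sample: the idmap lines suggested in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            if opt == "range":
                val = tuple(int(x) for x in val.split("-"))
            cfg.setdefault(dom, {})[opt] = val
    return cfg

def overlaps(cfg):
    """Domain pairs whose ID ranges intersect; each ID must belong to one domain."""
    doms = sorted(d for d in cfg if "range" in cfg[d])
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if cfg[a]["range"][0] <= cfg[b]["range"][1]
            and cfg[b]["range"][0] <= cfg[a]["range"][1]]

def rid_to_id(sid, id_range, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None when out of range."""
    xid = int(sid.rsplit("-", 1)[1]) - base_rid + id_range[0]
    return xid if id_range[0] <= xid <= id_range[1] else None

def ad_issues(cfg, domain, attrs):
    """attrs: rfc2307 values as stored in AD, None meaning the attribute is unset."""
    low, high = cfg[domain]["range"]
    issues = []
    for name, value in attrs.items():
        if value is None:
            issues.append(f"{name}: not set")
        elif not low <= value <= high:
            issues.append(f"{name}: {value} outside {low}-{high}")
    return issues

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(rid_to_id("S-1-5-21-1085031214-682003330-725345543-5934", (10000, 99999)))
    print(ad_issues(cfg, "ARRI", {"uidNumber": 10000, "Domain Users gidNumber": None}))
```

With a low range value of 10000 the rid formula gives 15934 for the user and 10513 for Domain Users (RID 513), the two IDs in the idmap_rid getent output above.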


