[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
Markert, Martin
MMarkert at arri.de
Fri Feb 27 08:39:13 MST 2015
On 27.02.2015 at 16:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 27/02/15 14:59, Markert, Martin wrote:
>> On 27.02.2015 at 15:48, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>> On 27/02/15 14:28, Markert, Martin wrote:
>>>> On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>
>>>>> On 27/02/15 14:04, Markert, Martin wrote:
>>>>>> Hi,
>>>>>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>>>>>
>>>>>> winbind enum users = Yes
>>>>>> winbind enum groups = Yes
>>>>>> winbind use default domain = Yes
>>>>>> winbind nested groups = Yes
>>>>>> winbind separator = +
>>>>>> winbind offline logon = false
>>>>>> idmap config *:backend = rid
>>>>>> idmap config *:range = 50000-99999
>>>>>> idmap config *:schema_mode = rfc2307
>>>>>>
>>>>>> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>>>>>>
>>>>>> winbind enum users = Yes
>>>>>> winbind enum groups = Yes
>>>>>> winbind use default domain = Yes
>>>>>> winbind nested groups = Yes
>>>>>> winbind separator = +
>>>>>> winbind offline logon = false
>>>>>> idmap config ARRI:backend = ad
>>>>>> idmap config ARRI:range = 1000-999999
>>>>>> idmap config ARRI:schema_mode = rfc2307
>>>>>>
>>>>>> [root at supermdc ~]# id schafha
>>>>>> uid=4294967295 gid=4294967295 groups=4294967295
>>>>>>
>>>>>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>>>>>
>>>>>> [root at supermdc ~]# id schafha
>>>>>> id: markert1: No such user
>>>>>>
>>>>>> Setup:
>>>>>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>>>>>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>>>>>
>>>>>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>>>>>>
>>>>>> Kind regards,
>>>>>> Martin
>>>>>>
>>>>>>
>>>>>> Martin Markert
>>>>>> Systems Integrator
>>>>>> Tuerkenstr. 89, 80799 München / Germany
>>>>>> Phone +49 89 3809-1848
>>>>>>
>>>>>> EMail MMarkert at arri.de
>>>>>>
>>>>> OK, try this:
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config ARRI : backend = ad
>>>>> idmap config ARRI : schema_mode = rfc2307
>>>>> idmap config ARRI : range = 10000-99999
>>>> Thank you for your answer, Rowland.
>>>> I've changed the configuration but it doesn't help:
>>>>
>>>> [root at supermdc ~]# id schafha
>>>> id: schafha: No such user
>>>>
>>>> [root at supermdc ~]# winbindd -i -d9
>>>> ...
>>>> accepted socket 21
>>>> [19077]: request interface version
>>>> [19077]: request location of privileged pipe
>>>> accepted socket 23
>>>> closing socket 21, client exited
>>>> getpwnam schafha
>>>> Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
>>>> closing socket 23, client exited
>>>>
>>>>> also are you using sssd on the AD member ?
>>>> No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
>>>>
>>>> Martin
>>>>
>>>>
>>>>> Rowland
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>> Does 'getent passwd schafha' show anything ?
>> No, it shows nothing.
>>
>> idmap_ad:
>> [root at supermdc ~]# getent passwd schafha
>> [root at supermdc ~]# getent passwd schafha
>>
>> Idmap_rid:
>> [root at supermdc ~]# getent passwd schafha
>> schafha:*:15934:10513:Schafhauser, Florian:/home/ARRI/schafha:/bin/false
>>
>>> has 'Domain Users' got a 'gidNumber' ?
>> No, it does not have a gidNumber.
>>
>>> Rowland
>>>
>
> ok, 'Domain Users' not having a 'gidNumber' could well be your problem :-)
>
> Try giving 'Domain Users' a 'gidNumber' with ADUC and then try 'getent passwd schafha' again.
Ahh, okay! I will give it a try. Our domain administrator has to add this. After that I will report.
Thank you, Rowland.
>
> Rowland
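The checks raised in the replies, as an added example that is not part of the original thread: a Python sketch that reads the `idmap config` lines and reports why the `ad` backend would leave a user unmapped. The directory data is constructed, the function names and entry layout are hypothetical, and the dependency on the primary group's `gidNumber` is taken from the suggestion in the reply above.

```python
import re

# Constructed smb.conf fragment: the settings proposed in the reply.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""

# Constructed directory data (hypothetical layout); None = attribute not set.
GROUPS = {513: {"name": "Domain Users", "gidNumber": None}}
USERS = {"schafha": {"uidNumber": 10000, "primaryGroupID": 513}}

def parse_idmap(conf):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    out = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$")
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return out

def in_range(value, rng):
    """True if value is set and lies inside the 'low-high' range string."""
    low, high = (int(x) for x in rng.split("-"))
    return value is not None and low <= value <= high

def diagnose(user, domain, conf=SMB_CONF, users=USERS, groups=GROUPS):
    """List reasons the ad backend could not map this user; [] means none found."""
    cfg = parse_idmap(conf)
    problems = []
    if "*" not in cfg:
        problems.append("no default 'idmap config *' domain configured")
    dom = cfg.get(domain, {})
    if dom.get("backend") != "ad":
        return problems + [f"{domain} does not use the ad backend"]
    entry = users[user]
    if not in_range(entry["uidNumber"], dom["range"]):
        problems.append("uidNumber missing or outside the domain range")
    group = groups[entry["primaryGroupID"]]
    if not in_range(group["gidNumber"], dom["range"]):
        problems.append(f"primary group '{group['name']}' has no gidNumber in range")
    return problems

if __name__ == "__main__":
    print(diagnose("schafha", "ARRI"))
```

On a real member server the same attributes would be read from AD (for example with an LDAP query for `uidNumber`, `gidNumber` and `primaryGroupID`) instead of the constructed dictionaries.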