[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX

Markert, Martin MMarkert at arri.de
Fri Feb 27 09:24:42 MST 2015


On 27.02.2015 at 16:39, Martin Markert <mmarkert at arri.de> wrote:

> 
> On 27.02.2015 at 16:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> 
>> On 27/02/15 14:59, Markert, Martin wrote:
>>> On 27.02.2015 at 15:48, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> 
>>>> On 27/02/15 14:28, Markert, Martin wrote:
>>>>> On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> 
>>>>>> On 27/02/15 14:04, Markert, Martin wrote:
>>>>>>> Hi,
>>>>>>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>>>>>> 
>>>>>>>        winbind enum users = Yes
>>>>>>>        winbind enum groups = Yes
>>>>>>>        winbind use default domain = Yes
>>>>>>>        winbind nested groups = Yes
>>>>>>>        winbind separator = +
>>>>>>>        winbind offline logon = false
>>>>>>>        idmap config *:backend = rid
>>>>>>>        idmap config *:range = 50000-99999
>>>>>>>        idmap config *:schema_mode = rfc2307
>>>>>>> 
>>>>>>> But when I configure idmap_ad, I'm not able to get the uidNumber and gidNumber from the AD servers:
>>>>>>> 
>>>>>>>        winbind enum users = Yes
>>>>>>>        winbind enum groups = Yes
>>>>>>>        winbind use default domain = Yes
>>>>>>>        winbind nested groups = Yes
>>>>>>>        winbind separator = +
>>>>>>>        winbind offline logon = false
>>>>>>>        idmap config ARRI:backend = ad
>>>>>>>        idmap config ARRI:range = 1000-999999
>>>>>>>        idmap config ARRI:schema_mode = rfc2307
>>>>>>> 
>>>>>>> [root@supermdc ~]# id schafha
>>>>>>> uid=4294967295 gid=4294967295 groups=4294967295
>>>>>>> 
>>>>>>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>>>>>> 
>>>>>>> [root@supermdc ~]# id schafha
>>>>>>> id: markert1: No such user
>>>>>>> 
>>>>>>> Setup:
>>>>>>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>>>>>>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>>>>>> 
>>>>>>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>>>>>>> 
>>>>>>> Kind regards,
>>>>>>> Martin
>>>>>>> 
>>>>>>> 
>>>>>>> Martin Markert
>>>>>>> Systems Integrator
>>>>>>> Tuerkenstr. 89, 80799 München / Germany
>>>>>>> Phone +49 89 3809-1848
>>>>>>> 
>>>>>>> EMail MMarkert at arri.de
>>>>>>> 
>>>>>> OK, try this:
>>>>>> 
>>>>>>  idmap config * : backend = tdb
>>>>>>  idmap config * : range = 2000-9999
>>>>>>  idmap config ARRI : backend = ad
>>>>>>  idmap config ARRI : schema_mode = rfc2307
>>>>>>  idmap config ARRI : range = 10000-99999
>>>>> Thank you for your answer, Rowland.
>>>>> I've changed the configuration but it doesn't help:
>>>>> 
>>>>> [root@supermdc ~]# id schafha
>>>>> id: schafha: No such user
>>>>> 
>>>>> [root@supermdc ~]# winbindd -i -d9
>>>>> ...
>>>>> accepted socket 21
>>>>> [19077]: request interface version
>>>>> [19077]: request location of privileged pipe
>>>>> accepted socket 23
>>>>> closing socket 21, client exited
>>>>> getpwnam schafha
>>>>> Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
>>>>> closing socket 23, client exited
>>>>> 
>>>>>> also are you using sssd on the AD member ?
>>>>> No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
>>>>> 
>>>>> Martin
>>>>> 
>>>>> 
>>>>>> Rowland
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>> Does 'getent passwd schafha' show anything ?
>>> No, it shows nothing.
>>> 
>>> idmap_ad:
>>> [root@supermdc ~]# getent passwd schafha
>>> [root@supermdc ~]# getent passwd schafha
>>> 
>>> idmap_rid:
>>> [root@supermdc ~]# getent passwd schafha
>>> schafha:*:15934:10513:Schafhauser, Florian:/home/ARRI/schafha:/bin/false
>>> 
>>>> has 'Domain Users' got a 'gidNumber' ?
>>> No, it does not have a gidNumber.
>>> 
>>>> Rowland
>>>> 
>> 
>> ok, 'Domain Users' not having a 'gidNumber' could well be your problem :-)
>> 
>> Try giving 'Domain Users' a 'gidNumber' with ADUC and then try 'getent passwd schafha' again.
> 
> Ahh, okay! I will give it a try. Our domain administrator has to add this. After that I will report.
> 
> Thank you, Rowland.

Here we go:

[root@supermdc ~]# getent passwd schafha
schafha:*:10000:11111:Schafhauser, Florian:/home/ARRI/schafha:/bin/false

It's working.

Thank you for your help.

> 
>> 
>> Rowland
> 
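
Added example, not part of the original message and not Samba code: a simplified offline model of the rule this thread arrives at, namely that with the ad backend a user only resolves when its uidNumber and the gidNumber of its primary group both exist and fall inside the configured idmap range. The directory snapshot is constructed; the accounts svc_backup and olduser and the group unixadmins are hypothetical.

```python
import re

# smb.conf fragment as suggested in the thread
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""

# Constructed directory snapshot (not real AD data). Groups are keyed by RID;
# 513 is the well-known RID of "Domain Users".
GROUPS = {513: {"name": "Domain Users", "gidNumber": None},
          1201: {"name": "unixadmins", "gidNumber": 10000}}
USERS = [{"name": "schafha", "uidNumber": 10000, "primaryGroupID": 513},
         {"name": "svc_backup", "uidNumber": None, "primaryGroupID": 513},
         {"name": "olduser", "uidNumber": 500, "primaryGroupID": 1201}]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def check_id(label, value, rng):
    """Return a problem string for a missing or out-of-range ID, else None."""
    if value is None:
        return f"{label} missing"
    if not rng[0] <= value <= rng[1]:
        return f"{label} {value} outside {rng[0]}-{rng[1]}"
    return None

def audit(users, groups, rng):
    """Map each user name to the reasons it would stay unmapped (assumed model)."""
    report = {}
    for u in users:
        grp = groups.get(u["primaryGroupID"])
        checks = [check_id("uidNumber", u["uidNumber"], rng)]
        if grp is None:
            checks.append(f"primary group RID {u['primaryGroupID']} not found")
        else:
            checks.append(check_id(f"gidNumber of '{grp['name']}'", grp["gidNumber"], rng))
        report[u["name"]] = [c for c in checks if c]
    return report

if __name__ == "__main__":
    for name, problems in audit(USERS, GROUPS, idmap_range(SMB_CONF, "ARRI")).items():
        print(name, "->", "; ".join(problems) or "ok")
```

Giving "Domain Users" the gidNumber 11111 seen in the final getent output clears the finding for schafha.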


