[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
a.braml at buerger-energie-berlin.de
Wed Jan 28 15:25:11 MST 2015
Hi!
Am 28.01.2015 21:21, schrieb Rowland Penny:
> On 28/01/15 19:56, "Andreas Braml (BürgerEnergie Berlin)" wrote:
>> [...]
>>
>> But when I take the "known good" smb.conf to a fresh FreeBSD client
>> installed from scratch, adjusting the netbios name and then doing the
>> join, the behavior stays the same: backend rid works, ad does not.
>
> Very strange, but just one thing, you don't actually have to set the
> netbios name in smb.conf.
In the known good smb.conf I left it out already. Maybe amend the Wiki page accordingly, i.e. put in a note that you can leave out some parameters, as they are defaults anyway (winbind trusted domains only = no is even deprecated/ignored?)
> It might help if you post your smb.conf.
Here goes:
[global]
workgroup = TEST
security = ADS
realm = TEST.BUERGER-ENERGIE-BERLIN.DE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
[demoshare]
path = /usr/local/share/test
read only = no
>
>>
>> There seems to be a problem with FreeBSD as a member server after all.
>
> Possibly
>
>>
>> And I will check with Ubuntu 12.04 again.
Which might take a while, figuring out where to put compiled binaries etc.
The stock packages are too old (no libnss-winbind for starters) and I don't feel like registering at SerNet.
But I have a hunch that this was why it didn't work back then - me too stupid, not putting libs in the right directory or something like that.
> [...]
>> At one point I thought that this might be the problem - so long as
>> there's only even one single group/user that doesn't have a
>> [gu]idNumber
>> set, it wouldn't work. That assumption was wrong, obviously. But it
>> didn't hurt either with the hunt for the problem at hand.
>
> If you use the 'ad' backend, winbind will only pull users & groups
> that have a uidNumber or gidNumber, these numbers need to be inside
> the range set in smb.conf, any other users are ignored.
Like it says in the manpage. But as I said, at one point I thought that this might be "all or nothing", which the documentation fails to mention. Fortunately this is not the case; it works as advertised.
>> The highest uid in use on the BSD is for the 'nobody' user (65534). It
>> might be a while before the AD user/group count gets to that, but I
>> wanted to play it safe here and started beyond that.
>> msSFU30MaxUidNumber
>> and msSFU30MaxGidNumber are set accordingly.
>
> Yes, I noticed that about 'nobody' (there was probably a reason for
> this) so my adduser script jumps around 65534.
But tools like ADUC don't respect that (?) I plan to delegate some of the user/group administration. The delegates will most likely use the MS tools.
>>> I think your problem is that you have given your users/groups
>>> numbers that are outside the ranges you have set in AD.
>> No, it's not. (Since it works on Ubuntu now.)
>
> Well it was just a thought, I know I had problems when I first started
> using winbind, I could only get the RID backend to work, until it just
> seemed to click and now I have no problems. :-)
Seems like history repeats itself once more :D
Cheers,
Andreas
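The thread turns on one rule of the idmap_ad backend: only accounts whose uidNumber/gidNumber falls inside the configured `idmap config DOM:range` are mapped, and everything else is silently ignored, plus the side concerns of keeping the `*` and `TEST` ranges disjoint and of not colliding with local uids such as FreeBSD's `nobody` (65534). The script below is an added example, not code from this mail or from the Samba project: it parses the `idmap config` lines of the smb.conf posted above and applies that rule to a constructed list of AD accounts and a constructed local passwd excerpt (the account names and uidNumbers are invented for illustration).

```python
"""Which AD accounts would winbind's idmap_ad backend actually map?

Added example; it is not code from the mail above or from the Samba project.
It applies the rule stated in the thread: with 'idmap config DOM:backend = ad',
only accounts whose uidNumber/gidNumber lies inside 'idmap config DOM:range'
are mapped, and everything else is silently ignored. It also checks for
overlapping idmap ranges and for IDs that collide with local passwd entries
such as FreeBSD's 'nobody' (65534). The smb.conf text is taken from the
thread; the AD account list and local passwd table are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# smb.conf fragment as posted in the thread ([global] idmap lines only).
SMB_CONF = """
[global]
workgroup = TEST
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70000-99999
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 100000-2000000
"""

# Constructed AD accounts: (sAMAccountName, uidNumber or None). Not real data.
AD_USERS: List[Tuple[str, Optional[int]]] = [
    ("alice", 100001),
    ("bob", 100002),
    ("carol", None),      # no uidNumber attribute: never mapped by the ad backend
    ("dave", 65534),      # below the TEST range; also the local 'nobody' uid
    ("erin", 3000000),    # above the TEST range
]

# Constructed local /etc/passwd excerpt (uid -> name).
LOCAL_PASSWD: Dict[int, str] = {0: "root", 65534: "nobody"}

_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"], {})[m["opt"].lower()] = m["val"]
    return domains


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' as used by 'idmap config DOM:range'."""
    low, high = (int(x) for x in spec.split("-", 1))
    if low > high:
        raise ValueError(f"bad idmap range {spec!r}")
    return low, high


def mapped_users(conf: str, domain: str,
                 users: List[Tuple[str, Optional[int]]]) -> Tuple[List[str], Dict[str, str]]:
    """Split users into those the ad backend maps and those it ignores (with reason)."""
    cfg = parse_idmap(conf).get(domain, {})
    if cfg.get("backend", "").lower() != "ad":
        raise ValueError(f"domain {domain!r} does not use the ad backend")
    low, high = parse_range(cfg["range"])
    mapped: List[str] = []
    ignored: Dict[str, str] = {}
    for name, uid in users:
        if uid is None:
            ignored[name] = "no uidNumber"
        elif not low <= uid <= high:
            ignored[name] = f"uidNumber {uid} outside {low}-{high}"
        else:
            mapped.append(name)
    return mapped, ignored


def overlapping_ranges(conf: str) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap (smb.conf requires disjoint ranges)."""
    ranges = {d: parse_range(o["range"]) for d, o in parse_idmap(conf).items() if "range" in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def local_collisions(users: List[Tuple[str, Optional[int]]],
                     passwd: Dict[int, str]) -> Dict[str, str]:
    """AD accounts whose uidNumber is already taken by a local passwd entry."""
    return {name: passwd[uid] for name, uid in users if uid is not None and uid in passwd}


if __name__ == "__main__":
    ok, bad = mapped_users(SMB_CONF, "TEST", AD_USERS)
    print("mapped:", ok)
    for name, why in bad.items():
        print(f"ignored {name}: {why}")
    print("overlapping ranges:", overlapping_ranges(SMB_CONF))
    print("local uid collisions:", local_collisions(AD_USERS, LOCAL_PASSWD))
```

On a real member server the account list would come from `ldapsearch` or `wbinfo`, and the passwd table from `getent passwd`; the point of the check is that a user missing from `getent passwd` after a successful join is usually one of the "ignored" cases above rather than a broken backend.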