[Samba] Samba 3 AD Member Server Strangeness
Brian.Huffman at dupont.com
Fri Jun 19 14:39:06 MDT 2015
All,
I'm trying to configure a Samba 3 AD member server including winbind. I'm on RHEL 6.6, so I'm using Samba version 3.6.23.
Here's my configuration:
[global]
log level = 3 winbind:10
workgroup = ABC
server string = LV37
netbios name = LV37
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ABC:backend = rid
idmap config ABC:range = 10000-199999
winbind use default domain = true
winbind enum users = no
winbind enum groups = no
winbind refresh tickets = yes
template homedir = /
template shell = /sbin/nologin
realm = ABC.NET
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
allow trusted domains = no
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
map to guest = Bad User
In general I followed the guide at https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
We have been able to do a wbinfo -u and all users come back. Unfortunately not all users are getting mapped to uids:
[root@eslv37 samba]# wbinfo -u | egrep 'jx2354|nj3586'
jx2354
nj3586
[root@eslv37 samba]# wbinfo -i nj3586
nj3586:*:11813:10513:USER NAME:/:/sbin/nologin
[root@eslv37 samba]# wbinfo -i jx2354
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user jx2354
For a user that works, I see this in the winbind logs:
[2015/06/19 16:28:56.608328, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam nj3586
[2015/06/19 16:28:56.608388, 10] winbindd/winbindd_dual.c:1370(fork_domain_child)
fork_domain_child called for domain 'ABC'
[2015/06/19 16:28:56.608817, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
Child process 5713
[2015/06/19 16:28:56.720068, 10] winbindd/winbindd_cm.c:377(winbind_msg_domain_online)
Domain DUPONTNET is marked as online now.
[2015/06/19 16:28:56.746994, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
idmap_cache_find_sid2uid found 11813
[2015/06/19 16:28:56.747036, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-513)
[2015/06/19 16:28:56.747065, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
calling find_our_domain
[2015/06/19 16:28:56.749758, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
idmap_cache_find_sid2gid found 10513
[2015/06/19 16:28:56.749811, 10] winbindd/winbindd.c:707(wb_request_done)
wb_request_done[5712:GETPWNAM]: NT_STATUS_OK
[2015/06/19 16:28:56.749854, 10] winbindd/winbindd.c:768(winbind_client_response_written)
winbind_client_response_written[5712:GETPWNAM]: delivered response to client
[2015/06/19 16:28:56.750538, 6] winbindd/winbindd.c:870(winbind_client_request_read)
closing socket 27, client exited
For a user that doesn't, I see this:
getpwnam jx2354
[2015/06/19 16:29:32.187469, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
[2015/06/19 16:29:32.187510, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
calling find_our_domain
[2015/06/19 16:29:32.188077, 10] winbindd/winbindd_dual.c:1372(fork_domain_child)
fork_domain_child called without domain.
[2015/06/19 16:29:32.188445, 10] winbindd/winbindd_dual.c:1426(fork_domain_child)
Child process 5718
[2015/06/19 16:29:32.215807, 5] winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-369997941-647960827-447208795-732503: NT_STATUS_NONE_MAPPED
[2015/06/19 16:29:32.215861, 10] winbindd/winbindd.c:707(wb_request_done)
wb_request_done[5717:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2015/06/19 16:29:32.215903, 10] winbindd/winbindd.c:768(winbind_client_response_written)
winbind_client_response_written[5717:GETPWNAM]: delivered response to client
[2015/06/19 16:29:32.216636, 6] winbindd/winbindd.c:870(winbind_client_request_read)
closing socket 27, client exited
I can't figure out what I'm doing wrong.
Any ideas?
Thanks!
Brian
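
An added example, not part of the original post and not Samba's own code: it checks the SIDs from the winbind log lines above against the `idmap config ABC:range` setting, assuming the documented idmap_rid formula ID = RID - base_rid + low with base_rid at its default of 0. The function names are hypothetical; the config and log excerpts are copied from the post.

```python
import re

# Excerpts copied from the post's smb.conf and winbind log.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config ABC:backend = rid
idmap config ABC:range = 10000-199999
"""
LOG = """\
  find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-513)
  find_lookup_domain_from_sid(S-1-5-21-369997941-647960827-447208795-732503)
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M | re.I)
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)")  # captures the trailing RID


def rid_range(conf, domain):
    """Return (low, high) from the 'idmap config DOMAIN:range' line."""
    for name, low, high in RANGE_RE.findall(conf):
        if name.upper() == domain.upper():
            return int(low), int(high)
    raise KeyError(f"no idmap range configured for {domain}")


def map_rid(rid, low, high, base_rid=0):
    """Assumed idmap_rid formula: ID = RID - base_rid + low; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def check_log(log, conf, domain):
    """Map every distinct domain SID seen in the log; return {rid: id or None}."""
    low, high = rid_range(conf, domain)
    rids = sorted({int(r) for r in SID_RE.findall(log)})
    return {rid: map_rid(rid, low, high) for rid in rids}


if __name__ == "__main__":
    low, high = rid_range(SMB_CONF, "ABC")
    for rid, unix_id in check_log(LOG, SMB_CONF, "ABC").items():
        if unix_id is None:
            print(f"RID {rid}: {rid + low} falls outside {low}-{high}, no mapping")
        else:
            print(f"RID {rid}: maps to {unix_id}")
```

The IDs in the post's successful lookup fit the same arithmetic: gid 10513 is RID 513 plus the low bound 10000.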