[Samba] Winbindd Strangeness
David Minard
david at scem.uws.edu.au
Tue Jun 23 19:55:06 MDT 2015
On 23/06/15 13:32, David Minard wrote:
> I've set up a DC and a Member Server for a file server. Both are running on Centos7 and samba version 4.2.2. The Member Server is running smbd and winbindd.
>
> I've followed the wiki and for the most part it's working. However, after stuffing up the ranges, then fixing them up, when I create new accounts, adding all the Unix attributes, the UID_Number is not showing the correct value for new accounts. Existing ones are okay.
>
> Member_Server Config:
>
> [global]
>
> netbios name = MS1
> workgroup = AD
> security = ADS
> realm = SAMBADOM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 30000000-40000000
> idmap config SAMBADOM:backend = ad
> idmap config SAMBADOM:schema_mode = rfc2307
> idmap config SAMBADOM:range = 600-29999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
>
>
> Existing Account:
> getent passwd fred
>
> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>
> New Account:
>
> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>
> Fred1 was set up with --uid-number='5004'
>
> I've tried clearing winbindd caches as per some post I read:
>
> systemctl stop winbindd
> rm /usr/local/samba/var/locks/group_mapping.tdb* /usr/local/samba/var/locks/winbindd_idmap.tdb* /usr/local/samba/var/locks/winbindd_cache.tdb*
> systemctl start winbindd
>
> But no change.
>
> I've also noticed that the default group that all users are in used to be "domain users", now for some reason they are all in "BUILTIN\administrators" !
>
> Am I doing something wrong? If so, what. If not, how do I track down why this is happening?
>
>
> Cheers,
> David Minard.
> Ph: 0247 360 155
> Fax: 0247 360 770
>
> School of Computing, Engineering, and Mathematics
> Building Y - Penrith Campus (Kingswood)
> Locked bag 1797
> Penrith South DC
> NSW 1797
>
> [Sometimes waking up just isn't worth the insult of the day to come.]
>
>
Yes, you do appear to be doing things wrong

workgroup = AD

but:

idmap config SAMBADOM:backend = ad
idmap config SAMBADOM:schema_mode = rfc2307
idmap config SAMBADOM:range = 600-29999999

'SAMBADOM' should be 'AD'

You have 'realm = SAMBADOM', it really should be something like 'realm = SAMBADOM.COM'

Rowland

Thanks for the quick reply Rowland. The change didn't make any difference. I remember having it the way you suggested in the first place, but was still getting strangeness. I have put it back to the right way as suggested. I now have a config of:
[global]
netbios name = MS1
workgroup = AD
security = ADS
realm = SAMDOM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 30000000-40000000
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 600-29999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
SAMDOM is as you say, a domain name for the AD.
I noticed that the UIDNumber of new accounts is overlapping with system accounts.
fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
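
A check an administrator could run for the two symptoms in this thread: an `idmap config` domain that does not match `workgroup`, and accounts sharing a UID inside the default `*` range (two names on one UID are the same owner to the file server's permission checks). This is an added example, not code from the thread or from Samba; `parse_conf` and `audit` are hypothetical names, and the inputs are abridged from the settings and `getent passwd` lines quoted above.

```python
import re
from collections import defaultdict

# Abridged from the first smb.conf posted in the thread.
SMB_CONF = """\
[global]
workgroup = AD
idmap config *:range = 30000000-40000000
idmap config SAMBADOM:backend = ad
idmap config SAMBADOM:range = 600-29999999
"""
# getent passwd lines quoted in the thread.
PASSWD = """\
fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
"""

def parse_conf(text):
    """Return (workgroup, {idmap domain: (low, high)}) from smb.conf text."""
    workgroup, ranges = None, {}
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key.lower() == "workgroup":
            workgroup = value.upper()
        m = re.fullmatch(r"idmap config\s+(\S+?)\s*:\s*range", key, re.I)
        if m:
            ranges[m.group(1).upper()] = tuple(int(n) for n in value.split("-"))
    return workgroup, ranges

def audit(conf_text, passwd_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    workgroup, ranges = parse_conf(conf_text)
    findings = [f"idmap domain {d} does not match workgroup {workgroup}"
                for d in ranges if d not in ("*", workgroup)]
    low, high = ranges.get("*", (0, -1))  # no '*' range: nothing falls inside it
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        name, _, uid = line.split(":")[:3]
        by_uid[int(uid)].append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} shared by {', '.join(names)}")
        if low <= uid <= high:
            findings.append(f"uid {uid} ({', '.join(names)}) is in the default '*' range")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, PASSWD)))
```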