[Samba] Winbindd Strangeness
David Minard
david at scem.uws.edu.au
Thu Jun 25 06:44:04 MDT 2015
>
> On 24/06/15 02:55, David Minard wrote:
>> On 23/06/15 13:32, David Minard wrote:
>>
>>> I've set up a DC and a Member Server for a file server. Both are
>>> running on Centos7 and samba version 4.2.2. The Member Server is
>>> running smbd and winbindd.
>>>
>>> I've followed the wiki and for the most part it's working.
>>> However, after stuffing up the ranges, then fixing them up, when I
>>> create new accounts, adding all the Unix attributes, the UID_Number
>>> is not showing the correct value for new accounts. Existing ones are
>>> okay.
>>>
>>> Member_Server Config:
>>>
>>> [global]
>>>
>>> netbios name = MS1
>>> workgroup = AD
>>> security = ADS
>>> realm = SAMBADOM
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 30000000-40000000
>>> idmap config SAMBADOM:backend = ad
>>> idmap config SAMBADOM:schema_mode = rfc2307
>>> idmap config SAMBADOM:range = 600-29999999
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = Yes
>>>
>>>
>>>
>>> Existing Account:
>>> getent passwd fred
>>>
>>> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>>>
>>> New Account:
>>>
>>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>>>
>>> Fred1 was set up with --uid-number='5004'
>>>
>>> I've tried clearing winbindd caches as per some post I read:
>>>
>>> systemctl stop winbindd
>>> rm /usr/local/samba/var/locks/group_mapping.tdb* \
>>>    /usr/local/samba/var/locks/winbindd_idmap.tdb* \
>>>    /usr/local/samba/var/locks/winbindd_cache.tdb*
>>> systemctl start winbindd
>>>
>>> But no change.
>>>
>>> I've also noticed that the default group that all users are in
>>> used to be "domain users", now for some reason they are all in
>>> "BUILTIN\administrators" !
>>> Am I doing something wrong? If so, what? If not, how do
>>> I track down why this is happening?
>>>
>>> Cheers,
>>> David Minard.
>>> Ph: 0247 360 155
>>> Fax: 0247 360 770
>>>
>>> School of Computing, Engineering, and Mathematics
>>> Building Y - Penrith Campus (Kingswood)
>>> Locked bag 1797
>>> Penrith South DC
>>> NSW 1797
>>>
>>> [Sometimes waking up just isn't worth the insult of the day to
>>> come.]
>>>
>>>
>> Yes, you do appear to be doing things wrong. workgroup = AD but:
>> idmap config SAMBADOM:backend = ad
>> idmap config SAMBADOM:schema_mode = rfc2307
>> idmap config SAMBADOM:range = 600-29999999
>> 'SAMBADOM' should be 'AD'
>> You have 'realm = SAMBADOM', it really should be something
>> like 'realm = SAMBADOM.COM'
>> Rowland
>>
>> Thanks for the quick reply Rowland. The change didn't make any
>> difference. I remember having it the way you suggested in the first
>> place, but was still getting strangeness. I have put it back to the
>> right way as suggested. I now have a config of:
>>
>> [global]
>>
>> netbios name = MS1
>> workgroup = AD
>> security = ADS
>> realm = SAMDOM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 30000000-40000000
>> idmap config AD:backend = ad
>> idmap config AD:schema_mode = rfc2307
>> idmap config AD:range = 600-29999999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>>
>> SAMDOM is, as you say, a domain name for the AD.
>>
>> I noticed that the UIDNumber of new accounts is overlapping with
>> system accounts.
>>
>> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>>
>> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
>> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false
>>
>>
>
>
> Strange, have you tried running 'net cache flush' on the member server ?
No I hadn't. I tried it. Now 'getent passwd' only gives me the Unix accounts on the server. 'wbinfo -u' works fine.
> Have you given all the users & groups an ID number in AD ?
Only users and groups that I have created. Do I have to do that for the default accounts too?
>
> Can you post the exact command you are using to create users.
>
samba-tool user add fred --userou='OU=Test Users' --profile-path='\\ms1.example.com\profiles\fred' --home-drive='u:' --home-directory='\\ms1.example.com\fred' --login-shell='/bin/tcsh' --gecos='Fred Nerks' --gid-number='600' --uid-number='4999' --uid='fred' --unix-home='/home/fred' --nis-domain='AD' --surname='Nerks' --given-name='Fred' --mail-address='fred at example.com' --random-password
> Rowland
>
> Cheers,
> David Minard.
> Ph: 0247 360 155
> Fax: 0247 360 770
>
> School of Computing, Engineering, and Mathematics
> Building Y - Penrith Campus (Kingswood)
> Locked bag 1797
> Penrith South DC
> NSW 1797
>
> [Sometimes waking up just isn't worth the insult of the day to come.]
>
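As an added diagnostic for the problem discussed in this thread (example code written for this page, not from the thread or from the Samba project): a small POSIX shell script that parses the idmap config ranges out of an smb.conf fragment and classifies each 'getent passwd' line by the range its UID landed in. An account whose rfc2307 uidNumber is being honoured falls inside the AD range; one that silently fell back to the allocating '*' tdb backend, as fred1 did above, lands in the '*' range and stands out. It also checks that the two ranges are disjoint, which Samba requires. The smb.conf fragment and the passwd lines are constructed from the values posted in the thread; the function names (range_of, classify_uids, count_fallback, ranges_overlap) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Classifies accounts resolved through winbind by which idmap range their
# UID landed in: an account whose rfc2307 uidNumber is honoured falls inside
# "idmap config AD:range"; one that silently fell back to the allocating
# "*" backend lands in "idmap config *:range" (as fred1 did in the thread).

# Constructed smb.conf fragment, mirroring the member server config above.
SMB_CONF='[global]
idmap config *:backend = tdb
idmap config *:range = 30000000-40000000
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 600-29999999'

# Constructed "getent passwd" lines, values taken from the thread.
PASSWD='fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh'

# range_of CONF DOMAIN  -> prints "LOW HIGH" from "idmap config DOMAIN:range".
# Exact key comparison (no regex) so the "*" domain needs no escaping.
range_of() {
    printf '%s\n' "$1" | awk -F'=' -v key="idmap config $2:range" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); split(v, r, "-"); print r[1], r[2]; exit }'
}

# ranges_overlap LO1 HI1 LO2 HI2 -> true (exit 0) when the two ranges overlap.
# Samba requires idmap ranges to be disjoint; overlap is a misconfiguration.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# classify_uids CONF DOMAIN PASSWD_LINES -> one "NAME UID VERDICT" line per account.
classify_uids() {
    set -- "$1" "$2" "$3" $(range_of "$1" "$2") $(range_of "$1" '*')
    # $4 $5 = domain range, $6 $7 = fallback range
    printf '%s\n' "$3" | awk -F':' -v dlo="$4" -v dhi="$5" -v flo="$6" -v fhi="$7" '
        NF >= 3 {
            uid = $3 + 0
            if (uid >= dlo && uid <= dhi)      v = "ad-range"
            else if (uid >= flo && uid <= fhi) v = "fallback-range"
            else                               v = "outside-any-range"
            print $1, uid, v
        }'
}

# count_fallback CONF DOMAIN PASSWD_LINES -> number of accounts that fell back.
count_fallback() {
    classify_uids "$@" | awk '$3 == "fallback-range" { n++ } END { print n + 0 }'
}

# Stand-alone run: report per-account verdicts and the range sanity check.
classify_uids "$SMB_CONF" AD "$PASSWD"
if ranges_overlap $(range_of "$SMB_CONF" AD) $(range_of "$SMB_CONF" '*'); then
    echo "WARNING: AD and * idmap ranges overlap"
else
    echo "idmap ranges are disjoint"
fi
echo "accounts in fallback range: $(count_fallback "$SMB_CONF" AD "$PASSWD")"
```

On a real member server, replace the two constructed variables with `$(cat /etc/samba/smb.conf)` and `$(getent passwd)`; any domain account reported as fallback-range is one whose uidNumber winbind did not pick up from AD, which is the symptom the thread describes.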