[Samba] Cannot chown file to active directory user/group on member server
Rowland Penny
rowlandpenny241155 at gmail.com
Wed Nov 18 09:34:14 UTC 2015
On 17/11/15 23:09, Jeff Dickens wrote:
> So I am still stuck. For reference here is the smb.conf on the member
> server:
>
> root at florence:~# more /etc/samba/smb.conf
> [global]
>
> netbios name = FLORENCE
> security = ADS
> workgroup = IOL
> realm = IOL.SEAMANPAPER.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> # idmap config used for your domain.
> # Choose one of the following backends fitting to your
> # requirements and add the corresponding configuration.
> # idmap config ad
> # - idmap config rid
> # - idmap config autorid
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config IOL:backend = ad
> idmap config IOL:schema_mode = rfc2307
> idmap config IOL:range = 1000000-9999999
>
> winbind nss info = rfc2307
>
>
> [home]
> path=/home/
> read only = No
>
>
> I increased the range because it seems like the DC is using IDs above
> 1,000,000. This is on the DC:
Ah, I think I see your problem: you think that because a user on the DC
gets a uid, it should get one on a domain member without any
intervention on your part.
Did you miss this:
Prerequisites
* NIS extensions
  <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
  installed in AD and RFC2307 enabled
  <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
  in each DC's smb.conf
* Users and groups have RFC2307 attributes set in AD
on this wiki page:
https://wiki.samba.org/index.php/Idmap_config_ad
This means that any users that must be known to a Unix domain member
*must* have a unique uidNumber; also, Domain Users (at least) *must* have
a unique gidNumber. These numbers must be inside the range you set in
smb.conf, in your case '1000000-9999999'.
The numbers used on the DC are 'xidNumbers'; they are only used on a DC,
and they could be different on other DCs.
If you do not want to add rfc2307 attributes, you could use the winbind
'rid' backend instead, see the wiki.
Rowland
>
> root at athens:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root at athens:~# wbinfo -i administrator
> administrator:*:0:100::/home/IOL/administrator:/bin/false
> root at athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root at athens:~#
>
>
> And on the member server:
>
> root at florence:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root at florence:~# wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~#
>
> Also:
>
> root at florence:~# wbinfo -n test1
> S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
> root at florence:~# wbinfo -n administrator
> S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)
>
> Thought it might have something to do with the fact that the Kerberos
> user tools were not installed, but I set them up and no change.
>
> root at florence:~# kinit administrator at IOL.SEAMANPAPER.COM
> Password for administrator at IOL.SEAMANPAPER.COM:
> root at florence:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at IOL.SEAMANPAPER.COM
>
> Valid starting       Expires              Service principal
> 11/17/2015 17:20:51  11/18/2015 03:20:51  krbtgt/IOL.SEAMANPAPER.COM at IOL.SEAMANPAPER.COM
>         renew until 11/18/2015 17:19:59
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~# !smbc
> smbcontrol all reload-config
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~#
>
> I found a note about a missing link to libnss_winbind.so.2; fixed
> that and no difference.
>
> So it can list the users but not get the IDs... So it seems to have
> some kind of authentication issue.
>
> I've been all through the wiki and can't find anything else that seems
> relevant.
>
>
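An added check that follows from Rowland's point above (this is example code written for this page, not code from the thread or from the Samba project): with `idmap config IOL:backend = ad`, a member server only resolves accounts whose AD objects carry a `uidNumber` (and, for their primary group, a `gidNumber`) inside the configured range; the `xidNumber` that `wbinfo -i` shows on the DC is never consulted. The script below audits an LDIF dump of the user objects for exactly those conditions. The `ldbsearch` command named in the comments, the `/var/lib/samba/private/sam.ldb` path and the sample records are this example's assumptions; the records are constructed, not real directory data.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: audit the RFC2307
# attributes that 'idmap config IOL:backend = ad' relies on. On a DC, feed it
# the LDIF that ldbsearch prints (assumed invocation, not stated in the thread):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber | audit_rfc2307 1000000 9999999

# audit_rfc2307 LOW HIGH   (reads LDIF records on stdin)
# Prints one line per account: "<name> OK uid=<n> gid=<n>" or "<name> <PROBLEM>",
# PROBLEM being NO_UIDNUMBER, UID_OUT_OF_RANGE, NO_GIDNUMBER or GID_OUT_OF_RANGE.
# Exit status is 1 if any account has a problem, 0 otherwise. An account with
# no uidNumber is what makes 'wbinfo -i' fail on an 'ad'-backend member even
# though 'wbinfo -n' still resolves its SID.
audit_rfc2307() {
    awk -v low="$1" -v high="$2" '
        BEGIN { low += 0; high += 0 }          # force numeric comparison
        function verdict(name, uid, gid) {
            if (uid == "")                       return "NO_UIDNUMBER"
            if (uid + 0 < low || uid + 0 > high) return "UID_OUT_OF_RANGE uid=" uid
            if (gid == "")                       return "NO_GIDNUMBER"
            if (gid + 0 < low || gid + 0 > high) return "GID_OUT_OF_RANGE gid=" gid
            return "OK uid=" uid " gid=" gid
        }
        function flush() {
            if (name == "") return
            v = verdict(name, uid, gid)
            if (v !~ /^OK /) bad++
            print name " " v
            name = ""; uid = ""; gid = ""
        }
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { uid = $2 }
        /^gidNumber: /      { gid = $2 }
        /^$/                { flush() }        # a blank line ends an LDIF record
        END                 { flush(); exit (bad > 0) }
    '
}

# Constructed sample records (not real directory data): one account with
# usable attributes, one with no RFC2307 attributes at all (the state Rowland
# suspects the poster's accounts are in) and one whose uidNumber falls in the
# '*' tdb range rather than the IOL range.
SAMPLE_LDIF='dn: CN=Test One,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: test1
uidNumber: 1000001
gidNumber: 1000000

dn: CN=Administrator,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: administrator

dn: CN=Legacy,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: legacy
uidNumber: 5000
gidNumber: 1000000
'

# Run against the constructed sample; a real audit pipes ldbsearch output instead.
printf '%s' "$SAMPLE_LDIF" | audit_rfc2307 1000000 9999999 \
    || echo "some accounts lack usable RFC2307 attributes for this idmap range"
```

Only accounts reported `OK` will resolve through `wbinfo -i` on the member with the `ad` backend; the others need `uidNumber`/`gidNumber` set in AD, or the member has to switch to the `rid` backend, which derives IDs from the SID and needs no attributes at all.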