[Samba] Cannot chown file to active directory user/group on member server

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 18 09:34:14 UTC 2015


On 17/11/15 23:09, Jeff Dickens wrote:
> So I am still stuck.  For reference here is the smb.conf on the member 
> server:
>
> root at florence:~# more /etc/samba/smb.conf
> [global]
>
>        netbios name = FLORENCE
>        security = ADS
>        workgroup = IOL
>        realm = IOL.SEAMANPAPER.COM
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        dedicated keytab file = /etc/krb5.keytab
>        kerberos method = secrets and keytab
>        winbind refresh tickets = yes
>
>        winbind trusted domains only = no
>        winbind use default domain = yes
>        winbind enum users  = yes
>        winbind enum groups = yes
>
>        # idmap config used for your domain.
>        # Choose one of the following backends fitting to your
>        # requirements and add the corresponding configuration.
>        # idmap config ad
>        #  - idmap config rid
>        #  - idmap config autorid
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>         idmap config IOL:backend = ad
>         idmap config IOL:schema_mode = rfc2307
>         idmap config IOL:range = 1000000-9999999
>
>         winbind nss info = rfc2307
>
>
> [home]
>         path=/home/
>         read only = No
>
>
> I increased the range because it seems like the DC is using IDs above 
> 1,000,000.  This is on the DC:

Ah, I think I see your problem: you think that because a user on the DC 
gets a uid, it should get one on a domain member without any 
intervention on your part.

Did you miss this:


    Prerequisites

  * NIS extensions
    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
    installed in AD and RFC2307 enabled
    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
    in each DC's smb.conf
  * Users and groups have RFC2307 attributes set in AD


on this wiki page:

https://wiki.samba.org/index.php/Idmap_config_ad

This means that any users that must be known to a Unix domain member 
*must* have a unique uidNumber; also, Domain Users (at least) *must* have 
a unique gidNumber. These numbers must be inside the range you set in 
smb.conf, in your case '1000000-9999999'.

The numbers used on the DC are 'xidNumbers'; they are only used on a DC 
and could be different on other DCs.

If you do not want to add rfc2307 attributes, you could use the winbind 
'rid' backend instead, see the wiki.

Rowland

>
> root at athens:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root at athens:~# wbinfo -i administrator
> administrator:*:0:100::/home/IOL/administrator:/bin/false
> root at athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root at athens:~#
>
>
> And on the member server:
>
> root at florence:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root at florence:~# wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~#
>
> Also:
>
> root at florence:~# wbinfo -n test1
> S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
> root at florence:~# wbinfo -n administrator
> S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)
>
> Thought it might have something to do with the fact that the Kerberos 
> user tools were not installed, but I set them up and no change.
>
> root at florence:~# kinit administrator at IOL.SEAMANPAPER.COM
> Password for administrator at IOL.SEAMANPAPER.COM:
> root at florence:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at IOL.SEAMANPAPER.COM
>
> Valid starting       Expires    Service principal
> 11/17/2015 17:20:51  11/18/2015 03:20:51  krbtgt/IOL.SEAMANPAPER.COM at IOL.SEAMANPAPER.COM
>         renew until 11/18/2015 17:19:59
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~# !smbc
> smbcontrol all reload-config
> root at florence:~# wbinfo -i test1
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root at florence:~#
>
> I found a note about a missing link to libnss_winbind.so.2; fixed 
> that and no difference.
>
> So it can list the users but not get the IDs... So it seems to have 
> some kind of authentication issue.
>
> I've been all through the wiki and can't find anything else that seems 
> relevant.
>
>
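One way to check a member server's smb.conf against the prerequisite Rowland describes (every user the member must know needs a uidNumber inside the 'ad' backend range, and the '*' default range must not overlap it), as an added example that is not part of this thread or of Samba's own tooling; the smb.conf fragment and the (name, uidNumber) pairs are constructed sample data standing in for what you would read back from AD with ldbsearch or samba-tool:

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches lines such as "idmap config IOL:range = 1000000-9999999".
IDMAP_RE = re.compile(r'^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.I)

# Constructed sample data: a member's idmap settings and (name, uidNumber) pairs.
SAMPLE_CONF = """
        idmap config *:range = 2000-9999
        idmap config IOL:backend = ad
        idmap config IOL:range = 1000000-9999999
"""
SAMPLE_USERS = [('administrator', None), ('test1', 1000001), ('bob', 10005)]

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every uncommented idmap config line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(('#', ';')):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in value.split('-', 1))  # e.g. '2000-9999'
    return lo, hi

def overlapping_ranges(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap; Samba requires them disjoint."""
    ranges = {d: parse_range(o['range']) for d, o in cfg.items() if 'range' in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def check_users(cfg, domain: str, users: List[Tuple[str, Optional[int]]]) -> Dict[str, str]:
    """Classify each user against the domain's 'ad' range (uidNumber in AD, not xidNumber)."""
    lo, hi = parse_range(cfg[domain.upper()]['range'])
    result = {}
    for name, uid in users:
        if uid is None:  # no RFC2307 attribute: winbind on a member cannot map it
            result[name] = 'no uidNumber: will not map on a member server'
        elif not lo <= uid <= hi:
            result[name] = f'uidNumber {uid} outside idmap range {lo}-{hi}'
        else:
            result[name] = 'ok'
    return result
```

Running check_users over the real attribute values from AD shows at a glance which accounts will fail with the same "could not get info" result as above until their uidNumber/gidNumber is set inside the configured range.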
