[Samba] multiple domain and winbind use default domain
BLINDAUER Emmanuel
e.blindauer at gmail.com
Fri Aug 19 07:22:50 UTC 2016
Hello
I'm preparing a new fileserver, based on jessie + sernet 4.2.10
packages. The server is bound to a forest, "AD", where user accounts are
stored, and to subdomains "PSI" for computers and some local accounts.
The Active Directory forest is managed by 2008R2 servers, with rfc2307
attributes filled in for accounts.
I'm using "winbind use default domain" because the users are also used on
Linux PC labs.
So currently a user user1 from domain AD can request a ticket and
access his share with smbclient -k //server/user1
wbinfo -i user1 gives correct values.
But a user admin.eb from subdomain PSI can't access his share after
requesting a ticket.
wbinfo -i admin.eb gives correct value:
PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
but the smbd logs are saying:
Adding homes service for user 'PSI+admin.eb' using home directory:
'/psihome/admin/admin.eb'
adding home's share [admin.eb] for user 'PSI+admin.eb' at
'/psihome/admin/admin.eb'
smb_pam_start: PAM: Init passed for user: PSI+admin.eb
smb_pam_account: PAM: Account OK for User: PSI+admin.eb
string_to_sid: SID admin.eb is not in a valid format
user 'PSI+admin.eb' (from session setup) not permitted to access this
share (admin.eb)
Looking in log.winbindd, winbindd tries several name searches:
getpwnam psi+admin.eb
getpwnam PSI+admin.eb
getpwnam PSI+admin.eb
lookupname AD+admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
lookupname Unix User+admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
getpwnam admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
getpwnam ADMIN.EB
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
To be sure, I verified the account on the server:
# getent passwd PSI+admin.eb
PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
It seems that the domain is dropped.
If I add a local user account in /etc/passwd:
admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
it works fine.
Here is the smb.conf:
# Global parameters
[global]
workgroup = AD
realm = AD.UNISTRA.FR
server role = member server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind max domain connections = 100
idmap config psi : range = 5000-9998
idmap config psi : schema_mode = rfc2307
idmap config psi : backend = ad
idmap config ad : schema_mode = rfc2307
idmap config ad : range = 9999-1000000
idmap config ad : default = yes
idmap config ad : backend = ad
idmap config * : range = 3000-4000
idmap config * : backend = tdb2
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
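The failure described above comes down to how `valid users = %S` is expanded: for an auto-created [homes] share the share name is the bare user name, so the entry becomes `admin.eb` with no domain, and with `winbind use default domain = Yes` a bare name is only tried in the default domain (AD) and then as a local Unix user, which is exactly the sequence in the log.winbindd excerpt. The following is an added example, not code from the post or from Samba: it parses a cut-down copy of the posted smb.conf, expands the documented `%D`, `%w` and `%S` substitutions, and resolves the result against a toy account table. The lookup order in `resolve()` is an assumption read off the posted log, the uid for `user1` is made up, and the `%D%w%S` variant is offered as a candidate (untested here) way to keep the session user's domain in the entry.

```python
"""Added example: model of `valid users = %S` under `winbind use default
domain`.  Not from the mailing-list post and not Samba code; the winbind
lookup order below is an assumption taken from the posted log.winbindd lines."""

DEFAULT_DOMAIN = "AD"   # workgroup = AD in the posted smb.conf
SEPARATOR = "+"         # winbind separator = +

# Constructed stand-in for winbind's view of the forest.
# PSI+admin.eb uid 9994 is from the post's wbinfo output; user1's uid is made up.
ACCOUNTS = {
    ("AD", "user1"): 10001,      # assumed uid inside the "idmap config ad" range
    ("PSI", "admin.eb"): 9994,   # from: wbinfo -i admin.eb
}
LOCAL_PASSWD = {}                # name -> uid for entries in /etc/passwd

# Cut-down copy of the posted smb.conf; only the keys this example reads.
SMB_CONF_AS_POSTED = """
[global]
    workgroup = AD
    winbind separator = +
    winbind use default domain = Yes
[homes]
    valid users = %S
"""
# Candidate variant (assumption, not from the post): keep the user's domain.
SMB_CONF_QUALIFIED = SMB_CONF_AS_POSTED.replace("valid users = %S",
                                                "valid users = %D%w%S")


def parse_smb_conf(text):
    """Tiny smb.conf reader: {section: {key: value}}, names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def substitute(value, share, domain, sep=SEPARATOR):
    """Expand the smb.conf(5) variables this example supports:
    %D = session user's domain, %w = winbind separator, %S = share name."""
    return value.replace("%D", domain).replace("%w", sep).replace("%S", share)


def resolve(name, default_domain=DEFAULT_DOMAIN, sep=SEPARATOR,
            accounts=ACCOUNTS, local=LOCAL_PASSWD):
    """Assumed lookup order for a `valid users` entry (from the posted log):
    a domain-qualified name is looked up as-is; a bare name is tried in the
    default domain, then as a local Unix user.  Returns a uid or None."""
    if sep in name:
        domain, user = name.split(sep, 1)
        return accounts.get((domain.upper(), user))
    uid = accounts.get((default_domain, name))
    if uid is None:
        uid = local.get(name)
    return uid


def check_access(conf, section, share, domain):
    """Expand the section's `valid users` for one session and resolve it.
    Returns (expanded entry, uid-or-None); None means smbd would reject."""
    entry = conf[section]["valid users"]
    expanded = substitute(entry, share, domain)
    return expanded, resolve(expanded)


if __name__ == "__main__":
    for label, text in (("as posted", SMB_CONF_AS_POSTED),
                        ("%D%w%S", SMB_CONF_QUALIFIED)):
        conf = parse_smb_conf(text)
        for user, domain in (("user1", "AD"), ("admin.eb", "PSI")):
            expanded, uid = check_access(conf, "homes", user, domain)
            verdict = "ok" if uid is not None else "not permitted"
            print(f"[{label}] {domain}{SEPARATOR}{user}: "
                  f"valid users -> '{expanded}' -> {verdict}")
    # The workaround from the post: a matching local /etc/passwd entry
    # makes the bare name resolvable as a Unix user.
    print("with local passwd entry:", resolve("admin.eb", local={"admin.eb": 9994}))
```

Running it shows `user1` passing and `admin.eb` failing with the posted configuration, the same split as in the log, because only the AD prefix is implied for a bare name. Whether `%D%w%S` is accepted by smbd's `valid users` handling for a trusted-domain user is something to confirm with `testparm` and a real session rather than this model.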