[Samba] multiple domain and winbind use default domain
Rowland Penny
rpenny at samba.org
Fri Aug 19 07:46:21 UTC 2016
On Fri, 19 Aug 2016 09:22:50 +0200
BLINDAUER Emmanuel via samba <samba at lists.samba.org> wrote:
> Hello
> I'm preparing a new fileserver, based on jessie + sernet 4.2.10
> packages. The server is bound to a forest, "AD", where user accounts
> are stored, and a subdomain "PSI" for computers and some local accounts.
> The Active Directory forest is managed by 2008R2 servers, with
> rfc2307 attributes filled for accounts.
>
> I'm using "winbind use default domain" because the users are also used on
> Linux PC labs.
>
> So currently a user user1 from domain AD can request a ticket and
> access his share with smbclient -k //server/user1.
> wbinfo -i user1 gives correct values.
>
> But a user admin.eb from subdomain PSI can't access his share after
> requesting a ticket.
> wbinfo -i admin.eb gives the correct value:
> PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> but the smbd logs are saying:
>
> Adding homes service for user 'PSI+admin.eb' using home directory:
> '/psihome/admin/admin.eb'
> adding home's share [admin.eb] for user 'PSI+admin.eb' at
> '/psihome/admin/admin.eb'
> smb_pam_start: PAM: Init passed for user: PSI+admin.eb
> smb_pam_account: PAM: Account OK for User: PSI+admin.eb
> string_to_sid: SID admin.eb is not in a valid format
> user 'PSI+admin.eb' (from session setup) not permitted to access
> this share (admin.eb)
>
>
> Looking in log.winbindd, winbindd tries several name searches:
>
> getpwnam psi+admin.eb
> getpwnam PSI+admin.eb
> getpwnam PSI+admin.eb
> lookupname AD+admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> lookupname Unix User+admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> getpwnam admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> getpwnam ADMIN.EB
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
>
> To be sure, I verified the account on the server:
> # getent passwd PSI+admin.eb
> PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
>
> It seems that the domain is dropped.
> If I add a local user account in /etc/passwd:
> admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> it works fine.
>
> Here is the smb.conf:
>
> # Global parameters
> [global]
> workgroup = AD
> realm = AD.UNISTRA.FR
> server role = member server
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> kerberos method = secrets and keytab
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 100000
> panic action = /usr/share/samba/panic-action %d
> winbind separator = +
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind max domain connections = 100
> idmap config psi : range = 5000-9998
> idmap config psi : schema_mode = rfc2307
> idmap config psi : backend = ad
> idmap config ad : schema_mode = rfc2307
> idmap config ad : range = 9999-1000000
> idmap config ad : default = yes
> idmap config ad : backend = ad
> idmap config * : range = 3000-4000
> idmap config * : backend = tdb2
>
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = No
>
Try removing 'winbind use default domain = Yes'; I think this could be
your problem.
Rowland
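As an added illustration (not from this thread or from the Samba project), a small checker that parses the [global] idmap layout from the posted smb.conf, verifies that the idmap ranges do not overlap, and flags the combination the log above shows: "winbind use default domain = Yes" with more than one real domain, where a bare name like the %S share name is looked up in the workgroup (AD) rather than in PSI. The sample config is a constructed excerpt of the posted one; function names are mine.

```python
import re

SAMPLE_SMB_CONF = """
workgroup = AD
winbind use default domain = Yes
idmap config psi : range = 5000-9998
idmap config ad : range = 9999-1000000
idmap config * : range = 3000-4000
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_global(text):
    """Return (plain parameters, idmap settings keyed by lower-cased domain)."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).lower(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[key] = val
        else:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params, idmap


def lint(text):
    """Flag overlapping idmap ranges and the default-domain name ambiguity."""
    params, idmap = parse_global(text)
    findings, ranges = [], []
    for dom, cfg in idmap.items():
        lo, _, hi = cfg.get("range", "").partition("-")
        if not (lo.isdigit() and hi.isdigit()):
            findings.append(f"idmap config {dom}: missing or malformed range")
            continue
        ranges.append((int(lo), int(hi), dom))
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    # With several real domains, dropping the prefix makes a bare name ambiguous;
    # the winbindd log above shows it being tried against AD, never against PSI.
    wg = params.get("workgroup", "").lower()
    others = [d for d in idmap if d not in ("*", wg)]
    if params.get("winbind use default domain", "no").lower() == "yes" and others:
        findings.append(f"winbind use default domain = Yes: bare names are looked up in {wg}, not {', '.join(others)}")
    return findings
```

Running `lint(SAMPLE_SMB_CONF)` on the posted layout reports no range overlap but does flag the default-domain setting, which is the line Rowland suggests removing.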