[Samba] Samba domain member and rfc2307 user IDs
Blindauer Emmanuel
e.blindauer at gmail.com
Mon Jul 25 21:22:54 UTC 2016
On 25/07/2016 18:02, Kevin Davidson wrote:
> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>
> samba and winbind v 2.4.2.10+dfs
>
> wbinfo -u lists all the domain users
> wbinfo -g lists all the domain groups
>
> getent group lists all the local groups and the AD domain groups that have a UNIX gid set
> getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t access any shares being shared from the server.
>
> The domain user UNIX user IDs are all in the range 1001 - 2000 and need to match up with other servers using the same UIDs.
>
> This is from smb.conf on the domain server:
>
> [global]
>
> netbios name = TERRA
> workgroup = DOMAIN
> security = ADS
> realm = OFFICE.DOMAIN.COM
> encrypt passwords = yes
>
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1001-60000
> idmap config DOMAIN:default = yes
> idmap config *:backend = tdb
> idmap config *:range = 60001-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> What have I done wrong?
>
> Kevin Davidson
> Apple Certified System Administrator
> Technical Director
>
> t 01506 668674
> m 07813 149620
> w www.indigospring.co.uk
>
> indigospring (Scotland) Ltd
> Registered in Scotland No. SC398572
> Registered office: 103 Oldwood Place, Livingston EH54 6US
>
> Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
> Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>
>
> http://www.indigospring.co.uk/terms-and-conditions
>
I'm facing the same problem, except that wbinfo -u never returned users
(wbinfo -g works).
wbinfo -i user returned the correct value for some days, and stopped
working.
Same packages from jessie, but I have also tested the sernet packages
for 4.2.14 without more success.
I also have some errors showing up with a high level of debug for winbind:

[2016/07/25 23:15:24.221239, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2016/07/25 23:15:24.263941, 5] ../source3/librpc/crypto/gse.c:265(gse_init_client)
  gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/07/25 23:15:24.264068, 4] ../auth/gensec/gensec_start.c:679(gensec_start_mech)
  Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR

My config file:
[global]
workgroup = AD
realm=AD.UNISTRA.FR
log file = /var/log/samba/log.%m
max log size = 100000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
obey pam restrictions = yes
map to guest = bad user
kerberos method = secrets and keytab
idmap config * : backend = tdb2
idmap config * : range = 3000-4000
idmap config AD : backend = ad
idmap config AD : default = yes
idmap config AD : range = 10000-1000000
idmap config AD : schema_mode = rfc2307
idmap config PSI : schema_mode = rfc2307
idmap config PSI : range = 5000-9998
winbind nss info = rfc2307
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes