[Samba] Samba domain member and rfc2307 user IDs

Blindauer Emmanuel e.blindauer at gmail.com
Mon Jul 25 21:22:54 UTC 2016


On 25/07/2016 18:02, Kevin Davidson wrote:
> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>
> samba and winbind v 2.4.2.10+dfs
>
> wbinfo -u lists all the domain users
> wbinfo -g lists all the domain groups
>
> getent group lists all the local groups and the AD domain groups that have a UNIX gid set
> getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t access any shares being shared from the server.
>
> The domain user UNIX user IDs are all in the range 1001 - 2000 and need to match up with other servers using the same UIDs.
>
> This is from smb.conf on the domain server:
>
> [global]
>
>   netbios name = TERRA
>   workgroup = DOMAIN
>   security = ADS
>   realm = OFFICE.DOMAIN.COM
>   encrypt passwords = yes
>
>   idmap config DOMAIN:backend = ad
>   idmap config DOMAIN:schema_mode = rfc2307
>   idmap config DOMAIN:range = 1001-60000
>   idmap config DOMAIN:default = yes
>   idmap config *:backend = tdb
>   idmap config *:range = 60001-9999999
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>
> What have I done wrong?
>
> Kevin Davidson
> Apple Certified System Administrator
> Technical Director

I'm facing the same problem, except that wbinfo -u never returned users 
(wbinfo -g works).
wbinfo -i user returned the correct value for some days, and then stopped 
working.

Same packages from jessie, but I have also tested the SerNet packages 
for 4.2.14 without more success.

I also have some errors showing up with a high debug level for winbind:

[2016/07/25 23:15:24.221239,  5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
   Starting GENSEC submechanism gse_krb5
[2016/07/25 23:15:24.263941,  5] ../source3/librpc/crypto/gse.c:265(gse_init_client)
   gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/07/25 23:15:24.264068,  4] ../auth/gensec/gensec_start.c:679(gensec_start_mech)
   Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR

My config file:

[global]
    workgroup = AD
    realm = AD.UNISTRA.FR
    log file = /var/log/samba/log.%m
    max log size = 100000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    server role = member server
    obey pam restrictions = yes
    map to guest = bad user

    kerberos method = secrets and keytab
    idmap config * : backend = tdb2
    idmap config * : range = 3000-4000
    idmap config AD : backend = ad
    idmap config AD : default = yes
    idmap config AD : range = 10000-1000000
    idmap config AD : schema_mode = rfc2307
    idmap config PSI : schema_mode = rfc2307
    idmap config PSI : range = 5000-9998

    winbind nss info = rfc2307
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
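Added example, not code from either poster: a small Python check for the idmap settings this thread is about. It parses the `idmap config DOMAIN : key = value` lines out of an smb.conf, then applies the constraints the smb.conf documentation states for the ad backend with rfc2307: every domain block needs a backend (a block without one falls back to the `*` default), the ranges of different blocks must not overlap, and the ad backend only maps an account whose uidNumber lies inside that domain's range. An account outside the range, or with no uidNumber, silently gets no UNIX ID, which is one way to end up with `wbinfo -u` working while `getent passwd` returns nothing. The two configs embedded below are transcribed from the messages above; the `CONSTRUCTED_BAD_CONF` block and the uidNumber samples are constructed for illustration. The overlap rule is documented Samba behaviour; treating the uidNumber list as LDAP output is an assumption (in practice you would feed it from `wbinfo -i` or an LDAP query).

```python
from __future__ import annotations
import re

# Matches both "idmap config DOMAIN:key = value" and "idmap config DOMAIN : key = value".
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)

# Transcribed from Kevin's message above (quote markers removed).
KEVIN_CONF = """
[global]
  idmap config DOMAIN:backend = ad
  idmap config DOMAIN:schema_mode = rfc2307
  idmap config DOMAIN:range = 1001-60000
  idmap config DOMAIN:default = yes
  idmap config *:backend = tdb
  idmap config *:range = 60001-9999999
"""

# Transcribed from Emmanuel's config above.
EMMANUEL_CONF = """
[global]
    idmap config * : backend = tdb2
    idmap config * : range = 3000-4000
    idmap config AD : backend = ad
    idmap config AD : default = yes
    idmap config AD : range = 10000-1000000
    idmap config AD : schema_mode = rfc2307
    idmap config PSI : schema_mode = rfc2307
    idmap config PSI : range = 5000-9998
"""

# Constructed: the default range overlaps the domain range.
CONSTRUCTED_BAD_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 1000-9999
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 5000-20000
"""


def parse_idmap(smb_conf: str) -> dict[str, dict[str, str]]:
    """Collect the idmap config settings per domain; '*' is the default block."""
    domains: dict[str, dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def parse_range(text: str) -> tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def check_idmap(domains: dict[str, dict[str, str]],
                uid_numbers: dict[str, dict[str, int | None]] | None = None) -> list[str]:
    """Return human-readable findings. uid_numbers maps DOMAIN -> {user: uidNumber or None}."""
    findings: list[str] = []
    if "backend" not in domains.get("*", {}):
        findings.append("no 'idmap config * : backend'; BUILTIN and unknown SIDs cannot be mapped")
    ranges: list[tuple[str, int, int]] = []
    for dom, cfg in domains.items():
        if dom != "*" and "backend" not in cfg:
            findings.append(f"{dom}: settings present but no backend; the block is unused and '*' applies")
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = parse_range(cfg["range"])
        if lo >= hi:
            findings.append(f"{dom}: range {lo}-{hi} is empty or reversed")
        ranges.append((dom, lo, hi))
    # Ranges of different idmap blocks must be disjoint.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    # With backend = ad, only accounts whose uidNumber is inside the range get a UNIX ID.
    for dom, users in (uid_numbers or {}).items():
        cfg = domains.get(dom.upper(), {})
        if cfg.get("backend", "").lower() != "ad" or "range" not in cfg:
            continue
        lo, hi = parse_range(cfg["range"])
        for user, uid in users.items():
            if uid is None:
                findings.append(f"{dom}\\{user}: no uidNumber; the ad backend will not map this account")
            elif not lo <= uid <= hi:
                findings.append(f"{dom}\\{user}: uidNumber {uid} is outside {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for name, conf in (("kevin", KEVIN_CONF), ("emmanuel", EMMANUEL_CONF), ("bad", CONSTRUCTED_BAD_CONF)):
        print(name, check_idmap(parse_idmap(conf)) or "no findings")
```

Run against the thread's two configs, the script flags only the PSI block in the second one (it has a range and schema_mode but no backend); the Kevin config passes, consistent with his statement that his UIDs 1001-2000 sit inside 1001-60000. That means the range checks alone do not explain either failure, which points back at the Kerberos error in the winbind log rather than at the idmap ranges.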
