[Samba] Samba domain member and rfc2307 user IDs

Emmanuel Blindauer e.blindauer at gmail.com
Tue Jul 26 07:33:33 UTC 2016


I need to correct: I had a typo. With sernet packages, winbind works,
and faster. Still doesn't get wbinfo -u to return users, but I think wbinfo
times out before getting all 140k users; WB logs still show retrieving users.

Emmanuel

On Tuesday, July 26, 2016, Blindauer Emmanuel <e.blindauer at gmail.com> wrote:

> On 25/07/2016 18:02, Kevin Davidson wrote:
>
>> Having problems with rfc2307 user ids. This was working briefly and now
>> it’s not.
>>
>> samba and winbind v 2.4.2.10+dfs
>>
>> wbinfo -u lists all the domain users
>> wbinfo -g lists all the domain groups
>>
>> getent group lists all the local groups and the AD domain groups that
>> have a UNIX gid set
>> getent passwd lists only the local users, then pauses for a moment, then
>> nothing. AD users can’t log in and can’t access any shares being shared
>> from the server.
>>
>> The domain user UNIX user IDs are all in the range 1001 - 2000 and need
>> to match up with other servers using the same UIDs.
>>
>> This is from smb.conf on the domain server:
>>
>> [global]
>>
>>   netbios name = TERRA
>>   workgroup = DOMAIN
>>   security = ADS
>>   realm = OFFICE.DOMAIN.COM
>>   encrypt passwords = yes
>>
>>   idmap config DOMAIN:backend = ad
>>   idmap config DOMAIN:schema_mode = rfc2307
>>   idmap config DOMAIN:range = 1001-60000
>>   idmap config DOMAIN:default = yes
>>   idmap config *:backend = tdb
>>   idmap config *:range = 60001-9999999
>>
>>   winbind nss info = rfc2307
>>   winbind trusted domains only = no
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum groups = yes
>>
>> What have I done wrong?
>>
>> Kevin Davidson
>> Apple Certified System Administrator
>> Technical Director
>>
>> t 01506 668674
>> m 07813 149620
>> w www.indigospring.co.uk
>>
>> indigospring (Scotland) Ltd
>> Registered in Scotland No. SC398572
>> Registered office: 103 Oldwood Place, Livingston EH54 6US
>>
>> Follow us on Twitter - twitter.com/indigospringIT <
>> http://twitter.com/indigospringIT>
>> Members of the Apple Consultants Network - consultants.apple.com/uk <
>> http://consultants.apple.com/uk>
>>
>> http://www.indigospring.co.uk/terms-and-conditions
>>
> I'm facing the same problem, except that wbinfo -u never returned users
> (wbinfo -g works).
> wbinfo -i user returned the correct value for some days, and stopped
> working.
>
> same packages from jessie, but I have also tested the sernet packages for
> 4.2.14 without more success.
>
> I have also some errors showing up with a high level of debug for winbind:
>
> [2016/07/25 23:15:24.221239,  5]
> ../auth/gensec/gensec_start.c:672(gensec_start_mech)
>   Starting GENSEC submechanism gse_krb5
> [2016/07/25 23:15:24.263941,  5]
> ../source3/librpc/crypto/gse.c:265(gse_init_client)
>   gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were
> supplied, or the credentials were unavailable or inaccessible.: unknown
> mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a
> kinit.
> [2016/07/25 23:15:24.264068,  4]
> ../auth/gensec/gensec_start.c:679(gensec_start_mech)
>   Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
>
> My config file:
>
> [global]
>    workgroup = AD
>    realm=AD.UNISTRA.FR
>    log file = /var/log/samba/log.%m
>    max log size = 100000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = member server
>    obey pam restrictions = yes
>    map to guest = bad user
>
> kerberos method = secrets and keytab
> idmap config * : backend = tdb2
> idmap config * : range = 3000-4000
> idmap config AD : backend = ad
> idmap config AD : default = yes
> idmap config AD : range = 10000-1000000
> idmap config AD : schema_mode = rfc2307
> idmap config PSI : schema_mode = rfc2307
> idmap config PSI : range = 5000-9998
>
> winbind nss info = rfc2307
> winbind separator = +
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
>

