[Samba] wbinfo -S SID deliver -1

Rowland Penny rpenny at samba.org
Tue Apr 25 21:06:59 UTC 2017 

On Tue, 25 Apr 2017 22:31:48 +0200
edv--- via samba <samba at lists.samba.org> wrote:

> i have setup a samba server as a AD member. AD: 2012R2
> 
> The first day everything was working fine. After restart the Samba 
> Service i had no access to my shares.
> 
> getent passwd  and getent group deliver the UID and GID : 
> 4294967295:4294967295: by all AD Users
> 
> which is -1 (FFFF FFFF)
> 
> wbinfo -n user deliver S-1-5-21-4001112740-1724199908-163113746-1106 
> SID_USER (1) which is correct !
> 
> I get from wbinfo -S S-1-5-21-4001112740-1724199908-163113746-1106 as 
> result -1 !
> 
> In the Winbind log i get :
> i get from the log Parsing value for key 
> [IDMAP/SID2XID/S-1-5-21-4001112740-1724199908-163113746-1106]:
> value=[-1:N]
> 
> 
> The Samba Version is : Version 4.2.14-Debian
> 
> My smb.conf is :
>   [global]
>          netbios name = fs2
>          workgroup = XDNT
>          security = ADS
>          realm = XDNT.DE
>          encrypt passwords = yes
> 
>          log file = /var/log/samba/log.%m
>          log level = 10  #passdp:10 auth:10 winbind:10
> 
> # Log auf Datei Zugriff
>          vfs object = full_audit recycle acl_xattr
>          full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
>          full_audit:success = mkdir rename unlink rmdir pwrite
>          full_audit:failure = none
>          full_audit:facility = local7
> #       full_audit:priority = DEBUG
>          full_audit:priority = notice
> 
> # Log auf Datei löschen
>          recycle:repository = /srv/export/samba/recycle
>          recycle:subdir_mode = 0770
>          recycle:directory_mode = 0770
>          recycle:keeptree = Yes
>          recycle:versions = Yes
>          recycle:touch = Yes
>          recycle:touch_mtime = Yes
>          recycle:maxsize = 0
> 
>          syslog = yes
> 
> #idmap config *:backend = tdb
> #idmap config *:range = 85000-86000

Uncomment the above two lines you need them ;-)

> 
>          idmap config XDNT : backend = ad
>          idmap config XDNT : schema_mode = rfc2307
>          idmap config XDNT : range = 3000000-4000000

Have you actually given your users and groups a uidNumber or gidNumber
attribute inside the range 3000000-4000000 ?

If not, change the backend to 'rid' instead of 'ad' and remove the
schema_mode line.

> 
>          idmap config XDNT:unix_primary_group = yes

The Same goes for the above line, if you have no gidNumber attributes,
remove it.

> 
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind refresh tickets = yes
> 
> #       winbind nss info = template
> #       template shell = /bin/bash
> #       template homedir = /home/%U

uncomment the template lines if you use the 'rid' backend

> 
>          map acl inherit = Yes
>          store dos attributes = Yes

Add 'vfs objects = acl_xattr' as well

> 
>          follow symlinks = yes
> 
> passdb backend = tdbsam
> map untrusted to domain = Yes
> 
> username map = /etc/samba/user.map

What is in the username map ?

Try reading this Samba wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

More information about the samba mailing list