[Samba] wbinfo -S SID deliver -1
Rowland Penny
rpenny at samba.org
Tue Apr 25 21:06:59 UTC 2017
On Tue, 25 Apr 2017 22:31:48 +0200
edv--- via samba <samba at lists.samba.org> wrote:
> I have set up a Samba server as an AD member. AD: 2012R2
>
> The first day everything was working fine. After restarting the Samba
> service I had no access to my shares.
>
> getent passwd and getent group deliver the UID and GID:
> 4294967295:4294967295: for all AD users
>
> which is -1 (FFFF FFFF)
>
> wbinfo -n user deliver S-1-5-21-4001112740-1724199908-163113746-1106
> SID_USER (1) which is correct !
>
> I get from wbinfo -S S-1-5-21-4001112740-1724199908-163113746-1106 as
> result -1 !
>
> In the Winbind log I get:
> I get from the log: Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-4001112740-1724199908-163113746-1106]:
> value=[-1:N]
>
>
> The Samba Version is : Version 4.2.14-Debian
>
> My smb.conf is :
> [global]
> netbios name = fs2
> workgroup = XDNT
> security = ADS
> realm = XDNT.DE
> encrypt passwords = yes
>
> log file = /var/log/samba/log.%m
> log level = 10 #passdp:10 auth:10 winbind:10
>
> # Log file access
> vfs object = full_audit recycle acl_xattr
> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
> full_audit:success = mkdir rename unlink rmdir pwrite
> full_audit:failure = none
> full_audit:facility = local7
> # full_audit:priority = DEBUG
> full_audit:priority = notice
>
> # Log file deletion
> recycle:repository = /srv/export/samba/recycle
> recycle:subdir_mode = 0770
> recycle:directory_mode = 0770
> recycle:keeptree = Yes
> recycle:versions = Yes
> recycle:touch = Yes
> recycle:touch_mtime = Yes
> recycle:maxsize = 0
>
> syslog = yes
>
> #idmap config *:backend = tdb
> #idmap config *:range = 85000-86000
Uncomment the above two lines, you need them ;-)
>
> idmap config XDNT : backend = ad
> idmap config XDNT : schema_mode = rfc2307
> idmap config XDNT : range = 3000000-4000000
Have you actually given your users and groups a uidNumber or gidNumber
attribute inside the range 3000000-4000000 ?
If not, change the backend to 'rid' instead of 'ad' and remove the
schema_mode line.
>
> idmap config XDNT:unix_primary_group = yes
The same goes for the above line, if you have no gidNumber attributes,
remove it.
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> # winbind nss info = template
> # template shell = /bin/bash
> # template homedir = /home/%U
Uncomment the template lines if you use the 'rid' backend
>
> map acl inherit = Yes
> store dos attributes = Yes
Add 'vfs objects = acl_xattr' as well
>
> follow symlinks = yes
>
> passdb backend = tdbsam
> map untrusted to domain = Yes
>
> username map = /etc/samba/user.map
What is in the username map ?
Try reading this Samba wiki page:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
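
The checks raised in this reply can be run mechanically against an smb.conf. The following is an added example, not part of the original message and not Samba code: it parses the active `idmap config` lines and reports a missing default `*` domain, overlapping ranges, an `ad` backend with no IDs or with IDs outside its range, and `unix_primary_group` on a non-`ad` backend. The `ad_ids` input and the ID values 3000105 and 10000 are assumptions made for illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
#idmap config *:backend = tdb
#idmap config *:range = 85000-86000
idmap config XDNT : backend = ad
idmap config XDNT : schema_mode = rfc2307
idmap config XDNT : range = 3000000-4000000
idmap config XDNT:unix_primary_group = yes
"""
IDMAP = re.compile(r"^idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from active (uncommented) lines only."""
    doms = {}
    for line in map(str.strip, text.splitlines()):
        m = None if line.startswith(("#", ";")) else IDMAP.match(line)
        if m:
            doms.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
    return doms

def lint(text, ad_ids):
    """ad_ids (hypothetical input): {domain: [uidNumber/gidNumber values read from AD]}."""
    doms, out, ranges = parse_idmap(text), [], {}
    # The default domain needs its own backend and range.
    if not {"backend", "range"} <= doms.get("*", {}).keys():
        out.append("*: no active default backend/range")
    for dom, o in doms.items():
        if "range" in o:
            lo, hi = (int(x) for x in o["range"].split("-"))
            for other, (olo, ohi) in ranges.items():
                if lo <= ohi and olo <= hi:
                    out.append(f"{dom}: range overlaps {other}")
            ranges[dom] = (lo, hi)
        if o.get("backend") == "ad":
            ids = ad_ids.get(dom, [])
            if not ids:
                out.append(f"{dom}: ad backend but no uidNumber/gidNumber in AD; use rid")
            elif "range" in o:
                # The ad backend treats the range as a filter on the stored IDs.
                out += [f"{dom}: id {i} outside {lo}-{hi}, will not be mapped"
                        for i in ids if not lo <= i <= hi]
        elif "unix_primary_group" in o:
            out.append(f"{dom}: unix_primary_group needs the ad backend")
    return out

if __name__ == "__main__":
    # Constructed ID values: one inside the XDNT range, one outside it.
    for finding in lint(SAMPLE, {"XDNT": [3000105, 10000]}):
        print(finding)
```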