[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users

Rowland Penny rpenny at samba.org
Mon Aug 21 16:15:44 UTC 2017


On Mon, 21 Aug 2017 17:25:31 +0200
Martin Decker via samba <samba at lists.samba.org> wrote:

> Dear Rowland,
> 
> Our Windows admin assured me that they have set uidNumber and
> gidNumber in the range. I have requested screenshots for confirmation.
> 
> Now we are one step further: "getent passwd | grep mdecker" now lists
> the AD account.
> 
> mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
> 
> With "getent passwd mdecker" however, it shows
> "NT_STATUS_NO_SUCH_USER".
> 
> getent passwd mdecker
> 
> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> MYDOM\mdecker. Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
> 
> Also not working:
> 
> getnet passwd mdecker
> getent passwd "MYDOM\\mdecker"
> 
> What is working though is when I give REALM Suffix ".ADS"
> 
> getent passwd "MYDOM.ADS\\mdecker"
> mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
> 

If I run:
getent passwd rowland
getent passwd "SAMDOM\rowland"
getent passwd "SAMDOM.EXAMPLE.COM\rowland"

They all produce the same output:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Let's step back a bit here, is this just one Unix fileserver?
It also looks like you will not be using most of the RFC2307
attributes, just uidNumber & gidNumber.

If this is the case, have you considered the rid backend?
With this, you do not need anything in AD, it uses the RID to calculate
the user's or group's ID.

If you change:

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config MYDOM : backend = ad
    idmap config MYDOM : range = 100-999999
    idmap config MYDOM : schema_mode = rfc2307

To:

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 100-999999

You should get everything to work.
If it does, it proves that the problem is in AD.
If it doesn't, then there must be a problem on your Unix domain member.

Rowland
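
Added example, not part of the message above and not Samba's own code: a Python sketch of how the suggested rid backend derives a Unix ID from the RID, using the formula given in the idmap_rid(8) manual page (ID = RID - BASE_RID + LOW_RANGE_ID), together with a check that the configured ranges do not overlap. The domain SID is constructed, and the function names are hypothetical.

```python
import re

# idmap lines of the suggested "rid" configuration, copied from the message
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 100-999999
"""
# Constructed SID prefix for illustration; not a value from the thread
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}} for each 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(cfg):
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high

def overlapping(domains):
    """Domain pairs whose ranges intersect, i.e. two accounts could get one ID."""
    names = sorted(domains)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if id_range(domains[a])[0] <= id_range(domains[b])[1]
            and id_range(domains[b])[0] <= id_range(domains[a])[1]]

def rid_to_unix_id(sid, cfg):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the domain range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = id_range(cfg)
    unix_id = rid - int(cfg.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(conf))
    for rid in (1105, 1000000):  # second RID maps past 999999
        print(rid, "->", rid_to_unix_id(f"{DOMAIN_SID}-{rid}", conf["MYDOM"]))
```

With the range 100-999999 and the default base_rid of 0, any RID above 999899 falls outside the range and is left unmapped.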


