[Samba] Centos 7 member server login fails

Paul R. Ganci ganci at nurdog.com
Thu Dec 28 02:00:27 UTC 2017


On 12/27/2017 02:39 AM, Rowland Penny via samba wrote:
>
> Have you actually given your users & groups a uidNumber or gidNumber
> attribute, or are you using the 'rid' backend
Yes I am using the AD backend and they have these uidNumber & gidNumbers. 
They come from when I was originally using rid (back in the 4.0 days) 
and switched to the AD backend. I just happened to make the 
uidNumber/gidNumber the number one would get if using rid. I never 
changed them to anything more reasonable since I didn't want to deal 
with the issues that creates. So yes it seems strange but everything is 
correct.

There is actually another list message in the archives where the use of 
these uidNumber/gidNumber caused confusion. Maybe one of these days I 
will change over to something more reasonable if just to avoid that 
confusion.
> This gets stranger and stranger, if you are using the 'rid' backend,
> why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
> isn't it '0:0' ?
The kinit command was issued from the testuser1 account. I will go out 
on a limb and suggest that 3001107 is correct since that is the keyring 
owner. If it makes you feel better here is the same getent passwd on the 
DC (note the "0" in the administrator user):

 > getent passwd
MYDC\administrator:*:0:3000513::/home/administrator:/bin/bash
MYDC\testuser2:*:3001108:3000513::/home/testuser2:/bin/bash
MYDC\testuser1:*:3001107:3000513::/home/testuser1:/bin/bash

I did give domain users and domain admin groups gidNumbers so that is 
what you see. That is why it is not 0:0. My understanding is that is 
okay. You just cannot give administrator a uidNumber if I recall other 
list messages correctly.

Also if I do the kinit/klist commands on the member server as root I get 
this:
 > kinit administrator
Password for administrator@MYDC.TEST.COM:
 > klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kgkyAS7
Default principal: administrator@MYDC.TEST.COM

Valid starting       Expires              Service principal
12/27/2017 18:24:49  12/28/2017 04:24:49 krbtgt/MYDC.TEST.COM@MYDC.TEST.COM
     renew until 01/03/2018 18:24:46
> Winbind cannot find your user
Yes sssd was completely removed. The SERNET samba distribution will not 
install if sssd is installed. Yum errors will occur. And as I said in my 
other message the problem disappears once I re-ran authconfig-tui.  
Authconfig-tui changes /etc/nsswitch.conf file per your suggestion, and 
it recreates /etc/pam.d/passwd-auth-ac file and 
/etc/pam.d/system-auth-ac for use with winbind. I had been using 
/etc/pam.d/ files created from those used by sssd and hand edited with 
vi to change over to winbind. While that worked at one time it failed 
this time with my upgrade from samba 4.6 to 4.7. They were admittedly 
pretty old versions of the PAM files so I guess I should have expected 
this day to come.

In any event, I will reiterate that everything is working like it is 
supposed to now. Thank you for your help.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
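
The following check is an added example, not part of the original message or of Samba: it audits nsswitch and PAM files for the situation described above, where sssd-derived files were hand-edited for winbind. The function names and sample file contents are constructed for illustration; `pam_winbind.so` and `pam_sss.so` are the standard module names.

```sh
#!/bin/sh
# Added example (not from the thread): flag leftover sssd entries in NSS/PAM
# files on a winbind member server. Works on any file paths you pass in.

# nss_uses_winbind FILE DB: true if the DB line (passwd, group) lists winbind.
nss_uses_winbind() {
    grep -Eq "^[[:space:]]*$2:[^#]*[[:space:]]winbind([[:space:]#]|\$)" "$1"
}

# nss_mentions_sss FILE: true if any active database line still lists sss.
nss_mentions_sss() {
    grep -Eq '^[[:space:]]*[a-z]+:[^#]*[[:space:]]sss([[:space:]#]|$)' "$1"
}

# pam_stack_status FILE: prints winbind, sss, mixed or none (comments ignored).
pam_stack_status() {
    w=0; s=0
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_winbind\.so' "$1" && w=1
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_sss\.so' "$1" && s=1
    case "$w$s" in
        10) echo winbind ;; 01) echo sss ;; 11) echo mixed ;; *) echo none ;;
    esac
}

# audit_winbind_login NSSWITCH PAMFILE...: prints findings, returns their count.
audit_winbind_login() {
    nss=$1; shift; problems=0
    for db in passwd group; do
        nss_uses_winbind "$nss" "$db" ||
            { echo "$nss: $db does not list winbind"; problems=$((problems + 1)); }
    done
    if nss_mentions_sss "$nss"; then
        echo "$nss: sss is still listed"; problems=$((problems + 1))
    fi
    for f in "$@"; do
        st=$(pam_stack_status "$f")
        [ "$st" = winbind ] ||
            { echo "$f: PAM stack is '$st', expected winbind"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample files: a hand-edited, sssd-derived setup.
demo=$(mktemp -d)
printf 'passwd: files sss\ngroup: files winbind\n' > "$demo/nsswitch.conf"
printf 'auth sufficient pam_unix.so\nauth sufficient pam_sss.so use_first_pass\n#auth sufficient pam_winbind.so\n' > "$demo/system-auth"
audit_winbind_login "$demo/nsswitch.conf" "$demo/system-auth"
echo "problems found: $?"
```

To audit a real host, pass the live nsswitch file and the PAM files that the login stack includes as arguments to `audit_winbind_login`.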


