[Samba] ADS domain member: winbind fails [SOLVED]

Rowland Penny rpenny at samba.org
Sun Jan 1 15:04:49 UTC 2017


On Sun, 1 Jan 2017 15:40:53 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> 
> googled and tried stuff:
> 
> # net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P | grep uidN | sort -n
> 
> ... shows me uidNumbers:
> 
> uidNumber: 0

You definitely shouldn't have a user with the ID of '0' (in my opinion).
Is this Administrator?

> uidNumber: 1000
> 
> .. up to 1077

So it looks like you only have 77 users, but cannot have any local Unix
users because your Unix users start at 1000. How do you feel about
changing the uidNumbers? If so, the easiest way will be to open the AD
database with ldbedit:

ldbedit -e nano -H /usr/local/samba/private/sam.ldb

Then search through the file for 'uidNumber' and then change the
contents. I would just add a '0' after the first digit, i.e. '1077'
would become '10077'.

Remove the uidNumber that contains '0'.

Check that Domain Users has a gidNumber attribute and that it contains
a number in the 10000 range.

Finally, change 'idmap config ARBEITSGRUPPE:range = 1000-9999' to 'idmap
config ARBEITSGRUPPE:range = 10000-99999' and put the 'idmap config
SAMDOM : schema_mode = rfc2307' line back.

Restart the Samba daemons, run 'net cache flush' again, then run 'getent
passwd sgw'.

> 
> So my idmap range was completely wrong, I assume.
> 
> I now have on the member server:
> 
> # cat /etc/samba/smb.conf
> [global]
> 	security = ADS
> 	workgroup = ARBEITSGRUPPE
> 	realm = arbeitsgruppe.secret.tld
> 	log file = /var/log/samba/%m.log
> 	log level = 1
> 	
> 	idmap config * : backend = tdb
> 	#idmap config * : range = 2000-2999
> 
> 	## idmap config for the ARBEITSGRUPPE domain
> 	idmap config ARBEITSGRUPPE:backend = ad
> 	idmap config ARBEITSGRUPPE:range = 1000-9999
> 
> 	username map = /etc/samba/user.map
> 
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind use default domain = Yes
> 	winbind refresh tickets = Yes
> 
> 
> Now I get wbinfo -i again:
> 
> # wbinfo -i sgw
> sgw:*:4294967295:4294967295:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
> 
> But the group is wrong.
> 
> # wbinfo --group-info 'domain users'
> domain users:x:4294967295:
> 
> What to correct here, please?
> 
> 

What is in the 'user.map' ?

Rowland
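
An added example, not part of the original message and not Samba code: a Python check that compares the uidNumber/gidNumber values stored in AD against the idmap range in smb.conf and reports ID 0 and any ID outside the range (the ad backend ignores IDs outside its configured range). The smb.conf fragment, the search records and all function names are constructed for illustration; real `net ads search` output would be pasted in place of the sample.

```python
import re

# Constructed smb.conf fragment with the range suggested in the thread.
SAMPLE_CONF = """\
idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-99999
"""
# Constructed, simplified 'attribute: value' records, blank line between entries.
SAMPLE_SEARCH = """\
sAMAccountName: Administrator
uidNumber: 0

sAMAccountName: sgw
uidNumber: 1077

sAMAccountName: Domain Users
gidNumber: 10000
"""

def domain_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
    for dom, low, high in pat.findall(conf):
        if dom.upper() == domain.upper():
            return int(low), int(high)
    raise ValueError(f"no idmap range configured for {domain}")

def parse_entries(text):
    """Split the search output into one dict per directory entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def audit(entries, low, high):
    """Return (account, attribute, value, problem) for every ID that needs fixing."""
    findings = []
    for e in entries:
        for attr in [a for a in ("uidNumber", "gidNumber") if a in e]:
            value = int(e[attr])
            problem = ("ID 0 is root on Unix" if value == 0 else
                       "outside idmap range" if not low <= value <= high else None)
            if problem:
                findings.append((e.get("sAMAccountName"), attr, value, problem))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_entries(SAMPLE_SEARCH), *domain_range(SAMPLE_CONF, "ARBEITSGRUPPE")):
        print(*finding, sep="\t")
```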


