[Samba] winbind -u works, getent passwd don't work

Rowland Penny rpenny at samba.org
Mon Jan 30 16:15:18 UTC 2017


On Mon, 30 Jan 2017 14:33:03 +0100
basti via samba <samba at lists.samba.org> wrote:

> The getent passwd works for now on my ads member, thanks a lot.
> 
> I think I have an other problem. ("FOO" is the short domain)

Yes, you haven't set up the smb.conf on the domain member correctly ;-)

> 
> AD DC:
> getent passwd | tail -2
> FOO\sone:*:2057:513:some one:/home/FOO/sone:/bin/false
> FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
> 
> vs.
> AD Member
> 
> FOO\sone:*:4294967295:4294967295:some one:/home/FOO/sone:/bin/false
> FOO\user:*:4294967295:4294967295:System User:/home/FOO/user:/bin/false
> 
> UID and GID on AD member is always the same.
> 
> My smb.conf on AD member:
> 
> 
> root at rtr-01:~# cat /etc/samba/smb.conf
> [global]
>        netbios name = rtr-01
>        security = ads
>        workgroup = FOO
>        realm = FOO
> 
>        log file = /var/log/samba/%m.log
>        log level = 2
> 
>        # Default ID mapping configuration for local BUILTIN accounts
>        # and groups on a domain member. The default (*) domain:
>        # - must not overlap with any domain ID mapping configuration!
>        # - must use an read-write-enabled back end, such as tdb.
>        idmap config * : backend = ldap

So very wrong; you should only use the 'tdb' backend for the '*' domain.


>        idmap config * : range = 3000-7999

And whilst '3000-7999' is okay for the '*' domain, you haven't set up
the 'FOO' domain range at all. Also, the range '500-2999' (which appears
to be what you will need to set it to) is very small and gives you
nowhere to store any local Unix users.

> 
> 	# fix LDAP connection error
> 	ldap server require strong auth = No

This should only be in a DC smb.conf.

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
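The symptom basti reports (every domain user coming back from `getent passwd` with UID and GID 4294967295) is what winbind returns when it has no ID mapping for a SID, and Rowland's two objections are that the '*' domain uses a non-tdb backend and that the 'FOO' domain has no range at all. The script below is an added example, not part of the thread or of Samba itself: it scans passwd-format lines for that unmapped sentinel, pulls the '*' backend out of an smb.conf fragment, and checks that two idmap ranges do not overlap. The sample passwd lines and the config fragment are constructed for the example (modelled on the ones quoted above); the 500-2999 and 3000-7999 ranges are the ones Rowland mentions.

```shell
#!/bin/sh
# Added example (not from the list post or the Samba project): checks a
# practitioner can run against a domain member's own output before
# re-reading the idmap section of smb.conf.

# winbind hands back (uint32)-1 for both UID and GID when it has no
# mapping for the SID; this is the value the thread shows on the member.
UNMAPPED=4294967295

# Constructed sample passwd lines, modelled on the member's getent output.
SAMPLE='FOO\sone:*:4294967295:4294967295:some one:/home/FOO/sone:/bin/false
FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
root:x:0:0:root:/root:/bin/bash'

# Constructed smb.conf fragment reproducing the misconfiguration discussed.
BAD_CONF='[global]
       security = ads
       idmap config * : backend = ldap
       idmap config * : range = 3000-7999'

# find_unmapped: read passwd lines on stdin and print the name of every
# entry whose UID or GID is the unmapped sentinel. Exit status is 1 when
# at least one such entry was seen, 0 otherwise.
find_unmapped() {
    found=0
    while IFS=: read -r name _pw uid gid _rest; do
        [ -z "$name" ] && continue
        if [ "$uid" = "$UNMAPPED" ] || [ "$gid" = "$UNMAPPED" ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return $found
}

# default_idmap_backend: read smb.conf text on stdin and print the backend
# configured for the '*' domain (empty output if the line is absent).
default_idmap_backend() {
    sed -n 's/^[[:space:]]*idmap config \* : backend[[:space:]]*=[[:space:]]*//p'
}

# ranges_overlap LO1-HI1 LO2-HI2: exit 0 when the two ID ranges share at
# least one number, 1 when they are disjoint.
ranges_overlap() {
    lo1=${1%-*}; hi1=${1#*-}
    lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# Usage on the constructed data.
if printf '%s\n' "$SAMPLE" | find_unmapped; then
    echo "all IDs mapped"
else
    echo "entries above are unmapped: check the idmap config for FOO"
fi

backend=$(printf '%s\n' "$BAD_CONF" | default_idmap_backend)
if [ "$backend" != "tdb" ]; then
    echo "'*' domain uses backend '$backend'; it should be tdb"
fi

if ranges_overlap 3000-7999 500-2999; then
    echo "ranges overlap"
else
    echo "ranges 3000-7999 and 500-2999 are disjoint"
fi
```

Run it with `getent passwd | find_unmapped` (after sourcing the file) on a real member to list exactly which accounts winbind could not map, and feed the live `/etc/samba/smb.conf` to `default_idmap_backend` to confirm the '*' domain is on tdb.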
