[Samba] winbind -u works, getent passwd doesn't work
Rowland Penny
rpenny at samba.org
Mon Jan 30 16:15:18 UTC 2017
On Mon, 30 Jan 2017 14:33:03 +0100
basti via samba <samba at lists.samba.org> wrote:
> The getent passwd works for now on my ads member, thanks a lot.
>
> I think I have an other problem. ("FOO" is the short domain)
Yes, you haven't set up the smb.conf on the domain member correctly ;-)
>
> AD DC:
> getent passwd | tail -2
> FOO\sone:*:2057:513:some one:/home/FOO/sone:/bin/false
> FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
>
> vs.
> AD Member
>
> FOO\sone:*:4294967295:4294967295:some one:/home/FOO/sone:/bin/false
> FOO\user:*:4294967295:4294967295:System User:/home/FOO/user:/bin/false
>
> UID and GID on AD member is always the same.
>
> My smb.conf on AD member:
>
>
> root at rtr-01:~# cat /etc/samba/smb.conf
> [global]
> netbios name = rtr-01
> security = ads
> workgroup = FOO
> realm = FOO
>
> log file = /var/log/samba/%m.log
> log level = 2
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = ldap
So very wrong; you should only use the 'tdb' backend for the '*' domain.
> idmap config * : range = 3000-7999
And whilst '3000-7999' is okay for the '*' domain, you haven't set up
the 'FOO' domain range at all. Also, the range '500-2999' (which appears
to be what you will need to set it to) is very small and gives you
nowhere to store any local Unix users.
>
> # fix LDAP connection error
> ldap server require strong auth = No
This should only be in a DC smb.conf.
Can I suggest you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
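The three mistakes Rowland points out (a non-tdb backend for the '*' domain, no range for the 'FOO' domain, and ranges that must not overlap) are all visible in the smb.conf text itself, and the 4294967295 in the member's getent output is the unsigned rendering of -1, which is what winbind returns when it cannot map a SID to a Unix ID. The script below is an added example, not code from the thread or from the Samba project: a small lint for the idmap lines of a domain member's smb.conf. The two sample configs it writes are constructed for the demonstration; the rid backend and the 10000-999999 range in the "good" sample are assumptions for illustration, not a recommendation settled by the thread.

```shell
#!/bin/sh
# Added example: lint the idmap settings of a domain member's smb.conf.
# Usage: lint_idmap /etc/samba/smb.conf  -> exit 0 if clean, 1 otherwise.
lint_idmap() {
    conf="$1"
    problems=0

    wg=$(sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' "$conf" \
         | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -z "$wg" ]; then
        echo "no workgroup set"
        problems=1
    fi

    # 1. The default ('*') domain must use a writable backend such as tdb.
    star_backend=$(sed -n 's/^[[:space:]]*idmap config[[:space:]]*\*[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*//p' "$conf" \
                   | sed 's/[[:space:]]*$//')
    case "$star_backend" in
        tdb) ;;
        '')  echo "no backend configured for the '*' domain"; problems=1 ;;
        *)   echo "'*' domain uses backend '$star_backend', expected tdb"; problems=1 ;;
    esac

    # Collect "DOMAIN LOW HIGH" from every 'idmap config DOM : range = LOW-HIGH'.
    ranges=$(sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^:[:space:]]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*$/\1 \2 \3/p' "$conf")

    # 2. The workgroup domain needs its own range.
    if ! printf '%s\n' "$ranges" | awk -v d="$wg" '$1 == d { found = 1 } END { exit !found }'; then
        echo "no idmap range configured for domain '$wg'"
        problems=1
    fi

    # 3. No two ranges may overlap.
    if ! printf '%s\n' "$ranges" | awk '
        NF == 3 { n++; d[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "ranges for %s (%d-%d) and %s (%d-%d) overlap\n",
                               d[i], lo[i], hi[i], d[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'; then
        problems=1
    fi
    return "$problems"
}

# Constructed sample mirroring the poster's member config: ldap backend for
# '*' and no range for FOO. Prints the path of the temp file it writes.
make_bad_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = FOO
   security = ads
   idmap config * : backend = ldap
   idmap config * : range = 3000-7999
EOF
    echo "$f"
}

# Constructed sample with a clean layout. The rid backend and the FOO range
# are assumptions for illustration; pick them for your own domain.
make_good_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = FOO
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FOO : backend = rid
   idmap config FOO : range = 10000-999999
EOF
    echo "$f"
}

# Constructed sample whose FOO range collides with the '*' range.
make_overlap_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = FOO
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FOO : backend = rid
   idmap config FOO : range = 5000-20000
EOF
    echo "$f"
}

if [ $# -gt 0 ]; then lint_idmap "$1"; fi
```

Run it as `sh lint_idmap.sh /etc/samba/smb.conf` on the member; every finding is one line on stdout, and a non-zero exit means at least one of the three conditions is violated. It only reads the file, so it is safe to run before restarting winbind after an edit.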