[Samba] [samba] Winbindd without RFC2307 question
L.P.H. van Belle
belle at bazuin.nl
Wed Jul 19 14:00:43 UTC 2017
Hai Mathias,
If you use the AD backend you must define UID/GIDs.
samba-tool user add --help on the DC (if it's a Samba DC).
See the "User's Unix/RFC2307" settings.
Without it, you will not see any user or group.
And you did install: libnss-winbind libpam-winbind?
If yes, assign uid/gids.
https://wiki.samba.org/index.php/Idmap_config_ad
See the Prerequisites (the first one: "Users must have at least the uidNumber and groups the gidNumber attribute set.").
Quickest workaround, use RID.
! If you switch, make sure you run: net cache flush and restart samba and winbind.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> mathias dufresne via samba
> Sent: Wednesday 19 July 2017 15:34
> To: samba
> Subject: [Samba] [samba] Winbindd without RFC2307 question
>
> Hi all,
>
> I'm trying to set up a Samba file server retrieving users
> from AD. This AD has no RFC2307 installed yet.
>
> The Linux system hosting this file server is Debian 9.0.
>
> The issue is that system-side commands such as "getent passwd
> some_user" or "id some_user" are not working, not showing any result.
>
> Here is my whole smb.conf (shares will come later) :
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.TLD
> security = ads
>
> winbind use default domain = true
> winbind offline logon = false
>
> winbind nss info = template
> template shell = /bin/bash
> template homedir = /home/%U
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-999999
>
>
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = template
> idmap config DOMAIN:range = 16777216-33554431
>
> log level = 6
>
>
> Using that smb.conf, "wbinfo -u" or -g are working, as is
> "wbinfo -t some_user".
>
> /etc/nsswitch.conf has been modified as follows:
> # grep winbind /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
>
> PAM configuration has been auto-altered as follows:
> /etc/pam.d/common-account:18:
> account [success=1 new_authtok_reqd=done default=ignore]
> pam_winbind.so use_first_pass
> /etc/pam.d/common-auth:18:
> auth [success=1 default=ignore] pam_winbind.so krb5_auth
> krb5_ccache_type=FILE cached_login try_first_pass
> /etc/pam.d/common-password:26:
> password [success=1 default=ignore] pam_winbind.so use_authtok
> try_first_pass
> /etc/pam.d/common-session:25:
> session optional pam_winbind.so
> /etc/pam.d/common-session-noninteractive:25:
> session optional pam_winbind.so
>
> Logs in log.winbindd:
> [2017/07/19 15:30:58.122017, 6]
> ../source3/winbindd/winbindd.c:918(new_connection)
> accepted socket 32
> [2017/07/19 15:30:58.122240, 3]
> ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> [ 8727]: request interface version (version = 28)
> [2017/07/19 15:30:58.122475, 3]
> ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> [ 8727]: request location of privileged pipe
> [2017/07/19 15:30:58.122767, 6]
> ../source3/winbindd/winbindd.c:918(new_connection)
> accepted socket 34
> [2017/07/19 15:30:58.122918, 6]
> ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> closing socket 32, client exited
> [2017/07/19 15:30:58.123104, 3]
> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam agasmi
> [2017/07/19 15:30:58.123546, 5]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-123456789-0123456789-123456789-1234:
> NT_STATUS_NONE_MAPPED
> [2017/07/19 15:30:58.123827, 6]
> ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> closing socket 34, client exited
>
> If anyone has an idea of what I missed, that would be great.
>
> Cheers,
>
> mathias
>
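
The RID workaround mentioned in the reply, as an added example that is not part of the original thread: the poster's [global] section with the DOMAIN idmap switched from the ad backend to rid. Keeping the poster's range for DOMAIN is an assumption; with idmap_rid's default base_rid of 0 the Unix ID is the low end of the range plus the RID, so the SID ending in -1234 in the log above would map to 16778450.

```ini
[global]
    workgroup = DOMAIN
    realm = DOMAIN.TLD
    security = ads

    winbind use default domain = true
    winbind offline logon = false

    # Shell and home directory come from the template values, not from AD
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U

    # Default domain: BUILTIN and anything not covered by a named domain
    idmap config * : backend = tdb
    idmap config * : range = 10000-999999

    # Before (as posted): the ad backend reads uidNumber/gidNumber from AD,
    # so accounts without those attributes cannot be mapped
    # (NT_STATUS_NONE_MAPPED in log.winbindd).
    # idmap config DOMAIN:backend = ad
    # idmap config DOMAIN:schema_mode = template
    # idmap config DOMAIN:range = 16777216-33554431

    # After: the rid backend computes the ID from the RID part of the SID,
    # so no RFC2307 attributes are needed in AD.
    # The range must not overlap the "*" range above (assumed: poster's range kept).
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 16777216-33554431

    log level = 6
```

After the switch, run net cache flush and restart samba and winbind as the reply says, then check the result with getent passwd some_user. Changing the idmap backend changes the UID/GID numbers a domain account receives, so any files already owned under an earlier mapping have to be re-owned.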