[Samba] [samba] Winbindd without RFC2307 question

mathias dufresne infractory at gmail.com
Wed Jul 19 14:54:49 UTC 2017


Thank you both for your replies. Unfortunately I will not be able to use
rfc2307 and then uidNumber and co until they modify their AD. It would
perhaps be done soon but for now, no real idea.

So back to Rowland's proposition to use "rid" backend rather than "ad"
backend for idmap configuration.
To switch from "ad" to "rid" idmap backend I just changed :
idmap config CENTORIAL:backend = ad
into
idmap config CENTORIAL:backend = rid

Then I reload everything with "smbcontrol all reload-config"

To finally test all that with "id username" which wasn't working.

I just restart the samba processes (systemctl restart blablabla) and all
went well.

Thank you again :)

Have a nice day all,

mathias



2017-07-19 16:00 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> Hai Mathias,
>
> If you use AD backend you must define UID/GIDs.
>
> samba-tool user add --help on the DC. ( If it's a Samba DC )
> See the "User's Unix/RFC2307" settings.
>
> Without it, you will not see any user or group.
>
> And you did install :  libnss-winbind libpam-winbind
> If yes, assign uid/gids.
> https://wiki.samba.org/index.php/Idmap_config_ad
> See the Prerequisites. ( the first one.. :  Users must have at least the
> uidNumber and groups the gidNumber attribute set.  )
>
> Quickest workaround, use RID.
> ! If you switch, make sure you run : net cache flush and restart samba and
> winbind.
>
>
> Greetz,
>
> Louis
>
>
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > mathias dufresne via samba
> > Sent: Wednesday 19 July 2017 15:34
> > To: samba
> > Subject: [Samba] [samba] Winbindd without RFC2307 question
> >
> > Hi all,
> >
> > I'm trying to set up some Samba files server retrieving users
> > from AD. This AD has no RFC2307 installed yet.
> >
> > The Linux system hosting this files server is Debian 9.0.
> >
> > The issue is that system-side commands such as "getent passwd
> > some_user" or "id some_user" are not working, not showing any result.
> >
> > Here is my whole smb.conf (shares will come later) :
> >
> > [global]
> >    workgroup = DOMAIN
> >    realm = DOMAIN.TLD
> >    security = ads
> >
> >    winbind use default domain = true
> >    winbind offline logon = false
> >
> >    winbind nss info = template
> >    template shell = /bin/bash
> >    template homedir = /home/%U
> >
> >    idmap config * : backend = tdb
> >    idmap config * : range = 10000-999999
> >
> >
> >    idmap config DOMAIN:backend = ad
> >    idmap config DOMAIN:schema_mode = template
> >    idmap config DOMAIN:range = 16777216-33554431
> >
> >    log level = 6
> >
> >
> > Using that smb.conf "wbinfo -u" or -g are working, as is
> > working "wbinfo -t some_user"
> >
> > /etc/nsswitch.conf has been modified as follows:
> > # grep winbind /etc/nsswitch.conf
> > passwd:         compat winbind
> > group:          compat winbind
> >
> > PAM configuration has been auto-altered as follows:
> > /etc/pam.d/common-account:18:
> > account    [success=1 new_authtok_reqd=done default=ignore]
> > pam_winbind.so use_first_pass
> > /etc/pam.d/common-auth:18:
> > auth  [success=1 default=ignore]      pam_winbind.so krb5_auth
> > krb5_ccache_type=FILE cached_login try_first_pass
> > /etc/pam.d/common-password:26:
> > password  [success=1 default=ignore]      pam_winbind.so use_authtok
> > try_first_pass
> > /etc/pam.d/common-session:25:
> > session    optional                        pam_winbind.so
> > /etc/pam.d/common-session-noninteractive:25:
> > session     optional                        pam_winbind.so
> >
> > Logs in log.winbindd:
> > [2017/07/19 15:30:58.122017,  6]
> > ../source3/winbindd/winbindd.c:918(new_connection)
> >   accepted socket 32
> > [2017/07/19 15:30:58.122240,  3]
> > ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> >   [ 8727]: request interface version (version = 28)
> > [2017/07/19 15:30:58.122475,  3]
> > ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> >   [ 8727]: request location of privileged pipe
> > [2017/07/19 15:30:58.122767,  6]
> > ../source3/winbindd/winbindd.c:918(new_connection)
> >   accepted socket 34
> > [2017/07/19 15:30:58.122918,  6]
> > ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> >   closing socket 32, client exited
> > [2017/07/19 15:30:58.123104,  3]
> > ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> >   getpwnam agasmi
> > [2017/07/19 15:30:58.123546,  5]
> > ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> >   Could not convert sid S-1-5-21-123456789-0123456789-123456789-1234:
> > NT_STATUS_NONE_MAPPED
> > [2017/07/19 15:30:58.123827,  6]
> > ../source3/winbindd/winbindd.c:967(winbind_client_request_read)
> >   closing socket 34, client exited
> >
> > If anyone has an idea of what I missed, that would be great.
> >
> > Cheers,
> >
> > mathias
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
>
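Why "id username" starts answering once the backend is "rid": that backend computes the Unix ID from the RID at the end of the SID and the configured range, instead of reading uidNumber from AD. The sketch below is an added example, not part of this thread or of Samba; it assumes the formula documented in idmap_rid(8) (ID = RID - base_rid + low end of range), uses constructed smb.conf lines based on the posted config, and takes the SID from the posted log.

```python
import re

# Constructed sample: the posted idmap lines with the backend switched to "rid".
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-999999
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 16777216-33554431
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def ranges_overlap(domains):
    """List pairs of domains whose ID ranges intersect (their IDs could collide)."""
    spans = {d: tuple(map(int, o["range"].split("-")))
             for d, o in domains.items() if "range" in o}
    names = sorted(spans)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]


def rid_to_unix_id(sid, opts):
    """idmap_rid formula: RID - base_rid + low end of range; None if outside the range."""
    low, high = map(int, opts["range"].split("-"))
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - int(opts.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    sid = "S-1-5-21-123456789-0123456789-123456789-1234"  # SID from the posted log
    print("overlapping ranges:", ranges_overlap(cfg))
    print("expected uid for", sid, "->", rid_to_unix_id(sid, cfg["DOMAIN"]))
```

The predicted value can be compared with what "id username" reports after the cache flush and restart; a RID that falls outside the range gets no mapping at all.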

