[Samba] [samba] Member server winbind issue

mathias dufresne infractory at gmail.com
Sun Jul 23 14:18:40 UTC 2017


2017-07-23 15:42 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sun, 23 Jul 2017 14:13:52 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>
> >  winbind nss info = rfc2307
> >  idmap config * : backend = tdb
> >  idmap config * : range = 3000-7999
> >  idmap config AD:backend = ad
> >  idmap config AD:schema_mode = rfc2307
> >  idmap config AD:range = 8000-99999999
> >
> > I see two differences: ranges and spaces around ":" but I don't expect
> > these spaces are mandatory.
>
> No, not mandatory, just easier to read and Samba will ignore the spaces.
>
> > Both group and user have uidNumber and gidNumber declared in AD,
> > inside the range defined by "idmap config AD:range = 8000-99999999"
> > dc02:~# ldbsearch -H $sam cn="domain users" dn objectclass gidNumber
> > # record 1
> > dn: CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=tld
> > objectClass: top
> > objectClass: group
> > gidNumber: 20000002
> >
> > So, here again, it seems to be OK.
>
> Everything looks okay.
>
> >
> > And I'm still completely puzzled.
>
> Just a thought, does the libnss_winbind package match the rest of the
> Samba packages ?
>

Yes, all the very same:
#  dpkg -l | egrep 'winbind|samba'
ii  libnss-winbind:amd64           2:4.5.8+dfsg-2+deb9u1+b1  amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.5.8+dfsg-2+deb9u1+b1  amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.5.8+dfsg-2+deb9u1+b1  amd64        Samba winbind client library
ii  python-samba                   2:4.5.8+dfsg-2+deb9u1+b1  amd64        Python bindings for Samba
ii  samba                          2:4.5.8+dfsg-2+deb9u1+b1  amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.5.8+dfsg-2+deb9u1     all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.5.8+dfsg-2+deb9u1+b1  amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules             2:4.5.8+dfsg-2+deb9u1+b1  amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.5.8+dfsg-2+deb9u1+b1  amd64        Samba core libraries
ii  samba-vfs-modules              2:4.5.8+dfsg-2+deb9u1+b1  amd64        Samba Virtual FileSystem plugins
ii  winbind                        2:4.5.8+dfsg-2+deb9u1+b1  amd64        service to resolve user and group information from Windows NT servers

This is the unfiltered result, so that should be all packages related to Samba.


> >
> > DC are 4.6.5, I'll try to upgrade Samba client to some 4.6 too. I
> > don't really expect this to change anything.
>
> You will then need to use the 'new' idmap config settings.
>
> >
> > DC were provisioned without RFC2307. I set it up yesterday using
> > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup
> > So I've added the following line in DCs smb.conf:
> > idmap_ldb:use rfc2307 = yes
> >
> > after I followed "Installing the NIS Extensions" paragraph (with
> > mainly copy/paste).
> >
> > After these changes by DC side I was able to manage Unix attributes
> > with ADUC from some Windows client, which seems to mean the changes
> > were correct.
>
> If everything is correct, then it should work, what does running
> 'pam-auth-update' show ?
>

Here is a copy from 'pam-auth-update':
  PAM profiles to enable:

    [*] Unix authentication
    [*] Winbind NT/Active Directory authentication
    [*] Register user sessions in the systemd control group hierarchy

There are only these 3 options.

Could it come from the DC config? The smb.conf seems to be correct and I tried
the same on two different systems with different versions of Samba, so
perhaps the issue is not from the client. But as the DC's smb.conf is even smaller
than the one for the client, unless there were also changes in smb.conf
regarding rfc2307 and 4.6.x, I would not bet on a DC-side issue.


> Rowland