[Samba] SOLVED: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

Jiří Černý cerny at svmetal.cz
Thu Sep 7 14:46:39 UTC 2017

Yes, that's exactly what I've done. OK, my group has the name "IT admins",
but the logic is the same ;) Thank you.
However, I have one more problem.
If I create a new group or user and give it a UID/GID, it is immediately
reachable on the Linux server. id user, or getent group/passwd, and also
wbinfo -u/-g/-i can list info about it.
But if I assign a group to a user (or unassign it), it takes a long time
for this change to be reflected.
nsswitch.conf is set up correctly. I tried "net cache flush", but no
luck. I tried restarting the winbind service and also deleting the
winbindd_cache.tdb and winbindd_idmap.tdb files and restarting winbind,
but no luck. Still the old groups. I even tried deleting the whole
/var/lib/samba directory, reinstalling all packages and rejoining, but
the same. The user has the old groups.
BUT after a few hours (I didn't measure how long it took) I tried id
user and it (magically) had the right groups.

I tested it on 3 different member servers, 2 CentOS 7 with Samba 4.4.4
and SerNet Samba 4.6.7 and 1 CentOS with SerNet Samba 4.6.7.

Have you ever heard about this behavior?

On Thu, 07 Sep 2017 15:04:43 +0200 Jiří Černý via samba <samba at
( https://lists.samba.org/mailman/listinfo/samba) > wrote:

> > You may get away with using the 'rid' backend, but this will have to
> > be your choice, but whatever you choose, I am sure we can help you
> > get to a working domain.
> >
> > Rowland
>
> So I have an example. We have file and print server based on
> CentOS 7 with Samba 4.4.4. As wiki said
> we have to set permissions on [print$] share:
>
> # chgrp -R "SAMDOM\Domain Admins" /srv/samba/printer_drivers/
> # chmod -R 2755 /srv/samba/printer_drivers/
>
> But I can't do that, because I removed GID of Domain Admins, so
> winbind can't enumerate this group.
> So how to do that? Do I have to change idmap backend from AD to RID?

OK, my suggestion is to create an AD group, (again this is just a
suggestion, 'Unix Admins'), give this group a gidNumber and make it a
member of 'Domain Admins'. Now use this new group instead of 'Domain
Admins' on Unix.

Rowland
