[Samba] Issues post AD migration

Rowland Penny rpenny at samba.org
Thu Apr 12 11:18:54 UTC 2018


On Thu, 12 Apr 2018 10:48:04 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> I added the following,  reloaded the samba configs, joined the member
> server to the AD domain again
> 
> [global]
>        netbios name = FS01
>        security = ADS
>        workgroup = TESTDOM
>        realm = TESTDOM.GROUP
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>          winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         idmap config TESTDOM:backend = ad
>         idmap config TESTDOM:schema_mode = rfc2307
>         idmap config TESTDOM:range = 10000-999999
> 
> 
> I get the following
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/04/12 20:20:34.389732,  0]
> passdb/lookup_sid.c:1684(get_primary_group_sid) Failed to find a Unix
> account for peteruser 'TESTDOM\pghimire' (from session setup) not
> permitted to access this share (data)
> 
> 
> Just to confirm getent is working
> getent group gives me all the groups in AD DC
> 
> allowed rodc password replication group:x:3012:
> enterprise read-only domain controllers:x:3013:
> denied rodc password replication group:x:3008:krbtgt
> read-only domain controllers:x:3014:
> group policy creator owners:x:3007:administrator
> ras and ias servers:x:3015:
> domain controllers:x:3016:
> enterprise admins:x:3009:administrator
> 
> 
> 

Hmm, where is 'Domain Users' and the groups are (rightly) being mapped
to the '*' domain.

Does 'Domain Users' have a 'gidNumber' attribute containing a number
inside the '10000-999999' range ?
Do your users have a 'uidNumber' attribute containing a unique number
inside the same range ?

What version of Samba are you using ?
If it is less than 4.6.0 then you also need this line:

winbind nss info = rfc2307

From 4.6.0 it is replaced by:

idmap config TESTDOM : unix_nss_info

Rowland


= yes



More information about the samba mailing list