[Samba] Issues post AD migration
Rowland Penny
rpenny at samba.org
Thu Apr 12 11:18:54 UTC 2018
On Thu, 12 Apr 2018 10:48:04 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:
> Hi Rowland,
>
> I added the following, reloaded the samba configs, joined the member
> server to the AD domain again
>
> [global]
> netbios name = FS01
> security = ADS
> workgroup = TESTDOM
> realm = TESTDOM.GROUP
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> idmap config TESTDOM:backend = ad
> idmap config TESTDOM:schema_mode = rfc2307
> idmap config TESTDOM:range = 10000-999999
>
>
> I get the following
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/04/12 20:20:34.389732, 0]
> passdb/lookup_sid.c:1684(get_primary_group_sid) Failed to find a Unix
> account for peteruser 'TESTDOM\pghimire' (from session setup) not
> permitted to access this share (data)
>
>
> Just to confirm getent is working
> getent group gives me all the groups in AD DC
>
> allowed rodc password replication group:x:3012:
> enterprise read-only domain controllers:x:3013:
> denied rodc password replication group:x:3008:krbtgt
> read-only domain controllers:x:3014:
> group policy creator owners:x:3007:administrator
> ras and ias servers:x:3015:
> domain controllers:x:3016:
> enterprise admins:x:3009:administrator
>
>
>
Hmm, where is 'Domain Users' and the groups are (rightly) being mapped
to the '*' domain.
Does 'Domain Users' have a 'gidNumber' attribute containing a number
inside the '10000-999999' range ?
Do your users have a 'uidNumber' attribute containing a unique number
inside the same range ?
What version of Samba are you using ?
If it is less than 4.6.0 then you also need this line:
winbind nss info = rfc2307
From 4.6.0 it is replaced by:
idmap config TESTDOM : unix_nss_info = yes
Rowland
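
An added example, not part of the original message or of Samba: a small offline check of the two questions asked above, that each account's uidNumber or gidNumber is set and falls inside the range configured for TESTDOM. The smb.conf lines are the ones quoted in the thread; the account names and attribute values are constructed placeholders, and the helper names are hypothetical.

```python
import re

# The idmap lines quoted in the message above.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTDOM:backend = ad
idmap config TESTDOM:schema_mode = rfc2307
idmap config TESTDOM:range = 10000-999999
"""

# Constructed AD attribute values (hypothetical, not taken from the thread).
ACCOUNTS = [
    {"name": "nouid", "kind": "user", "uidNumber": None},
    {"name": "alice", "kind": "user", "uidNumber": 10001},
    {"name": "bob", "kind": "user", "uidNumber": 5000},
    {"name": "Domain Users", "kind": "group", "gidNumber": 10000},
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_settings(conf_text):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    out = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return out

def domain_range(settings, domain):
    """Parse the 'low-high' range configured for one idmap domain."""
    low, high = (int(x) for x in settings[domain.upper()]["range"].split("-"))
    return low, high

def unmapped(accounts, low, high):
    """List (name, reason) for IDs that are missing or outside the domain range."""
    bad = []
    for acct in accounts:
        attr = "uidNumber" if acct["kind"] == "user" else "gidNumber"
        value = acct.get(attr)
        if value is None:
            bad.append((acct["name"], f"{attr} not set"))
        elif not low <= value <= high:
            bad.append((acct["name"], f"{attr} {value} outside {low}-{high}"))
    return bad

if __name__ == "__main__":
    low, high = domain_range(idmap_settings(SMB_CONF), "TESTDOM")
    for name, reason in unmapped(ACCOUNTS, low, high):
        print(f"{name}: {reason}")
```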