[Samba] Samba 4.5: trying to setup an omnios system as a DC member
Rowland Penny
rpenny at samba.org
Tue Jun 19 15:52:05 UTC 2018
On Tue, 19 Jun 2018 16:10:33 +0200
Andrea Cucciarrè via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm trying to set up an omnios system as a Samba DC member, and I need
> AD backend for consistent IDs on all Samba clients.
> The AD join is successful, the wbinfo shows the AD users
>
> # /opt/samba/bin/wbinfo -n andrea
> S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
>
> however, "getent passwd ..." returns nothing for the user (all the
> AD users)
>
> I have enabled debugging and I can see the following relevant error:
>
> [2018/06/19 15:53:54.302030, 5, pid=638, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
> Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
> [2018/06/19 15:53:54.302082, 5, pid=638, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
> resolve_alias_to_username: backend query returned
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> ...
> [2018/06/19 15:53:54.309621, 5, pid=638, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid
> S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED
>
> Also the command wbinfo fails to convert the SID to UID
>
> # /opt/samba/bin/wbinfo -S
> S-1-5-21-2680195940-2267646359-3814218302-1109 failed to call
> wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid
> S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
>
> This is the relevant smb.conf:
>
> ===============================
> [global]
> log file = /opt/samba/log/%m.log
> log level = 10
> workgroup = HYPERFILE
> security = ADS
> realm = HYPERFILE.NET
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Data %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-2000000
> idmap config * : schema_mode = rfc2307
Hmm, the range is slightly excessive. The '*' domain is for the 'Well
Known SIDs' (and there are fewer than 200 of these) and anything outside
the domain. Do you really expect around '999,800' users & groups from
outside the domain to connect to the domain?
You also do not use 'idmap config * : schema_mode = rfc2307' with the
'*' domain.
>
> idmap config HYPERFILE:backend = ad
> idmap config HYPERFILE:schema_mode = rfc2307
> idmap config HYPERFILE:range = 1000-9999
> idmap config HYPERFILE:unix_primary_group = yes
Do you really only have 8,999 users?
Do they have a uidNumber inside the '1000-9999' range?
Does 'Domain Users' have a gidNumber inside the same range?
Neither the uidNumber nor the gidNumber attribute is added automatically;
you must add them manually.
And on the subject of the '1000-9999' range, do you not have any Unix
users other than the system users?
Rowland
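The checks raised in the reply above (no schema_mode on the '*' domain, an oversized '*' range, and AD accounts whose uidNumber or Domain Users gidNumber is missing or outside the domain's range) written out as a small Python linter. This is an added example, not code from the thread or from Samba; the smb.conf excerpt is the one quoted above, and the uidNumber/gidNumber values are constructed for illustration.

```python
import re
# Constructed excerpt of the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config * : schema_mode = rfc2307
idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
idmap config HYPERFILE:unix_primary_group = yes
"""
# Constructed uidNumber values as they might be read from AD; None = attribute absent.
AD_USERS = {"andrea": None, "bob": 10500, "carol": 1501}
DOMAIN_USERS_GID = None  # constructed: 'Domain Users' has no gidNumber
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect every 'idmap config DOMAIN:option = value' line into {DOMAIN: {option: value}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(domains, dom):
    """Return the inclusive (low, high) bounds of a domain's 'range' option."""
    lo, hi = domains[dom]["range"].split("-")
    return int(lo), int(hi)

def lint_idmap(domains, max_default_ids=10000):
    """Checks from the reply: no schema_mode on '*', and a modest '*' range."""
    warnings, default = [], domains.get("*", {})
    if "schema_mode" in default:
        warnings.append("'*': schema_mode belongs to the ad backend and is not used for '*'")
    if "range" in default:
        lo, hi = id_range(domains, "*")
        if hi - lo + 1 > max_default_ids:
            warnings.append(f"'*': range holds {hi - lo + 1} IDs, far more than well-known "
                            "SIDs and foreign-domain users need")
    return warnings

def unmappable(domains, dom, users, domain_users_gid):
    """Accounts the ad backend cannot map: uidNumber (or Domain Users gidNumber) missing or out of range."""
    lo, hi = id_range(domains, dom)
    bad = [u for u, n in users.items() if n is None or not lo <= n <= hi]
    if domain_users_gid is None or not lo <= domain_users_gid <= hi:
        bad.append("Domain Users")
    return bad
```

Any name returned by unmappable() is one winbind will fail to convert to a uid, the symptom the thread's NT_STATUS_NONE_MAPPED lines show.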