[Samba] security = ads, backend = ad parameter not working in samba 4.10.10

Rowland penny rpenny at samba.org
Thu Dec 5 17:45:37 UTC 2019


On 05/12/2019 17:30, Sérgio Basto wrote:
> On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
>> On 05/12/2019 17:00, Sérgio Basto wrote:
>>> On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
>>>> On 05/12/2019 06:16, Sérgio Basto wrote:
>>>>> Sorry, I spoke too soon: getent passwd "a new user to this
>>>>> server" doesn't work.
>>>>> But wbinfo -u or wbinfo -g always worked perfectly in any case,
>>>>> why doesn't getent?
>>>>>
>>>> If 'wbinfo -u' works, 'getent passwd username' doesn't, then it
>>>> points to a lack of, or wrong, rfc2307 attributes (if you are
>>>> using the 'ad' backend).
>>>>
>>>> Any users you want to be visible to Unix, must have a uidNumber
>>>> attribute containing a unique number inside the DOMAIN range set
>>>> in smb.conf. You MUST also give Domain Users a gidNumber
>>>> containing a number inside the same range.
>>> Yes, I use backend = ad. If I configure backend = ad with the
>>> realm [1] (which, as you said, is wrong), every 'getent passwd
>>> username' gives me a new uidNumber or makes a new uidNumber in
>>> sequence [1].
>>> When I configure backend = ad with the workgroup (as you said it
>>> has to be), 'getent passwd username' doesn't produce any new id,
>>> and in /var/log/samba/winbindd.log I see:
>>> Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
>>>
>>>
>>> [1]
>>> idmap config CORP.LOCAL : backend = ad
>>>
>>> [2]
>>> root@repo:~# getent passwd "vmjp01"
>>> vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
>>> root@repo:~# getent passwd "maa001"
>>> maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
>>> root@repo:~# getent passwd "tsdg01"
>>> tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
>>> root@repo:~# getent passwd "rmac01"
>>> rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
>>>
>>>
>>>
>>>> Rowland
>>>>
>>>>
>>>>
>> Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
>> your users and groups in AD ?
> Users in AD were migrated from a SAMBA sernet 4.0.0, I don't know but
> I think not, what do you recommend?
> I can't find ATM the scripts to convert users but I used ldb tools ...

If you do not have any uidNumber and gidNumber attributes in AD, then
the winbind 'ad' backend will not work, try the 'rid' backend instead.

Rowland
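
The checks discussed in this thread, as an added example that is not part of the original messages or of Samba: it parses the `idmap config` lines of an smb.conf fragment and lists the accounts the 'ad' backend would leave invisible to getent. The workgroup name CORP, the ranges, the user entries and all function names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment: workgroup CORP and both ranges are assumptions.
SMB_CONF = """
[global]
    security = ads
    workgroup = CORP
    realm = CORP.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = ad
    idmap config CORP : range = 10000-999999
"""
# Constructed AD entries: only carol has a usable uidNumber.
USERS = [
    {"sAMAccountName": "alice"},
    {"sAMAccountName": "bob", "uidNumber": 500},
    {"sAMAccountName": "carol", "uidNumber": 10022},
]
DOMAIN_USERS = {"cn": "Domain Users"}  # constructed: no gidNumber set

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} from 'idmap config DOMAIN : opt = val' lines."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def in_range(value, rng):
    low, high = (int(x) for x in rng.split("-"))
    return value is not None and low <= value <= high

def audit_ad_backend(conf, domain, users, domain_users):
    """List reasons the 'ad' backend would leave accounts invisible to getent."""
    cfg = parse_idmap(conf).get(domain, {})
    if cfg.get("backend") != "ad" or "range" not in cfg:
        return [f"no 'idmap config {domain} : backend = ad' stanza with a range"]
    problems = []
    for u in users:
        if not in_range(u.get("uidNumber"), cfg["range"]):
            problems.append(f"{u['sAMAccountName']}: uidNumber missing or outside {cfg['range']}")
    if not in_range(domain_users.get("gidNumber"), cfg["range"]):
        problems.append(f"Domain Users: gidNumber missing or outside {cfg['range']}")
    return problems
```

Calling `audit_ad_backend(SMB_CONF, "CORP", USERS, DOMAIN_USERS)` returns one line per account that lacks a usable RFC2307 attribute; a stanza named after the realm instead of the workgroup is reported as missing.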





