[Samba] security = ads, backend = ad parameter not working in samba 4.10.10

Sérgio Basto sergio at serjux.com
Thu Dec 5 17:48:35 UTC 2019


On Thu, 2019-12-05 at 17:30 +0000, Sérgio Basto via samba wrote:
> On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba wrote:
> > On 05/12/2019 17:00, Sérgio Basto wrote:
> > > On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
> > > > On 05/12/2019 06:16, Sérgio Basto wrote:
> > > > > Sorry, I spoke too soon: getent passwd "a new user to this
> > > > > server" doesn't work.
> > > > > But wbinfo -u or wbinfo -g always worked perfectly in any
> > > > > case, so why doesn't getent?
> > > > > 
> > > > If 'wbinfo -u' works, 'getent passwd username' doesn't, then it
> > > > points to a lack of, or wrong, rfc2307 attributes (if you are
> > > > using the 'ad' backend).
> > > > 
> > > > Any users you want to be visible to Unix, must have a uidNumber
> > > > attribute containing a unique number inside the DOMAIN range set
> > > > in smb.conf. You MUST also give Domain Users a gidNumber
> > > > containing a number inside the same range.
> > > Yes, I use backend = ad. If I configure backend = ad with the realm
> > > [1] (which you said is wrong), every 'getent passwd username' gives
> > > me a new uidNumber, or makes a new uidNumber in sequence [1].
> > > When I configure backend = ad with the workgroup (as you said it
> > > has to be), 'getent passwd username' doesn't produce any new id,
> > > and in /var/log/samba/winbindd.log I see:
> > > Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662: NT_STATUS_NO_SUCH_USER
> > > 
> > > 
> > > [1]
> > > idmap config CORP.LOCAL : backend = ad
> > > 
> > > [2]
> > > root@repo:~# getent passwd "vmjp01"
> > > vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> > > root@repo:~# getent passwd "maa001"
> > > maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> > > root@repo:~# getent passwd "tsdg01"
> > > tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> > > root@repo:~# getent passwd "rmac01"
> > > rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
> > > 
> > > 
> > > 
> > > > Rowland
> > > > 
> > > > 
> > > > 
> > Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to
> > your users and groups in AD?
> 
> Users in AD were migrated from a Samba SerNet 4.0.0. I don't know, but
> I think not. What do you recommend?
> I can't find the scripts to convert users ATM, but I used ldb tools
> ...


I did the migration with something like this:

ldbsearch -H /opt/samba/private/sam.ldb -s sub -b dc=old_ad,dc=local '(objectClass=user)' > user-export2.ldif
scp user-export2.ldif to_the_new_machine:

On the new machine:

sed -i 's/DC=old_ad/DC=corp/g; s/old_ad.local/corp.local/g' user-export2.ldif
sed -i bla bla  user-export2.ldif

ldbmodify -H /var/lib/samba/private/sam.ldb --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 user-export2.ldif


> 
> > Rowland
> > 
> > 
> > 
> -- 
> Sérgio M. B.
> 
> 
-- 
Sérgio M. B.
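
Added example (not part of the original message and not Samba project code): a check, following Rowland's description quoted above, that lists which entries in an ldbsearch LDIF export lack a uidNumber or gidNumber inside the idmap range. The sample LDIF, the function names and the 10000-999999 range are constructed assumptions; use the range from your own smb.conf.

```python
import base64
# Constructed sample shaped like ldbsearch output (not data from the thread).
SAMPLE_LDIF = """\
# record 1
dn: CN=vmjp01,CN=Users,DC=corp,DC=local
objectClass: user
sAMAccountName: vmjp01
uidNumber: 10019

dn: CN=maa001,CN=Users,DC=corp,DC=local
objectClass: user
sAMAccountName:: bWFhMDAx

dn: CN=tsdg01,CN=Users,DC=corp,
 DC=local
objectClass: user
sAMAccountName: tsdg01
uidNumber: 1000021

dn: CN=Domain Users,CN=Users,DC=corp,DC=local
objectClass: group
sAMAccountName: Domain Users
"""

def parse_ldif(text):
    """Yield {attr: [values]} per record; handles folded lines and base64 values."""
    text = text.replace("\n ", "")            # unfold continuation lines
    for block in text.split("\n\n"):          # records are separated by blank lines
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                      # skip ldbsearch comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def audit(text, low, high):
    """Map sAMAccountName -> problem for entries lacking an in-range uidNumber/gidNumber."""
    problems = {}
    for e in parse_ldif(text):
        attr = "gidnumber" if "group" in e.get("objectclass", []) else "uidnumber"
        ids = e.get(attr, [])
        if not ids:
            problems[e["samaccountname"][0]] = f"missing {attr}"
        elif not low <= int(ids[0]) <= high:
            problems[e["samaccountname"][0]] = f"{attr} {ids[0]} out of range"
    return problems
```

Calling audit(SAMPLE_LDIF, 10000, 999999) reports maa001 (no uidNumber), tsdg01 (uidNumber outside the range) and Domain Users (no gidNumber).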



