[Samba] Winbind issues with AD member file server

Christian Naumer cn at brain-biotech.de
Tue Jul 9 19:21:02 UTC 2019


In CentOS there is also /etc/pam.d/system-auth (and another file I can't remember) where there is a restriction to only allow uids > 1000. Maybe this is part of your problem?

Regards


On 9 July 2019 19:38:22 MESZ, Eric Shell via samba <samba at lists.samba.org> wrote:
>I am setting up a CentOS 7 system as a file server within an AD domain,
>following the following Red Hat documentation:
>
>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
>
>Here is some information that likely complicates things:
>
>- we have a number of users and groups with sub-1000 uid or gid numbers
>  which can't easily be addressed
>- the system is integrated into an OpenLDAP service, but UNIX attributes
>  are replicated to AD from OpenLDAP so uid and gid values match across
>  all users and groups
>- the system's samba shares are themselves NFS-mounted from a ZFS file
>  server
>
>--------------------------------------------------------------------------------
>
>Thus far I've done the following:
>
>1. installed packages - realmd oddjob-mkhomedir oddjob samba-winbind-clients
>   samba-winbind samba-common-tools samba samba-winbind-krb5-locator
>2. joined the AD domain with "realm join" and the --automatic-id-mapping=no
>   option, as we wish to use uidNumber and gidNumber attributes we've added
>   to users and groups in AD
>3. at this point I attempted to query AD records but couldn't, so I updated
>   /etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc =
>   true" option, which allowed me to kinit successfully but still not see
>   records
>4. I added the following two idmap configuration options to
>   /etc/samba/smb.conf and was then able to retrieve user and group records
>   from AD, but the group members aren't included:
>
>idmap config BSOE : unix_nss_info = yes
>idmap config BSOE : unix_primary_group = yes
>
># getent passwd BSOE\\eshell
>BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash
># getent group "BSOE\\staff-group"
>BSOE\staff-group:x:552:
>
>5. I've found that querying some groups returns no information, perhaps
>because of low gidNumber values (BSOE\staff-group has gidNumber 552):
>
># getent group "BSOE\\staff-group"
>#
>
>6. I tried changing the idmap config range from 500-999999 to 100-999999
>   but it doesn't seem to affect these queries.
>
>--------------------------------------------------------------------------------
>
>Some things appear to be working properly.  I can "su - BSOE\\eshell" and I
>am able to mount and access the NFS directories appropriately.  "id eshell"
>and "id BSOE\\eshell" return the same information.  I can also successfully
>authenticate to samba with my AD account, but then I am told that there are
>no available shares.  I'm guessing that this is related to the NSS group
>issues I'm having.
>
>Why can't I see the members of some groups?  How do I debug this behavior?
>
>Why isn't samba able to mount the NFS shares after a user has authenticated
>when I can do so in a shell by becoming that user on the samba host?
>
>Thanks in advance for any help you can provide.

-- 
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt District Court (AG Darmstadt), HRB 24758
Management Board: Dr. Juergen Eck (Chairman), Manfred Bender,
Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
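An added diagnostic, not from either poster, that checks the ids Eric quotes (uid 3392, gids 325 and 552) against the smb.conf idmap range and the pam_succeed_if uid floor that Christian points to in /etc/pam.d/system-auth. The smb.conf fragment and the PAM lines are constructed samples (the range and domain name BSOE come from Eric's message; the PAM lines are modelled on the CentOS 7 authconfig defaults).

```shell
#!/bin/sh
# Added diagnostic, not from the thread: check ids against the smb.conf idmap
# range and the pam_succeed_if uid floor in /etc/pam.d/system-auth.

# Constructed smb.conf fragment; domain BSOE and range 500-999999 come from
# Eric's message, the other lines are assumptions.
SMB_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config BSOE : backend = ad
   idmap config BSOE : range = 500-999999
   idmap config BSOE : unix_nss_info = yes
   idmap config BSOE : unix_primary_group = yes'

# Constructed sample of the CentOS 7 system-auth lines that gate on uid.
PAM_AUTH='auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
account     sufficient    pam_succeed_if.so uid < 1000 quiet'

# Ids taken from the getent output in the thread: user, primary group, staff group.
SAMPLE_IDS='BSOE\eshell uid 3392
BSOE\eshell gid 325
BSOE\staff-group gid 552'

# idmap_range DOMAIN CONF -> prints "low high" for that domain's idmap range
idmap_range() {
    printf '%s\n' "$2" | sed -n \
        "s/^[[:space:]]*idmap config $1 : range *= *\([0-9]*\) *- *\([0-9]*\).*/\1 \2/p"
}

# pam_uid_floor CONF -> prints N from the first 'auth ... pam_succeed_if.so uid >= N' line
pam_uid_floor() {
    printf '%s\n' "$1" | sed -n 's/^auth.*pam_succeed_if\.so uid >= \([0-9]*\).*/\1/p' | head -n 1
}

# classify ID LOW HIGH FLOOR -> ok | outside-idmap | below-pam-floor
classify() {
    if [ "$1" -lt "$2" ] || [ "$1" -gt "$3" ]; then echo outside-idmap
    elif [ "$1" -lt "$4" ]; then echo below-pam-floor
    else echo ok; fi
}

# report -> one line per sample id with its classification
report() {
    set -- $(idmap_range BSOE "$SMB_CONF") "$(pam_uid_floor "$PAM_AUTH")"
    printf '%s\n' "$SAMPLE_IDS" | while read -r name kind num; do
        printf '%-18s %s %-7s %s\n' "$name" "$kind" "$num" "$(classify "$num" "$1" "$2" "$3")"
    done
}
report
```

On a real host, replace the two constructed strings with `cat /etc/samba/smb.conf` and `cat /etc/pam.d/system-auth`; the PAM floor only affects PAM logins, so an id flagged below-pam-floor can still resolve through getent while failing to log in.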

