[Samba] Samba with AD : SID rejected

Vincent Ducot vincent.ducot at rubycat-labs.com
Fri May 3 10:06:38 UTC 2019


Hi,
Louis, Rowland, thanks for your answers.

@Louis
All packages were installed.
I changed my config file following your advice, but the problem is still here.
I already followed guides from thctlo's github.

@Rowland
Yes, my DNS domain was different, but it also answered to test.lan. It's
now set to 'kdc=dc.foo.lab'.
I have my user vincent with uidNumber 10010 and gidNumber 13010
(corresponding to Domain Users group).


Getting the SID from a name (wbinfo -n) and the name from a SID (wbinfo -s) works.
Commands with a UID involved (wbinfo --sid-to-uid, wbinfo --uid-to-sid)
work for my user vincent but not for the groups.

Could it be a Windows problem? Are there any changes in attributes
between 2016 and 2019? (I use an evaluation version of 2019, not yet a
licensed one.)

Thanks in advance,
Vincent

On 26/04/2019 at 14:29, Rowland Penny via samba wrote:

> On Fri, 26 Apr 2019 10:39:47 +0200
> Vincent Ducot via samba <samba at lists.samba.org> wrote:
>
>> [libdefaults]
>>     default_realm = FOO.LAB
> Now this could be a typo, but you show your REALM as 'FOO.LAB', which
> would mean your dns domain is 'foo.lab'
>
>> [realms]
>>     FOO.LAB = {
>>         kdc = dc.test.lan
>>     }
> But your kdc's dns domain appears to be 'test.lan'
>
>> [global]
>> security = ADS
>> workgroup = FOO
>> realm = FOO.LAB
>> netbios name= share
>>
>> log file = /var/log/samba/%m.log
>> log level = 10
>>
>> preferred master = no
>> domain master = no
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config FOO:backend = ad
>> idmap config FOO:schema_mode = rfc2307
>> idmap config FOO:range = 10000-999999
>> idmap config FOO:unix_nss_info = yes
>> idmap config FOO:unix_primary_group = yes
> For the above to work, any users you want to be Unix users must have
> a uidNumber attribute containing a unique number inside the range set
> for the domain in smb.conf, in this case '10000-999999'.
> You will also need to give Domain users a gidNumber attribute
> containing a number inside the same range.
> Because you have also set 'unix_primary_group = yes', you can also give
> your users a gidNumber attribute containing the ID (gidNumber) of a
> group; this would then override the user's Windows primary group (Domain
> Users), but only when logged into a Unix machine and not when
> connecting to a share.
>  
>
>> winbind nss info = rfc2307
> You no longer use the line above 
>
>> unix password sync = yes
> The line above is no longer required, you cannot have domain users
> in /etc/passwd.
>  
> Rowland
>
>
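As an added example (not code from the thread or from Samba), a small Python check of the rule Rowland states above: with `idmap config FOO:backend = ad`, every user needs a uidNumber and every group a gidNumber inside the FOO range, or winbind cannot map its SID. The smb.conf fragment and the AD objects below are constructed; a group with no gidNumber, or one outside the range, is reported as unmappable, which is the first thing to verify when group SID lookups fail while user lookups work.

```python
import re

# Constructed smb.conf fragment, mirroring the idmap lines quoted in the thread.
SMB_CONF = """
[global]
security = ADS
workgroup = FOO
realm = FOO.LAB
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""

# Constructed AD objects, as an LDAP query for uidNumber/gidNumber might return them.
# 'Domain Users' deliberately lacks a gidNumber; 'legacy' has one outside the FOO range.
AD_OBJECTS = [
    {"name": "vincent", "kind": "user", "uidNumber": 10010, "gidNumber": 13010},
    {"name": "Domain Users", "kind": "group", "gidNumber": None},
    {"name": "devs", "kind": "group", "gidNumber": 13010},
    {"name": "legacy", "kind": "group", "gidNumber": 5000},
]

# Matches both spellings seen in smb.conf: 'idmap config * : range' and 'idmap config FOO:range'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def check_objects(objects, ranges, domain):
    """Return (name, problem) for each object the ad backend could not map for this domain."""
    low, high = ranges[domain]
    problems = []
    for obj in objects:
        attr = "uidNumber" if obj["kind"] == "user" else "gidNumber"
        value = obj.get(attr)
        if value is None:
            problems.append((obj["name"], f"missing {attr}"))
        elif not low <= value <= high:
            problems.append((obj["name"], f"{attr}={value} outside {low}-{high}"))
    return problems


if __name__ == "__main__":
    for name, problem in check_objects(AD_OBJECTS, parse_idmap_ranges(SMB_CONF), "FOO"):
        print(f"{name}: {problem}")
```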
