[Samba] Samba with AD : SID rejected

L.P.H. van Belle belle at bazuin.nl
Fri May 3 11:29:44 UTC 2019


Hai, 

> @Louis
> All packages were installed.
> I changed my config file following your advice, the problem is still here.
> I already followed guides from thctlo's github.

Yes, great, but please get the debug script I use/pointed to on my GitHub.
You can PM it to me if you don't want to show too much, or anonymize it and send it to the list.
PS: Don't anonymize, for example, a DNS domain my.domain.tld to MYDNSDOMAIN, because I need these to be in the same format
(host.dom.tld), or I'm seeing strange things and then it is even harder to debug.

I would start with 2 things. 
krb5.conf, only this, if everything is in the same domain. 

[libdefaults]
    default_realm = YOUR.REALM.HERE 
    dns_lookup_kdc = true
    dns_lookup_realm = false


Did you run
net cache flush
No? Then do it and restart Samba.

This : 
> > Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
> > works. Commands with UID involved (wbinfo --sid-to-uid, wbinfo
> > --uid-to-sid) work for my user vincent but not for the groups.

Does not show how you tested the group.
Try this. 
wbinfo -G 13010

And use the output in 
wbinfo -Y ...Output of above00  

And what's the result? (After the net cache flush and restart.)


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Friday 3 May 2019 13:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba with AD : SID rejected
> 
> On Fri, 3 May 2019 12:06:38 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> 
> > Hi,
> > Louis, Rowland, thanks for your answer.
> > 
> > @Louis
> > All packages were installed.
> > I changed my config file following your advice, the problem is still
> > here. I already followed guides from thctlo's github.
> > 
> > @Rowland
> > Yes, my dns domain was different, but answered also to test.lan. It's
> > now set to 'kdc=dc.foo.lab'
> > I have my user vincent with uidNumber 10010 and gidNumber 13010
> > (corresponding to Domain Users group).
> > 
> > 
> > Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
> > works. Commands with UID involved (wbinfo --sid-to-uid, wbinfo
> > --uid-to-sid) work for my user vincent but not for the groups.
> > 
> > Could it be a Windows problem? Are there any changes in attributes
> > between 2016 and 2019? (I use an evaluation version of 2019, not yet a
> > licence)
> > 
> 
> Whilst I think that there are attribute changes between 2016 & 2019,
> they will have been additions rather than removal. Samba, when using the
> winbind 'ad' on Unix domain members, relies on RFC2307 attributes and
> if you can add them to AD, you shouldn't have a problem.
> 
> I think your problem is more likely to be dns related. I note that
> Louis pointed out that your kdc domain didn't seem to match your Samba
> domain, so are all the machines in the same dns domain ?
> 
> Rowland
> 
> 
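
The group check described in the message above (wbinfo -G on the gidNumber, then wbinfo -Y on the resulting SID), written as a script. This is an added example, not part of the original message or of the Samba project; the function name, the return codes and the WBINFO override variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): round-trip a gidNumber through
# winbind, gid -> SID (wbinfo -G) -> gid (wbinfo -Y), and report where it breaks.
# Run it after "net cache flush" and a Samba restart, as the message suggests.
# WBINFO is an assumed override hook so the check can be pointed at a stub.
WBINFO="${WBINFO:-wbinfo}"

# check_gid_roundtrip GID
# Prints one result line. Return codes (chosen for this example):
#   0 round trip OK, 1 gid->SID failed, 2 SID->gid failed, 3 mismatch, 64 bad input
check_gid_roundtrip() {
    gid="$1"
    case "$gid" in
        ''|*[!0-9]*) echo "ERROR not a numeric gid: '$gid'"; return 64 ;;
    esac

    # Step 1: gid -> SID. Anything that is not a SID counts as a failure.
    sid=$("$WBINFO" -G "$gid" 2>/dev/null) || sid=""
    case "$sid" in
        S-1-*) ;;
        *) echo "FAIL gid=$gid step=gid-to-sid (wbinfo -G returned no SID)"; return 1 ;;
    esac

    # Step 2: SID -> gid, using the output of step 1 as input.
    back=$("$WBINFO" -Y "$sid" 2>/dev/null) || back=""
    if [ -z "$back" ]; then
        echo "FAIL gid=$gid sid=$sid step=sid-to-gid (wbinfo -Y returned nothing)"
        return 2
    fi
    if [ "$back" != "$gid" ]; then
        echo "MISMATCH gid=$gid sid=$sid maps back to gid=$back"
        return 3
    fi
    echo "OK gid=$gid sid=$sid"
}

# When called with gids as arguments, check each and exit with the worst code,
# e.g.: sh check_gid.sh 13010
if [ "$#" -gt 0 ]; then
    worst=0
    for g in "$@"; do
        rc=0
        check_gid_roundtrip "$g" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    exit "$worst"
fi
```

The single result line names the failing step, which is the detail the reply asks to be reported back to the list.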



