[Samba] Samba with AD : SID rejected
L.P.H. van Belle
belle at bazuin.nl
Fri May 3 11:29:44 UTC 2019
Hai,
> @Louis
> All packages were installed.
> I changed my config file following your advice, the problem is still here.
> I already followed guides from thctlo's github.
Yes, great, but please get the debug script I use/pointed to on my github.
You can PM it to me if you don't want to show too much, or anonymize it and send it to the list.
PS. Don't anonymize, for example, a dnsdomain my.domain.tld to MYDNSDOMAIN, because I need these to be in the same format,
host.dom.tld, or I'm seeing strange things and then it is even harder to debug it.
I would start with 2 things.
krb5.conf, only this, if everything is in the same domain.
    [libdefaults]
        default_realm = YOUR.REALM.HERE
        dns_lookup_kdc = true
        dns_lookup_realm = false
Did you run
    net cache flush
No? Then do it and restart samba.
This:
> > Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
> > works. Commands with UID involved (wbinfo --sid-to-uid, wbinfo
> > --uid-to-sid) work for my user vincent but not for the groups.
Does not show how you tested the group.
Try this.
    wbinfo -G 13010
And use the output in
    wbinfo -Y ...Output of above00
And what's the result? (after the net cache flush and restart)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Friday 3 May 2019 13:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba with AD : SID rejected
>
> On Fri, 3 May 2019 12:06:38 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
> > Hi,
> > Louis, Rowland, thanks for your answer.
> >
> > @Louis
> > All packages were installed.
> > I changed my config file following your advice, the problem is still
> > here. I already followed guides from thctlo's github.
> >
> > @Rowland
> > Yes, my dns domain was different, but answered also to test.lan. It's
> > now set to 'kdc=dc.foo.lab'
> > I have my user vincent with uidNumber 10010 and gidNumber 13010
> > (corresponding to Domain Users group).
> >
> >
> > Getting SID from name (wbinfo -n) and name from SID (wbinfo -s)
> > works. Commands with UID involved (wbinfo --sid-to-uid, wbinfo
> > --uid-to-sid) work for my user vincent but not for the groups.
> >
> > Could it be a Windows problem? Are there any changes in attributes
> > between 2016 and 2019 ? (I use evaluation version of 2019, not yet a
> > licence)
> >
>
> Whilst I think that there are attribute changes between 2016 & 2019,
> they will have been additions rather than removal. Samba, when using the
> winbind 'ad' on Unix domain members, relies on RFC2307 attributes and
> if you can add them to AD, you shouldn't have a problem.
>
> I think your problem is more likely to be dns related. I note that
> Louis pointed out that your kdc domain didn't seem to match your Samba
> domain, so are all the machines in the same dns domain?
>
> Rowland
>
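The group check suggested in the reply above (wbinfo -G on the gid, then wbinfo -Y on the SID it returns), written as a round-trip test that reports which direction fails. This is an added example, not part of the original message or of Samba's own tooling; the function name check_gid_roundtrip and the WBINFO override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: round-trip a Unix GID through winbind (gid -> SID -> gid).
# WBINFO is an assumption of this example; it lets the wbinfo binary be
# overridden (for instance with a stub when testing offline).
WBINFO="${WBINFO:-wbinfo}"

# check_gid_roundtrip GID
# Prints one result line and returns:
#   0  gid -> SID -> gid is consistent
#   1  wbinfo -G (gid-to-sid) failed or returned nothing
#   2  wbinfo -Y (sid-to-gid) failed or returned nothing
#   3  the SID maps back to a different gid
#   64 the argument is not a numeric gid
check_gid_roundtrip() {
    gid="$1"
    case "$gid" in
        ''|*[!0-9]*)
            echo "usage: check_gid_roundtrip <numeric gid>" >&2
            return 64 ;;
    esac

    # Step 1: wbinfo -G converts the Unix gid to a SID.
    if ! sid=$("$WBINFO" -G "$gid" 2>/dev/null) || [ -z "$sid" ]; then
        echo "gid $gid: FAIL gid-to-sid (no SID returned)"
        return 1
    fi

    # Step 2: wbinfo -Y converts that SID back to a gid.
    if ! back=$("$WBINFO" -Y "$sid" 2>/dev/null) || [ -z "$back" ]; then
        echo "gid $gid: FAIL sid-to-gid for $sid"
        return 2
    fi

    if [ "$back" != "$gid" ]; then
        echo "gid $gid: MISMATCH $sid maps back to gid $back"
        return 3
    fi
    echo "gid $gid: OK $sid"
    return 0
}
```

Run it as `check_gid_roundtrip 13010` on the domain member after the net cache flush and samba restart, so the result reflects the current idmap configuration and not cached mappings.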