[Samba] Samba with AD : SID rejected

Vincent Ducot vincent.ducot at rubycat-labs.com
Mon May 6 09:47:34 UTC 2019


Le 06/05/2019 à 11:23, Rowland Penny via samba a écrit :
> On Mon, 6 May 2019 10:58:56 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
>> Le 06/05/2019 à 10:46, Rowland Penny via samba a écrit :
>>> On Mon, 6 May 2019 09:08:10 +0200
>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>  
>>>> Hi,
>>>>
>>>> sorry for the mistake, I meant
>>>>
>>>> getent passwd vincent shows nothing and I got in the log file:
>>>>
>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
>>>> FOO\vincent.
>>>>
>>>> 'wbinfo -u | grep vincent' returns vincent, it's the correct
>>>> username.
>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will
>>> know the user, even if the smb.conf appears to be correct.
>>>
>>> You originally posted this:
>>>
>>> idmap config FOO:backend = ad
>>> idmap config FOO:schema_mode = rfc2307
>>> idmap config FOO:range = 10000-999999
>>> idmap config FOO:unix_nss_info = yes
>>> idmap config FOO:unix_primary_group = yes
>>>
>>> So, does 'vincent' have a uidNumber attribute containing a number
>>> inside the range '10000-99999999' AND either a gidnumber attribute
>>> containing the gidNumber of an AD group, or does Domain
>>> Users have a gidNumber attribute? The gidNumber must be inside the
>>> same range.
>>>
>>> Rowland  
>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
>> primaryGroupID 513.
>>
>> 513 corresponds to the group "Domain Users", which has gidNumber
>> 13010
>>
>> Vincent
>>
> OK, can you try something as a test?
>
> Change this:
>
> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 10000-999999
> idmap config FOO:unix_nss_info = yes
> idmap config FOO:unix_primary_group = yes
>
> To this:
>
> idmap config FOO:backend = rid
> idmap config FOO:range = 10000-999999
>
> Restart Samba and run:
>
> net cache flush
>
> Then run:
>
> getent passwd vincent
>
> This will test the connectivity between your Unix domain member and the
> DC.
>
> Don't worry if you get IDs that you don't expect, this is just a test,
> just change everything back after the test.
>
> Rowland
>
getent passwd vincent outputs nothing, and log.winbindd still says "My
domain -- rejecting getpwnam() for FOO\vincent."
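As an added example (not code from the thread or from Samba), the attribute rules Rowland lists for the idmap_ad rfc2307 backend, turned into a checker that parses the posted `idmap config` lines and verifies a user's uidNumber and effective gidNumber against the range; the attribute values are constructed to mirror those posted in the thread, and the `check_user` / `parse_idmap` names are mine. Because the posted values pass every rule, the check rules out an attribute problem rather than explaining the rejection.

```python
"""Check the AD attributes a Samba idmap_ad (rfc2307) domain member needs.
Added example, not code from the thread; attribute values are constructed."""
import re

SMB_CONF = """\
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""

# Constructed attribute sets mirroring the values posted in the thread.
USER = {"sAMAccountName": "vincent", "uidNumber": 10010,
        "gidNumber": 13010, "primaryGroupID": 513}
GROUPS_BY_RID = {513: {"cn": "Domain Users", "gidNumber": 13010}}


def parse_idmap(conf, domain):
    """Return {option: value} for 'idmap config DOMAIN:option = value' lines."""
    pat = re.compile(r"^\s*idmap config %s:(\w+)\s*=\s*(\S+)" % re.escape(domain), re.M | re.I)
    return {k.lower(): v for k, v in pat.findall(conf)}


def check_user(conf, domain, user, groups_by_rid):
    """Return a list of problems; an empty list means the mapping can work."""
    cfg = parse_idmap(conf, domain)
    problems = []
    if cfg.get("backend") != "ad":
        problems.append("backend is %r, not 'ad'" % cfg.get("backend"))
    lo, hi = (int(x) for x in cfg.get("range", "0-0").split("-"))
    uid = user.get("uidNumber")
    if uid is None or not lo <= uid <= hi:
        problems.append("uidNumber %r outside range %d-%d" % (uid, lo, hi))
    # With unix_primary_group = yes idmap_ad takes the primary group from
    # primaryGroupID (RID 513 = Domain Users); otherwise from the user's gidNumber.
    if cfg.get("unix_primary_group", "no").lower() == "yes":
        grp = groups_by_rid.get(user.get("primaryGroupID"), {})
        gid, where = grp.get("gidNumber"), "primary group %r" % grp.get("cn")
    else:
        gid, where = user.get("gidNumber"), "user gidNumber"
    if gid is None or not lo <= gid <= hi:
        problems.append("%s gidNumber %r missing or outside range" % (where, gid))
    return problems


if __name__ == "__main__":
    print(check_user(SMB_CONF, "FOO", USER, GROUPS_BY_RID) or "attributes look fine")
```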