[Samba] Samba with AD : SID rejected

Rowland Penny rpenny at samba.org
Mon May 6 10:06:31 UTC 2019


On Mon, 6 May 2019 11:47:34 +0200
Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:

> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
> > On Mon, 6 May 2019 10:58:56 +0200
> > Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >  
> >> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
> >>> On Mon, 6 May 2019 09:08:10 +0200
> >>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>    
> >>>> Hi,
> >>>>
> >>>> sorry for the mistake, I meant
> >>>>
> >>>> getent passwd vincent shows nothing and I got in the log file:
> >>>>
> >>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> >>>> FOO\vincent.
> >>>>
> >>>> 'wbinfo -u | grep vincent' returns vincent, it's the good
> >>>> username.
> >>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
> >>> will know the user, even if the smb.conf appears to be correct.
> >>>
> >>> You originally posted this:
> >>>
> >>> idmap config FOO:backend = ad
> >>> idmap config FOO:schema_mode = rfc2307
> >>> idmap config FOO:range = 10000-999999
> >>> idmap config FOO:unix_nss_info = yes
> >>> idmap config FOO:unix_primary_group = yes
> >>>
> >>> So, does 'vincent' have a uidNumber attribute containing a number
> >>> inside the range '10000-99999999' AND either a gidnumber attribute
> >>> containing the gidNumber of an AD group, or does Domain
> >>> Users have gidNumber attribute ? The gidNumber must be inside the
> >>> same range.
> >>>
> >>> Rowland    
> >> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> >> primaryGroupID 513.
> >>
> >> 513 corresponds to the group "Domain Users", which has gidNumber
> >> 13010
> >>
> >> Vincent
> >>  
> > OK, can you try something as a test ?
> >
> > Change this:
> >
> > idmap config FOO:backend = ad
> > idmap config FOO:schema_mode = rfc2307
> > idmap config FOO:range = 10000-999999
> > idmap config FOO:unix_nss_info = yes
> > idmap config FOO:unix_primary_group = yes
> >
> > To this:
> >
> > idmap config FOO:backend = rid
> > idmap config FOO:range = 10000-999999
> >
> > Restart Samba and run:
> >
> > net cache flush
> >
> > Then run:
> >
> > getent passwd vincent
> >
> > This will test the connectivity between your Unix domain member and
> > the DC.
> >
> > Don't worry if you get IDs that you don't expect, this is just a
> > test, just change everything back after the test.
> >
> > Rowland
> >  
> getent passwd vincent outputs nothing, and log.winbindd still says "My
> domain -- rejecting getpwnam() for FOO\vincent."
> 

You are getting nothing, even when using the 'rid' backend?

Do you have libpam-winbind, libnss-winbind and libpam-krb5 installed?

Are the passwd & group lines in /etc/nsswitch.conf like this:

passwd:         compat winbind
group:          compat winbind

Rowland
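The checks Rowland walks Vincent through (is the user's uidNumber and gidNumber inside the domain's `idmap config FOO:range`, and do the passwd/group lines in nsswitch.conf hand lookups to winbind) can be scripted so a domain member can be sanity-checked before chasing winbind logs. The script below is an added example and not part of this thread or of Samba; it works on constructed smb.conf and nsswitch.conf fragments that mirror the configuration and values quoted above (domain FOO, uidNumber 10010, gidNumber 13010) rather than reading the live files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): check that the AD user's
# uidNumber/gidNumber fall inside the 'idmap config DOMAIN:range' and that
# nsswitch.conf lists winbind for passwd and group. All inputs below are
# constructed strings standing in for /etc/samba/smb.conf and /etc/nsswitch.conf.

# Constructed smb.conf fragment using the idmap settings quoted in the thread.
SMB_CONF='[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FOO:backend = ad
   idmap config FOO:schema_mode = rfc2307
   idmap config FOO:range = 10000-999999
   idmap config FOO:unix_nss_info = yes
   idmap config FOO:unix_primary_group = yes'

# Constructed nsswitch.conf fragments: the form Rowland asks for, and one
# that never consults winbind (getent would return nothing for AD users).
NSS_OK='passwd:         compat winbind
group:          compat winbind
shadow:         compat'
NSS_BAD='passwd:         compat
group:          compat
shadow:         compat'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" of that domain's idmap range,
# or nothing if no range is configured. DOMAIN is used as a literal name.
idmap_range() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" |
        head -n 1
}

# id_in_range CONF DOMAIN ID -> 0 if ID lies inside the domain's range,
# 1 if outside, 2 if the domain has no range at all.
id_in_range() {
    set -- "$1" "$2" "$3" $(idmap_range "$1" "$2")
    [ -n "$4" ] && [ -n "$5" ] || return 2
    [ "$3" -ge "$4" ] && [ "$3" -le "$5" ]
}

# nss_uses_winbind NSSWITCH DB -> 0 if the "DB:" line lists winbind.
nss_uses_winbind() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|\$)"
}

# member_checks CONF DOMAIN UID GID NSSWITCH -> one PASS/FAIL line per check,
# returns 0 only when every check passes.
member_checks() {
    conf=$1; dom=$2; uid=$3; gid=$4; nss=$5; rc=0
    for chk in "uidNumber $uid" "gidNumber $gid"; do
        set -- $chk
        if id_in_range "$conf" "$dom" "$2"; then
            echo "PASS: $1 $2 is inside idmap config $dom:range ($(idmap_range "$conf" "$dom" | tr ' ' '-'))"
        else
            echo "FAIL: $1 $2 is outside idmap config $dom:range"; rc=1
        fi
    done
    for db in passwd group; do
        if nss_uses_winbind "$nss" "$db"; then
            echo "PASS: nsswitch.conf $db line uses winbind"
        else
            echo "FAIL: nsswitch.conf $db line does not list winbind"; rc=1
        fi
    done
    return $rc
}

echo "== thread's values (uid 10010, gid 13010), nsswitch.conf with winbind =="
member_checks "$SMB_CONF" FOO 10010 13010 "$NSS_OK"
echo "== same values, nsswitch.conf without winbind =="
member_checks "$SMB_CONF" FOO 10010 13010 "$NSS_BAD" || echo "-> getent passwd would return nothing"
```

To run it against a real domain member, replace the constructed strings with `SMB_CONF=$(cat /etc/samba/smb.conf)` and `NSS_OK=$(cat /etc/nsswitch.conf)`, and take the uidNumber/gidNumber from the AD user object; a FAIL on the range checks means winbind will refuse the user even though `wbinfo -u` lists it, which is exactly the "rejecting getpwnam()" symptom in the thread.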