[Samba] Samba with AD : SID rejected

Vincent Ducot vincent.ducot at rubycat-labs.com
Mon May 6 13:33:08 UTC 2019


On 06/05/2019 at 12:06, Rowland Penny via samba wrote:
> On Mon, 6 May 2019 11:47:34 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
>> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
>>> On Mon, 6 May 2019 10:58:56 +0200
>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>  
>>>> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
>>>>> On Mon, 6 May 2019 09:08:10 +0200
>>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>>>    
>>>>>> Hi,
>>>>>>
>>>>>> sorry for the mistake, I meant
>>>>>>
>>>>>> getent passwd vincent shows nothing and I got in the log file:
>>>>>>
>>>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
>>>>>> FOO\vincent.
>>>>>>
>>>>>> 'wbinfo -u | grep vincent' returns vincent, it's the correct
>>>>>> username.
>>>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
>>>>> will know the user, even if the smb.conf appears to be correct.
>>>>>
>>>>> You originally posted this:
>>>>>
>>>>> idmap config FOO:backend = ad
>>>>> idmap config FOO:schema_mode = rfc2307
>>>>> idmap config FOO:range = 10000-999999
>>>>> idmap config FOO:unix_nss_info = yes
>>>>> idmap config FOO:unix_primary_group = yes
>>>>>
>>>>> So, does 'vincent' have a uidNumber attribute containing a number
>>>>> inside the range '10000-99999999' AND either a gidnumber attribute
>>>>> containing the gidNumber of an AD group, or does Domain
>>>>> Users have gidNumber attribute ? The gidNumber must be inside the
>>>>> same range.
>>>>>
>>>>> Rowland    
>>>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
>>>> primaryGroupID 513.
>>>>
>>>> 513 corresponds to the group "Domain Users", which have gidNumber
>>>> 13010
>>>>
>>>> Vincent
>>>>  
>>> OK, can you try something as a test ?
>>>
>>> Change this:
>>>
>>> idmap config FOO:backend = ad
>>> idmap config FOO:schema_mode = rfc2307
>>> idmap config FOO:range = 10000-999999
>>> idmap config FOO:unix_nss_info = yes
>>> idmap config FOO:unix_primary_group = yes
>>>
>>> To this:
>>>
>>> idmap config FOO:backend = rid
>>> idmap config FOO:range = 10000-999999
>>>
>>> Restart Samba and run:
>>>
>>> net cache flush
>>>
>>> Then run:
>>>
>>> getent passwd vincent
>>>
>>> This will test the connectivity between your Unix domain member and
>>> the DC.
>>>
>>> Don't worry if you get ID's that you don't expect, this is just a
>>> test, just change everything back after the test.
>>>
>>> Rowland
>>>  
>> getent passwd vincent outputs nothing, and log.winbindd still says "My
>> domain -- rejecting getpwnam() for FOO\vincent."
>>
> You are getting nothing, even when using the 'rid' backend ?
Exactly.
>
> Do you have libpam-winbind libnss-winbind and libpam-krb5 installed ?
Yes
>
> are the passwd & group lines in /etc/nsswitch.conf like this:
>
> passwd:         compat winbind
> group:          compat winbind

It is compat winbind systemd, as advised by Louis, but the behaviour is
the same.

Vincent

> Rowland
>
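The thread turns on one check Rowland asks for: with the 'ad' idmap backend, the user's uidNumber and the gidNumber of the primary group must both fall inside the 'idmap config DOM:range' on the member server, otherwise winbind has no mapping to hand to NSS and getent returns nothing. The script below is an added example, not code from the thread or from the Samba project; it parses the range out of an smb.conf fragment and tests the IDs against it. The smb.conf text and the ID values (uidNumber 10010, gidNumber 13010) are constructed from what was posted, so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): confirm that an AD
# user's RFC2307 uidNumber and gidNumber sit inside the range winbind's
# 'ad' backend is configured with. IDs outside the range are not mapped,
# and NSS then reports no such user.

# Constructed smb.conf fragment, matching the settings quoted in the thread.
SMB_CONF_SAMPLE='[global]
   workgroup = FOO
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FOO:backend = ad
   idmap config FOO:schema_mode = rfc2307
   idmap config FOO:range = 10000-999999
   idmap config FOO:unix_nss_info = yes
   idmap config FOO:unix_primary_group = yes'

# idmap_range DOMAIN CONF -> prints "LOW HIGH" for that domain's range
# (tolerates optional spaces around the colon, as testparm prints them).
idmap_range() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p" |
        head -n 1
}

# in_range VALUE LOW HIGH -> exit 0 if LOW <= VALUE <= HIGH
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_user DOMAIN UIDNUMBER GIDNUMBER CONF
# Exit 0 when both IDs are inside the domain range (mappable), 1 when one
# of them is outside it, 2 when the domain has no range configured.
# A one-line reason is printed in every case.
check_user() {
    dom=$1; uid=$2; gid=$3; conf=$4
    set -- $(idmap_range "$dom" "$conf")
    if [ $# -ne 2 ]; then
        echo "no 'idmap config $dom:range' found in smb.conf"
        return 2
    fi
    low=$1; high=$2
    if ! in_range "$uid" "$low" "$high"; then
        echo "uidNumber $uid is outside range $low-$high"
        return 1
    fi
    if ! in_range "$gid" "$low" "$high"; then
        echo "gidNumber $gid is outside range $low-$high"
        return 1
    fi
    echo "uidNumber $uid and gidNumber $gid are inside $low-$high"
    return 0
}

# Values from the thread: uidNumber 10010, gidNumber 13010 (Domain Users)
check_user FOO 10010 13010 "$SMB_CONF_SAMPLE"
```

On a real member server, feed it the effective configuration rather than a pasted fragment, e.g. `check_user FOO 10010 13010 "$(testparm -s 2>/dev/null)"`, with the IDs taken from the user's AD object. The range must also be identical on every domain member that shares files, since it is what determines the Unix owner written to disk; a passing check here only says the mapping is possible, so if getent still returns nothing the cause lies elsewhere (the thread's next suspects being the nss/pam packages and nsswitch.conf).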
