[Samba] Samba with AD : SID rejected

Rowland Penny rpenny at samba.org
Mon May 6 14:06:43 UTC 2019


On Mon, 6 May 2019 15:33:08 +0200
Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:

> > On 06/05/2019 at 12:06, Rowland Penny via samba wrote:
> > On Mon, 6 May 2019 11:47:34 +0200
> > Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >  
> >> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
> >>> On Mon, 6 May 2019 10:58:56 +0200
> >>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>    
> >>>> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
> >>>>> On Mon, 6 May 2019 09:08:10 +0200
> >>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>>>      
> >>>>>> Hi,
> >>>>>>
> >>>>>> sorry for the mistake, I meant
> >>>>>>
> >>>>>> getent passwd vincent shows nothing and I got in the log file:
> >>>>>>
> >>>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> >>>>>> FOO\vincent.
> >>>>>>
> >>>>>> 'wbinfo -u | grep vincent' returns vincent, it's the right
> >>>>>> username.
> >>>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
> >>>>> will know the user, even if the smb.conf appears to be correct.
> >>>>>
> >>>>> You originally posted this:
> >>>>>
> >>>>> idmap config FOO:backend = ad
> >>>>> idmap config FOO:schema_mode = rfc2307
> >>>>> idmap config FOO:range = 10000-999999
> >>>>> idmap config FOO:unix_nss_info = yes
> >>>>> idmap config FOO:unix_primary_group = yes
> >>>>>
> >>>>> So, does 'vincent' have a uidNumber attribute containing a
> >>>>> number inside the range '10000-99999999' AND either a gidNumber
> >>>>> attribute containing the gidNumber of an AD group, or does
> >>>>> Domain Users have a gidNumber attribute? The gidNumber must be
> >>>>> inside the same range.
> >>>>>
> >>>>> Rowland      
> >>>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> >>>> primaryGroupID 513.
> >>>>
> >>>> 513 corresponds to the group "Domain Users", which has gidNumber
> >>>> 13010
> >>>>
> >>>> Vincent
> >>>>    
> >>> OK, can you try something as a test?
> >>>
> >>> Change this:
> >>>
> >>> idmap config FOO:backend = ad
> >>> idmap config FOO:schema_mode = rfc2307
> >>> idmap config FOO:range = 10000-999999
> >>> idmap config FOO:unix_nss_info = yes
> >>> idmap config FOO:unix_primary_group = yes
> >>>
> >>> To this:
> >>>
> >>> idmap config FOO:backend = rid
> >>> idmap config FOO:range = 10000-999999
> >>>
> >>> Restart Samba and run:
> >>>
> >>> net cache flush
> >>>
> >>> Then run:
> >>>
> >>> getent passwd vincent
> >>>
> >>> This will test the connectivity between your Unix domain member
> >>> and the DC.
> >>>
> >>> Don't worry if you get ID's that you don't expect, this is just a
> >>> test, just change everything back after the test.
> >>>
> >>> Rowland
> >>>    
> >> getent passwd vincent outputs nothing, and log.winbindd still says
> >> "My domain -- rejecting getpwnam() for FOO\vincent."
> >>  
> > You are getting nothing, even when using the 'rid' backend?
> Exactly
> >
> > Do you have libpam-winbind, libnss-winbind and libpam-krb5
> > installed?
> Yes
> >
> > are the passwd & group lines in /etc/nsswitch.conf like this:
> >
> > passwd:         compat winbind
> > group:          compat winbind  
> 
> It is compat winbind systemd, as advised by Louis, but the behaviour
> is the same.
> 
> Vincent
> 
> > Rowland
> >  

Then I am getting lost; usually the 'rid' backend just works.
You install Samba and set up everything correctly, join the domain and
away you go.

Bear with me whilst I set up Ubuntu 18.04 in a VM and install Samba etc.,
let's see if I have problems.

Rowland
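The two idmap rules discussed in this thread, as an added Python example that is not part of the mailing-list posts: the `ad` backend needs the user's uidNumber and a gidNumber (the user's own, or that of the primary group) inside the configured range, while the `rid` backend derives the Unix ID arithmetically as range low + RID. The smb.conf text and attribute values are constructed from what Vincent and Rowland quoted; the RID-to-group lookup table is an assumption.

```python
import re

# Constructed sample: the idmap lines quoted in the thread, plus the
# attribute values Vincent reported for user 'vincent' and Domain Users.
SMB_CONF = """
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""
USER = {"uidNumber": 10010, "gidNumber": 13010, "primaryGroupID": 513}
GROUPS_BY_RID = {513: {"name": "Domain Users", "gidNumber": 13010}}  # assumed lookup


def parse_idmap(conf, domain):
    """Collect the 'idmap config DOMAIN:key = value' settings for one domain."""
    pat = re.compile(r"^\s*idmap config %s:(\w+)\s*=\s*(.+?)\s*$" % re.escape(domain), re.M)
    return dict(pat.findall(conf))


def id_range(cfg):
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high


def check_ad_user(cfg, user, groups_by_rid):
    """Apply the 'ad' backend rules from the thread. Returns a list of
    problems; an empty list means winbind has what it needs to map the user."""
    low, high = id_range(cfg)
    problems = []
    uid = user.get("uidNumber")
    if uid is None or not low <= uid <= high:
        problems.append("uidNumber %r not in range %d-%d" % (uid, low, high))
    gid = user.get("gidNumber")
    if gid is None:  # fall back to the primary group's gidNumber (primaryGroupID is a RID)
        gid = groups_by_rid.get(user.get("primaryGroupID"), {}).get("gidNumber")
    if gid is None or not low <= gid <= high:
        problems.append("gidNumber %r not in range %d-%d" % (gid, low, high))
    return problems


def rid_backend_id(cfg, rid):
    """The 'rid' backend ignores AD attributes: Unix ID = range low + RID."""
    low, high = id_range(cfg)
    unix_id = low + rid
    if unix_id > high:
        raise ValueError("RID %d maps to %d, outside range %d-%d" % (rid, unix_id, low, high))
    return unix_id
```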
