[Samba] wbinfo work getent passwd does
basti
mailinglist at unix-solution.de
Wed Apr 21 13:10:38 UTC 2021
On 14.04.21 15:24, Rowland penny via samba wrote:
> On 14/04/2021 14:05, basti via samba wrote:
>>
>>
>> yes the uid=100 is seen on AD DC.
>> On a dc in another domain, upgraded from nt4, it looks like:
>> gid=30000(BUILTIN\users) groups=30000(BUILTIN\users)
>
>
> I would suggest you remove that gidNumber from 'dn:
> CN=Users,CN=Builtin,.......'
>
>>
>> sorry, my greylister delayed your message.
>> yes, all users have:
>>
>> - uidNumber
>> - gidNumber
>
>
> Yes, but are they in the range you set in smb.conf for the DOMAIN?
>
>>
>>>
>>> You could try changing these lines:
>>>
>>> idmap config SAMDOM:backend = ad
>>> idmap config SAMDOM:schema_mode = rfc2307
>>> idmap config SAMDOM:range = 7000-20000
>>> For these:
>>>
>>> idmap config SAMDOM:backend = rid
>>> idmap config SAMDOM:range = 7000-20000
>>>
>>> Restart Samba and see if 'getent passwd A_USERNAME' works; replace
>>> A_USERNAME with a valid AD user.
>>
>> for now it works, I do not understand what the problem was before.
>
>
> If it works with the 'rid' backend, then your range for the 'ad' backend
> does not match the uidNumber & gidNumber attributes in AD.
>
> Rowland
>
getent passwd does not work anymore:
wbinfo shows domain users.
[global]
security = ADS
workgroup = NET
realm = NET.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 3
idmap config * : backend = tdb
idmap config * : range = 1000-6999
# idmap config for the NET domain
idmap config NET:backend = ad
idmap config NET:schema_mode = rfc2307
idmap config NET:range = 7000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# https://lists.samba.org/archive/samba/2014-August/184359.html
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = member server
on dc:
dc1:~# getent passwd user1
NET\user1:*:7101:100::/home/NET/user1:/bin/false
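The check Rowland describes (with the 'ad' backend, both uidNumber and gidNumber must lie inside the domain's 'idmap config DOMAIN:range', or winbind will not map the account even though 'wbinfo -u' still lists its name) can be run against a config and a set of accounts before restarting Samba. The script below is an added example, not code from this thread or from the Samba project: it parses the 'idmap config' lines of an smb.conf, reports overlapping ranges, and explains per account why the 'ad' backend would refuse to map it. The smb.conf text is the [global] section quoted above; the accounts are constructed (user1 mirrors the 'getent passwd' line from the DC above, with gidNumber 100; user2 and svc-backup are invented).

```python
"""Audit smb.conf idmap ranges against AD uidNumber/gidNumber attributes.

Added example (not from the Samba list thread or the Samba project).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the [global] idmap lines from the smb.conf in this
# thread, with a comment line included to show that comments are ignored.
SMB_CONF = """
[global]
   security = ADS
   workgroup = NET
   realm = NET.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 1000-6999
   # idmap config for the NET domain
   idmap config NET:backend = ad
   idmap config NET:schema_mode = rfc2307
   idmap config NET:range = 7000-20000
   winbind use default domain = yes
"""

# 'idmap config DOMAIN : option = value'; whitespace around ':' is optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> dict:
    """Return {domain: {option: value}} for every 'idmap config' line.

    Comment lines (# or ;) are skipped. A 'range' value is stored as an
    (lo, hi) tuple of ints; every other value is kept as a string."""
    idmap = {}
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        key = m.group("key").lower()
        val = m.group("val")
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            val = (lo, hi)
        idmap.setdefault(dom, {})[key] = val
    return idmap


def check_ranges(idmap: dict) -> list:
    """Flag inverted ranges and ranges that overlap another domain's range."""
    problems = []
    ranged = [(d, idmap[d]["range"]) for d in sorted(idmap) if "range" in idmap[d]]
    for d, (lo, hi) in ranged:
        if lo > hi:
            problems.append(f"{d}: range {lo}-{hi} is inverted")
    for i, (a, (lo_a, hi_a)) in enumerate(ranged):
        for b, (lo_b, hi_b) in ranged[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"{a} range {lo_a}-{hi_a} overlaps {b} range {lo_b}-{hi_b}")
    return problems


@dataclass
class AdAccount:
    """uidNumber/gidNumber as read from AD (None when the attribute is unset)."""
    name: str
    domain: str
    uid_number: Optional[int]
    gid_number: Optional[int]


# Constructed sample accounts (hypothetical names except user1, which mirrors
# the getent output on the DC: uid 7101, gid 100).
ACCOUNTS = [
    AdAccount("user1", "NET", 7101, 100),
    AdAccount("user2", "NET", 7102, 7000),
    AdAccount("svc-backup", "NET", None, 7000),
]


def check_account(idmap: dict, acct: AdAccount) -> list:
    """Explain why winbind's 'ad' backend would not map this account.

    With 'backend = ad' both uidNumber and gidNumber must be set and lie inside
    the domain's range; 'wbinfo -u' enumerates names without needing that
    mapping, which is why it can list a user that 'getent passwd' omits."""
    cfg = idmap.get(acct.domain.upper())
    if cfg is None or "range" not in cfg:
        return [f"{acct.name}: no idmap range configured for domain {acct.domain}"]
    if cfg.get("backend", "").lower() != "ad":
        return []  # rid/autorid/tdb derive IDs themselves; AD attributes are not consulted
    lo, hi = cfg["range"]
    problems = []
    for attr, value in (("uidNumber", acct.uid_number), ("gidNumber", acct.gid_number)):
        if value is None:
            problems.append(f"{acct.name}: {attr} is not set")
        elif not lo <= value <= hi:
            problems.append(f"{acct.name}: {attr}={value} is outside {acct.domain} range {lo}-{hi}")
    return problems


def audit(conf: str, accounts) -> list:
    """Run the range and per-account checks; returns a list of findings."""
    idmap = parse_idmap(conf)
    findings = check_ranges(idmap)
    for acct in accounts:
        findings.extend(check_account(idmap, acct))
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_CONF, ACCOUNTS):
        print(finding)
```

Run as-is it reports user1's gidNumber 100 as outside the NET range 7000-20000 and svc-backup's missing uidNumber; user2 passes. In a real check, the account list would be filled from 'ldbsearch' or 'samba-tool user show' output on the DC rather than constructed inline.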