[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Alex
samba at abisoft.biz
Wed Dec 22 16:34:20 UTC 2021
Hello Rowland,
Thank you for your prompt reply!
[skip]
>>
>> smb.conf:
>> [global]
>> workgroup = DOMAIN
>> server string = vm-corp
>> netbios name = VM-CORP
>> realm = DOMAIN.BIZ
>> security = ads
>> template shell = /sbin/nologin
> So, your users never log into the server directly, just via Samba.
Most users don't. Some of them that are allowed have a shell defined in the AD (loginShell attribute).
>> idmap config * : backend = tdb
>> idmap config * : range = 16777216-33554431
> Is there some reason for that range ? It will allow you 16777215 users
> & groups for something that requires only about 200.
I think it's a legacy. Don't remember why it's here. I'll try to remove it.
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 400-999999
> Again why the strange range, do you have users & groups with uidNumber
> & gidNumber attributes that low ?
This is also a legacy thing. There're users in the AD with uidNumber starting from 400.
>> idmap config DOMAIN:unix_primary_group = yes
> Do your users have gidNumber attributes.
Yes, they do. This came from MS Services for Unix.
>> idmap config DOMAIN:unix_nss_info = yes
> This is interesting, you only need that if your users have a
> unixHomeDirectory attribute (at least), yet you are not using '[homes]'
> below.
Yes, they do have unixHomeDirectory attribute.
>> winbind use default domain = true
>> winbind offline logon = false
>> winbind enum users = Yes
>> winbind enum groups = Yes
> You do not need the 'enum' lines, it works without them.
There was an issue w/o the enum lines. Unfortunately, I don't remember exactly what it was, probably couldn't retrieve groups from the AD with "getent group" command.
>> [username]
>> comment = username's home
>> path = /home/username
>> read only = No
>> create mode = 0660
>> valid users = username
> As noted above, why are you not using '[homes]' ?
It's b/c most users are prohibited from using this server. So, I allowed homes on this server for just a few of them directly.
>>
>> I tried to create the username_map_script.sh and add the following
>> lines (as mentioned in
>> https://bugzilla.samba.org/show_bug.cgi?id=14901):
>> min domain uid = 500
> Try changing the '500' to '0'
>> username map script = /etc/samba/username_map_script.sh
> Change that to:
> username map script = /etc/samba/user.map
> Create /etc/samba/user.map containing:
> !root = DOMAIN\Administrator
Assuming you meant "username map = /etc/samba/user.map" here. I did that both (changed min uid to 0 and set a user.map file) - still can't log in :(
--
Best regards,
Alexander Kolesnik
More information about the samba
mailing list