[Samba] Problem with Samba as Member to AD

L.P.H. van Belle belle at bazuin.nl
Tue Jul 20 10:52:46 UTC 2021


2 questions:

Did you assign a UID and GID to the users (and "domain users")?
Please read and adjust where needed:
https://wiki.samba.org/index.php/Idmap_config_ad

If that is all correct and you already did set UID/GID,
and if it's available, what is in /etc/idmap.conf?

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mr 
> Typo via samba
> Sent: Tuesday, 20 July 2021 12:36
> To: Rowland Penny
> CC: sambalist
> Subject: Re: [Samba] Problem with Samba as Member to AD
> 
> Hey Rowland,
> 
> I hope you can help me again. I can't find the error. I did install a
> fresh CentOS and used the same config as we discussed last week.
> 
> No sssd and no nscd is configured. I can do a SID to uid lookup, but I
> can't look up uids to SID.
> 
> I hope you can help me again, I have no idea where to look..
> 
> Best regards
> 
> Typo
> 
> [root at sv2-ftp01p ~]# wbinfo -s S-1-1-0
> \Everyone 5
> [root at sv2-ftp01p ~]# wbinfo -s S-1-5-2
> NT Authority\Network 5
> [root at sv2-ftp01p ~]# wbinfo -u | head -5
> administrator
> gast
> krbtgt
> itxadmin
> itxuser
> [root at sv2-ftp01p ~]# wbinfo --ping-dc
> checking the NETLOGON for domain[PFW] dc connection to "sv1-dc01p.pfw.local" succeeded
> [root at sv2-ftp01p ~]# net ads info
> LDAP server: 10.40.130.10
> LDAP server name: sv1-dc01p.pfw.local
> Realm: PFW.LOCAL
> Bind Path: dc=PFW,dc=LOCAL
> LDAP port: 389
> Server time: Tue, 20 Jul 2021 12:14:29 CEST
> KDC server: 10.40.130.10
> Server time offset: 0
> Last machine account password change: Tue, 20 Jul 2021 11:28:26 CEST
> [root at sv2-ftp01p ~]# cat /etc/nsswitch.conf|grep winbi
> passwd:     files winbind systemd
> group:      files winbind systemd
> 
> [root at sv2-ftp01p ~]# id itxadmin
> id: 'itxadmin': no such user
> [root at sv2-ftp01p ~]# getent passwd itxadmin
> [root at sv2-ftp01p ~]# wbinfo -s S-1-5-21-4080695503-475066264-1108356078-1110
> PFW\adadmsar 1
> [root at sv2-ftp01p ~]# id adadmsar
> id: 'adadmsar': no such user
> [root at sv2-ftp01p ~]# wbinfo -i srvadmsar
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> 
> 
> 
> 
> smb.conf
> 
> [global]
>         workgroup = PFW
>         realm = PFW.LOCAL
>         security = ads
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config PFW:backend = ad
>         idmap config PFW:schema_mode = rfc2307
>         idmap config PFW:range = 10000-999999
>         idmap config PFW:unix_nss_info = yes
>         template homedir = /home/%U
>         template shell = /bin/false
>         winbind use default domain = true
>         winbind enum users = yes
>         winbind offline logon = true
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         log level = 9
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
> 
>         winbind refresh tickets = Yes
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
> 
> On Sun, Jul 18, 2021 at 12:27 PM Mr Typo 
> <euroregistrar at gmail.com> wrote:
> >
> > Hey Rowland,
> >
> > thank you for your answers and help. I found another Layer8 problem
> > and now it is working as expected.
> >
> > thank you again!
> >
> > Typo
> >
> > On Sun, Jul 18, 2021 at 12:04 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sun, 2021-07-18 at 11:55 +0200, Mr Typo wrote:
> > > > Yeah reading attributes from ad, like unixHomeDirectory and
> > > > loginShell
> > > >
> > > > When I understand it right, I can use
> > > >         template homedir = /home/%U
> > > >
> > > > for default values and setting the unixHomeDirectory and loginShell
> > > > if I want another value, correct?
> > >
> > > Yes and no :-)
> > >
> > > Yes, you can add them to AD, but no they will not be used unless you
> > > use the winbind ad backend, try reading this:
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > >
> > > and this:
> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > >
> > > >
> > > > Currently I play with the below configuration but I just get the
> > > > template values for every user. Any ideas?
> > > >
> > > >    [global]
> > > >         workgroup = PFW
> > > >         realm = PFW.LOCAL
> > > >         security = ads
> > > >         idmap config * : backend = tdb
> > > >         idmap config * : range = 3000-7999
> > > >         idmap config PFW:backend = ad
> > > >         idmap config PFW:schema_mode = rfc2307
> > > >         idmap config PFW:range = 10000-999999
> > > >         idmap config PFW:unix_nss_info = yes
> > > >         template homedir = /home/%U
> > > >         template shell = /bin/bash
> > > > #        idmap config PFW : backend = rid
> > > > #        idmap config PFW : range = 500-19999999
> > > > #        idmap config PFW : rangesize = 1000000
> > > >         winbind use default domain = true
> > > >         winbind enum users = no
> > > >         winbind offline logon = true
> > > >         log file = /var/log/samba/log.%m
> > > >         max log size = 50
> > > >         log level = 3
> > > >         load printers = no
> > > >         printing = bsd
> > > >         printcap name = /dev/null
> > > >         disable spoolss = yes
> > > >
> > >
> > > That looks okay.
> > >
> > > Rowland
> > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> 
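To make Louis's point concrete (SID-to-name lookups such as wbinfo -s work without any ID mapping, but id and getent only succeed once the user and its primary group, normally "domain users", carry a uidNumber/gidNumber inside the idmap config PFW:range), here is an added Python example that is not part of the thread: it parses the idmap lines from the smb.conf quoted above and checks constructed AD attribute sets against that range. The users, groups and attribute values are constructed, and the backend is assumed to be ad as in the quoted config.

```python
import re

# Constructed excerpt of the idmap lines from the smb.conf quoted in this thread.
SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config PFW:backend = ad
        idmap config PFW:schema_mode = rfc2307
        idmap config PFW:range = 10000-999999
"""
# Accepts both spellings used above: 'idmap config * : range' and 'idmap config PFW:range'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt] = val
    return cfg

def in_range(number, rng):
    lo, hi = (int(x) for x in rng.split("-"))
    return lo <= number <= hi

def check_user(user, groups, idmap, domain="PFW"):
    """List why the 'ad' backend (assumed) could not map this user; [] means 'id <user>' should work."""
    name, rng, reasons = user["sAMAccountName"], idmap[domain]["range"], []
    for attr in ("uidNumber", "gidNumber"):          # both must exist and fit the domain range
        val = user.get(attr)
        if val is None:
            reasons.append(f"{name}: no {attr} set in AD")
        elif not in_range(val, rng):
            reasons.append(f"{name}: {attr} {val} outside idmap range {rng}")
    pg = user.get("primaryGroup", "domain users")   # the group Louis asks about
    if groups.get(pg) is None:
        reasons.append(f"{name}: primary group '{pg}' has no gidNumber")
    return reasons

# Constructed sample data, not taken from the thread.
GROUPS = {"domain users": 10000, "ftp-ops": None}
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10501, "gidNumber": 10000},
    {"sAMAccountName": "bob"},                                           # no rfc2307 attributes
    {"sAMAccountName": "carol", "uidNumber": 5001, "gidNumber": 10000},  # uid below range
    {"sAMAccountName": "dave", "uidNumber": 10502, "gidNumber": 10000, "primaryGroup": "ftp-ops"},
]

def report(users=USERS, groups=GROUPS, conf=SMB_CONF):
    return {u["sAMAccountName"]: check_user(u, groups, parse_idmap(conf)) for u in users}
```

Run against a real domain by replacing the constructed dicts with the uidNumber/gidNumber values read from AD (for example via ldapsearch or the Windows ADUC attribute editor) for the users that id reports as "no such user".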