[Samba] Problem with Samba as Member to AD

Mr Typo euroregistrar at gmail.com
Tue Jul 20 11:39:32 UTC 2021


I would say, reading the documents a 5th time with investing more time helps...

i did now give the domain users group a gidnumber and every linux user
a uidnumber. now it works with the users where i did assign a
uidnumber.

i thought that these IDs are somehow automatically generated if not existent...

thanks again!


On Tue, Jul 20, 2021 at 1:24 PM Mr Typo <euroregistrar at gmail.com> wrote:
>
> Hey Louis,
>
> thank you for pointing this out. The uids are being generated. I
> added another 9 to the higher uid pool.
>
> so i now still have one system where "wbinfo -i" is working and it's
> not on a second system.
>
> btw:  flushed the cache on the "Working" system (net cache flush) and
> now both systems are not working anymore. Looks like i have the same
> error on both systems.
>
> :(
>
> On Tue, Jul 20, 2021 at 1:13 PM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> >
> > So to be sure, all is working correctly now?
> >
> > Because i did see something else..
> >
> > You have  in smb.conf :
> >
> >   idmap config PFW:range = 10000-999999
> >
> > And your output of wbinfo shows:
> > wbinfo -i srvadmsar
> > > srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash
> >
> > 1001626 is better than the max UID/GID you assigned in smb.conf (999999)
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> > > -----Original message-----
> > > From: Mr Typo [mailto:euroregistrar at gmail.com]
> > > Sent: Tuesday, 20 July 2021 13:04
> > > To: L.P.H. van Belle
> > > CC: samba at lists.samba.org
> > > Subject: Re: [Samba] Problem with Samba as Member to AD
> > >
> > > Hello Louis,
> > >
> > > i followed the configuration you posted before and i have a working
> > > system: (same smb.conf)
> > >
> > > [root at smbtest-andi ~]# wbinfo -i srvadmsar
> > > srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash
> > > wbinfo -i itxadmin
> > > itxadmin:*:1001606:1001013::/home/itxadmin:/bin/false
> > >
> > > idmap.conf is default on both systems
> > >
> > > cat /etc/idmapd.conf |egrep -v '(^#|^$)'
> > > [General]
> > > [Mapping]
> > > [Translation]
> > >
> > > [Static]
> > > [UMICH_SCHEMA]
> > > LDAP_server = ldap-server.local.domain.edu
> > > LDAP_base = dc=local,dc=domain,dc=edu
> > >
> > > On Tue, Jul 20, 2021 at 12:53 PM L.P.H. van Belle via samba
> > > <samba at lists.samba.org> wrote:
> > > >
> > > > 2 questions?
> > > >
> > > > Did you assign a UID and GID to the users. ( and "domain users" )
> > > > Please read and adjust where needed :
> > > > https://wiki.samba.org/index.php/Idmap_config_ad
> > > >
> > > > If that is all correct and you already did set UID/GID
> > > > And if it's available, what is in /etc/idmap.conf
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mr Typo via samba
> > > > > Sent: Tuesday, 20 July 2021 12:36
> > > > > To: Rowland Penny
> > > > > CC: sambalist
> > > > > Subject: Re: [Samba] Problem with Samba as Member to AD
> > > > >
> > > > > Hey Rowland,
> > > > >
> > > > > i hope you can help me again. I can't find the error. I did install a
> > > > > fresh centos and used the same config as we discussed last week.
> > > > >
> > > > > no sssd and no nscd is configured. i can do a SID to uid lookup, but i
> > > > > can't lookup uids to SID
> > > > >
> > > > > i hope you can help me again, i have no idea where to look..
> > > > >
> > > > > best regards
> > > > >
> > > > > Typo
> > > > >
> > > > > [root at sv2-ftp01p ~]# wbinfo -s S-1-1-0
> > > > > \Everyone 5
> > > > > [root at sv2-ftp01p ~]# wbinfo -s S-1-5-2
> > > > > NT Authority\Network 5
> > > > > [root at sv2-ftp01p ~]# wbinfo -u | head -5
> > > > > administrator
> > > > > gast
> > > > > krbtgt
> > > > > itxadmin
> > > > > itxuser
> > > > > [root at sv2-ftp01p ~]# wbinfo --ping-dc
> > > > > checking the NETLOGON for domain[PFW] dc connection to
> > > > > "sv1-dc01p.pfw.local" succeeded
> > > > > [root at sv2-ftp01p ~]# net ads info
> > > > > LDAP server: 10.40.130.10
> > > > > LDAP server name: sv1-dc01p.pfw.local
> > > > > Realm: PFW.LOCAL
> > > > > Bind Path: dc=PFW,dc=LOCAL
> > > > > LDAP port: 389
> > > > > Server time: Tue, 20 Jul 2021 12:14:29 CEST
> > > > > KDC server: 10.40.130.10
> > > > > Server time offset: 0
> > > > > Last machine account password change: Tue, 20 Jul 2021 11:28:26 CEST
> > > > > [root at sv2-ftp01p ~]# cat /etc/nsswitch.conf|grep winbi
> > > > > passwd:     files winbind systemd
> > > > > group:      files winbind systemd
> > > > >
> > > > > [root at sv2-ftp01p ~]# id itxadmin
> > > > > id: 'itxadmin': no such user
> > > > > [root at sv2-ftp01p ~]# getent passwd itxadmin
> > > > > [root at sv2-ftp01p ~]# wbinfo -s S-1-5-21-4080695503-475066264-1108356078-1110
> > > > > PFW\adadmsar 1
> > > > > [root at sv2-ftp01p ~]# id adadmsar
> > > > > id: 'adadmsar': no such user
> > > > > [root at sv2-ftp01p ~]# wbinfo -i srvadmsar
> > > > > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > smb.conf
> > > > >
> > > > > [global]
> > > > >         workgroup = PFW
> > > > >         realm = PFW.LOCAL
> > > > >         security = ads
> > > > >         idmap config * : backend = tdb
> > > > >         idmap config * : range = 3000-7999
> > > > >         idmap config PFW:backend = ad
> > > > >         idmap config PFW:schema_mode = rfc2307
> > > > >         idmap config PFW:range = 10000-999999
> > > > >         idmap config PFW:unix_nss_info = yes
> > > > >         template homedir = /home/%U
> > > > >         template shell = /bin/false
> > > > >         winbind use default domain = true
> > > > >         winbind enum users = yes
> > > > >         winbind offline logon = true
> > > > >         log file = /var/log/samba/log.%m
> > > > >         max log size = 50
> > > > >         log level = 9
> > > > >         load printers = no
> > > > >         printing = bsd
> > > > >         printcap name = /dev/null
> > > > >         disable spoolss = yes
> > > > >
> > > > >         winbind refresh tickets = Yes
> > > > >         vfs objects = acl_xattr
> > > > >         map acl inherit = Yes
> > > > >         store dos attributes = Yes
> > > > >         dedicated keytab file = /etc/krb5.keytab
> > > > >         kerberos method = secrets and keytab
> > > > >
> > > > > On Sun, Jul 18, 2021 at 12:27 PM Mr Typo
> > > > > <euroregistrar at gmail.com> wrote:
> > > > > >
> > > > > > Hey Rowland,
> > > > > >
> > > > > > thank you for your answers and help. I found another Layer8 problem
> > > > > > and now it is working as expected.
> > > > > >
> > > > > > thank you again!
> > > > > >
> > > > > > Typo
> > > > > >
> > > > > > On Sun, Jul 18, 2021 at 12:04 PM Rowland Penny via samba
> > > > > > <samba at lists.samba.org> wrote:
> > > > > > >
> > > > > > > On Sun, 2021-07-18 at 11:55 +0200, Mr Typo wrote:
> > > > > > > > Yeah reading attributes from ad, like unixHomeDirectory and
> > > > > > > > loginShell
> > > > > > > >
> > > > > > > > When i understand it right, i can use
> > > > > > > >         template homedir = /home/%U
> > > > > > > >
> > > > > > > > for default values and setting the unixHomeDirectory and loginShell
> > > > > > > > if i want another value, correct?
> > > > > > >
> > > > > > > Yes and no :-)
> > > > > > >
> > > > > > > Yes, you can add them to AD, but no they will not be used unless you
> > > > > > > use the winbind ad backend, try reading this:
> > > > > > >
> > > > > > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > > > > > >
> > > > > > > and this:
> > > > > > > https://wiki.samba.org/index.php/Idmap_config_ad
> > > > > > >
> > > > > > > >
> > > > > > > > currently i play with the below configuration but i just get the
> > > > > > > > template values for every user. Any ideas?
> > > > > > > >
> > > > > > > >    [global]
> > > > > > > >         workgroup = PFW
> > > > > > > >         realm = PFW.LOCAL
> > > > > > > >         security = ads
> > > > > > > >         idmap config * : backend = tdb
> > > > > > > >         idmap config * : range = 3000-7999
> > > > > > > >         idmap config PFW:backend = ad
> > > > > > > >         idmap config PFW:schema_mode = rfc2307
> > > > > > > >         idmap config PFW:range = 10000-999999
> > > > > > > >         idmap config PFW:unix_nss_info = yes
> > > > > > > >         template homedir = /home/%U
> > > > > > > >         template shell = /bin/bash
> > > > > > > > #        idmap config PFW : backend = rid
> > > > > > > > #        idmap config PFW : range = 500-19999999
> > > > > > > > #        idmap config PFW : rangesize = 1000000
> > > > > > > >         winbind use default domain = true
> > > > > > > >         winbind enum users = no
> > > > > > > >         winbind offline logon = true
> > > > > > > >         log file = /var/log/samba/log.%m
> > > > > > > >         max log size = 50
> > > > > > > >         log level = 3
> > > > > > > >         load printers = no
> > > > > > > >         printing = bsd
> > > > > > > >         printcap name = /dev/null
> > > > > > > >         disable spoolss = yes
> > > > > > > >
> > > > > > >
> > > > > > > That looks okay.
> > > > > > >
> > > > > > > Rowland
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > To unsubscribe from this list go to the following URL and read the
> > > > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
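
The range mismatch Louis points out in the thread (uid 1001626 against `idmap config PFW:range = 10000-999999`) can be checked mechanically. This is an added example, not code from the thread or from Samba; the function names are hypothetical, and the sample smb.conf lines and `wbinfo -i` output are copied from the messages above.

```python
import re

# idmap lines as posted in the thread's smb.conf
SMB_CONF = """\
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config PFW:backend = ad
        idmap config PFW:schema_mode = rfc2307
        idmap config PFW:range = 10000-999999
"""
# passwd-format lines as printed by `wbinfo -i` in the thread
PASSWD_LINES = [
    "srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash",
    "itxadmin:*:1001606:1001013::/home/itxadmin:/bin/false",
]
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings do not count
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain.upper(), {})[option.lower()] = value
    return domains

def id_range(domains, domain):
    """Return (low, high) of the configured range for a domain."""
    low, high = domains[domain.upper()]["range"].split("-")
    return int(low), int(high)

def out_of_range(passwd_lines, low, high):
    """List (user, field, id) for every uid/gid outside low..high."""
    problems = []
    for line in passwd_lines:
        name, _pw, uid, gid = line.split(":")[:4]
        for field, value in (("uid", int(uid)), ("gid", int(gid))):
            if not low <= value <= high:
                problems.append((name, field, value))
    return problems

if __name__ == "__main__":
    low, high = id_range(parse_idmap(SMB_CONF), "PFW")
    for name, field, value in out_of_range(PASSWD_LINES, low, high):
        print(f"{name}: {field} {value} is outside {low}-{high}")
```

With the range as posted, both users' uid and the shared gid 1001013 are reported; with the upper bound extended by one more 9 (9999999), nothing is reported.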


