Following the guidance here, https://wiki.samba.org/index.php/Idmap_config_ad, I added idmap lines to my smb.conf file on my Samba 4.7 AD-DC server on Ubuntu 18.04. Samba no longer starts and testparm reports that the idmap ranges for the default * domain and the AD domain are overlapping. Here's my smb.conf file (FWIW, if I don't comment security = ADS, server role is set to Member Server):

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = DC0
        realm = SAMDOM.COM
        server role = active directory domain controller
        workgroup = SAMDOM
# Global parameters from https://wiki.samba.org/index.php/Idmap_config_ad#Advantages_and_Disadvantages_of_the_ad_Back_End
#       security = ADS
        log file = /var/log/samba/%m.log
        log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
        idmap config LAN:backend = ad
        idmap config LAN:schema_mode = rfc2307
        idmap config LAN:range = 10000-999999
        idmap config LAN:unix_nss_info = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[netlogon]
        path = /var/lib/samba/sysvol/lsamdom.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

End of file.

I'm trying to get this working in order to be able to implement a Samba file server joined to the domain, which AD users will access with winbind.

Thanks.
On 16/10/2019 16:06, John Redmond via samba wrote:
> Following the guidance here,
> https://wiki.samba.org/index.php/Idmap_config_ad, I added idmap lines to my
> smb.conf file on my Samba 4.7 AD-DC server on Ubuntu 18.04. Samba no
> longer starts and testparm reports that the idmap ranges for the default *
> domain and the AD domain are overlapping. Here's my smb.conf file (FWIW,
> if I don't comment security = ADS, server role is set to Member Server):
>
I take it you missed this warning near the top of that page:

ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC).

You need to remove ALL these lines, they DO NOT work on a DC:

# Global parameters from https://wiki.samba.org/index.php/Idmap_config_ad#Advantages_and_Disadvantages_of_the_ad_Back_End
#       security = ADS
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
        idmap config LAN:backend = ad
        idmap config LAN:schema_mode = rfc2307
        idmap config LAN:range = 10000-999999
        idmap config LAN:unix_nss_info = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

It sounds like you need to read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Rowland - Thanks. The idmap lines belong in the file-server domain member, not the domain controller, right?

Using ADUC on a Windows 10 machine, do you have any guidance on what GIDs and UIDs (numbers and range) to use in setting the default AD users and groups? In setting the "idmap config * : range= " in the smb.conf file on the file server what range should I use? I assume that is for the Linux/local users on the file server instead of the domain users.

John
On 16/10/2019 20:37, John Redmond via samba wrote:
> Rowland - Thanks. The idmap lines belong in the file-server domain member,
> not the domain controller, right?
Yes, they are perfectly valid on a Unix domain member.
>
> Using ADUC on a Windows 10 machine, do you have any guidance on what GIDs
> and UIDs (numbers and range) to use in setting the default AD users and
> groups? In setting the "idmap config * : range= " in the smb.conf file
> on the file server what range should I use? I assume that is for the
> Linux/local users on the file server instead of the domain users.
>
There are two ranges you need to set, the '*' domain for the Well Known SIDs and the 'DOMAIN' (where 'DOMAIN' is your AD domain) range.

It might help if you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

That explains it without having to type it whole over again ;-)

The only thing to stress is, the only one of the AD Well Known SIDS that must have a Unix ID is the 'Domain Users' group which must have a gidNumber.

Rowland
On 16/10/2019 21:31, John Redmond wrote:
> Thanks, Rowland. Believe it or not, I've pored over these wiki pages
> and ended up confused. I'll have another look/try.
>
OK, re-read the page I pointed you to and make a list of questions and I will try to answer them.

Rowland
On 18/10/2019 15:30, John Redmond wrote:
> Rowland - After re-reading wiki.samba.org/index.php/Idmap_config_ad, I have these
> questions (FYI, the contents of my smb.conf and nsswitch.conf files
> are provided below) :
>
> * Running "sudo getent passwd" on the fileserver, I see the range of
>   local users and groups (non-AD users & groups) is 0 - 65534. So
>   to accommodate the uid and gid range of the local users on the
>   file server, I set "idmap config * : range = 0-99999". Am I
>   interpreting things correctly? (See smb.conf below.)
>
You do not seem to have read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

If you had, you would have realised that 0-999 is reserved for local Unix system users & groups, you then need to leave space for any local users & groups, then there are the Well Known SIDS, finally you have AD users & groups. All of this means that your range isn't really a good one,

> * Using Windows ADUC to manage AD on the DC, I've set 'Domain Users'
>   gidNumber to 100000.
>
I normally use a range starting at '10000' (which is where ADUC normally started from)

> * To manage the access of AD default security groups, I want to give
>   them gidNumbers as well, so I'm going to reserve the bottom end of
>   the SAMDOM idmap range (e.g. < 100100) for those gidNumbers. Is
>   that logic sound?
>
No, most (if not all) of the other default AD users & groups (aka Well Known SIDs) should not be given a uidNumber or gidNumber attribute.

> * Using Windows ADUC, how do I add users to more than one group? Do
>   I list multiple groups in the user's gidNumber field (comma
>   separated?)? Or do I add them via memberUid field of the group
>   (comma separated?)?
>
Neither. I think you are misunderstanding things, when you give a user a uidNumber or give a group a gidNumber, then (provided a Unix domain member is set up correctly) they become Unix users and groups. You just add the user to a Windows group as normal (for Windows), then provided the user has a uidNumber and the group has a gidNumber, everything will just work.

> * Are domain users automagically added to 'Domain Users' when they
>   are created?
>
Yes, all AD users are members of the Domain Users group, even if it doesn't show anywhere in AD.

> * After creating a domain user, I have to use ADUC to set the new
>   user's undefined uidNumber and gidNumber fields. For example
>   uidNumber = 100100 and gidNumber = 100100. Should I also add new
>   users to the Domain Users group (100000)?
>
It really looks like you do not understand AD and Samba. I think you think that you can have a Unix personal group (e.g. the AD user 'fred' could have a personal group called 'fred'), sorry but this isn't allowed. Also, as I said, all users are members of Domain Users.

> * Currently, running "wbinfo -u" and "wbinfo -g" on the file server
>   lists AD users and groups.
>
This only shows that the users & groups exist in AD, this does not mean that they are known to Unix, this is where Samba comes in.

> * However, "sudo getent passwd" and "sudo getent group" finds no
>   domain users or groups. Any ideas what's wrong?
>
Either:

The computer is not joined to the domain.

The Domain Users does not have a gidNumber attribute inside the 'DOMAIN' range you have set in the Unix domain member smb.conf

The user does not have a uidNumber attribute containing a unique number inside the 'DOMAIN' range.

The group does not have a gidNumber attribute containing a unique number inside the 'DOMAIN' range.

> * When I join the fileserver to the domain, why does it come back
>   with the error, "No DNS domain configured for fsvr0. Unable to
>   perform DNS Update.
>   DNS update failed: NT_STATUS_INVALID_PARAMETER"? I can ignore it,
>   right?
>
Offhand, it sounds like a misconfigured /etc/hosts

> FYI, the principal sources of my info and confusion are:
>
> * wiki.samba.org
> * www.tecmint.com/join-ubuntu-to-active-directory-domain-member-samba-winbind/
> * www.server-world.info
> * help.ubuntu.com/lts/serverguide
>
> Thanks again!
>
> John
>
> # /etc/samba/smb.conf
> [global]
>
>    workgroup = SAMDOM
>    password server = dc0.samdom.example.com
Remove the 'password server' line, you should allow Samba to find the best DC
>    realm = SAMDOM.EXAMPLE.COM
>    security = ADS
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    idmap config * : backend = tbd
>    idmap config * : range = 2000-9999
>    idmap config SAMDOM : backend = ad
>    idmap config SAMDOM : schema_mode = rfc2307
>    idmap config SAMDOM : range = 100000-999999
>    idmap_ldb : use rfc2307 = yes
The last line is only used on a DC
>
>    template homedir = /home/samdom.example.com/profiles/%U
Most people would use 'SAMDOM' instead (and this is the default)
>    template shell = /bin/bash
>    winbind refresh tickets = yes
>    winbind use default domain = true
>    winbind offline logon = yes
>    winbind nss info = rfc2307
>    winbind enum users = yes
>    winbind enum groups = yes
The last two lines just slow things down and are not required
>
>    domain master = no
>    local master = no
>    preferred master = no
>    os level = 20
>    map to guest = bad user
>    host msdfs = no
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>    server string = %h server (Samba, Ubuntu)
>    dns proxy = no
>
> # /etc/nsswitch.conf
>
> passwd:         compat systemd winbind
> group:          compat systemd winbind
> shadow:         compat winbind
Wrong, should be:

passwd:         compat winbind systemd
group:          compat winbind systemd
shadow:         compat

Rowland
On 18/10/2019 18:48, John Redmond wrote:
> DNS is another area where I have read and experimented a lot. Result:
> confusion. Again, I'm using fresh installs of Ubuntu 18.04 LTS
> "server" for both the AD-DC and the fileserver machines. Here's what
> the various config files on the fileserver look like now. Test
> results are not exactly what they should be, according to
> wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> I'm not sure if or how DNS is broken.
>
> Thanks for your assistance!
>
> John
>
> # /etc/hosts
>
> 127.0.0.1 localhost localhost.samdom.example.com
> 10.199.251.11 fsvr0 fsvr0.samdom.example.com
> 10.199.251.10 dc0 dc0.samdom.example.com
>
Replace the above with this:

127.0.0.1 localhost
10.199.251.11 fsvr0.samdom.example.com fsvr0

>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> # EOF
>
> # /etc/netplan/01-netconfig.yaml
Ah, netplan, I personally just brute force it by removing it, but you might want to read this instead:

https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt

> network:
>         version: 2
>         ethernets:
>                 eth0:
>                         dhcp4: no
>                         addresses: [10.199.251.11/24]
>                         gateway4: 10.199.251.1
>                         nameservers:
>                                 search: [samdom.example.com]
>                                 addresses: [10.199.251.10]
>
> #EOF
>
> # /run/systemd/resolve/stub-resolv.conf
>
> nameserver 127.0.0.53
> options edns0
> search samdom.example.com workgroup
>
> #EOF
That may or may not work
>
> # /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
>
> network:
>     config: disabled
>
> #EOF
>
> Testing DNS
>
> admin@fsvr0:/$ nslookup dc0.samdom.example.com
> Server:         127.0.0.53
> Address:        127.0.0.53#53
>
> Non-authoritative answer:
> Name: dc0.samdom.example.com
> Address: 10.199.251.10
>
> admin@fsvr0:/$ nslookup 10.199.251.10
> 10.251.199.10.in-addr.arpa      name = dc0.
> 10.251.199.10.in-addr.arpa      name = dc0.samdom.example.com.
>
> Authoritative answers can be found from:
>
> admin@fsvr0:/$ nslookup
> > set type=SRV
> > _ldap._tcp.samdom.example.com.
> Server:         127.0.0.53
> Address:        127.0.0.53#53
>
> Non-authoritative answer:
> _ldap._tcp.lan.lenkin.com service = 0 100 389 dc0.samdom.example.com.
>
> Authoritative answers can be found from:
>
> admin@fsvr0:/$ getent hosts fsvr0
> 10.199.251.11   fsvr0 fsvr0.samdom.example.com
>
Looks like it does ;-)

Rowland
On 18/10/2019 22:54, John Redmond wrote:
> One step forward with respect to the fileserver configs. Good news
> first...
>
> * Netplan: The symlink /etc/resolv.conf to
>   /run/systemd/resolve/stub-resolv.conf was wrong. It now goes to
>   /run/systemd/resolve/resolv.conf. And
>
>   admin@fsvr0:/etc$ nslookup dc0.lan.lenkin.com
>   Server:         10.199.251.10
>   Address:        10.199.251.10#53
>
>   Name: dc0.lan.lenkin.com
>   Address: 10.199.251.10
>
>   So the command result shows the nameserver is now the DC, instead
>   of 127.0.0.53
>
> * I changed the fileserver smb.conf and nsswitch.conf files as per
>   your suggestions. No difference with respect to results of
>   commands "sudo net ads join -U administrator" (join successful,
>   error DNS update failed: NT_STATUS_INVALID_PARAMETER), "getent
>   passwd" and "getent groups" (no domain users or groups listed).
>
OK, let's test the join, run (as root) in a terminal:

net ads join

It should return:

Join is OK

If that passes, change these lines in smb.conf:

    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307

To:

    idmap config SAMDOM : backend = rid
    #idmap config SAMDOM : schema_mode = rfc2307

Run: net cache flush and restart winbind

Do you now get a user's info with 'getent passwd username' and a group's info with 'getent group groupname' ?

If so, repeat the procedure, but put the original lines back, you should get output from the two commands again, but with different IDs. If you do not get any output, you need to check the uidNumber & gidNumber attributes in AD.

Whilst typing this, I began to think 'is he just typing getent passwd', if so, this will not work without the 'winbind enum' lines in smb.conf, that is all they do (apart from slowing things down).

Rowland
On 21/10/2019 14:17, John Redmond wrote:
> I took the weekend off...
>
> This morning, I made the smb.conf change to backend = rid and
> commented schema_mode statement. I also added 'winbind enum' users
> and groups lines. I rebooted and rejoined fileserver to domain
> without error:
>
> admin@fsvr0:~$ sudo net rpc join -U Administrator
> Enter Administrator's password:
> Using short domain name -- SAMDOM
> Joined 'FSVR0' to realm 'samdom.example.com'
>
> Unfortunately, still, no domain users or groups are returned with the
> "getent" command.
If you are using the 'rid' backend then this shouldn't happen.
>
> Checking the uidNumbers and gidNumbers in AD, I have the following
>
> Domain Users group: gidNumber = 10000
> Administrator: uidNumber = 10100
>
Remove the uidNumber from Administrator, it shouldn't have one.
>
> User1 user: uidNumber = 10101
>
> I only have a single domain user added to the domain, the only other
> users and groups are the defaults (including Administrator). And
> smb.conf has "idmap config SAMDOM : range = 10000-19999".
Add a few more users and try 'getent passwd' again.

You should also be aware that the 'rid' backend does not use the uidNumber and gidNumber attributes, it calculates the Unix ID from the object's RID and the lower part of the range set in smb.conf, in your case:

ID = RID + 10000

So for the ONLY user you have at present (Administrator), this would become:

ID = 500 + 10000
ID = 10500

You could be hitting the 'cache' problem, winbind caches everything and will use the cache before anything else (unless it has expired), so try running 'net cache flush' before running 'getent'

Rowland

>
> Thanks.
>
> John
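The two idmap points made in this thread, the testparm complaint about overlapping '*' and DOMAIN ranges and Rowland's ID = RID + 10000 arithmetic for the 'rid' back end, as an added shell example that is not from the thread or from the Samba project: it reads the idmap config lines out of an smb.conf, checks the two ranges against each other and against the 0-999 system range, and derives the rid-backend ID for a SID. The smb.conf fragments are constructed, and only the range check is reproduced, not the rest of what testparm validates.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: read the
# "idmap config" ranges out of an smb.conf, flag overlapping '*' and DOMAIN
# ranges or a range that reaches into the 0-999 system range, and reproduce
# the 'rid' back end's arithmetic ID = RID + low end of the DOMAIN range.

# Print "LOW HIGH" for the idmap range of one domain ('*' or e.g. SAMDOM),
# accepting both "idmap config X : range" and "idmap config X:range".
idmap_range() {  # $1 = smb.conf path, $2 = domain name
  awk -v dom="$2" '
    /^[ \t]*idmap[ \t]+config/ {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      sub(/^[ \t]*idmap[ \t]+config[ \t]*/, "", key)
      c = index(key, ":"); if (c == 0) next
      d = substr(key, 1, c - 1); opt = substr(key, c + 1)
      gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", opt); gsub(/[ \t]/, "", val)
      if (d == dom && opt == "range") { sub(/-/, " ", val); print val; exit }
    }' "$1"
}

# True (exit 0) when [$1,$2] and [$3,$4] share at least one ID.
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# 0 = ranges usable, 1 = overlap, 2 = a range starts below 1000, 3 = missing.
check_idmap() {  # $1 = smb.conf path, $2 = AD domain (workgroup) name
  set -- "$1" "$2" $(idmap_range "$1" '*') $(idmap_range "$1" "$2")
  [ $# -eq 6 ] || { echo "no complete range for '*' and $2"; return 3; }
  if ranges_overlap "$3" "$4" "$5" "$6"; then
    echo "ERROR: '*' range $3-$4 overlaps $2 range $5-$6"; return 1
  elif [ "$3" -lt 1000 ] || [ "$5" -lt 1000 ]; then
    echo "WARNING: a range starts below 1000, reserved for local system accounts"; return 2
  fi
  echo "OK: '*' $3-$4 and $2 $5-$6 are disjoint"
}

# Unix ID the 'rid' back end derives for a SID or bare RID: RID + range low.
# Fails when the result falls outside the range, where winbind maps nothing.
rid_to_id() {  # $1 = smb.conf path, $2 = domain, $3 = SID or RID
  rid=${3##*-}                       # last dash-separated field is the RID
  set -- $(idmap_range "$1" "$2") "$rid"
  [ $# -eq 3 ] && [ $(( $1 + $3 )) -le "$2" ] || return 1
  echo $(( $1 + $3 ))
}

# Constructed smb.conf fragments: a sane member config, an overlap, and the
# "0-99999" default range from earlier in the thread.
write_samples() {  # $1 = directory
  cat > "$1/good.conf" <<'EOF'
[global]
        workgroup = SAMDOM
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-19999
EOF
  cat > "$1/overlap.conf" <<'EOF'
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-12000
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:range = 10000-19999
EOF
  cat > "$1/lowstart.conf" <<'EOF'
[global]
        idmap config * : backend = tdb
        idmap config * : range = 0-99999
        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : range = 100000-999999
EOF
}

# Stand-alone demo over the constructed fragments.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in good overlap lowstart; do
  printf '%s ' "$f.conf:"; check_idmap "$tmp/$f.conf" SAMDOM || true
done
echo "Administrator (RID 500) under rid: $(rid_to_id "$tmp/good.conf" SAMDOM S-1-5-21-1-2-3-500)"
rm -rf "$tmp"
```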
On 21/10/2019 15:35, John Redmond wrote:
> No joy. Join successful, but no domain info with getent after
> flushing net cache. Perhaps there are still some traces of ADS in the
> [global] section of the smb.conf file that are breaking RID? For
> example:
>    security = ADS
>    winbind nss info = rfc2307
>
To join a Unix domain member to AD, you need 'security = ADS', but 'winbind nss info = rfc2307' is only required up to Samba 4.6.0 and then only when using the 'ad' backend.

If you run 'wbinfo -u', this will show all users in AD, but this will not guarantee they are Unix users

If you use the 'rid' backend AND 'winbind enum users = yes' & 'winbind enum groups = yes' are set in smb.conf, then 'getent passwd' & 'getent group' should return all domain users and groups, but only if the join is correct.

Can you check a few things.

Does /etc/resolv.conf point to the AD DC as the first nameserver ?

Is a firewall running ?

Is apparmor or selinux running ?

Do the 'passwd' & 'group' lines in /etc/nsswitch.conf have 'winbind' as the second option ?

You may have already checked these, but please check again.

Please post your current smb.conf.

Rowland
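Rowland's checklist above, together with the nsswitch.conf order and the /etc/hosts line he gave earlier in the thread, as an added shell example that is not from the thread or the Samba project: each check is a function over a file path so it can be run against copies of the member's files. The sample files are constructed from the configs John posted and Rowland's corrections; the hosts check assumes the FQDN-first ordering of Rowland's suggested line.

```shell
#!/bin/sh
# Added example, not from the thread: the prerequisite checks for a Unix
# domain member (first nameserver is the DC, 'winbind' second in the
# passwd/group lines of nsswitch.conf, /etc/hosts mapping the member's FQDN
# to its own address with the FQDN before the short name). Addresses and
# names are the ones used in the thread.

# First 'nameserver' directive of a resolv.conf.
first_nameserver() {  # $1 = resolv.conf path
  awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# 1-based position of 'winbind' among the sources of one nsswitch database;
# prints 0 when it is absent.
nss_winbind_pos() {  # $1 = nsswitch.conf path, $2 = database (passwd|group)
  awk -v db="$2:" '$1 == db && !seen { for (i = 2; i <= NF; i++)
        if ($i == "winbind") pos = i - 1; seen = 1 } END { print pos + 0 }' "$1"
}

# Exit 0 when $2 (the member's FQDN) is the first name on the line for $3
# (its real address); fails for loopback entries or short-name-first lines.
hosts_entry_ok() {  # $1 = hosts path, $2 = FQDN, $3 = expected IP
  awk -v fqdn="$2" -v ip="$3" '$1 !~ /^#/ && $2 == fqdn { ok = ($1 == ip) }
       END { exit (ok ? 0 : 1) }' "$1"
}

# Run all checks; prints one line each and returns the number of failures.
member_check() {  # $1 resolv.conf $2 nsswitch.conf $3 hosts $4 DC IP $5 member FQDN $6 member IP
  fails=0
  ns=$(first_nameserver "$1")
  if [ "$ns" = "$4" ]; then echo "ok   first nameserver is the DC ($ns)"
  else echo "FAIL first nameserver is '$ns', not the DC $4"; fails=$((fails + 1)); fi
  for db in passwd group; do
    pos=$(nss_winbind_pos "$2" "$db")
    if [ "$pos" -eq 2 ]; then echo "ok   $db: winbind is the second source"
    else echo "FAIL $db: winbind at position $pos, expected 2"; fails=$((fails + 1)); fi
  done
  if hosts_entry_ok "$3" "$5" "$6"; then echo "ok   hosts: $6 $5 ..."
  else echo "FAIL hosts: need '$6 $5 <shortname>', FQDN first, not on 127.0.0.1"; fails=$((fails + 1)); fi
  return $fails
}

# Constructed copies of the files posted in the thread (bad) and the
# corrected versions (good).
write_samples() {  # $1 = directory
  printf 'nameserver 127.0.0.53\noptions edns0\nsearch samdom.example.com\n' > "$1/resolv.bad"
  printf 'nameserver 10.199.251.10\nsearch samdom.example.com\n' > "$1/resolv.good"
  printf 'passwd: compat systemd winbind\ngroup:  compat systemd winbind\nshadow: compat winbind\n' > "$1/nss.bad"
  printf 'passwd: compat winbind systemd\ngroup:  compat winbind systemd\nshadow: compat\n' > "$1/nss.good"
  printf '127.0.0.1 localhost localhost.samdom.example.com\n10.199.251.11 fsvr0 fsvr0.samdom.example.com\n' > "$1/hosts.bad"
  printf '127.0.0.1 localhost\n10.199.251.11 fsvr0.samdom.example.com fsvr0\n' > "$1/hosts.good"
}

# Stand-alone demo: the posted files fail all four checks, the corrected ones pass.
tmp=$(mktemp -d)
write_samples "$tmp"
for v in bad good; do
  echo "== $v files =="
  member_check "$tmp/resolv.$v" "$tmp/nss.$v" "$tmp/hosts.$v" \
    10.199.251.10 fsvr0.samdom.example.com 10.199.251.11 || echo "$? check(s) failed"
done
rm -rf "$tmp"
```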
On 21/10/2019 16:41, John Redmond wrote:
>
> > Is apparmor or selinux running ?
>
> "By default, Ubuntu uses AppArmor and not SeLinux." and these two
> systems are default installs of Ubuntu 18.04 server.
>
Yes, I knew that ;-)

But, stranger things have been known ;-)

Everything shouts that it should work, but it doesn't, either put Samba into 'complain' mode (don't ask me, I always do the next thing) or 'apt-get remove apparmor' and reboot.

Rowland
On 21/10/2019 17:34, John Redmond wrote:
> No luck. I have to go out now. I'll put Samba in complain mode and
> try it again later.
>
> How about using sssd instead of winbind? Would that work better/easier?
No, you should not use sssd with winbind (just a thought, you do have winbind, libnss-winbind and libpam-winbind installed, don't you ?) and the winbind 'rid' backend is supposed to be easy to set up (you don't have to add anything to AD).

Rowland
On 21/10/2019 20:05, John Redmond wrote:
> Yes, the latest versions of those packages are installed.
>
> I added these lines to the domain controller smb.conf file:
>         log file = /var/log/samba/%m.log
>         log level = 1 auth:5 winbind:5
>
> And this to the file server smb.conf file:
>         log level = 1 auth:5 winbind:5
>
> When I issue the getent passwd command on the fileserver, these logs
> on the fileserver update :
> tlc-admin@fsvr0:/var/log/samba$ ls -l -t
> total 104
> -rw-r--r-- 1 root root 13998 Oct 21 18:53 log.wb-LAN
> -rw-r--r-- 1 root root  8813 Oct 21 18:53 log.winbindd-idmap
> -rw-r--r-- 1 root root  3718 Oct 21 18:53 log.wb-BUILTIN
> -rw-r--r-- 1 root root 17100 Oct 21 18:53 log.winbindd
>
> The log.winbindd file is the only one showing any "error". Here's a
> snippet of that log.
> [2019/10/21 18:53:43.608298,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>   [ 1894]: request interface version (version = 29)
> [2019/10/21 18:53:43.608491,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>   [ 1894]: request location of privileged pipe
> [2019/10/21 18:53:43.608760,  3] ../source3/winbindd/winbindd_getpwent.c:50(winbindd_getpwent_send)
>   [ 1894]: getpwent
> [2019/10/21 18:55:02.158877,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
>   [ 1896]: request interface version (version = 29)
> [2019/10/21 18:55:02.159075,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
>   [ 1896]: request location of privileged pipe
> [2019/10/21 18:55:02.159345,  3] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>   getgroups root
> [2019/10/21 18:55:02.159477,  5] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
>   Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> None of the logs on the domain controller update in response to the
> getent passwd command on the fileserver.
>
OK, I can now assure you it does work, I know this because I have installed Ubuntu 18.04 server in a VM, set it up as a Samba Unix domain member and got this:

getent passwd rowland
rowland:*:11107:10513::/home/rowland:/bin/bash

Would you like a copy of my notes ?

Rowland
On 21/10/2019 20:22, John Redmond wrote:
> Perhaps my issue is on the domain controller side?
Possibly, but I cannot think where, have a look at my notes and see if that helps, if it doesn't, we will peer very intently at your DC.

Rowland