> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Date: 09.02.2015 16:09

> OK, Does 'getent passwd sktest' show anything ?
>
> I am willing to bet it doesn't.

Your bet is correct, wbinfo -u and wbinfo -g give expected results though.

On 09/02/15 15:36, sk at green.no wrote:
>> From: Rowland Penny <rowlandpenny at googlemail.com>
>> To: samba at lists.samba.org
>> Date: 09.02.2015 16:09
>
>> OK, Does 'getent passwd sktest' show anything ?
>>
>> I am willing to bet it doesn't.
> Your bet is correct, wbinfo -u and wbinfo -g give expected results
> though.

OK, as I thought, your smb.conf is setup to use the winbind 'ad' backend and I am willing to lay another bet with you, you based some of the changes on the samba wiki, if so, did you read what is written under the sample smb.conf ?

Thought not, you need to have the users unix attributes in AD before the 'ad' backend will work and as you are using a windows server, it will also need to have 'IDMU' installed.

If you will only have windows users connecting to your member server, then change

    idmap config GREENREEFERS:backend = ad
    idmap config GREENREEFERS:schema_mode = rfc2307
    idmap config GREENREEFERS:range=10000-99999

To

    idmap config GREENREEFERS:backend = rid
    idmap config GREENREEFERS:range=10000-99999

Rowland

-----samba-bounces at lists.samba.org wrote: -----
>To: samba at lists.samba.org
>From: Rowland Penny
>Sent by: samba-bounces at lists.samba.org
>Date: 02/09/2015 05:12PM
>Subject: Re: [Samba] Domain users can't browse or access shares
>
>OK, as I thought, your smb.conf is setup to use the winbind 'ad'
>backend and I am willing to lay another bet with you, you based some
>of the changes on the samba wiki, if so, did you read what is written
>under the sample smb.conf ?
>
>Thought not, you need to have the users unix attributes in AD before
>the 'ad' backend will work and as you are using a windows server, it
>will also need to have 'IDMU' installed.
>
>If you will only have windows users connecting to your member server,
>then change
>
>    idmap config GREENREEFERS:backend = ad
>    idmap config GREENREEFERS:schema_mode = rfc2307
>    idmap config GREENREEFERS:range=10000-99999
>
>To
>
>    idmap config GREENREEFERS:backend = rid
>    idmap config GREENREEFERS:range=10000-99999

I did the change, restarted samba and it didn't do any changes.

On 09/02/15 19:18, sk at green.no wrote:
> -----samba-bounces at lists.samba.org wrote: -----
>
>> To: samba at lists.samba.org
>> From: Rowland Penny
>> Sent by: samba-bounces at lists.samba.org
>> Date: 02/09/2015 05:12PM
>> Subject: Re: [Samba] Domain users can't browse or access shares
>>
>> OK, as I thought, your smb.conf is setup to use the winbind 'ad'
>> backend and I am willing to lay another bet with you, you based some
>> of the changes on the samba wiki, if so, did you read what is written
>> under the sample smb.conf ?
>>
>> Thought not, you need to have the users unix attributes in AD before
>> the 'ad' backend will work and as you are using a windows server, it
>> will also need to have 'IDMU' installed.
>>
>> If you will only have windows users connecting to your member server,
>> then change
>>
>>     idmap config GREENREEFERS:backend = ad
>>     idmap config GREENREEFERS:schema_mode = rfc2307
>>     idmap config GREENREEFERS:range=10000-99999
>>
>> To
>>
>>     idmap config GREENREEFERS:backend = rid
>>     idmap config GREENREEFERS:range=10000-99999
> I did the change, restarted samba and it didn't do any changes.

OK, make the [global] part of your smb.conf look like this:

    [global]
        netbios name = bgo-nfs01
        workgroup = GREENREEFERS
        security = ADS
        realm = GREENREEFERS.NO
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        server string = %h server
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind trusted domains only = no
        winbind nested groups = yes
        winbind refresh tickets = Yes
        winbind nss info = rfc2307
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config GREENREEFERS:backend = rid
        idmap config GREENREEFERS:range=10000-99999
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        preferred master = no
        local master = no
        template homedir = /dev/null
        template shell = /bin/true
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        interfaces = eth1 lo
        bind interfaces only = yes
        log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
        panic action = /usr/share/samba/panic-action %d
        valid users = @"GREENREEFERS\grr"
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Check that /etc/krb5.conf exists and looks like this:

    [libdefaults]
        default_realm = GREENREEFERS.NO
        dns_lookup_realm = false
        dns_lookup_kdc = true

Check that /etc/resolv.conf points to your AD DC (first on list)

Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'

Rowland
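
Added example, not part of the original thread or of Samba: a small Python preflight for two of the checks discussed above, the `idmap config` backend in smb.conf and the `winbind` entries in nsswitch.conf. The function names are hypothetical and the sample text is constructed from the settings quoted in the thread; the range-overlap check goes beyond the thread and assumes Samba's requirement that idmap ranges of different domains do not overlap.

```python
import re

# Matches smb.conf lines such as "idmap config GREENREEFERS:backend = ad".
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range|schema_mode)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val.lower()
    return domains

def check_idmap(domains):
    """Flag the 'ad' backend prerequisite and overlapping ID ranges."""
    findings, ranges = [], {}
    for dom, opts in sorted(domains.items()):
        if opts.get("backend") == "ad":
            findings.append(f"{dom}: backend 'ad' needs the users' unix attributes in AD")
        if "range" in opts:
            low, high = (int(n) for n in opts["range"].split("-"))
            for other, (olow, ohigh) in ranges.items():
                if low <= ohigh and olow <= high:
                    findings.append(f"{dom}: range overlaps {other}")
            ranges[dom] = (low, high)
    return findings

def nss_missing_winbind(nsswitch):
    """Return which of passwd/group lack 'winbind' in nsswitch.conf."""
    missing = []
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}\s*:([^#\n]*)", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            missing.append(db)
    return missing

# Constructed sample input, based on the settings quoted in the thread.
COMMON = "idmap config *:backend = tdb\nidmap config *:range = 2000-9999\n"
BEFORE = COMMON + ("idmap config GREENREEFERS:backend = ad\n"
                   "idmap config GREENREEFERS:schema_mode = rfc2307\n"
                   "idmap config GREENREEFERS:range=10000-99999\n")
AFTER = COMMON + ("idmap config GREENREEFERS:backend = rid\n"
                  "idmap config GREENREEFERS:range=10000-99999\n")
NSS = "passwd: compat\ngroup: compat winbind\n"  # constructed nsswitch.conf excerpt

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, check_idmap(parse_idmap(conf)))
    print("nsswitch missing winbind:", nss_missing_winbind(NSS))
```

An empty findings list only means the configuration passes these static checks; `getent passwd <user>` on the member server remains the test that name resolution actually works.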