You are using idmap module rid for your domain. I think getent passwd could not resolve anything because of your id range. I would try a range of 1000 (one thousand)-99999 and see what happens.

New users in AD start with a rid of 1000. Well-known users like administrator got their rid starting in the 500 range.

You should think of using rfc2307.

Regards
Tim

On 12 February 2015 10:51:47 CET, sk at green.no wrote:
>samba-bounces at lists.samba.org wrote on 09.02.2015 20:52:43:
>
>> OK, make the [global] part of your smb.conf look like this:
>>
>> [global]
>>     netbios name = bgo-nfs01
>>     workgroup = GREENREEFERS
>>     security = ADS
>>     realm = GREENREEFERS.NO
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     server string = %h server
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind use default domain = yes
>>     winbind trusted domains only = no
>>     winbind nested groups = yes
>>     winbind refresh tickets = Yes
>>     winbind nss info = rfc2307
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000-9999
>>     idmap config GREENREEFERS:backend = rid
>>     idmap config GREENREEFERS:range=10000-99999
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>     preferred master = no
>>     local master = no
>>     template homedir = /dev/null
>>     template shell = /bin/true
>>     syslog = 0
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     dns proxy = No
>>     interfaces = eth1 lo
>>     bind interfaces only = yes
>>     log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
>>     panic action = /usr/share/samba/panic-action %d
>>     valid users = @"GREENREEFERS\grr"
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>> Check that /etc/krb5.conf exists and looks like this:
>>
>> [libdefaults]
>>     default_realm = GREENREEFERS.NO
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> Check that /etc/resolv.conf points to your AD DC (first on list)
>>
>> Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'
>
>Hi, sorry for late answer.
>
>I did change the [global], and pasted smb.cfg here: http://pastebin.com/WRNCKu42
>I changed the krb5.conf file and pasted it here: http://pastebin.com/JqSavqD1
>nsswitch.conf is unchanged, pasted here: http://pastebin.com/bW3HcKKN
>resolv.conf has been correct all the time, I have verified now as well.
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba

On 14/02/15 07:36, Tim wrote:
> You are using idmap module rid for your domain. I think getent passwd could not resolve anything because of your id range. I would try a range of 1000 (one thousand)-99999 and see what happens.
> New users in AD start with a rid of 1000. Well-known users like administrator got their rid starting in the 500 range.
>
> You should think of using rfc2307.

He was using the 'ad' backend and was getting nothing, so I advised him to change to the 'rid' backend.

Samba, when using the 'rid' backend, calculates the user's ID this way:

ID = RID - BASE_RID + LOW_RANGE_ID

which from his setup is:

ID = RID - 0 + 10000

So if a user has a RID of 1000

ID = 1000 - 0 + 10000

ID = 11000

What I would try now is to add a couple of 9's to the high range and see if this then shows any users, i.e. change 'range=10000-99999' to 'range=10000-9999999'

It might just be that *all* his users have RIDs higher than 99999 and if this is so, samba will never show them.

Rowland

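
Added example (not part of Rowland's post and not Samba's own code): the formula above applied to the idmap ranges from the quoted smb.conf, showing which RIDs fall outside a range and the highest RID a given range can hold. The function names and the sample RIDs are assumptions made for this illustration.

```python
import re

# Constructed sample: the idmap lines from the [global] section quoted in this thread.
SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config GREENREEFERS:backend = rid
idmap config GREENREEFERS:range=10000-99999
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config DOMAIN:range' line."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result is outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def max_rid(low, high, base_rid=0):
    """Largest RID whose computed ID still fits under the high end of the range."""
    return high - low + base_rid

def report(rids, low, high):
    """Map each RID; a value of None marks an account that gets no Unix ID."""
    return {rid: rid_to_id(rid, low, high) for rid in rids}

if __name__ == "__main__":
    low, high = parse_ranges(SMB_CONF)["GREENREEFERS"]
    sample_rids = [500, 1000, 1105, 89999, 90000, 150000]  # constructed RIDs
    # Compare the range as posted with the same range after appending one 9.
    for label, hi in (("range as posted", high), ("one more 9", high * 10 + 9)):
        print(f"{label}: {low}-{hi}, highest usable RID {max_rid(low, hi)}")
        for rid, uid in report(sample_rids, low, hi).items():
            print(f"  RID {rid:>6} -> {uid if uid is not None else 'not mapped'}")
```
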
Hi Rowland,

I haven't seen a base_rid parameter in his smb.cfg. That's why I advised to correct the value down to 1000 just to give it a try.

I also had the problem of not getting any users with getent passwd with ad backend until I realized that all users must have a rfc2307 uid and must have a primary group in ad which also has a rfc2307 gid. The last thing is what I missed.

Example:
Domain Users has got a gid of 10000 in ADUC Unix tab. The users also have a uid set in Unix tab and have primary group set to domain users.

The ad backend only serves these users where these two things are set to getent passwd.

Regards
Tim

On 14 February 2015 10:41:11 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 14/02/15 07:36, Tim wrote:
>> You are using idmap module rid for your domain. I think getent passwd could not resolve anything because of your id range. I would try a range of 1000 (one thousand)-99999 and see what happens.
>> New users in AD start with a rid of 1000. Well-known users like administrator got their rid starting in the 500 range.
>>
>> You should think of using rfc2307.
>
>He was using the 'ad' backend and was getting nothing, so I advised him to change to the 'rid' backend.
>
>Samba, when using the 'rid' backend, calculates the user's ID this way:
>
>ID = RID - BASE_RID + LOW_RANGE_ID
>
>which from his setup is:
>
>ID = RID - 0 + 10000
>
>So if a user has a RID of 1000
>
>ID = 1000 - 0 + 10000
>
>ID = 11000
>
>What I would try now is to add a couple of 9's to the high range and see if this then shows any users, i.e. change 'range=10000-99999' to 'range=10000-9999999'
>
>It might just be that *all* his users have RIDs higher than 99999 and if this is so, samba will never show them.
>
>Rowland

samba-bounces at lists.samba.org wrote on 02/14/2015 10:41:11 AM:

> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Date: 02/14/2015 10:41 AM
>
> On 14/02/15 07:36, Tim wrote:
> > You are using idmap module rid for your domain. I think getent passwd could not resolve anything because of your id range. I would try a range of 1000 (one thousand)-99999 and see what happens.
> > New users in AD start with a rid of 1000. Well-known users like administrator got their rid starting in the 500 range.
> >
> > You should think of using rfc2307.
>
> He was using the 'ad' backend and was getting nothing, so I advised him to change to the 'rid' backend.
>
> Samba, when using the 'rid' backend, calculates the user's ID this way:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> which from his setup is:
>
> ID = RID - 0 + 10000
>
> So if a user has a RID of 1000
>
> ID = 1000 - 0 + 10000
>
> ID = 11000
>
> What I would try now is to add a couple of 9's to the high range and see if this then shows any users, i.e. change 'range=10000-99999' to 'range=10000-9999999'
>
> It might just be that *all* his users have RIDs higher than 99999 and if this is so, samba will never show them.

I added a 9 to the ID range of GREENREEFERS and now smbclient gives me what I would expect.

Thank you very much for your help Rowland!
I just need to figure out how to narrow access to shares.