Markert, Martin
2015-Feb-27 14:28 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 27/02/15 14:04, Markert, Martin wrote:
>> Hi,
>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind separator = +
>> winbind offline logon = false
>> idmap config *:backend = rid
>> idmap config *:range = 50000-99999
>> idmap config *:schema_mode = rfc2307
>>
>> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind separator = +
>> winbind offline logon = false
>> idmap config ARRI:backend = ad
>> idmap config ARRI:range = 1000-999999
>> idmap config ARRI:schema_mode = rfc2307
>>
>> [root at supermdc ~]# id schafha
>> uid=4294967295 gid=4294967295 groups=4294967295
>>
>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>
>> [root at supermdc ~]# id schafha
>> id: markert1: No such user
>>
>> Setup:
>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>
>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>>
>> Kind regards,
>> Martin
>>
>> Martin Markert
>> Systems Integrator
>
> OK, try this:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config ARRI : backend = ad
> idmap config ARRI : schema_mode = rfc2307
> idmap config ARRI : range = 10000-99999

Thank you for your answer, Rowland.
I've changed the configuration but it doesn't help:

[root at supermdc ~]# id schafha
id: schafha: No such user

[root at supermdc ~]# winbindd -i -d9
...
accepted socket 21
[19077]: request interface version
[19077]: request location of privileged pipe
accepted socket 23
closing socket 21, client exited
getpwnam schafha
Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
closing socket 23, client exited

> also are you using sssd on the AD member ?

No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.

Martin
Rowland Penny
2015-Feb-27 14:48 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27/02/15 14:28, Markert, Martin wrote:
> Thank you for your answer, Rowland.
> I've changed the configuration but it doesn't help:
>
> [root at supermdc ~]# id schafha
> id: schafha: No such user
>
> [root at supermdc ~]# winbindd -i -d9
> ...
> accepted socket 21
> [19077]: request interface version
> [19077]: request location of privileged pipe
> accepted socket 23
> closing socket 21, client exited
> getpwnam schafha
> Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
> closing socket 23, client exited
>
>> also are you using sssd on the AD member ?
> No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
>
> Martin

Does 'getent passwd schafha' show anything ?

Has 'Domain Users' got a 'gidNumber' ?

Rowland
Markert, Martin
2015-Feb-27 14:59 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27.02.2015 at 15:48, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> Does 'getent passwd schafha' show anything ?

No, it shows nothing.

idmap_ad:
[root at supermdc ~]# getent passwd schafha
[root at supermdc ~]# getent passwd schafha

idmap_rid:
[root at supermdc ~]# getent passwd schafha
schafha:*:15934:10513:Schafhauser, Florian:/home/ARRI/schafha:/bin/false

> has 'Domain Users' got a 'gidNumber' ?

No, it does not have a gidNumber.
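
Added example, not part of the thread and not Samba code: a small Python check of the `idmap config` lines discussed above against ID numbers read from AD. It relies on the documented constraints that idmap ranges must not overlap and that the read-only `ad` backend maps only objects whose uidNumber/gidNumber is set and lies inside the domain's range. The names `parse_idmap`, `id_range` and `check` are hypothetical, and the ID values are typed in by hand from the messages.

```python
import re

# Constructed input: the idmap lines suggested in the thread.
SAMPLE_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""
# Constructed from the thread: schafha has uidNumber 10000, 'Domain Users' has no gidNumber.
SAMPLE_IDS = {"schafha": ("ARRI", 10000), "Domain Users": ("ARRI", None)}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} from 'idmap config DOMAIN : option = value' lines."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(opts):
    lo, hi = (int(x) for x in opts["range"].split("-"))
    return lo, hi

def check(conf_text, ids):
    """ids maps name -> (domain, uidNumber/gidNumber read from AD, or None if unset)."""
    doms, findings = parse_idmap(conf_text), []
    if "*" not in doms:
        findings.append("no default ('*') idmap domain configured")
    ranged = [(d, *id_range(o)) for d, o in doms.items() if "range" in o]
    for i, (d1, lo1, hi1) in enumerate(ranged):
        for d2, lo2, hi2 in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"ranges of {d1} and {d2} overlap")
    for name, (dom, num) in ids.items():
        opts = doms.get(dom.upper(), {})
        if opts.get("backend") != "ad" or "range" not in opts:
            continue  # only the read-only 'ad' backend depends on AD attributes
        lo, hi = id_range(opts)
        if num is None:
            findings.append(f"{name}: no uidNumber/gidNumber set in AD")
        elif not lo <= num <= hi:
            findings.append(f"{name}: {num} outside {dom} range {lo}-{hi}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONF, SAMPLE_IDS)))
```
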