This is a common thread and I'm wondering where the answer is.. I can see
this theme posted many times -- recently here
https://lists.samba.org/archive/samba/2015-May/191483.html and for which I
was not able to find a solution

The situation is this..
Samba 4.2 compiled from source on ubuntu 14. server.

Samba 4.2 AD DC is working great in sliced server.

the samba member server joined fine. wbinfo -u on the member server lists
domain users. wbinfo -g lists domain groups.

So far, great following this great how to at
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Thanks
Roland...

now the rub..
id DomainUser -- no such user
getent passwd lists local users, not domain users

ok -- googling about this happens.. following this thread
http://www.spinics.net/lists/samba/msg125293.html doesn't apply -- because
nmbd starts fine.

So, I'm hoping for some suggestions here.. Below is smb.conf and
nsswitch.conf


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


# ### smb.conf
# [global]

netbios name = tcpm-srv1
workgroup = IN
security = ADS
realm = IN.TRANSCITYPM.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IN:backend = ad
idmap config IN:schema_mode = rfc2307
idmap config IN:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

bind interfaces only = yes
interfaces = em1
log level = 5
log file = /usr/local/samba/var/log.%m

[share1]
path = /home/fileserv1/share1
read only = no


any ideas???

--
David Bear
mobile: (602) 903-6476

On Thu, Oct 15, 2015 at 04:00:43PM -0700, David Bear wrote:
> This is a common thread and I'm wondering where the answer is.. I can see
> this theme posted many times -- recently here
> https://lists.samba.org/archive/samba/2015-May/191483.html and for which I
> was not able to find a solution
>
> The situation is this..
> Samba 4.2 compiled from source on ubuntu 14. server.
>
> Samba 4.2 AD DC is working great in sliced server.
>
> the samba member server joined fine. wbinfo -u on the member server lists
> domain users. wbinfo -g lists domain groups.
>
> So far, great following this great how to at
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Thanks
> Roland...
>
> now the rub..
> id DomainUser -- no such user
> getent passwd lists local users, not domain users
>
> ok -- googling about this happens.. following this thread
> http://www.spinics.net/lists/samba/msg125293.html doesn't apply -- because
> nmbd starts fine.

Debug level 10 info from winbindd should help track this problem down.

I think you forgot to assign rfc2307 attributes.
Does the tested user have a UID and GID?

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of David Bear
> Sent: Friday 16 October 2015 1:01
> To: samba
> Subject: [Samba] wbinfo works, id and getent don't
>
> This is a common thread and I'm wondering where the answer is.. I can see
> this theme posted many times -- recently here
> https://lists.samba.org/archive/samba/2015-May/191483.html and for which I
> was not able to find a solution
>
> The situation is this..
> Samba 4.2 compiled from source on ubuntu 14. server.
>
> Samba 4.2 AD DC is working great in sliced server.
>
> the samba member server joined fine. wbinfo -u on the member server lists
> domain users. wbinfo -g lists domain groups.
>
> So far, great following this great how to at
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Thanks
> Roland...
>
> now the rub..
> id DomainUser -- no such user
> getent passwd lists local users, not domain users
>
> ok -- googling about this happens.. following this thread
> http://www.spinics.net/lists/samba/msg125293.html doesn't apply -- because
> nmbd starts fine.
>
> So, I'm hoping for some suggestions here.. Below is smb.conf and
> nsswitch.conf
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> # ### smb.conf
> # [global]
>
> netbios name = tcpm-srv1
> workgroup = IN
> security = ADS
> realm = IN.TRANSCITYPM.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config IN:backend = ad
> idmap config IN:schema_mode = rfc2307
> idmap config IN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> bind interfaces only = yes
> interfaces = em1
> log level = 5
> log file = /usr/local/samba/var/log.%m
>
> [share1]
> path = /home/fileserv1/share1
> read only = no
>
>
> any ideas???
>
> --
> David Bear
> mobile: (602) 903-6476

On 16/10/15 00:00, David Bear wrote:
> This is a common thread and I'm wondering where the answer is.. I can see
> this theme posted many times -- recently here
> https://lists.samba.org/archive/samba/2015-May/191483.html and for which I
> was not able to find a solution
>
> The situation is this..
> Samba 4.2 compiled from source on ubuntu 14. server.
>
> Samba 4.2 AD DC is working great in sliced server.
>
> the samba member server joined fine. wbinfo -u on the member server lists
> domain users. wbinfo -g lists domain groups.
>
> So far, great following this great how to at
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Thanks
> Roland...
>
> now the rub..
> id DomainUser -- no such user
> getent passwd lists local users, not domain users
>
> ok -- googling about this happens.. following this thread
> http://www.spinics.net/lists/samba/msg125293.html doesn't apply -- because
> nmbd starts fine.
>
> So, I'm hoping for some suggestions here.. Below is smb.conf and
> nsswitch.conf
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> # ### smb.conf
> # [global]
>
> netbios name = tcpm-srv1
> workgroup = IN
> security = ADS
> realm = IN.TRANSCITYPM.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config IN:backend = ad
> idmap config IN:schema_mode = rfc2307
> idmap config IN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> bind interfaces only = yes
> interfaces = em1
> log level = 5
> log file = /usr/local/samba/var/log.%m
>
> [share1]
> path = /home/fileserv1/share1
> read only = no
>
>
> any ideas???
>

Hi, do your users have a uidNumber attribute containing a unique number
between 10000 to 999999 ?
Also, does 'Domain Users' have a gidNumber, again inside the 10000-99999
range ?

These attributes *do not* exist as standard, you have to create them
manually, either using the ADUC Unix Attributes tab or by directly editing
AD, you cannot do this with samba-tool.

I did come up with a set of patches to make samba-tool work just like
ADUC, but they were rejected because I was using deterministic numbers (I
used 10000 as a start point, just like ADUC) and there was some talk of a
better way of doing it, but then, as far as I can see, there has been talk
of a better way of doing it since before samba 4 was released.

Rowland

On Fri, 16 Oct 2015, Rowland Penny wrote:
> Hi, do your users have a uidNumber attribute containing a unique number
> between 10000 to 999999 ?
> Also, does 'Domain Users' have a gidNumber, again inside the 10000-99999
> range ?
>
> These attributes *do not* exist as standard, you have to create them
> manually, either using the ADUC Unix Attributes tab or by directly editing
> AD, you cannot do this with samba-tool.

You are correct about groups. The samba-tool group add command has no
provision to specify a gid. The only way to give a group a gid is by
modifying the LDAP entry with ADUC or ldbmodify/ldbedit or the like.

However, while you also can't do this for existing users with samba-tool,
you can do it for new users (once you have your groups set up):

    samba-tool user create jsmith --uid-number=10000 --gid-number=10000

See "samba-tool user create --help" for all the options.

Note that samba-tool will not prevent you from assigning the same UID to
two users, you must make sure the UIDs are unique yourself. Wouldn't be too
hard to write a wrapper script that does a getent passwd and picks the next
unused sequential number.

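The wrapper idea from the message above, sketched as an added example (not code from this thread or from the Samba project). It assumes getent passwd enumerates domain users, as the posted smb.conf requests with "winbind enum users = yes"; the function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Range copied from "idmap config IN:range = 10000-99999".
UID_MIN=10000
UID_MAX=99999

# Read passwd-format lines on stdin and print (highest in-range UID + 1).
# Gaps are never filled, so a number freed by a deleted account lower in
# the range is not handed to a new user, who would otherwise own the old
# account's files. Returns 1 when the range is exhausted.
next_free_uid() {
    awk -F: -v min="$UID_MIN" -v max="$UID_MAX" '
        BEGIN { min += 0; max += 0; next_uid = min }
        $3 ~ /^[0-9]+$/ && $3 + 0 >= next_uid && $3 + 0 <= max { next_uid = $3 + 1 }
        END { if (next_uid > max) exit 1; print next_uid }'
}

# Print "uid: name name ..." for every UID held by more than one account.
# samba-tool does not reject duplicates, so run this as an audit as well.
duplicate_uids() {
    awk -F: '
        $3 ~ /^[0-9]+$/ { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' | sort -n
}

# Constructed sample in getent passwd format (not output from the thread).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
david:x:1000:1000::/home/david:/bin/bash
administrator:*:10000:10000::/home/IN/administrator:/bin/false
jsmith:*:10001:10000::/home/IN/jsmith:/bin/false
bjones:*:10001:10000::/home/IN/bjones:/bin/false
asmith:*:10002:10000::/home/IN/asmith:/bin/false
EOF
}

# Intended use (command form taken from the message above):
#   uid=$(getent passwd | next_free_uid) &&
#   samba-tool user create jsmith --uid-number="$uid" --gid-number=10000
```

getent only shows accounts that already resolve through winbind, so two administrators running the wrapper at the same moment can still pick the same number; running duplicate_uids afterwards catches that.
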
This must be the issue -- I need to add the uid/gid numbers on the unix
attributes tab. I did add the rfc2307 option in the smb conf -- but not
directly on the groups and users..

On Fri, Oct 16, 2015 at 1:05 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 16/10/15 00:00, David Bear wrote:
>
>> This is a common thread and I'm wondering where the answer is.. I can see
>> this theme posted many times -- recently here
>> https://lists.samba.org/archive/samba/2015-May/191483.html and for which I
>> was not able to find a solution
>>
>> The situation is this..
>> Samba 4.2 compiled from source on ubuntu 14. server.
>>
>> Samba 4.2 AD DC is working great in sliced server.
>>
>> the samba member server joined fine. wbinfo -u on the member server lists
>> domain users. wbinfo -g lists domain groups.
>>
>> So far, great following this great how to at
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Thanks
>> Roland...
>>
>> now the rub..
>> id DomainUser -- no such user
>> getent passwd lists local users, not domain users
>>
>> ok -- googling about this happens.. following this thread
>> http://www.spinics.net/lists/samba/msg125293.html doesn't apply -- because
>> nmbd starts fine.
>>
>> So, I'm hoping for some suggestions here.. Below is smb.conf and
>> nsswitch.conf
>>
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>>
>>
>> # ### smb.conf
>> # [global]
>>
>> netbios name = tcpm-srv1
>> workgroup = IN
>> security = ADS
>> realm = IN.TRANSCITYPM.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config IN:backend = ad
>> idmap config IN:schema_mode = rfc2307
>> idmap config IN:range = 10000-99999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>>
>> bind interfaces only = yes
>> interfaces = em1
>> log level = 5
>> log file = /usr/local/samba/var/log.%m
>>
>> [share1]
>> path = /home/fileserv1/share1
>> read only = no
>>
>>
>> any ideas???
>>
>
> Hi, do your users have a uidNumber attribute containing a unique number
> between 10000 to 999999 ?
> Also, does 'Domain Users' have a gidNumber, again inside the 10000-99999
> range ?
>
> These attributes *do not* exist as standard, you have to create them
> manually, either using the ADUC Unix Attributes tab or by directly editing
> AD, you cannot do this with samba-tool.
>
> I did come up with a set of patches to make samba-tool work just like
> ADUC, but they were rejected because I was using deterministic numbers (I
> used 10000 as a start point, just like ADUC) and there was some talk of a
> better way of doing it, but then, as far as I can see, there has been talk
> of a better way of doing it since before samba 4 was released.
>
> Rowland

--
David Bear
mobile: (602) 903-6476