I lose track here and I have to fix this as users get angry (we all know that ...)

debian 8.3, samba 4.1.17

(substituted customer name by "CUST" below ...)

[global]
    workgroup = CUST
    realm = MABC.CUST
    security = ADS
    map untrusted to domain = Yes
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config CUST:range = 10000-99999
    idmap config CUST:backend = ad
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb

correct?

# /etc/nsswitch.conf

passwd: compat winbind
group:  compat winbind
shadow: compat

----

I have correct time.

I have a valid join:

# net ads testjoin
Join is OK

# wbinfo -t
checking the trust secret for domain CUST via RPC calls succeeded

I get users and groups via "wbinfo -[ug]".

1) smbstatus displays "-1" for Username and Group *sometimes* ... why?

2) right now I don't get ADS-users/groups via getent.

3) in turn I only see UIDs and GIDs in the linux filesystem, no ADS-user/group-names.

-

please help me to get that correct at last ... thanks
On 24/02/16 11:49, Stefan G. Weichinger wrote:
> I lose track here and I have to fix this as users get angry (we all know
> that ...)
>
> debian 8.3, samba 4.1.17
>
> (substituted customer name by "CUST" below ...)
>
> [global]
> workgroup = CUST
> realm = MABC.CUST
> security = ADS
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config CUST:range = 10000-99999
> idmap config CUST:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
>
> correct?

I would add a few extra lines:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
idmap config CUST:schema_mode = rfc2307

The first three should ensure the tickets never expire and the last one defines the schema that idmap will use.

> # /etc/nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> ----
>
> I have correct time.
>
> I have a valid join:
>
> # net ads testjoin
> Join is OK
>
> # wbinfo -t
> checking the trust secret for domain CUST via RPC calls succeeded
>
> I get users and groups via "wbinfo -[ug]".
>
> 1) smbstatus displays "-1" for Username and Group *sometimes* ... why?
>
> 2) right now I don't get ADS-users/groups via getent.

Is PAM setup correctly? Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed?

> 3) in turn I only see UIDs and GIDs in the linux filesystem, no
> ADS-user/group-names.

This looks like something set up incorrectly in PAM.

Rowland

> -
>
> please help me to get that correct at last ... thanks
On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:

[snip]

> idmap config CUST:range = 10000-99999
> idmap config CUST:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb

If your idmap backend is ad, you need to assign your users uids (and gids for groups) in active directory. You don't mention if you did that or not. Only users/groups with uids/gids will get mapped to linux users.

> I get users and groups via "wbinfo -[ug]".

You will still see them in wbinfo, even if they don't have uid/gids.
On 2016-02-24 at 13:44, Sketch wrote:
> On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:
> [snip]
>> idmap config CUST:range = 10000-99999
>> idmap config CUST:backend = ad
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>
> If your idmap backend is ad, you need to assign your users uids (and
> gids for groups) in active directory. You don't mention if you did that
> or not. Only users/groups with uids/gids will get mapped to linux users.

In fact I didn't have any idmap-related lines in there before the problems arose today. It worked so far!

Using "ad" backend was a step in panic today ... without any mapping, right!

I set up a test VM now, same OS and software, with

[global]
    workgroup = CUST
    realm = MABCD.CUST
    security = ADS
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    template homedir = /home/%U
    template shell = /sbin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    idmap config CUST:range = 10000-99999
    idmap config CUST:backend = rid
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb

    printing = bsd
    print command = lpr -r -P'%p' %s
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j

This *seems* to work fine now there with some test-shares ... is it correct in general terms?

If yes, I would take this config to the production server then later this evening.

Thanks!
On 2016-02-24 at 13:32, Rowland penny wrote:
> I would add a few extra lines:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> idmap config CUST:schema_mode = rfc2307
>
> The first three should ensure the tickets never expire and the last one
> defines the schema that idmap will use.

I had crashes as the /etc/krb5.keytab does not yet exist and the howto looked complicated. Will attack that one again, OK.

> Is PAM setup correctly ?

I tried my best. The examples in the docs always look slightly different from the files in the various distros.

Ran pam-auth-update now (as recommended for Debian).

> Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed ?

3x yes

>> 3) in turn I only see UIDs and GIDs in the linux filesystem, no
>> ADS-user/group-names.
>
> This looks like something set up incorrectly in PAM.

hmm -- status on the production machine:

I get users and groups via wbinfo AND via getent

clients are connected and tell me things work so far

In the shell I still see only numbers for owners of files

# ls -l
[..]
-rwxrwxr--. 1 1026 1009 1037630 Jän 24  2013 20130102.txt
[..]

This is better than people not able to access their files ;) but still not satisfying

as mentioned in my other reply I think of using "rid" later, ok?
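As an added example (not code from the thread, from Samba, or from any of the posters), a small POSIX shell linter for the idmap and nsswitch points raised in the replies above: it reads an smb.conf, checks that every idmap range is LO-HI, that no two ranges overlap, that the default "*" backend is tdb, and prints a reminder that backend=ad only maps AD objects carrying uidNumber/gidNumber; a second function checks that passwd and group in nsswitch.conf list winbind. The two sample files are constructed from the config in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lint the idmap lines of an smb.conf for the
# points raised in the replies (LO-HI ranges, no overlaps, tdb default backend,
# backend=ad needs uidNumber/gidNumber in AD), plus a winbind check on nsswitch.conf.
idmap_check() {   # usage: idmap_check < smb.conf ; prints findings, "OK" if clean
  awk '
  function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
  tolower($0) ~ /^[ \t]*idmap config[ \t]/ {
    line = $0; sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", line)   # strip "idmap config"
    eq = index(line, "="); if (eq == 0) next
    key = trim(substr(line, 1, eq - 1)); val = trim(substr(line, eq + 1))
    c = index(key, ":"); if (c == 0) next                          # key is DOMAIN:option
    dom = trim(substr(key, 1, c - 1)); opt = tolower(trim(substr(key, c + 1)))
    if (!(dom in seen)) { seen[dom] = 1; names[n++] = dom }
    if (opt == "backend") backend[dom] = tolower(val)
    if (opt == "range") {
      if (val !~ /^[0-9]+[ \t]*-[ \t]*[0-9]+$/) { print "ERROR: " dom " range \"" val "\" is not LO-HI"; bad++; next }
      split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
      if (lo[dom] >= hi[dom]) { print "ERROR: " dom " range " val " has LO >= HI"; bad++ }
    }
  }
  END {
    for (i = 0; i < n; i++) { for (j = i + 1; j < n; j++) {        # pairwise overlap test
      a = names[i]; b = names[j]
      if ((a in lo) && (b in lo) && lo[a] <= hi[b] && lo[b] <= hi[a]) { print "ERROR: ranges of " a " and " b " overlap"; bad++ }
    } }
    if (!("*" in backend) || backend["*"] != "tdb") { print "WARN: default \"*\" backend should be tdb"; bad++ }
    if (!("*" in lo)) { print "WARN: default \"*\" range is missing"; bad++ }
    for (i = 0; i < n; i++) { d = names[i]
      if (backend[d] == "ad") print "INFO: " d " uses backend ad: only users/groups with uidNumber/gidNumber in AD (inside " lo[d] "-" hi[d] ") get mapped"
    }
    if (!bad) print "OK"
  }'
}
nss_check() {     # usage: nss_check < nsswitch.conf ; passwd and group must list winbind
  awk '$1 == "passwd:" || $1 == "group:" { if ($0 ~ /winbind/) { ok++ } else { print "ERROR: " $1 " line lacks winbind" } }
       END { if (ok == 2) print "OK" }'
}
# Constructed samples modelled on the thread (not the real files):
SAMPLE_SMBCONF='[global]
   idmap config CUST:range = 10000-99999
   idmap config CUST:backend = ad
   idmap config *:range = 2000-9999
   idmap config * : backend = tdb'
SAMPLE_NSS='passwd: compat winbind
group:  compat winbind
shadow: compat'
printf '%s\n' "$SAMPLE_SMBCONF" | idmap_check
printf '%s\n' "$SAMPLE_NSS" | nss_check
```

With the "ad" sample the linter reports OK plus the INFO reminder, which is exactly the gap Sketch pointed out: the config is valid, but without uidNumber/gidNumber in AD nothing resolves through getent.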