On Sun, 1 Jan 2017 13:45:11 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-01-01 at 13:29, Rowland Penny via samba wrote:
> >
> > Try checking in AD, as you have classicupgraded, your users should
> > have uidNumber attributes. Find the lowest and the highest, do the
> > same for groups and if you change to the 'ad' backend and set the
> > range based on your lowest and highest numbers (remembering you
> > will probably want to add new users, so add something to the
> > highest number), you should get the same IDs you had on the PDC.
> > You will have to remove the users from /etc/passwd though.
> >
> > The ranges on the wiki were chosen for:
> > the '*' range starts at 2000 so that it allows for any local Unix
> > users & groups you may require, it ends at 9999.
> > The 'DOMAIN' range starts at 10000, this is where ADUC starts from,
> > you can end it where you like.
> >
> > The whole idea behind AD is having just one place to maintain users,
> > so you do not and should not have users in multiple databases.
>
> I was bold now.
> rm-ed users from memberserver:/etc/passwd
>
> stopped samba services, edited backend to "ad", restarted
>
> seems to work for me ;-)

Good

> same to do on DC, I assume (we run 3 administrative shares there as
> well)

If you are thinking of adding the 'idmap config' lines to the smb.conf, then don't. On earlier versions of Samba they do nothing, but from 4.5.0 they cause errors.
If a user has a uidNumber, this will be used on a DC instead of the xidNumber stored in idmap.ldb, though you may have to run 'net cache flush'

Rowland
Stefan G. Weichinger
2017-Jan-01 13:59 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 14:40, Rowland Penny via samba wrote:
>> same to do on DC, I assume (we run 3 administrative shares there as
>> well)
>
> If you are thinking of adding the 'idmap config' lines to the
> smb.conf, then don't. On earlier versions of Samba they do nothing, but
> from 4.5.0 they cause errors.
> If a user has a uidNumber, this will be used on a DC instead of the
> xidNumber stored in idmap.ldb, though you may have to run 'net cache
> flush'

I wasn't specific enough, I only meant removing users and groups from /etc/passwd and /etc/group. Nothing in smb.conf

Did so, seems to work so far ;-)
Stefan G. Weichinger
2017-Jan-01 14:14 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 14:40, Rowland Penny via samba wrote:
> If a user has a uidNumber, this will be used on a DC instead of the
> xidNumber stored in idmap.ldb, though you may have to run 'net cache
> flush'

"net cache flush" threw me back on the member server now :-(

Maybe I shouldn't have done that, maybe it's good to uncover some hidden issue(s).

# wbinfo -i sgw
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user sgw

# wbinfo -n sgw
S-1-5-21-2777655458-4002997014-749295002-3000 SID_USER (1)

# wbinfo -S S-1-5-21-2777655458-4002997014-749295002-3000
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2777655458-4002997014-749295002-3000 to uid

# wbinfo -u | grep sgw
sgw

*scratches head* ... again
Stefan G. Weichinger
2017-Jan-01 14:18 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 15:14, Stefan G. Weichinger via samba wrote:
> # wbinfo -S S-1-5-21-2777655458-4002997014-749295002-3000
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2777655458-4002997014-749295002-3000 to uid
-----------------------------------------------------------------^^^^

I think I have my idmap range wrong, correct?
Stefan G. Weichinger
2017-Jan-01 14:40 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
googled and tried stuff:

# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P | grep uidN | sort -n

... shows me uidNumbers:

uidNumber: 0
uidNumber: 1000
..
up to 1077

So my idmap range was completely wrong, I assume.

I now have on the member server:

# cat /etc/samba/smb.conf
[global]
        security = ADS
        workgroup = ARBEITSGRUPPE
        realm = arbeitsgruppe.secret.tld

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        #idmap config * : range = 2000-2999

        ## idmap config for the ARBEITSGRUPPE domain
        idmap config ARBEITSGRUPPE:backend = ad
        idmap config ARBEITSGRUPPE:range = 1000-9999

        username map = /etc/samba/user.map

        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes

Now I get wbinfo -i again:

# wbinfo -i sgw
sgw:*:4294967295:4294967295:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

But the group is wrong.

# wbinfo --group-info 'domain users'
domain users:x:4294967295:

What to correct here, please?
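The checks Rowland describes in his first reply (find the lowest and highest uidNumber/gidNumber in AD, then size the 'ad' backend range around them, keeping the '*' range separate) and the symptom shown in the smb.conf post above (ids of 4294967295, i.e. (uid_t)-1, because the mapping failed) can be scripted. The following is an added example written for this thread; it is not code from the Samba project or from either poster. It assumes two inputs: the 'idmap config' lines of smb.conf, and the attribute output of the 'net ads search' command quoted above. Both inputs embedded here are constructed sample data modelled on the thread, not the poster's real directory.

```python
"""Sanity-check winbind idmap ranges against the uidNumber/gidNumber
values stored in AD. Added example; not Samba code. All sample data
below is constructed."""
import re
from typing import Dict, List, Tuple

UNMAPPED_ID = 4294967295  # (uid_t)-1: winbind had no mapping for the SID

# Constructed sample of what 'net ads search ... sAMAccountName uidNumber
# gidNumber -P' prints: one attribute block per object, blank-line separated.
NET_ADS_SEARCH_OUTPUT = """\
sAMAccountName: Administrator
uidNumber: 0

sAMAccountName: sgw
uidNumber: 1000

sAMAccountName: jdoe
uidNumber: 1077

sAMAccountName: Domain Users

sAMAccountName: staff
gidNumber: 513
"""

# Constructed smb.conf fragment modelled on the thread: '*' has a backend
# but its range is commented out, and the domain range starts at 1000.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   #idmap config * : range = 2000-2999
   idmap config ARBEITSGRUPPE:backend = ad
   idmap config ARBEITSGRUPPE:range = 1000-9999
"""

# Constructed variant with a '*' range that lies outside the AD numbers.
SMB_CONF_FIXED = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config ARBEITSGRUPPE : backend = ad
   idmap config ARBEITSGRUPPE : range = 1000-9999
"""


def parse_ad_ids(text: str) -> List[Dict[str, object]]:
    """Turn blank-line separated 'attr: value' blocks into a list of dicts."""
    objs, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objs.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        cur[key] = int(val) if key in ("uidNumber", "gidNumber") else val
    if cur:
        objs.append(cur)
    return objs


def parse_idmap_config(conf: str) -> Tuple[Dict[str, str], Dict[str, Tuple[int, int]]]:
    """Return ({domain: backend}, {domain: (low, high)}) from smb.conf text.
    Lines commented with '#' or ';' never match the anchored pattern."""
    pat = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
    backends, ranges = {}, {}
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "backend":
            backends[dom] = val.lower()
        else:
            lo, hi = (int(x) for x in val.split("-"))
            ranges[dom] = (lo, hi)
    return backends, ranges


def check_idmap(backends, ranges, ad_objects, domain: str) -> List[str]:
    """Return human-readable problems; an empty list means the layout looks sane."""
    problems = []
    # 1. winbind needs a default ('*') backend, and every backend needs a range.
    if "*" not in backends:
        problems.append("no 'idmap config * : backend' line")
    for dom in backends:
        if dom not in ranges:
            problems.append(f"idmap config {dom}: backend set but no range")
    # 2. ranges of different domains must not overlap.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    # 3. with the 'ad' backend an object maps only if its uidNumber/gidNumber
    #    exists AND lies inside the domain range; anything else becomes -1.
    dom = domain.upper()
    if backends.get(dom) == "ad" and dom in ranges:
        lo, hi = ranges[dom]
        for obj in ad_objects:
            name = obj.get("sAMAccountName", "?")
            ids = [obj[k] for k in ("uidNumber", "gidNumber") if k in obj]
            if not ids:
                problems.append(f"{name}: no uidNumber/gidNumber, will map to {UNMAPPED_ID}")
            for n in ids:
                if not lo <= n <= hi:
                    problems.append(f"{name}: id {n} outside {dom} range {lo}-{hi}")
    return problems


def is_unmapped(entry: str) -> bool:
    """True if a passwd/group line from getent or wbinfo carries the -1 id."""
    fields = entry.split(":")
    return any(f == str(UNMAPPED_ID) for f in fields[2:4])


if __name__ == "__main__":
    backends, ranges = parse_idmap_config(SMB_CONF)
    for p in check_idmap(backends, ranges, parse_ad_ids(NET_ADS_SEARCH_OUTPUT), "ARBEITSGRUPPE"):
        print("PROBLEM:", p)
```

Run against the constructed config it reports the missing '*' range, the uidNumber 0 and gidNumber 513 that fall outside 1000-9999, and the group that has no gidNumber at all; each of those is an object that getent or wbinfo would show with 4294967295, which is what is_unmapped() detects in the passwd and group lines quoted in the post.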
On Sun, 1 Jan 2017 15:14:19 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-01-01 at 14:40, Rowland Penny via samba wrote:
>
> > If a user has a uidNumber, this will be used on a DC instead of the
> > xidNumber stored in idmap.ldb, though you may have to run 'net cache
> > flush'
>
> "net cache flush" threw me back on the member server now :-(
>
> Maybe I shouldn't have done that, maybe it's good to uncover some
> hidden issue(s).

'net cache flush' clears winbind's cache, but this should be refilled the next time winbind connects to AD.

> # wbinfo -i sgw
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user sgw
>
> # wbinfo -n sgw
> S-1-5-21-2777655458-4002997014-749295002-3000 SID_USER (1)
>
> # wbinfo -S S-1-5-21-2777655458-4002997014-749295002-3000
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2777655458-4002997014-749295002-3000
> to uid
>
> # wbinfo -u | grep sgw
> sgw
>
> *scratches head* ... again

The problem with using wbinfo is, it isn't what the underlying OS uses, you need to use 'getent' for this.

Just seen your latest post, moving to that

Rowland