I have set up a Samba server as an AD member. AD: 2012R2

The first day everything was working fine. After restarting the Samba service I had no access to my shares.

getent passwd and getent group deliver the UID and GID 4294967295:4294967295: for all AD users, which is -1 (FFFF FFFF).

wbinfo -n user delivers S-1-5-21-4001112740-1724199908-163113746-1106 SID_USER (1), which is correct!

From wbinfo -S S-1-5-21-4001112740-1724199908-163113746-1106 I get the result -1!

In the winbind log I get:
Parsing value for key [IDMAP/SID2XID/S-1-5-21-4001112740-1724199908-163113746-1106]: value=[-1:N]

The Samba version is: Version 4.2.14-Debian

My smb.conf is:

[global]
netbios name = fs2
workgroup = XDNT
security = ADS
realm = XDNT.DE
encrypt passwords = yes

log file = /var/log/samba/log.%m
log level = 10 #passdp:10 auth:10 winbind:10

# Log file access
vfs object = full_audit recycle acl_xattr
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
# full_audit:priority = DEBUG
full_audit:priority = notice

# Log file deletion
recycle:repository = /srv/export/samba/recycle
recycle:subdir_mode = 0770
recycle:directory_mode = 0770
recycle:keeptree = Yes
recycle:versions = Yes
recycle:touch = Yes
recycle:touch_mtime = Yes
recycle:maxsize = 0

syslog = yes

#idmap config *:backend = tdb
#idmap config *:range = 85000-86000
idmap config XDNT : backend = ad
idmap config XDNT : schema_mode = rfc2307
idmap config XDNT : range = 3000000-4000000
idmap config XDNT:unix_primary_group = yes

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

# winbind nss info = template
# template shell = /bin/bash
# template homedir = /home/%U

map acl inherit = Yes
store dos attributes = Yes

follow symlinks = yes

passdb backend = tdbsam
map untrusted to domain = Yes

username map = /etc/samba/user.map

Can someone help me please?
On Tue, 25 Apr 2017 22:31:48 +0200, edv--- via samba <samba at lists.samba.org> wrote:

> I have set up a Samba server as an AD member. AD: 2012R2
>
> The first day everything was working fine. After restarting the Samba
> service I had no access to my shares.
>
> getent passwd and getent group deliver the UID and GID
> 4294967295:4294967295: for all AD users,
> which is -1 (FFFF FFFF).
>
> wbinfo -n user delivers S-1-5-21-4001112740-1724199908-163113746-1106
> SID_USER (1), which is correct!
>
> From wbinfo -S S-1-5-21-4001112740-1724199908-163113746-1106 I get
> the result -1!
>
> In the winbind log I get:
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-4001112740-1724199908-163113746-1106]:
> value=[-1:N]
>
> The Samba version is: Version 4.2.14-Debian
>
> My smb.conf is:
> [global]
> netbios name = fs2
> workgroup = XDNT
> security = ADS
> realm = XDNT.DE
> encrypt passwords = yes
>
> log file = /var/log/samba/log.%m
> log level = 10 #passdp:10 auth:10 winbind:10
>
> # Log file access
> vfs object = full_audit recycle acl_xattr
> full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
> full_audit:success = mkdir rename unlink rmdir pwrite
> full_audit:failure = none
> full_audit:facility = local7
> # full_audit:priority = DEBUG
> full_audit:priority = notice
>
> # Log file deletion
> recycle:repository = /srv/export/samba/recycle
> recycle:subdir_mode = 0770
> recycle:directory_mode = 0770
> recycle:keeptree = Yes
> recycle:versions = Yes
> recycle:touch = Yes
> recycle:touch_mtime = Yes
> recycle:maxsize = 0
>
> syslog = yes
>
> #idmap config *:backend = tdb
> #idmap config *:range = 85000-86000

Uncomment the above two lines, you need them ;-)

> idmap config XDNT : backend = ad
> idmap config XDNT : schema_mode = rfc2307
> idmap config XDNT : range = 3000000-4000000

Have you actually given your users and groups a uidNumber or gidNumber attribute inside the range 3000000-4000000?

If not, change the backend to 'rid' instead of 'ad' and remove the schema_mode line.

> idmap config XDNT:unix_primary_group = yes

The same goes for the above line: if you have no gidNumber attributes, remove it.

> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> # winbind nss info = template
> # template shell = /bin/bash
> # template homedir = /home/%U

Uncomment the template lines if you use the 'rid' backend.

> map acl inherit = Yes
> store dos attributes = Yes

Add 'vfs objects = acl_xattr' as well.

> follow symlinks = yes
>
> passdb backend = tdbsam
> map untrusted to domain = Yes
>
> username map = /etc/samba/user.map

What is in the username map?

Try reading this Samba wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
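As an added illustration of the two points in the reply above (not code from the thread or from the Samba project), the following checker parses the idmap lines of an smb.conf and reports the conditions that produce the -1 / 4294967295 mappings: a commented-out default ('*') idmap domain, and an 'ad' backend for accounts that have no uidNumber/gidNumber in the configured range. The two configuration excerpts are constructed from the posted smb.conf before and after the suggested changes.

```python
import re

# Constructed excerpt of the idmap lines from the smb.conf posted in this thread.
BROKEN = """
[global]
   #idmap config *:backend = tdb
   #idmap config *:range = 85000-86000
   idmap config XDNT : backend = ad
   idmap config XDNT : schema_mode = rfc2307
   idmap config XDNT : range = 3000000-4000000
"""

# The same block after applying the reply: default domain active, 'rid' instead of 'ad'.
FIXED = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 85000-86000
   idmap config XDNT : backend = rid
   idmap config XDNT : range = 3000000-4000000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Map each idmap domain to its options; lines commented with '#' are ignored, as smbd ignores them."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val.lower()
    return domains

def review_idmap(conf):
    """Return findings for the two problems raised in the reply; an empty list means neither applies."""
    findings = []
    domains = parse_idmap(conf)
    default = domains.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("no active 'idmap config * : backend/range'; well-known SIDs (e.g. BUILTIN) cannot be mapped")
    for dom, opts in domains.items():
        if dom != "*" and opts.get("backend") == "ad":
            findings.append(f"{dom}: backend 'ad' maps only accounts carrying uidNumber/gidNumber inside "
                            f"{opts.get('range', '<unset>')}; every other account resolves to -1")
    return findings

def as_signed32(n):
    """getent prints winbind's failure sentinel -1 as the unsigned 32-bit value 4294967295."""
    return n - (1 << 32) if n >= (1 << 31) else n
```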
Thanks for the fast help!

Inside the username map is:
!root = EDNT\Administrator EDNT\administrator

All your changes done. With rid it works! Why can't I use AD??

Regards
Karl

On 25.04.2017 at 23:06, Rowland Penny via samba wrote: