Hello all,
I have a very old samba server, successfully migrated from 2.11 to 3.x,
then now to 4.8.0 while the windows userbase went from workgroup to AD,
now on AD 2008R2. Everything seems to work flawlessly till a new user
was added to the AD. From my samba server I can't see it in the getent
passwd list (the others are all there) though wbinfo -a newuser%password
says:
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -i says
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user newuser
Of course the new user cannot see its home directory.
Of course I restarted the service, cleaned the cache and even
bootstrapped my server, removed the *tdb files and rejoined
the domain.
Has someone else seen the same?
My relevant configuration:
nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.4/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: winbind files
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
smb4.conf:
[global]
security = ADS
netbios name = HERMES
server string = "HERMES"
password server = 192.168.132.4 *
workgroup = MCS2003
idmap uid = 3000-8004
idmap gid = 800-1988
idmap config MCS2003 : backend = rid
idmap config MCS2003 : range = 3000 - 8004
winbind enum users = yes
winbind enum groups = yes
template homedir = /dati/mailbox/%U
template shell = /bin/tcsh
os level = 2
time server = Yes
unix extensions = Yes
encrypt passwords = Yes
map to guest = Bad User
log level = 1 auth:10 winbind:2
log file = /var/log/samba/users/%m.log
wins support = No
max xmit = 8192
max protocol = SMB3_11
realm = MCS2003.IT
winbind refresh tickets = yes
winbind use default domain = yes
client use spnego = yes
client ntlmv2 auth = yes
usershare allow guests = No
nt pipe support = no
write cache size = 65536
allow trusted domains = no
[homes]
comment = Home Directory for %S
vfs objects = zfsacl
path = /dati/mailbox/%S
browseable = yes
guest ok = no
read only = No
create mask = 0644
directory mask = 0755
preserve case = yes
short preserve case = yes
Luciano.
--
/"\ /Via A. Salaino, 7 - 20144 Milano (Italy)
\ / ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
X AGAINST HTML MAIL / E-MAIL: posthamster at sublink.sublink.ORG
/ \ AND POSTINGS / WWW: http://www.lesassaie.IT/
On Wed, 30 May 2018 16:55:02 +0200 Luciano Mannucci via samba <samba at lists.samba.org> wrote:

> Hello all,
>
> I have a very old samba server, successfully migrated from 2.11 to
> 3.x, then now to 4.8.0 while the windows userbase went from workgroup
> to AD, now on AD 2008R2. Everything seems to work flawlessly till a
> new user was added to the AD. From my samba server I can't see it in
> the getent passwd list (the others are all there) though wbinfo -a
> newuser%password says:
>
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> wbinfo -i says
>
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user newuser
>
> Of course the new user cannot see its home directory.
>
> Of course I restarted the service, cleaned the cache and even
> bootstrapped my server, removed the *tdb files and rejoined
> the domain.
>
> Has someone else seen the same?
>
> My relevant configuration:
>
> nsswitch.conf
> #
> group: winbind files
> passwd: winbind files

They should be the other way around 'files winbind'

> smb4.conf:
> [global]
> security = ADS
> netbios name = HERMES
> server string = "HERMES"
> password server = 192.168.132.4 *

Remove the above line

> workgroup = MCS2003
> idmap uid = 3000-8004
> idmap gid = 800-1988

The above two lines are deprecated

Add these lines instead:
idmap config * : backend = tdb
idmap config * : range = 10000-11000

> idmap config MCS2003 : backend = rid
> idmap config MCS2003 : range = 3000 - 8004

Change the above line to:
idmap config MCS2003 : range = 800-8004

> winbind enum users = yes
> winbind enum groups = yes

Remove the above two lines

> template homedir = /dati/mailbox/%U
> template shell = /bin/tcsh
> os level = 2
> time server = Yes

Really, a Unix domain member as a time server ?

Rowland
On Wed, 30 May 2018 16:27:20 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> > workgroup = MCS2003
> > idmap uid = 3000-8004
> > idmap gid = 800-1988
>
> The above two lines are deprecated
>
> Add these lines instead:
> idmap config * : backend = tdb
> idmap config * : range = 10000-11000
>
> > idmap config MCS2003 : backend = rid
> > idmap config MCS2003 : range = 3000 - 8004
>
> Change the above line to:
> idmap config MCS2003 : range = 800-8004

Will this change preserve my actual gid-uid mapping? If not I will have to
reset manually the ownership of all the files of all the users, which might
trigger a couple terabytes of backup otherwise totally useless...

BTW, thank you for your valuable hints.

Cheers,

Luciano.
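The two idmap points raised in the thread (the range change Rowland suggests, and Luciano's question about whether existing uids survive it) can be checked on paper before touching a file system. The script below is an added illustration, not code from the thread or from Samba; it models the rule documented in idmap_rid(8): a Unix ID is the account's RID plus the low end of the configured range, and an ID that would land outside the range is not mapped at all (the account can still authenticate, but winbind has no uid to hand to NSS). The domain SID and the RIDs 1105 and 5200 are constructed sample values; 513 is the well-known RID of "Domain Users". It also checks that the `*` default range and the domain range do not overlap, since both backends allocate from the same ID space.

```python
"""
Toy model of Samba's idmap_rid allocation (added example, not Samba code).
Rule from idmap_rid(8): ID = RID + LOW_RANGE_ID; IDs outside [low, high]
are not mapped. Groups and users share the one rid range, so a separate
'idmap gid' range is not used by this backend.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    low: int
    high: int

    def contains(self, value: int) -> bool:
        return self.low <= value <= self.high


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a textual SID such as S-1-5-21-...-1105."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def rid_sid_to_id(sid: str, rng: IdRange) -> Optional[int]:
    """Map a SID the way idmap_rid does. None means 'no mapping', i.e. the
    state in which getent/wbinfo -i cannot return a uid for the account."""
    unix_id = rid_from_sid(sid) + rng.low
    return unix_id if rng.contains(unix_id) else None


def ranges_overlap(a: IdRange, b: IdRange) -> bool:
    """The '*' default range and the domain's rid range must not overlap."""
    return a.low <= b.high and b.low <= a.high


def remap_report(sids: Dict[str, str], old: IdRange,
                 new: IdRange) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """For each name -> SID, return (name, id under old range, id under new range)."""
    return [(name, rid_sid_to_id(sid, old), rid_sid_to_id(sid, new))
            for name, sid in sids.items()]


def mappings_preserved(report: List[Tuple[str, Optional[int], Optional[int]]]) -> bool:
    """True only if every account that was mapped before keeps the same ID."""
    return all(old_id is None or old_id == new_id for _, old_id, new_id in report)


# Constructed sample data (not taken from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = {
    "Domain Users": f"{DOMAIN_SID}-513",   # well-known RID
    "olduser": f"{DOMAIN_SID}-1105",       # constructed RID
    "newuser": f"{DOMAIN_SID}-5200",       # constructed RID, too high for the old range
}
OLD_RANGE = IdRange(3000, 8004)        # 'idmap config MCS2003 : range = 3000 - 8004'
NEW_RANGE = IdRange(800, 8004)         # the range suggested in the reply
DEFAULT_RANGE = IdRange(10000, 11000)  # 'idmap config * : range = 10000-11000'

if __name__ == "__main__":
    report = remap_report(ACCOUNTS, OLD_RANGE, NEW_RANGE)
    for name, old_id, new_id in report:
        print(f"{name:14s} old={old_id} new={new_id}")
    print("mappings preserved:", mappings_preserved(report))
    print("default/domain ranges overlap:", ranges_overlap(DEFAULT_RANGE, NEW_RANGE))
```

Running it shows the answer to Luciano's question for this backend: lowering the range start from 3000 to 800 shifts every existing ID by 2200, so ownership on disk would have to be corrected after the change (or the old low bound kept and only the high bound raised). It also shows the failure mode behind "authentication succeeds but no uid": an account whose RID plus the low bound exceeds the high bound simply gets no mapping.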