On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
> On Mon, 6 May 2019 10:58:56 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
>> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
>>> On Mon, 6 May 2019 09:08:10 +0200
>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry for the mistake, I meant
>>>>
>>>> getent passwd vincent shows nothing and I got in the log file:
>>>>
>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
>>>> FOO\vincent.
>>>>
>>>> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
>>>> username.
>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will
>>> know the user, even if the smb.conf appears to be correct.
>>>
>>> You originally posted this:
>>>
>>> idmap config FOO:backend = ad
>>> idmap config FOO:schema_mode = rfc2307
>>> idmap config FOO:range = 10000-999999
>>> idmap config FOO:unix_nss_info = yes
>>> idmap config FOO:unix_primary_group = yes
>>>
>>> So, does 'vincent' have a uidNumber attribute containing a number
>>> inside the range '10000-99999999' AND either a gidnumber attribute
>>> containing the gidNumber of an AD group, or does Domain
>>> Users have gidNumber attribute ? The gidNumber must be inside the
>>> same range.
>>>
>>> Rowland
>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
>> primaryGroupID 513.
>>
>> 513 corresponds to the group "Domain Users", which has gidNumber
>> 13010
>>
>> Vincent
>>
> OK, can you try something as a test ?
>
> Change this:
>
> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 10000-999999
> idmap config FOO:unix_nss_info = yes
> idmap config FOO:unix_primary_group = yes
>
> To this:
>
> idmap config FOO:backend = rid
> idmap config FOO:range = 10000-999999
>
> Restart Samba and run:
>
> net cache flush
>
> Then run:
>
> getent passwd vincent
>
> This will test the connectivity between your Unix domain member and the
> DC.
>
> Don't worry if you get ID's that you don't expect, this is just a test,
> just change everything back after the test.
>
> Rowland
>

getent passwd vincent output nothing, and log.winbindd still says "My domain -- rejecting getpwnam() for FOO\vincent."

On Mon, 6 May 2019 11:47:34 +0200 Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
> > On Mon, 6 May 2019 10:58:56 +0200
> > Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >
> >> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
> >>> On Mon, 6 May 2019 09:08:10 +0200
> >>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> sorry for the mistake, I meant
> >>>>
> >>>> getent passwd vincent shows nothing and I got in the log file:
> >>>>
> >>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> >>>> FOO\vincent.
> >>>>
> >>>> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
> >>>> username.
> >>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
> >>> will know the user, even if the smb.conf appears to be correct.
> >>>
> >>> You originally posted this:
> >>>
> >>> idmap config FOO:backend = ad
> >>> idmap config FOO:schema_mode = rfc2307
> >>> idmap config FOO:range = 10000-999999
> >>> idmap config FOO:unix_nss_info = yes
> >>> idmap config FOO:unix_primary_group = yes
> >>>
> >>> So, does 'vincent' have a uidNumber attribute containing a number
> >>> inside the range '10000-99999999' AND either a gidnumber attribute
> >>> containing the gidNumber of an AD group, or does Domain
> >>> Users have gidNumber attribute ? The gidNumber must be inside the
> >>> same range.
> >>>
> >>> Rowland
> >> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> >> primaryGroupID 513.
> >>
> >> 513 corresponds to the group "Domain Users", which has gidNumber
> >> 13010
> >>
> >> Vincent
> >>
> > OK, can you try something as a test ?
> >
> > Change this:
> >
> > idmap config FOO:backend = ad
> > idmap config FOO:schema_mode = rfc2307
> > idmap config FOO:range = 10000-999999
> > idmap config FOO:unix_nss_info = yes
> > idmap config FOO:unix_primary_group = yes
> >
> > To this:
> >
> > idmap config FOO:backend = rid
> > idmap config FOO:range = 10000-999999
> >
> > Restart Samba and run:
> >
> > net cache flush
> >
> > Then run:
> >
> > getent passwd vincent
> >
> > This will test the connectivity between your Unix domain member and
> > the DC.
> >
> > Don't worry if you get ID's that you don't expect, this is just a
> > test, just change everything back after the test.
> >
> > Rowland
> >
> getent passwd vincent output nothing, and log.winbindd still says "My
> domain -- rejecting getpwnam() for FOO\vincent."
>

You are getting nothing, even when using the 'rid' backend ?

Do you have libpam-winbind libnss-winbind and libpam-krb5 installed ?

are the passwd & group lines in /etc/nsswitch.conf like this:

passwd: compat winbind
group: compat winbind

Rowland

On 06/05/2019 at 12:06, Rowland Penny via samba wrote:
> On Mon, 6 May 2019 11:47:34 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
>> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
>>> On Mon, 6 May 2019 10:58:56 +0200
>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>
>>>> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
>>>>> On Mon, 6 May 2019 09:08:10 +0200
>>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> sorry for the mistake, I meant
>>>>>>
>>>>>> getent passwd vincent shows nothing and I got in the log file:
>>>>>>
>>>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
>>>>>> FOO\vincent.
>>>>>>
>>>>>> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
>>>>>> username.
>>>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
>>>>> will know the user, even if the smb.conf appears to be correct.
>>>>>
>>>>> You originally posted this:
>>>>>
>>>>> idmap config FOO:backend = ad
>>>>> idmap config FOO:schema_mode = rfc2307
>>>>> idmap config FOO:range = 10000-999999
>>>>> idmap config FOO:unix_nss_info = yes
>>>>> idmap config FOO:unix_primary_group = yes
>>>>>
>>>>> So, does 'vincent' have a uidNumber attribute containing a number
>>>>> inside the range '10000-99999999' AND either a gidnumber attribute
>>>>> containing the gidNumber of an AD group, or does Domain
>>>>> Users have gidNumber attribute ? The gidNumber must be inside the
>>>>> same range.
>>>>>
>>>>> Rowland
>>>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
>>>> primaryGroupID 513.
>>>>
>>>> 513 corresponds to the group "Domain Users", which has gidNumber
>>>> 13010
>>>>
>>>> Vincent
>>>>
>>> OK, can you try something as a test ?
>>>
>>> Change this:
>>>
>>> idmap config FOO:backend = ad
>>> idmap config FOO:schema_mode = rfc2307
>>> idmap config FOO:range = 10000-999999
>>> idmap config FOO:unix_nss_info = yes
>>> idmap config FOO:unix_primary_group = yes
>>>
>>> To this:
>>>
>>> idmap config FOO:backend = rid
>>> idmap config FOO:range = 10000-999999
>>>
>>> Restart Samba and run:
>>>
>>> net cache flush
>>>
>>> Then run:
>>>
>>> getent passwd vincent
>>>
>>> This will test the connectivity between your Unix domain member and
>>> the DC.
>>>
>>> Don't worry if you get ID's that you don't expect, this is just a
>>> test, just change everything back after the test.
>>>
>>> Rowland
>>>
>> getent passwd vincent output nothing, and log.winbindd still says "My
>> domain -- rejecting getpwnam() for FOO\vincent."
>>
> You are getting nothing, even when using the 'rid' backend ?

Correct

>
> Do you have libpam-winbind libnss-winbind and libpam-krb5 installed ?

Yes

>
> are the passwd & group lines in /etc/nsswitch.conf like this:
>
> passwd: compat winbind
> group: compat winbind

It is compat winbind systemd, as advised by Louis, but the behaviour is the same.

Vincent

> Rowland
>
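
The range check asked for earlier in the thread (uidNumber and primary-group gidNumber inside the configured `idmap config FOO:range`), as an added example that is not part of the thread or of Samba itself. `parse_idmap` and `check_ad_user` are hypothetical helper names, and the attribute values are passed in by hand rather than read from AD.

```python
import re

# Matches smb.conf lines of the form: idmap config DOMAIN:option = value
IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.*\S)\s*$", re.I)

# The member-server settings quoted in the thread.
SMB_CONF = """\
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_ad_user(cfg, uid_number, user_gid_number, primary_group_gid_number):
    """List reasons the 'ad' backend could not map this user; [] if none found.

    Attribute values come from the caller (None = attribute not set in AD).
    """
    if cfg.get("backend", "").lower() != "ad":
        return []  # e.g. 'rid' computes IDs and needs no AD attributes
    low, _, high = cfg["range"].partition("-")
    low, high = int(low), int(high)
    problems = []
    def bad(n):
        return n is None or not low <= n <= high
    if bad(uid_number):
        problems.append(f"uidNumber {uid_number} not in {low}-{high}")
    # unix_primary_group = yes: primary group comes from the user's gidNumber;
    # otherwise from the gidNumber of the group primaryGroupID points to.
    if cfg.get("unix_primary_group", "no").lower() == "yes":
        gid, source = user_gid_number, "user gidNumber"
    else:
        gid, source = primary_group_gid_number, "primary group gidNumber"
    if bad(gid):
        problems.append(f"{source} {gid} not in {low}-{high}")
    return problems
```

With the values reported in the thread (uidNumber 10010, gidNumber 13010 for both the user and "Domain Users"), `check_ad_user(parse_idmap(SMB_CONF)["FOO"], 10010, 13010, 13010)` returns an empty list.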