On 06/05/2019 at 12:06, Rowland Penny via samba wrote:
> On Mon, 6 May 2019 11:47:34 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
>> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
>>> On Mon, 6 May 2019 10:58:56 +0200
>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>
>>>> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
>>>>> On Mon, 6 May 2019 09:08:10 +0200
>>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> sorry for the mistake, I meant
>>>>>>
>>>>>> getent passwd vincent shows nothing and I got in the log file:
>>>>>>
>>>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
>>>>>> FOO\vincent.
>>>>>>
>>>>>> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
>>>>>> username.
>>>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
>>>>> will know the user, even if the smb.conf appears to be correct.
>>>>>
>>>>> You originally posted this:
>>>>>
>>>>> idmap config FOO:backend = ad
>>>>> idmap config FOO:schema_mode = rfc2307
>>>>> idmap config FOO:range = 10000-999999
>>>>> idmap config FOO:unix_nss_info = yes
>>>>> idmap config FOO:unix_primary_group = yes
>>>>>
>>>>> So, does 'vincent' have a uidNumber attribute containing a number
>>>>> inside the range '10000-99999999' AND either a gidnumber attribute
>>>>> containing the gidNumber of an AD group, or does Domain
>>>>> Users have gidNumber attribute ? The gidNumber must be inside the
>>>>> same range.
>>>>>
>>>>> Rowland
>>>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
>>>> primaryGroupID 513.
>>>>
>>>> 513 corresponds to the group "Domain Users", which has gidNumber
>>>> 13010
>>>>
>>>> Vincent
>>>>
>>> OK, can you try something as a test ?
>>>
>>> Change this:
>>>
>>> idmap config FOO:backend = ad
>>> idmap config FOO:schema_mode = rfc2307
>>> idmap config FOO:range = 10000-999999
>>> idmap config FOO:unix_nss_info = yes
>>> idmap config FOO:unix_primary_group = yes
>>>
>>> To this:
>>>
>>> idmap config FOO:backend = rid
>>> idmap config FOO:range = 10000-999999
>>>
>>> Restart Samba and run:
>>>
>>> net cache flush
>>>
>>> Then run:
>>>
>>> getent passwd vincent
>>>
>>> This will test the connectivity between your Unix domain member and
>>> the DC.
>>>
>>> Don't worry if you get ID's that you don't expect, this is just a
>>> test, just change everything back after the test.
>>>
>>> Rowland
>>>
>> getent passwd vincent output nothing, and log.winbindd still says "My
>> domain -- rejecting getpwnam() for FOO\vincent."
>>
> You are getting nothing, even when using the 'rid' backend ?

Exact

>
> Do you have libpam-winbind libnss-winbind and libpam-krb5 installed ?

Yes

>
> are the passwd & group lines in /etc/nsswitch.conf like this:
>
> passwd: compat winbind
> group: compat winbind

It is compat winbind systemd, as advised by Louis, but the behaviour is the same.

Vincent

> Rowland
>

On Mon, 6 May 2019 15:33:08 +0200
Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:

> On 06/05/2019 at 12:06, Rowland Penny via samba wrote:
> > On Mon, 6 May 2019 11:47:34 +0200
> > Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >
> >> On 06/05/2019 at 11:23, Rowland Penny via samba wrote:
> >>> On Mon, 6 May 2019 10:58:56 +0200
> >>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>
> >>>> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
> >>>>> On Mon, 6 May 2019 09:08:10 +0200
> >>>>> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> sorry for the mistake, I meant
> >>>>>>
> >>>>>> getent passwd vincent shows nothing and I got in the log file:
> >>>>>>
> >>>>>> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> >>>>>> FOO\vincent.
> >>>>>>
> >>>>>> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
> >>>>>> username.
> >>>>> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS
> >>>>> will know the user, even if the smb.conf appears to be correct.
> >>>>>
> >>>>> You originally posted this:
> >>>>>
> >>>>> idmap config FOO:backend = ad
> >>>>> idmap config FOO:schema_mode = rfc2307
> >>>>> idmap config FOO:range = 10000-999999
> >>>>> idmap config FOO:unix_nss_info = yes
> >>>>> idmap config FOO:unix_primary_group = yes
> >>>>>
> >>>>> So, does 'vincent' have a uidNumber attribute containing a
> >>>>> number inside the range '10000-99999999' AND either a gidnumber
> >>>>> attribute containing the gidNumber of an AD group, or does
> >>>>> Domain Users have gidNumber attribute ? The gidNumber must be
> >>>>> inside the same range.
> >>>>>
> >>>>> Rowland
> >>>> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> >>>> primaryGroupID 513.
> >>>>
> >>>> 513 corresponds to the group "Domain Users", which has gidNumber
> >>>> 13010
> >>>>
> >>>> Vincent
> >>>>
> >>> OK, can you try something as a test ?
> >>>
> >>> Change this:
> >>>
> >>> idmap config FOO:backend = ad
> >>> idmap config FOO:schema_mode = rfc2307
> >>> idmap config FOO:range = 10000-999999
> >>> idmap config FOO:unix_nss_info = yes
> >>> idmap config FOO:unix_primary_group = yes
> >>>
> >>> To this:
> >>>
> >>> idmap config FOO:backend = rid
> >>> idmap config FOO:range = 10000-999999
> >>>
> >>> Restart Samba and run:
> >>>
> >>> net cache flush
> >>>
> >>> Then run:
> >>>
> >>> getent passwd vincent
> >>>
> >>> This will test the connectivity between your Unix domain member
> >>> and the DC.
> >>>
> >>> Don't worry if you get ID's that you don't expect, this is just a
> >>> test, just change everything back after the test.
> >>>
> >>> Rowland
> >>>
> >> getent passwd vincent output nothing, and log.winbindd still says
> >> "My domain -- rejecting getpwnam() for FOO\vincent."
> >>
> > You are getting nothing, even when using the 'rid' backend ?
> Exact
> >
> > Do you have libpam-winbind libnss-winbind and libpam-krb5
> > installed ?
> Yes
> >
> > are the passwd & group lines in /etc/nsswitch.conf like this:
> >
> > passwd: compat winbind
> > group: compat winbind
>
> It is compat winbind systemd, as advised by Louis, but the behaviour
> is the same.
>
> Vincent
>
> > Rowland
> >

Then I am getting lost, usually the 'rid' backend just works. You install Samba and set up everything correctly, join the domain and away you go.

Bear with me whilst I set up Ubuntu 18.04 in a VM and install Samba etc, let's see if I have problems.

Rowland

On 06.05.19 at 16:06, Rowland Penny via samba wrote:
> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> primaryGroupID 513.
>
> 513 corresponds to the group "Domain Users", which has gidNumber
> 13010
>
> Vincent

Might this be the problem? He has primaryGroupID set to 513 (hello classicupgrade?) but "Domain Users" has a gid of 13010?

Regards

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive Board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
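Added example, not part of any message in this thread and not Samba code: a small Python check that parses the `idmap config` lines posted above and applies the precondition Rowland describes for the `ad` backend (a uidNumber inside the range, and a gidNumber inside the same range, read from the user when `unix_primary_group = yes` and from the primary group otherwise). The function names are hypothetical, and the sample values are the ones Vincent reported (uidNumber 10010, gidNumber 13010 on both the user and "Domain Users").

```python
import re
# smb.conf lines as posted in the thread (ad backend variant).
SMB_CONF_AD = """
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\S[^=]*?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {option: value}} from 'idmap config DOM:opt = val' lines."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_user(cfg, domain, uid_number, user_gid, primary_group_gid):
    """List the ways a user fails the preconditions described in the thread."""
    opts = cfg.get(domain.upper(), {})
    if "range" not in opts:
        return [f"no idmap range configured for {domain}"]
    low, high = (int(part) for part in opts["range"].split("-"))
    if opts.get("backend", "").lower() != "ad":
        return []          # e.g. rid derives IDs from the RID, no AD attributes
    def in_range(n):
        return n is not None and low <= n <= high
    problems = []
    if not in_range(uid_number):
        problems.append(f"uidNumber {uid_number} missing or outside {low}-{high}")
    # unix_primary_group = yes: use the user's own gidNumber;
    # otherwise the primary group (e.g. Domain Users) must carry one.
    if opts.get("unix_primary_group", "no").lower() in ("yes", "true", "1"):
        gid, source = user_gid, "user gidNumber"
    else:
        gid, source = primary_group_gid, "primary group gidNumber"
    if not in_range(gid):
        problems.append(f"{source} {gid} missing or outside {low}-{high}")
    return problems

if __name__ == "__main__":
    print(check_user(parse_idmap(SMB_CONF_AD), "FOO", 10010, 13010, 13010))
```

With the reported values the check returns no problems, which matches the thread: the lookup also fails with the `rid` backend, so the attribute ranges are not what is rejecting `getpwnam()`.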