Luca Bertoncello
2021-Aug-25 12:55 UTC
[Samba] Problem connecting Samba and Windows Active Directory
Getent passwd shows only local users. No AD-users at all... ?

The Users in AD don't have a uidNumber and don't have "Domain Users" as Group (we use another Group as primary one).

Thanks
Luca

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Wednesday, 25 August 2021 14:45
To: samba at lists.samba.org
Subject: Re: [Samba] Problem connecting Samba and Windows Active Directory

On Wed, 2021-08-25 at 12:34 +0000, Luca Bertoncello via samba wrote:
> OK, it seems to work... at least the join...
>
> Wbinfo -u gives me now the users, but I cannot log in...
> In the log file I see:
>
> [2021/08/25 14:33:27.511190, 1]
> ../../source3/smbd/service.c:353(create_connection_session_info)
> create_connection_session_info: guest user (from session setup) not
> permitted to access this share (queo.communication)
> [2021/08/25 14:33:27.511318, 1]
> ../../source3/smbd/service.c:543(make_connection_snum)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>

Does 'getent passwd A_KNOWN_USERNAME' produce output ?

Your smb.conf uses the 'ad' winbind backend, so do your users have a uidNumber attribute and does 'Domain Users' have a gidNumber attribute ? If so, are they all inside the '200000-1000200000' range you set in your smb.conf ?

Rowland
Rowland Penny
2021-Aug-25 13:16 UTC
[Samba] Problem connecting Samba and Windows Active Directory
On Wed, 2021-08-25 at 12:55 +0000, Luca Bertoncello via samba wrote:
> Getent passwd shows only local users. No AD-users at all... ?
>
> The Users in AD don't have a uidNumber and don't have "Domain Users"
> as Group (we use another Group as primary one).

Then the winbind 'ad' backend will never work and you will never have any AD users & groups as Unix users and groups.

Replace this block in smb.conf:

    idmap config * : range = 2000-10000
    idmap config AD-QUEO-ORG : backend = ad
    idmap config AD-QUEO-ORG : range = 200000-1000200000
    idmap config AD-QUEO-ORG : unix_primary_group = yes
    idmap config AD-QUEO-ORG : schema_mode = rfc2307
    idmap config AD-QUEO-ORG : unix_nss_info = yes

With this:

    idmap config * : range = 3000-7999
    idmap config AD-QUEO-ORG : backend = rid
    idmap config AD-QUEO-ORG : range = 10000-1000200000

It is either that, or start populating AD with uidNumber & gidNumber attributes.

Rowland
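
Added illustration, not part of the thread and not Samba's code: a simplified Python model of why the two idmap configurations in the reply above give different results for AD accounts that lack uidNumber. It assumes the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid 0) and that the 'ad' backend ignores IDs outside its configured range; the SIDs, account names and uidNumber values are constructed.

```python
"""Simplified model of winbind's 'ad' and 'rid' idmap backends (illustration only)."""

def rid_of(sid):
    """Return the relative identifier: the last dash-separated field of a SID."""
    return int(sid.rsplit("-", 1)[1])

def map_ad(entry, low, high):
    """'ad' backend: use the uidNumber stored in AD, if present and in range."""
    uid = entry.get("uidNumber")
    if uid is None or not low <= uid <= high:
        return None  # no Unix identity, so 'getent passwd' shows nothing
    return uid

def map_rid(entry, low, high, base_rid=0):
    """'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID, bounded by the range."""
    uid = rid_of(entry["objectSid"]) - base_rid + low
    return uid if low <= uid <= high else None

# Constructed sample directory entries (not taken from the poster's domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = [
    # No uidNumber at all: the situation described in the thread.
    {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1105"},
    # uidNumber set, but below the 200000 lower bound of the 'ad' range.
    {"sAMAccountName": "bob", "objectSid": DOMAIN_SID + "-1106", "uidNumber": 10001},
    # uidNumber set and inside the 'ad' range.
    {"sAMAccountName": "carol", "objectSid": DOMAIN_SID + "-1107", "uidNumber": 250000},
]

def compare(users=USERS):
    """Return {name: (ad_result, rid_result)} using the ranges from the thread."""
    return {
        u["sAMAccountName"]: (
            map_ad(u, 200000, 1000200000),   # original 'ad' block
            map_rid(u, 10000, 1000200000),   # suggested 'rid' block
        )
        for u in users
    }

if __name__ == "__main__":
    for name, (ad_id, rid_id) in compare().items():
        print(f"{name:6} ad={ad_id} rid={rid_id}")
```

Note that for an account such as the constructed "carol", switching backends changes the Unix ID, so files already owned by the old ID would need their ownership reviewed.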