fx.cormontagne@howen.be
2004-Jun-12 02:13 UTC
[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain
I have problems with SID to UID mapping using winbind on a FreeBSD 5.2/Samba 3.0.4 as a member server of a Win2k domain controller. I use heimdal-0.6.1 for kerberos.
I would like my XP machines in the domain to use the share with the user accounts defined in Active Directory.
At a first glance it seems to work: the connection to the share succeeds without a prompt for a password. Users may create, read, modify and delete files or folders.
But the ACLs do not show domain accounts but local accounts: those accounts have the SAME NAME as the domain account BUT they bear the name of the SAMBA machine instead of the name of the domain.
Here are my conf files:
----- smb.conf -----
[global]
security = ADS
realm = windom
netbios name = SAMBA
workgroup = WINDOM
encrypt passwords=yes
password server = *
obey pam restrictions = yes
winbind cache time = 120
template shell = /sbin/nologin
template homedir = /none
idmap uid = 10000-19999
idmap gid = 10000-19999
winbind nested groups = yes
winbind separator = +
[theshare]
path=/smbroot/theshare
read only=no
-----------------------
------ nsswitch.conf ---
passwd: files winbind
group: files winbind
------------------------
------ pam.d/samba ----
auth required pam_winbind.so debug
account required pam_winbind.so
-----------------------
pam_winbind.so is only present in pam.d/samba
wbinfo -u
wbinfo -g
work fine
pw user show -a # this lists all the user accounts in a passwd format
shows all local and domain accounts (WINDOM+domuser:*:10021:10010:...)
Then I log into an XP machine as domuser@WINDOM
I open the network location: \\samba\theshare
I create some file, and when I edit its properties I find in the ACL and as the owner of the file:
domuser(SAMBA\domuser)
Then I log on the console of the Samba server as root, and
$ ls -ln /smbroot/theshare/dummyfile.txt
gives a UID of 10034 as the owner
pw user show -u 10034
returns:
domuser:*:10034:65534::0:0:domuser:/none/:/sbin/nologin
again I type: pw user show -a
all the domain users are present but domuser:*:10034 does not appear in the list
When I turn on: winbind trusted domains only = yes
I get a login screen when I want to connect to the share and log.smbd tells:
smbd/sesssetup.c:reply_spnego_kerberos(248)
Username WINDOM+domuser is invalid on this system
while log.winbind says:
nsswitch/winbindd_acct.c:winbindd_create_user(884)
winbindd_create_user: Refusing to create user that already exists (domuser)
It is not clear to me if it is a kerberos or a winbind problem.
Has someone a clue?
Thanks
FX
Jason C. Waters
2004-Jun-12 02:20 UTC
[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain
Do "getent group" and "getent passwd" return the users and groups? If they don't, I'm guessing that you didn't copy the libnss_winbind.so to your /lib directory and then create a symbolic link, ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.x, where x is the version of nss you use... I think. I put 2 and it works, but you can try 0, 1, or 2 I think.
Hope this helps
fx.cormontagne@howen.be wrote:
> [original message quoted in full, see above]
fx.cormontagne@howen.be
2004-Jun-20 14:36 UTC
[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain
Sorry that I've not posted my answer to the list...
On FreeBSD "pw group show -a" and "pw user show -a" will respectively list group and passwd entries. Both commands list local and Windows groups or users.
But a single user lookup like "pw user show domuser" fails.
======= Original message =======
From: "Jason C. Waters" <jwaters@h2os.com>
To: fx.cormontagne@howen.be
Subject: Re: [Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain
Does "getent group" and "getent passwd" return the users and groups?
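As an added example, not code from the thread or from the Samba project: a small POSIX sh check that does what Jason's reply suggests and what FX's follow-up reports failing, comparing the users winbind enumerates with what NSS resolves, both by name and by UID. The wbinfo and passwd lines are constructed sample data; the idmap range and separator are taken from the smb.conf above.

```shell
# Added example, not from the thread: cross-checks winbind enumeration against
# NSS lookups, the check Jason's reply suggests. Assumes the smb.conf above
# (idmap range 10000-19999, separator '+').
IDMAP_LO=10000
IDMAP_HI=19999
SEP='+'
# Constructed data standing in for `wbinfo -u` and `getent passwd`, so this
# runs offline; on a real server swap the helper bodies for those commands.
SAMPLE_WBINFO='WINDOM+domuser
WINDOM+alice
WINDOM+bob'
SAMPLE_PASSWD='root:*:0:0:root:/root:/bin/sh
WINDOM+domuser:*:10021:10010:domuser:/none:/sbin/nologin
WINDOM+alice:*:10022:10010:alice:/none:/sbin/nologin
domuser:*:10034:65534:domuser:/none/:/sbin/nologin'

list_winbind_users() { printf '%s\n' "$SAMPLE_WBINFO"; }
passwd_by_name() { printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v k="$1" '$1 == k'; }
passwd_by_uid()  { printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v k="$1" '$3 == k'; }

# Every user winbind enumerates must resolve through NSS with a UID inside the
# idmap range. Prints one line per problem; exit status is the problem count.
check_nss_mapping() {
    n=0
    for u in $(list_winbind_users); do   # names assumed free of whitespace
        entry=$(passwd_by_name "$u")
        if [ -z "$entry" ]; then
            echo "MISSING: $u enumerated by winbind but not resolvable via NSS"
            n=$((n + 1)); continue
        fi
        uid=$(printf '%s\n' "$entry" | cut -d: -f3)
        if [ "$uid" -lt "$IDMAP_LO" ] || [ "$uid" -gt "$IDMAP_HI" ]; then
            echo "RANGE: $u maps to uid $uid outside $IDMAP_LO-$IDMAP_HI"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# The file-owner check from the thread: a UID read off `ls -ln` should resolve
# to DOMAIN+user; a bare name is the local-looking account clients show as SAMBA\user.
check_owner_uid() {
    name=$(passwd_by_uid "$1" | cut -d: -f1)
    case "$name" in
        "")       echo "UNKNOWN: uid $1 has no passwd entry"; return 1 ;;
        *"$SEP"*) echo "OK: uid $1 is $name"; return 0 ;;
        *)        echo "LOCAL: uid $1 resolves to '$name', not a domain account"; return 1 ;;
    esac
}
```

On the sample data the name check reports WINDOM+bob as missing and uid 10034 as a local-looking account, which is the same split FX sees between "pw user show -a" and "pw user show -u 10034".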