David Touzeau
2011-Aug-12 08:23 UTC
[Samba] Samba 3.6.0: unable to list Active Directory users
Dear all

I have upgraded my Samba from 3.5.x to the newest 3.6.0 version.
My Samba is connected to an Active Directory 2008 R2.

The "getent passwd" did not display any ActiveDirectory domain users.
The "net ads group" correctly displays the ActiveDirectory groups:

net ads group
Administrateurs
Utilisateurs
Invités
Opérateurs d’impression
Opérateurs de sauvegarde
Duplicateurs
Utilisateurs du Bureau à distance
Opérateurs de configuration réseau
Utilisateurs de l’Analyseur de performances
Utilisateurs du journal de performances
Utilisateurs du modèle COM distribué
IIS_IUSRS
Opérateurs de chiffrement
Lecteurs des journaux d’événements
Accès DCOM service de certificats
Ordinateurs du domaine

I think there is a misconfiguration in my setup but did not find any solution.
Where am I wrong?

[global]
        workgroup = TOUZEAU
        netbios name = bdc2
        server string = %h server
        disable netbios =no
        max protocol = SMB2
        name resolve order =host lmhosts wins bcast
        dns proxy = No
        wins support = No
        min protocol = NT1
        syslog = 3
        log level = 10
        log file = /var/log/samba/log.%m
        debug timestamp = yes

#       Enable symbolics links -----------------------------------
        follow symlinks = yes
        wide links = yes
        unix extensions = no

        usershare allow guests = no
        usershare max shares = 100
        usershare owner only = true
        usershare path=/var/lib/samba/usershares/data

#Guest access
        guest account = nobody
        map to guest = Bad Password
        template homedir = /home/%U
        template shell = /bin/false
        enable privileges = yes
        os level = 40
        ldap passwd sync = no

#WINBINDD *******************************************************
        security = ADS
        realm = TOUZEAU.HOME

        idmap config TOUZEAU:backend = ad
        idmap config TOUZEAU:readonly = yes
        idmap config TOUZEAU:schema_mode = rfc2307
        idmap config * : range = 16777216-33554431
        client use spnego = No
        client use spnego principal = No
        encrypt passwords = Yes
        client ntlmv2 auth = Yes
        client lanman auth = No
        winbind normalize names = Yes
        winbind separator = /
        winbind use default domain = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        winbind nss info = rfc2307
        winbind offline logon = true
        winbind cache time = 5
        winbind refresh tickets = true
        kerberos method = system keytab
        allow trusted domains = Yes
        server signing = mandatory
        client signing = mandatory
        lm announce = No
        ntlm auth = No
        lanman auth = No
        preferred master = No
        printing = bsd

# VISTA/Windows7 compatibility
# ACLs settings
        nt acl support=yes
        map acl inherit=yes
        acl check permissions=yes
        inherit permissions=no
        inherit acls=no
        acl map full control=yes
        dos filemode=yes
        force unknown acl user = no

# LDAP settings -----------------------------------
        ldap delete dn = no
        passdb backend = ldapsam:ldap://127.0.0.1:389
        ldap admin dn = cn=Manager,dc=my-domain,dc=com
        ldap suffix = dc=my-domain,dc=com
        ldap group suffix = dc=organizations
        ldap user suffix = dc=organizations
        ldap machine suffix = ou=Computer,dc=samba,dc=organizations
        ldap delete dn = yes
        ldap ssl = off
        ldap idmap suffix ou=idmap,dc=samba,dc=organizations,dc=my-domain,dc=com

Marc Muehlfeld
2011-Aug-12 09:42 UTC
[Samba] Samba 3.6.0: unable to list Active Directory users
On 12.08.2011 10:23, David Touzeau wrote:
> The "getent passwd" did not display any ActiveDirectory domain users.
> The "net ads group" correctly displays the ActiveDirectory groups:

Sounds a little bit like the bug I reported yesterday:
https://bugzilla.samba.org/show_bug.cgi?id=8371

Michael Wood
2011-Aug-12 10:25 UTC
[Samba] Samba 3.6.0: unable to list Active Directory users
Hi

On 12 August 2011 10:23, David Touzeau <david at touzeau.eu> wrote:
> Dear all
>
> I have upgraded my Samba from 3.5.x to the newest 3.6.0 version.
> My Samba is connected to an Active Directory 2008 R2.
>
> The "getent passwd" did not display any ActiveDirectory domain users.
> The "net ads group" correctly displays the ActiveDirectory groups:
>
> net ads group
> Administrateurs
> Utilisateurs
> Invités
> Opérateurs d’impression
> Opérateurs de sauvegarde
> Duplicateurs
> Utilisateurs du Bureau à distance
> Opérateurs de configuration réseau
> Utilisateurs de l’Analyseur de performances
> Utilisateurs du journal de performances
> Utilisateurs du modèle COM distribué
> IIS_IUSRS
> Opérateurs de chiffrement
> Lecteurs des journaux d’événements
> Accès DCOM service de certificats
> Ordinateurs du domaine
>
> I think there is a misconfiguration in my setup but did not find any solution.
> Where am I wrong?
>
> [global]
>         workgroup = TOUZEAU
>         netbios name = bdc2
>         server string = %h server
>         disable netbios =no
>         max protocol = SMB2
>         name resolve order =host lmhosts wins bcast
>         dns proxy = No
>         wins support = No
>         min protocol = NT1
>         syslog = 3
>         log level = 10
>         log file = /var/log/samba/log.%m
>         debug timestamp = yes
>
> #       Enable symbolics links -----------------------------------
>         follow symlinks = yes
>         wide links = yes
>         unix extensions = no
>
>         usershare allow guests = no
>         usershare max shares = 100
>         usershare owner only = true
>         usershare path=/var/lib/samba/usershares/data
>
> #Guest access
>         guest account = nobody
>         map to guest = Bad Password
>         template homedir = /home/%U
>         template shell = /bin/false
>         enable privileges = yes
>         os level = 40
>         ldap passwd sync = no
>
> #WINBINDD *******************************************************
>         security = ADS
>         realm = TOUZEAU.HOME
>
>         idmap config TOUZEAU:backend = ad
>         idmap config TOUZEAU:readonly = yes
>         idmap config TOUZEAU:schema_mode = rfc2307
>         idmap config * : range = 16777216-33554431

The way idmap works was changed with 3.6.0. I don't know if the above is wrong, but perhaps it is something to consider. e.g. I don't know if "readonly" is supported. I've seen mention of "read only", but not in the idmap_ad code. But maybe I missed it.

Also, the idmap_ad documentation implies that you need something like this:

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config TOUZEAU : backend = ad
idmap config TOUZEAU : range = 1000-999999
idmap config TOUZEAU : schema_mode = rfc2307

I am not sure if the above is relevant to you :) but I hope it helps.

--
Michael Wood <esiotrot at gmail.com>

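Added example, not part of the thread and not Samba project code: a small checker that compares the "idmap config" lines of an smb.conf with the layout suggested in the reply above (an explicit backend and range for "*" and for each domain, with ranges that do not overlap). The function names are made up for this example, the two inputs are the idmap lines copied from the thread, and a reported item is a difference to review, not a confirmed cause of the problem.

```python
import re
# "idmap config DOMAIN : option = value"; spaces around ':' are optional.
# Lines commented out with '#' or ';' do not match.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

# The idmap lines of the two configurations in this thread, copied verbatim.
POSTED = """
idmap config TOUZEAU:backend = ad
idmap config TOUZEAU:readonly = yes
idmap config TOUZEAU:schema_mode = rfc2307
idmap config * : range = 16777216-33554431
"""
SUGGESTED = """
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config TOUZEAU : backend = ad
idmap config TOUZEAU : range = 1000-999999
idmap config TOUZEAU : schema_mode = rfc2307
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain.upper(), {})[option.lower()] = value
    return domains

def layout_differences(conf_text):
    """List where conf_text departs from the layout suggested in the reply."""
    domains, notes, ranges = parse_idmap(conf_text), [], []
    if "*" not in domains:
        notes.append("*: no default idmap section")
    for domain, opts in sorted(domains.items()):
        notes += [f"{domain}: {o} not set" for o in ("backend", "range") if o not in opts]
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m and int(m.group(1)) < int(m.group(2)):
            ranges.append((int(m.group(1)), int(m.group(2)), domain))
        elif "range" in opts:
            notes.append(f"{domain}: bad range {opts['range']!r}")
    ranges.sort()
    for (_, high, a), (low, _, b) in zip(ranges, ranges[1:]):
        if low <= high:  # the next range starts inside the previous one
            notes.append(f"{a} and {b}: ranges overlap")
    return notes

for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
    print(name, layout_differences(text) or "matches the suggested layout")
```
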