We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4 We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3 I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully. The only issue here was due to dependency issues downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded which resulted in the removal of ubuntu-desktop. ------------ /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files winbind group: files winbind shadow: files winbind hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis ---------- /etc/samba/smb.conf [global] security = ads realm = DOMAIN.COM password server = pdc.domain.com bdc.domain.com workgroup = DOMAIN idmap backend = rid:DOMAN=10000-20000 idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups = yes winbind refresh tickets = yes template homedir = /vhome/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 I've seen other posts out there with similar problems, but haven't seen a solution that works for me.
On 24/09/12 22:31, Steve Snedeker wrote:> We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4 > > We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3 > > I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. > > I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully. The only issue here was due to dependency issues downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded which resulted in the removal of ubuntu-desktop. > > ------------ > > /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: files winbind > group: files winbind > shadow: files winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > > ---------- > > /etc/samba/smb.conf > > [global] > security = ads > realm = DOMAIN.COM > password server = pdc.domain.com bdc.domain.com > workgroup = DOMAIN > idmap backend = rid:DOMAN=10000-20000 > idmap uid = 10000-20000 > idmap gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = yes > template homedir = /vhome/%U > template shell = /bin/bash > client use spnego = yes > client ntlmv2 auth = yes > encrypt passwords = yes > winbind use default domain = yes > restrict anonymous = 2 > > > I've seen other posts out there with similar problems, but haven't seen a solution that works for me.Hi, I use samba 3.6.3 to connect to a samba4 AD server, but my smb.conf looks nothing like yours. The idmap lines have changed to: idmap config HOME:schema_mode = rfc2307 idmap config HOME:range = 20000-3100000 idmap config HOME:backend = ad idmap config *:range = 1100-2000 idmap config *:backend = tdb You also should not use the password server line anymore, but you also seem to have a spelling mistake: idmap backend = rid:DOMAN=10000-20000 The final thing is, if there is no unix info on the windows server, winbind cannot pull it, you need the unix extension on the server Rowland -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Looks like you have a potentially conflicting idmap block here:
idmap backend = rid:DOMAN=10000-20000
and here:
idmap uid = 10000-20000
idmap gid = 10000-20000
This is more contemporary with Samba 3.6:
idmap config * : backend = tdb
idmap config * : range = 20001-30000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : base_rid = 0
[me at LINUX ~](14)$ wbinfo --user-info=testuser
testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
[me at LINUX ~](15)$ getent passwd testuser
testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
(My low-end range starts lower than 10000, btw).
Also, you sure you want to keep your idmap range within just 10000?
Seems quite low to me.
On 09/24/2012 04:31 PM, Steve Snedeker wrote:> We have a cross platform environment with a Windows 2008 server running
Active Directory and many of our workstations are running ubuntu 10.10 using
winbind for user authentication. The version of samba running on these boxes is
3.5.4
>
> We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3
>
> I am able to connect to the DC, and am able to see the users running the
wbinfo -u command, but when I run the getent passwd command I do not see the
domain users.
>
> I was able to successfully downgrade to samba 3.5.4 and after connecting to
the DC I ran the command getent passwd and was able to see the domain users, and
su to that particular user successfully. The only issue here was due to
dependency issues downgrading to samba 3.5.4 resulted in libwbclient0 being
downgraded which resulted in the removal of ubuntu-desktop.
>
> ------------
>
> /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
>
> passwd: files winbind
> group: files winbind
> shadow: files winbind
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> ----------
>
> /etc/samba/smb.conf
>
> [global]
> security = ads
> realm = DOMAIN.COM
> password server = pdc.domain.com bdc.domain.com
> workgroup = DOMAIN
> idmap backend = rid:DOMAN=10000-20000
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> template homedir = /vhome/%U
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> winbind use default domain = yes
> restrict anonymous = 2
>
>
> I've seen other posts out there with similar problems, but haven't
seen a solution that works for me.
On 01/10/12 21:47, Steve Snedeker wrote:> Getting closer! Thank You! I am able to see the users, but cannot see the groups. > > 10513 should be the "Domain Users" group. > > getent passwd works but getent group only shows the local groups. > > When I su into a domain user I get this error: groups: cannot find name for group ID 10513 > > > ----- Original Message ----- > From: "Heather Choi"<hceuterpe at gmail.com> > To: "Steve Snedeker"<steve at imninjas.com> > Cc: samba at lists.samba.org > Sent: Friday, September 28, 2012 11:12:11 PM > Subject: Re: [Samba] Winbind issue using samba 3.6.3 > > > Looks like you have a potentially conflicting idmap block here: > idmap backend = rid:DOMAN=10000-20000 and here: idmap uid = 10000-20000 > idmap gid = 10000-20000 This is more contemporary with Samba 3.6: > > idmap config * : backend = tdb > idmap config * : range = 20001-30000 > > idmap config DOMAIN : backend = rid > idmap config DOMAIN : range = 10000-20000 > idmap config DOMAIN : base_rid = 0 > > [me at LINUX ~](14)$ wbinfo --user-info=testuser > testuser:*:13102:1513:Test User:/home/testuser:/bin/bash > [me at LINUX ~](15)$ getent passwd testuser > testuser:*:13102:1513:Test User:/home/testuser:/bin/bash > > (My low-end range starts lower than 10000, btw). > > Also, you sure you want to keep your idmap range within just 10000? Seems quite low to me. > > On 09/24/2012 04:31 PM, Steve Snedeker wrote: > > > We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4 > > We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3 > > I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. > > I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully. The only issue here was due to dependency issues downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded which resulted in the removal of ubuntu-desktop. > > ------------ > > /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages installed, try: > # `info libc "Name Service Switch"' for information about this file. > > passwd: files winbind > group: files winbind > shadow: files winbind > > hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis > > > ---------- > > /etc/samba/smb.conf > > [global] > security = ads > realm = DOMAIN.COM > password server = pdc.domain.com bdc.domain.com > workgroup = DOMAIN > idmap backend = rid:DOMAN=10000-20000 > idmap uid = 10000-20000 > idmap gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = yes > template homedir = /vhome/%U > template shell = /bin/bash > client use spnego = yes > client ntlmv2 auth = yes > encrypt passwords = yes > winbind use default domain = yes > restrict anonymous = 2 > > > I've seen other posts out there with similar problems, but haven't seen a solution that works for me.Hi, samba 3.6.3 on Ubuntu 12.04 using winbind does not show domain groups using 'getent group' but 'getent group <domain group> will, provided that the domain group has the posix objectclass 'posixGroup' and a gidNumber. If all is correct, it will work, try creating a file and chown <domainuser>:<domaingroup> it Rowland -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.