Hi,

Thx Steve for pointing out the overlapping range issue I had in my conf.

I changed the config, but still no success: getent passwd or getent groups is only showing local users/groups. After showing the local users, there seems to be a timeout of 5 seconds and then back to shell.

Accessing my share with a group that is situated in the group Valid Users isn't working either. No errors in smb or winbind log. (Although I get an error output if I make a mistake in my user's password on purpose; I see an error log being created, as stated in my first post to the mailing list.) So there seems to be some form of authentication, although I can't find out how to debug it.

My /share has been remounted with ACL too.

Any ideas?

My new config
----

[global]
workgroup = INTRANET
realm = ISPPC.BE
server string = %h
security = ADS
ntlm auth = No
kerberos method = system keytab
log file = /var/log/samba/log.%m
max log size = 1024
client signing = required
server signing = required
client use spnego = No
load printers = No
lm announce = No
dns proxy = No
ldap ssl = no
template homedir = /dev/null
template shell = /bin/true
winbind separator = +
winbind cache time = 5
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config * : range = 1000000-1999999
idmap config INTRANET:base_rid = 0
idmap config INTRANET:range = 50000-59999
idmap config INTRANET:read only = yes
idmap config INTRANET:backend = rid
idmap config * : backend = tdb
invalid users = root
cups options = raw

[glims_share]
comment = Glims Cluster Share
path = /share
valid users = @INTRANET+GRP_GLIMS_RDS_USERS
read only = No

Cheers,

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Thursday 16 January 2014 19:02
To: samba at lists.samba.org
Subject: Re: [Samba] samba linux share vs AD

On Thu, 2014-01-16 at 17:30 +0100, Benjamin Budts wrote:
> . #getent passwd only shows local users it seems to wait 5 seconds
> after printing the local users and then times out to shell without an error.

Your ranges overlap.
idmap config * : range = 1000000-1999999
idmap config INTRANET:range = 60000-50000000

Go for something like * 50000-59999
HTH
Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Mon, 2014-01-20 at 00:16 +0100, Benjamin Budts wrote:
> Hi,
>
> Thx Steve for pointing out the overlapping range issue I had in my conf.
>
> I changed the config, but still no success: getent passwd or getent groups
> is only showing local users/groups. After showing the local users, there
> seems to be a timeout of 5 seconds and then back to shell.

Guessing now. (Oh how I love winbind!)
comment:
# winbind separator = +

And make sure that nscd is disabled.

If you want it to just work:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
A bit out of date but it will at least get you there.
HTH
Steve

>
> Accessing my share with a group that is situated in the group Valid Users
> isn't working either. No errors in smb or winbind log. (Although I get an
> error output if I make a mistake in my user's password on purpose; I see an
> error log being created, as stated in my first post to the mailing list.) So
> there seems to be some form of authentication, although I can't find out how
> to debug it.
>
> My /share has been remounted with ACL too.
>
> Any ideas?
>
> My new config
> ----
>
> [global]
> workgroup = INTRANET
> realm = ISPPC.BE
> server string = %h
> security = ADS
> ntlm auth = No
> kerberos method = system keytab
> log file = /var/log/samba/log.%m
> max log size = 1024
> client signing = required
> server signing = required
> client use spnego = No
> load printers = No
> lm announce = No
> dns proxy = No
> ldap ssl = no
> template homedir = /dev/null
> template shell = /bin/true
> winbind separator = +
> winbind cache time = 5
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> winbind normalize names = Yes
> idmap config * : range = 1000000-1999999
> idmap config INTRANET:base_rid = 0
> idmap config INTRANET:range = 50000-59999
> idmap config INTRANET:read only = yes
> idmap config INTRANET:backend = rid
> idmap config * : backend = tdb
> invalid users = root
> cups options = raw
>
> [glims_share]
> comment = Glims Cluster Share
> path = /share
> valid users = @INTRANET+GRP_GLIMS_RDS_USERS
> read only = No
>
>
> Cheers,
>
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of steve
> Sent: Thursday 16 January 2014 19:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba linux share vs AD
>
> On Thu, 2014-01-16 at 17:30 +0100, Benjamin Budts wrote:
> >
> > . #getent passwd only shows local users it seems to wait 5 seconds
> > after printing the local users and then times out to shell without an error.
> >
>
> Your ranges overlap.
> idmap config * : range = 1000000-1999999
> idmap config INTRANET:range = 60000-50000000
>
> Go for something like * 50000-59999
> HTH
> Steve
>
Gents,

Could this be the reason I get a timeout while trying to run getent? The AD server has +500 users and 100's of groups...

winbind enum users and groups should be used with caution in active directories greater than 200 users or groups, as enumeration is an expensive process and likely to timeout and cause login failures. During login, the full passwd and group will be "enumerated" every time from your active directory server. Enumeration is not required for a successful login.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Benjamin Budts
Sent: Monday 20 January 2014 0:16
To: samba at lists.samba.org
Subject: Re: [Samba] AD share not accessible

Hi,

Thx Steve for pointing out the overlapping range issue I had in my conf.

I changed the config, but still no success: getent passwd or getent groups is only showing local users/groups. After showing the local users, there seems to be a timeout of 5 seconds and then back to shell.

Accessing my share with a group that is situated in the group Valid Users isn't working either. No errors in smb or winbind log. (Although I get an error output if I make a mistake in my user's password on purpose; I see an error log being created, as stated in my first post to the mailing list.) So there seems to be some form of authentication, although I can't find out how to debug it.

My /share has been remounted with ACL too.

Any ideas?

My new config
----

[global]
workgroup = INTRANET
realm = ISPPC.BE
server string = %h
security = ADS
ntlm auth = No
kerberos method = system keytab
log file = /var/log/samba/log.%m
max log size = 1024
client signing = required
server signing = required
client use spnego = No
load printers = No
lm announce = No
dns proxy = No
ldap ssl = no
template homedir = /dev/null
template shell = /bin/true
winbind separator = +
winbind cache time = 5
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config * : range = 1000000-1999999
idmap config INTRANET:base_rid = 0
idmap config INTRANET:range = 50000-59999
idmap config INTRANET:read only = yes
idmap config INTRANET:backend = rid
idmap config * : backend = tdb
invalid users = root
cups options = raw

[glims_share]
comment = Glims Cluster Share
path = /share
valid users = @INTRANET+GRP_GLIMS_RDS_USERS
read only = No

Cheers,

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Thursday 16 January 2014 19:02
To: samba at lists.samba.org
Subject: Re: [Samba] samba linux share vs AD

On Thu, 2014-01-16 at 17:30 +0100, Benjamin Budts wrote:
> . #getent passwd only shows local users it seems to wait 5 seconds
> after printing the local users and then times out to shell without an error.

Your ranges overlap.
idmap config * : range = 1000000-1999999
idmap config INTRANET:range = 60000-50000000

Go for something like * 50000-59999
HTH
Steve
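
Added example, not part of any message in this thread: a small Python check for the two configuration points raised above, overlapping idmap ranges and the winbind enum settings. The function names and the trimmed sample configs are constructed for illustration; reporting enabled enumeration as a finding follows the caution quoted in the last message.

```python
import re

# Constructed samples: the range lines Steve flagged, and the revised settings
# from the later message (only the relevant lines are reproduced).
FLAGGED = """[global]
idmap config * : range = 1000000-1999999
idmap config INTRANET:range = 60000-50000000
"""
REVISED = """[global]
winbind enum users = Yes
winbind enum groups = Yes
idmap config * : range = 1000000-1999999
idmap config INTRANET:range = 50000-59999
idmap config INTRANET:backend = rid
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE)
ENUM_RE = re.compile(
    r"^\s*winbind\s+enum\s+(?P<what>users|groups)\s*=\s*(yes|true|1)\s*$",
    re.IGNORECASE)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config DOMAIN : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m["dom"]] = (int(m["lo"]), int(m["hi"]))
    return ranges

def lint(conf_text):
    """Return a list of (kind, detail) findings for the text of an smb.conf."""
    findings = []
    ranges = idmap_ranges(conf_text)
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(("inverted", f"{dom}: {lo}-{hi}"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(("overlap", f"{a} {alo}-{ahi} / {b} {blo}-{bhi}"))
    for line in conf_text.splitlines():
        m = ENUM_RE.match(line)
        if m:
            findings.append(("enum", f"winbind enum {m['what'].lower()} is enabled"))
    return findings

if __name__ == "__main__":
    for name, text in (("flagged", FLAGGED), ("revised", REVISED)):
        print(name, lint(text))
```
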