Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
I've been bumping my head against GPO issues and am now wondering if it's
connected to my BUILTIN groups not mapping on my DC.
For instance on DC:
sh-4.1# wbinfo --gid-info=544
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 544
But on a member:
sh-4.1# wbinfo --gid-info=544
BUILTIN\administrators:x:544:
Likewise `getent group BUILTIN\\administrators` fails on the DC.
Any ideas?
Here is my smb.conf:
[global]
workgroup = xxx
realm = xxx
netbios name = SERVER
server role = active directory domain controller
wins support = yes
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
template shell = /bin/sh
dns forwarder = x.x.x.x
server services = -smb +s3fs
dcerpc endpoint servers = -winreg -srvsvc
vfs objects = netatalk
unix extensions = no
tls enabled = yes
tls keyfile = tls/server_AD_DC.key
tls certfile = tls/server_AD_DC.crt
tls cafile = tls/xxx_CA.crt
[netlogon]
path = /var/lib/samba/sysvol/xxx/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Also had GPO issues related to BUILTIN Users and Groups. Fixed the issues with different uid's/gid's being assigned to them by winbind by manually editing uid's and gid's in idmap.ldb with ldbedit. Tried rid mapping for BUILTIN but it did not work on the AD DCs.

achim~

On 25.04.2014 21:58, Ryan Bair wrote:
> Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
> [...]
Hi!

Attached is a patch that fixes --gid-info and hence "getent group" for builtins on the DC. Note that this will not produce the same GIDs as on a member. I need to do more testing with this but wanted to share it for those who are interested.

(And also remember that you should not use a range below 1000 for id mapping on a member on modern linux/unix systems, because you risk clashes with system groups.)

Cheers - Michael

Note: cross-posting to samba-technical since this involves a patch...

On 2014-04-25 at 15:58 -0400, Ryan Bair wrote:
> Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
> [...]
On 25.04.2014 21:58, Ryan Bair wrote:
> Running 4.1.6-SerNet-RedHat-7.el6 on CentOS 6.5.
>
> [global]
> workgroup = xxx
> realm = xxx
> netbios name = SERVER
> server role = active directory domain controller
> wins support = yes
> idmap_ldb:use rfc2307 = yes
> winbind nss info = rfc2307
> template shell = /bin/sh
> dns forwarder = x.x.x.x
> server services = -smb +s3fs
> dcerpc endpoint servers = -winreg -srvsvc
> vfs objects = netatalk

I think you must add the default objects.

vfs objects = netatalk, dfs_samba4, acl_xattr
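Two of the replies above come down to smb.conf hygiene: Michael's reminder that an id mapping range starting below 1000 can collide with local system groups, and the last reply's point that setting `vfs objects` on an AD DC replaces the defaults (dfs_samba4, acl_xattr) unless you list them again. The script below is an added example, not code from the thread or from the Samba project: it statically checks a copy of smb.conf for both conditions. The sample config it writes is constructed (domain EXAMPLE, a hypothetical rid mapping with range 500-9999), and the "dc" alias it accepts for the server role is my assumption alongside the full spelling used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): static checks on an smb.conf for the two
# configuration points raised in the replies. Uses a constructed sample config.

# Write a constructed sample smb.conf (values are placeholders, not the poster's).
write_sample_conf() {
  cat > "$1" <<'EOF'
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LAN
server role = active directory domain controller
# Overriding vfs objects on a DC drops the defaults (dfs_samba4, acl_xattr).
vfs objects = netatalk
# Hypothetical member-style mapping whose range starts below 1000.
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 500-9999

[sysvol]
path = /var/lib/samba/sysvol
vfs objects = acl_xattr
read only = No
EOF
}

# conf_value FILE PARAM: print PARAM's value from [global] only
# (case-insensitive key, surrounding whitespace ignored); empty if unset.
conf_value() {
  awk -v want="$2" '
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = $0; gsub(/[][ \t]/, "", sec); sec = tolower(sec); next }
    index($0, "=") == 0 { next }
    {
      key = substr($0, 1, index($0, "=") - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
      if (sec == "global" && tolower(key) == want) {
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# check_vfs_objects FILE: on an AD DC, an explicit "vfs objects" must still
# list dfs_samba4 and acl_xattr. Returns 1 and names the missing module otherwise.
check_vfs_objects() {
  role=$(conf_value "$1" "server role" | tr 'A-Z' 'a-z')
  case "$role" in
    "active directory domain controller"|"dc") ;;   # "dc" alias: assumption
    *) return 0 ;;   # not a DC: nothing to check here
  esac
  vfs=$(conf_value "$1" "vfs objects")
  [ -z "$vfs" ] && return 0   # unset: Samba supplies the DC defaults itself
  for mod in dfs_samba4 acl_xattr; do
    case " $(printf '%s' "$vfs" | tr ',' ' ') " in
      *" $mod "*) ;;
      *) echo "vfs objects on a DC is missing $mod (have: $vfs)"; return 1 ;;
    esac
  done
  return 0
}

# check_idmap_ranges FILE: flag any "idmap config <DOM> : range = LOW-HIGH"
# whose LOW is below 1000, where it can collide with local system accounts.
check_idmap_ranges() {
  awk '
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    tolower($0) ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
      val = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", val)
      split(val, r, "-")
      if (r[1] + 0 < 1000) { print "idmap range starts below 1000: " $0; bad = 1 }
    }
    END { if (bad) exit 1 }' "$1"
}

main() {
  tmp=$(mktemp)
  write_sample_conf "$tmp"
  check_vfs_objects "$tmp" || echo "FAIL: vfs objects"
  check_idmap_ranges "$tmp" || echo "FAIL: idmap range"
  rm -f "$tmp"
}
main
```

Run it against a real file by calling `check_vfs_objects /etc/samba/smb.conf` and `check_idmap_ranges /etc/samba/smb.conf` instead of the constructed sample; both functions only read the file and print what they find. The checks are deliberately conservative: a DC with no `vfs objects` line at all passes, because Samba then applies its own defaults, and only the global section is consulted so a share-level `vfs objects` does not mask a missing module in [global].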