Hi, I successfully set up an AD DC, and now, I want to join a file server as member in this domain. I followed this tutorial : wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server All works fine, my server join my AD without problem, samba starts fine and winbind too. But when I look at my domain users, the uid/gid returned by winbind are in the TDB range instead of the AD range..... This is my smb.conf : [global] netbios name = filzen workgroup = SAMDOM security = ADS realm = SAMDOM.FR encrypt passwords = yes log level = 10 template homedir = /home/%U template shell = /bin/bash winbind use default domain = yes winbind enum users = yes winbind enum groups = yes idmap config SAMDOM:backend = ad idmap config SAMDOM:range = 20001-70000 idmap config SAMDOM:default = yes idmap config *:backend = tdb idmap config *:range = 70001-80000 If I type : # wbinfo -i administrator I get : administrator:*:70001:70001::/home/administrator:/bin/bash If I create a user (foo) and trying to obtain his informations : # wbinfo -i foo I get: foo:*:70002:70001::/home/foo:/bin/bash Why winbind doen't use AD range instead of TBD range ? And even if I must use TDB range is there a certainty that this uid/gid are the same over all members ? Another clue : If I use SAMDOM:backend = rid the users receive a uid/gid in SAMDOM range and not in TDB range (maybe a bug in ad backend ?) Thanks for any answers Regards, Bruno. -- Bruno MACADRE ------------------------------------------------------------------- Ing?nieur Syst?mes et R?seau | Systems and Network Engineer D?partement Informatique | Department of computer science Responsable Info SER | SER IT Manager Universit? de Rouen | University of Rouen ------------------------------------------------------------------- Coordonn?es / Contact : Universit? de Rouen Facult? des Sciences et Techniques - Madrillet Avenue de l'Universit? CS 70012 76801 St Etienne du Rouvray CEDEX FRANCE T?l : +33 (0)2-32-95-51-86 Mob : +33 (0)6-74-71-45-64 -------------------------------------------------------------------
I am having this EXACT same issue right now on a production domain. You need to check your winbind idmap log. On my systems this is "/var/log/samba/log.winbindd-idmap". See if you have these errors also. [2014/08/06 00:18:06.337996, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain) Could not probe idmap module ad [2014/08/06 00:18:06.345631, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain) idmap backend ad not found [2014/08/06 00:18:06.346979, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain) Could not probe idmap module ad [2014/08/06 00:18:06.361724, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain) idmap backend ad not found [2014/08/06 00:18:06.363064, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain) Could not probe idmap module ad [2014/08/06 12:42:28.991266, 3] ../source3/winbindd/idmap.c:230(idmap_init_domain) idmap backend ad not found [2014/08/06 12:42:28.992717, 3] ../source3/winbindd/idmap.c:235(idmap_init_domain) Could not probe idmap module ad [2014/08/06 13:44:13.408318, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler) It appears to me that the AD backend is missing, but I compiled this from source and maybe there is something I did wrong. If you have the same errors maybe we can either discover a bug or a solution. On 08/11/2014 10:21 AM, Bruno MACADR? wrote:> Hi, > > I successfully set up an AD DC, and now, I want to join a file server > as member in this domain. > > I followed this tutorial : > wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server > > All works fine, my server join my AD without problem, samba starts > fine and winbind too. But when I look at my domain users, the uid/gid > returned by winbind are in the TDB range instead of the AD range..... > > This is my smb.conf : > [global] > > netbios name = filzen > workgroup = SAMDOM > security = ADS > realm = SAMDOM.FR > encrypt passwords = yes > > log level = 10 > > template homedir = /home/%U > template shell = /bin/bash > > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > > idmap config SAMDOM:backend = ad > idmap config SAMDOM:range = 20001-70000 > idmap config SAMDOM:default = yes > idmap config *:backend = tdb > idmap config *:range = 70001-80000 > > If I type : > # wbinfo -i administrator > > I get : > administrator:*:70001:70001::/home/administrator:/bin/bash > > If I create a user (foo) and trying to obtain his informations : > # wbinfo -i foo > > I get: > foo:*:70002:70001::/home/foo:/bin/bash > > Why winbind doen't use AD range instead of TBD range ? And even if I > must use TDB range is there a certainty that this uid/gid are the same > over all members ? > > Another clue : If I use SAMDOM:backend = rid the users receive a > uid/gid in SAMDOM range and not in TDB range (maybe a bug in ad > backend ?) > > Thanks for any answers > Regards, > Bruno. >
I forgot to tell you, if you are pulling from the TDB range, your ID numbers will NOT be the same across member servers. That is what I have been working on for a month now. I have two member servers and they keep pulling from the TDB range, causing a user to have an ID of 70001 on one member server but 70004 on the other. Both servers claim they cannot probe the idmap ad module. On 08/11/2014 10:21 AM, Bruno MACADR? wrote:> Hi, > > I successfully set up an AD DC, and now, I want to join a file server > as member in this domain. > > I followed this tutorial : > wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server > > All works fine, my server join my AD without problem, samba starts > fine and winbind too. But when I look at my domain users, the uid/gid > returned by winbind are in the TDB range instead of the AD range..... > > This is my smb.conf : > [global] > > netbios name = filzen > workgroup = SAMDOM > security = ADS > realm = SAMDOM.FR > encrypt passwords = yes > > log level = 10 > > template homedir = /home/%U > template shell = /bin/bash > > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > > idmap config SAMDOM:backend = ad > idmap config SAMDOM:range = 20001-70000 > idmap config SAMDOM:default = yes > idmap config *:backend = tdb > idmap config *:range = 70001-80000 > > If I type : > # wbinfo -i administrator > > I get : > administrator:*:70001:70001::/home/administrator:/bin/bash > > If I create a user (foo) and trying to obtain his informations : > # wbinfo -i foo > > I get: > foo:*:70002:70001::/home/foo:/bin/bash > > Why winbind doen't use AD range instead of TBD range ? And even if I > must use TDB range is there a certainty that this uid/gid are the same > over all members ? > > Another clue : If I use SAMDOM:backend = rid the users receive a > uid/gid in SAMDOM range and not in TDB range (maybe a bug in ad > backend ?) > > Thanks for any answers > Regards, > Bruno. >