Doug Meredith
2014-Oct-30 11:29 UTC
[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values
I've done a lot of research on this and haven't been able to solve the problem. Hopefully someone here has a better understanding of this than I do.

The problem is that the UIDs and GIDs are not being fetched from AD. For example "getent passwd doug" returns:

doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false

My full name has correctly been pulled from AD but the UID specified in AD is 20001 and the group is 10000. The values shown above are obviously coming from the wildcard idmap specified in my smb.conf, but I'm at a loss as to why. This occurs for all users and all groups.

Platform is FreeBSD 10 and I'm using Samba 4.1.13. Full smb.conf is below. Any help would be very much appreciated.

[global]
workgroup = DSTRC
security = ADS
realm = DSTRC.ORG
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DSTRC:backend = ad
idmap config DSTRC:schema_mode = rfc2307
idmap config DSTRC:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = zfsacl
map acl inherit = Yes
store dos attributes = Yes

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

[media]]
path = /pool1/media
comment = Movies, TV and music
read only = no
Peter Serbe
2014-Oct-30 12:20 UTC
[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values
Doug Meredith wrote on 30.10.2014 12:29:
> "getent passwd doug" returns:
>
> doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false

I presume this is "getent passwd" on the member server... Does "getent passwd" on the DC work in the right manner?

> Platform is FreeBSD 10 and I'm using Samba 4.1.13. Full smb.conf is
> below.

This configuration looks OK. Is the nsswitch.conf also OK? Does wbinfo -p/u/g work? Kerberos kinit/klist OK? Furthermore the smb.conf on the DC: is rfc2307 working? Do you see the rfc2307 fake yp_server in ldb (as described in the wiki)? There are still a lot of questions open...
Rowland Penny
2014-Oct-30 12:31 UTC
[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values
On 30/10/14 11:29, Doug Meredith wrote:
> I've done a lot of research on this and haven't been able to solve the
> problem. Hopefully someone here has a better understanding of this than I
> do.
>
> The problem is that the UIDs and GIDs are not being fetched from AD. For
> example "getent passwd doug" returns:
>
> doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false
>
> My full name has correctly been pulled from AD but the UID specified in AD
> is 20001 and the group is 10000.

Is the computer joined to the domain? What is the AD DC? Any chance of seeing the user's entry in AD?

smb.conf appears OK except that what is being pulled from AD doesn't seem to include the user's unixHomeDirectory & loginShell. I wonder if you are mistaking the 'uid' attribute for the 'uidNumber' attribute?

Rowland

> The values shown above are obviously
> coming from the wildcard idmap specified in my smb.conf, but I'm at a loss
> as to why. This occurs for all users and all groups.
>
> Platform is FreeBSD 10 and I'm using Samba 4.1.13. Full smb.conf is
> below. Any help would be very much appreciated.
>
> [global]
> workgroup = DSTRC
> security = ADS
> realm = DSTRC.ORG
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DSTRC:backend = ad
> idmap config DSTRC:schema_mode = rfc2307
> idmap config DSTRC:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = zfsacl
> map acl inherit = Yes
> store dos attributes = Yes
>
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
>
> [media]]
> path = /pool1/media
> comment = Movies, TV and music
> read only = no
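
An added example, not part of any post in this thread: a small Python check that parses the idmap lines of an smb.conf and reports which configured range the UID and GID in a "getent passwd" line fall into. The function names are hypothetical; the sample config and passwd line are copied from the first message.

```python
import re

# Sample input: the idmap lines from the smb.conf posted in the thread.
SMB_CONF = """\
[global]
workgroup = DSTRC
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DSTRC:backend = ad
idmap config DSTRC:schema_mode = rfc2307
idmap config DSTRC:range = 500-40000
"""

# Matches "idmap config <domain>:<option> = <value>"
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "range":
            low, high = (int(x) for x in value.split("-"))
            value = (low, high)
        domains.setdefault(domain, {})[option] = value
    return domains

def owning_domain(domains, unix_id):
    """Name of the idmap domain whose range contains unix_id, or None."""
    for name, opts in domains.items():
        low, high = opts.get("range", (1, 0))  # empty range if none configured
        if low <= unix_id <= high:
            return name
    return None

def classify_passwd(domains, passwd_line):
    """Map the uid and gid fields of one passwd line to their idmap domains."""
    fields = passwd_line.strip().split(":")
    uid, gid = int(fields[2]), int(fields[3])
    return {"uid": (uid, owning_domain(domains, uid)),
            "gid": (gid, owning_domain(domains, gid))}

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    line = "doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false"
    print(classify_passwd(doms, line))   # IDs actually returned by getent
    print(owning_domain(doms, 20001), owning_domain(doms, 10000))  # IDs set in AD
```

Because numeric IDs decide file ownership on the member server, running this kind of check against every account shows at a glance which ones were allocated from the wildcard range instead of the AD range.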