Rowland Penny
2014-Dec-01 09:11 UTC
[Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
On 01/12/14 00:08, ?? wrote:
> Rowland Penny,??:
> I test id Administrator as the wiki.
> I run
> chown Administrator(or other DomainUser) file I got
> invalid User :Administrator
>
> ------------------
> ??
> 2014-12-01
>
> -------------------------------------------------------------
> ????Rowland Penny
> ?????2014-11-28 17:59:18
> ??????
> ???samba
> ???Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>
> On 28/11/14 01:33, ?? wrote:
>> Rowland Penny,??:
>> I had test to setup
>> username map = /etc/samba/smbmap
>> and I got the same error
>>
>> winbindd -V
>> Version 4.1.11-Ubuntu
>>
>>
>> ------------------
>> ??
>> 2014-11-28
>>
>> -------------------------------------------------------------
>> ????Rowland Penny
>> ?????2014-11-25 17:51:13
>> ????samba
>> ???
>> ???Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>>
>> On 25/11/14 03:47, ?? wrote:
>>> samba,??:
>>> I follow the wiki(https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server) to setup a member server,then I have some problems:
>>> net ads join -U adminsitrator is OK except the DNS update.
>>> run the command:
>>> wbinfo -u
>>> show the user list as follow:
>>> SWAP10\jz
>>> SWAP10\root
>>> TEST\administrator
>>> TEST\krbtgt
>>> TEST\guest
>>> TEST\root
>>> TEST\jz
>>>
>>> When run the command:
>>> id administrator
>>> show
>>> id: administrator: no such user
>>> When run the command:
>>> id 'TEST\administrator'
>>> show
>>> id: TEST\administrator: no such user
>>>
>>> Run chown and chgrp also get error.
>>>
>>> Here is my smb.conf
>>>
>>> [global]
>>> netbios name = swap10
>>> workgroup = TEST
>>> security = ADS
>>> realm = TEST.TESTDOMAIN.COM
>>> encrypt passwords = yes
>>>
>>> kerberos method = secrets only
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70001-80000
>>> idmap config TEST:backend = ad
>>> idmap config TEST:schema_mode = rfc2307
>>> idmap config TEST:range = 500-40000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = false
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind offline logon = false
>>> template shell = /sbin/nologin
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>> auth methods = winbind
>>> log level = 3
>>> [demo]
>>> path = /home/samba/demo
>>> read only = no
>>> [install$]
>>> path = /home/samba/install
>>> read only = no
>>> guest ok = no
>>>
>>> Any suggestions
>>> Sorry for my poor english.
>>>
>>> Regards
>>> Jiangzhi
>>> --------------
>>> 2014-11-25
>> OK, you are using the winbind 'ad' backend, this will only pull users
>> from AD that have a uidNumber that is between (in your case) 500-40000.
>> Administrator does not have a uidNumber and before you rush off to give
>> Administrator a uidNumber, don't , this is not recommended, it just
>> turns Administrator into a normal user on Unix.
>>
>> I take it that you have only one Samba4 AD DC, it is recommended that
>> you use this for authentication only and use a separate file or member
>> server, if you do this, you can then map Administrator to root by adding
>> a line to smb.conf:
>>
>> username map = /etc/samba/smbmap
>>
>> And then creating the smbmap file
>>
>> !root = EXAMPLE\Administrator Administrator administrator
>>
>> Where EXAMPLE is your netbios/workgroup name.
>>
>> I would you suggest you have a read through the samba wiki:
>>
>> https://wiki.samba.org/index.php/Main_Page
>>
>> Rowland
>>
> Why do want Administrator to login? Administrator is the **WINDOWS**
> admin user, you use 'root' on Unix.
>
> Rowland
>
OK, Administrator is a 'SPECIAL' windows user and as such, does not and
should not exist on Unix. You can map Administrator to the Unix root
user, this will allow Administrator to do the things that need doing
from windows, change ACL's etc.

It actually says 'chown DomainUser:DomainGroup file' on the wiki and if
this is not working, then there is something wrong with your setup!.

This is providing that it doesn't work with a normal user that should be able to log into either a windows machine or a Unix machine.

Lets start with the obvious, do any of your users in AD have at least a 'uidNumber' and does 'Domain Users' have a 'gidNumber' ?

Rowland

Rowland Penny,??:
When I run wbinfo -i TEST\\test
I got the log:
[2014/12/04 15:39:50.169934, 3] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
[2014/12/04 15:39:50.171240, 3] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2014/12/04 15:39:50.188252, 3] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 05 Dec 2014 01:39:51 CST
[2014/12/04 15:39:50.296664, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-1425680026-858952690-2224761852-1107
[2014/12/04 15:40:34.583374, 1] ../source3/winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain SWAP10

SID S-1-5-21-1425680026-858952690-2224761852-1107 is the sid of test
------------------
??
2014-12-04
Rowland Penny
2014-Dec-04 10:25 UTC
[Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
I repeat, have you given **ANY** of your users a 'uidNumber' ????

Rowland
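
An added example, not part of the thread and not Samba code: a small Python model of the rule described above (with `idmap config TEST:backend = ad`, an account is only resolved if it has a uidNumber inside the configured range), run against the idmap lines of the posted smb.conf. The function names and the sample uidNumber values are assumptions made for illustration; on a real member server the result is confirmed with `wbinfo -i` and `getent passwd`.

```python
import re

# idmap-related lines copied from the smb.conf posted in the thread.
SMB_CONF = """\
[global]
workgroup = TEST
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 500-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                low, high = (int(x) for x in val.split("-"))
                val = (low, high)
            domains.setdefault(dom, {})[key] = val
    return domains

def overlapping_ranges(domains):
    """Pairs of domains whose ID ranges overlap (IDs would be ambiguous)."""
    items = sorted((d, c["range"]) for d, c in domains.items() if "range" in c)
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

def resolve(domains, domain, uid_number):
    """Model of the thread's rule: with backend 'ad', only accounts whose
    uidNumber lies inside the domain's range get a Unix ID."""
    cfg = domains.get(domain.upper()) or domains.get("*", {})  # '*' is the default
    if "range" not in cfg:
        return "no idmap range"
    if cfg.get("backend") != "ad":
        return "allocated from range by backend"
    if uid_number is None:
        return "unmapped: no uidNumber in AD"
    low, high = cfg["range"]
    return "mapped" if low <= uid_number <= high else "unmapped: out of range"

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    for name, uid in [("Administrator", None), ("test", 10001), ("jz", 50000)]:
        print(name, "->", resolve(cfg, "TEST", uid))  # uid values are constructed
```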