That's what I tried to say. I set the gid/uid attribs in Unix tab.

On 9 January 2015 16:44:28 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 09/01/15 15:40, Tim wrote:
>> When I switch back to backend ad, getent passwd returns nothing -
>> getent group only returns by adding a dedicated group name.
>> There is at least one user and one group with Id set in ad.
>
> Yes, but do *any* of your AD users have a uidNumber attribute?
>
> Rowland
>
>> On 9 January 2015 16:29:39 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 09/01/15 15:19, Tim wrote:
>>
>> I switched to rid module of idmapping and now winbind offers
>> all groups and I can set SeDiskOperatorPrivilege. getent group
>> and getent passwd are now working!
>>
>> On 9 January 2015 15:21:32 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 09/01/15 13:47, Tim wrote:
>>
>> Hello all, I have an AD DC based on CentOS7 with sernet samba
>> 4.1.14 with rfc2307 and function level 2008_R2. This one works
>> so far and I can manage the AD from a Windows client. Now I set
>> up a member server based on CentOS7 with sernet samba 4.1.14
>> just like the wiki advises with the same smb.conf (realm etc. is
>> configured to my needs). I joined the AD and configured nsswitch.
>> wbinfo works so far but getent passwd or getent group doesn't
>> list domain objects. getent group testgroup1 works, but getent
>> passwd testuser1 does not. I created a share in smb.conf. Now I
>> want to set the SeDiskOperatorPrivilege like the wiki advises.
>> But it doesn't work. It says that it can't connect to server
>> 127.0.0.1. I tried it with
>>
>> net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>
>> Now I cannot access the server from Windows to set share
>> permissions. What to do? The wiki told nothing about Kerberos so
>> I did not do anything to it. Thanks in advance
>>
>> Hi, you appear to be the second person in two days having a
>> similar, if not the same problem with the sernet packages. I
>> don't think it is a Kerberos problem, can you check if you have
>> 'libnss_winbind.so.2' anywhere. Rowland
>>
>> I take it from this, that you do not have any uidNumber or gidNumber
>> attributes in AD.
>>
>> Rowland

On 09/01/15 15:45, Tim wrote:
> That's what I tried to say. I set the gid/uid attribs in Unix tab.
>
> On 9 January 2015 16:44:28 CET, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>> On 09/01/15 15:40, Tim wrote:
>>> When I switch back to backend ad, getent passwd returns nothing -
>>> getent group only returns by adding a dedicated group name.
>>> There is at least one user and one group with Id set in ad.
>>
>> Yes, but do *any* of your AD users have a uidNumber attribute?
>>
>> Rowland
>>
>>> On 9 January 2015 16:29:39 CET, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 09/01/15 15:19, Tim wrote:
>>>
>>> I switched to rid module of idmapping and now winbind offers
>>> all groups and I can set SeDiskOperatorPrivilege. getent group
>>> and getent passwd are now working!
>>>
>>> On 9 January 2015 15:21:32 CET, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 09/01/15 13:47, Tim wrote:
>>>
>>> Hello all, I have an AD DC based on CentOS7 with sernet samba
>>> 4.1.14 with rfc2307 and function level 2008_R2. This one works
>>> so far and I can manage the AD from a Windows client. Now I set
>>> up a member server based on CentOS7 with sernet samba 4.1.14
>>> just like the wiki advises with the same smb.conf (realm etc. is
>>> configured to my needs). I joined the AD and configured nsswitch.
>>> wbinfo works so far but getent passwd or getent group doesn't
>>> list domain objects. getent group testgroup1 works, but getent
>>> passwd testuser1 does not. I created a share in smb.conf. Now I
>>> want to set the SeDiskOperatorPrivilege like the wiki advises.
>>> But it doesn't work. It says that it can't connect to server
>>> 127.0.0.1. I tried it with
>>>
>>> net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>>
>>> Now I cannot access the server from Windows to set share
>>> permissions. What to do? The wiki told nothing about Kerberos so
>>> I did not do anything to it. Thanks in advance
>>>
>>> Hi, you appear to be the second person in two days having a
>>> similar, if not the same problem with the sernet packages. I
>>> don't think it is a Kerberos problem, can you check if you have
>>> 'libnss_winbind.so.2' anywhere. Rowland
>>>
>>> I take it from this, that you do not have any uidNumber or gidNumber
>>> attributes in AD.
>>>
>>> Rowland

OK, then were they inside the range set in smb.conf, i.e.

idmap config DOMAIN : range = 10000-999999

Rowland

Definitely. With backend=ad only two users can be seen by getent passwd. Then changing backend=rid, all users are resolved by getent passwd.

On 9 January 2015 17:09:19 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 09/01/15 15:45, Tim wrote:
>> That's what I tried to say. I set the gid/uid attribs in Unix tab.
>>
>> On 9 January 2015 16:44:28 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>> On 09/01/15 15:40, Tim wrote:
>>>> When I switch back to backend ad, getent passwd returns nothing -
>>>> getent group only returns by adding a dedicated group name.
>>>> There is at least one user and one group with Id set in ad.
>>>
>>> Yes, but do *any* of your AD users have a uidNumber attribute?
>>>
>>> Rowland
>>>
>>>> On 9 January 2015 16:29:39 CET, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>
>>>> On 09/01/15 15:19, Tim wrote:
>>>>
>>>> I switched to rid module of idmapping and now winbind offers
>>>> all groups and I can set SeDiskOperatorPrivilege. getent group
>>>> and getent passwd are now working!
>>>>
>>>> On 9 January 2015 15:21:32 CET, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>
>>>> On 09/01/15 13:47, Tim wrote:
>>>>
>>>> Hello all, I have an AD DC based on CentOS7 with sernet samba
>>>> 4.1.14 with rfc2307 and function level 2008_R2. This one works
>>>> so far and I can manage the AD from a Windows client. Now I set
>>>> up a member server based on CentOS7 with sernet samba 4.1.14
>>>> just like the wiki advises with the same smb.conf (realm etc. is
>>>> configured to my needs). I joined the AD and configured nsswitch.
>>>> wbinfo works so far but getent passwd or getent group doesn't
>>>> list domain objects. getent group testgroup1 works, but getent
>>>> passwd testuser1 does not. I created a share in smb.conf. Now I
>>>> want to set the SeDiskOperatorPrivilege like the wiki advises.
>>>> But it doesn't work. It says that it can't connect to server
>>>> 127.0.0.1. I tried it with
>>>>
>>>> net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>>>
>>>> Now I cannot access the server from Windows to set share
>>>> permissions. What to do? The wiki told nothing about Kerberos so
>>>> I did not do anything to it. Thanks in advance
>>>>
>>>> Hi, you appear to be the second person in two days having a
>>>> similar, if not the same problem with the sernet packages. I
>>>> don't think it is a Kerberos problem, can you check if you have
>>>> 'libnss_winbind.so.2' anywhere. Rowland
>>>>
>>>> I take it from this, that you do not have any uidNumber or gidNumber
>>>> attributes in AD.
>>>>
>>>> Rowland
>
> OK, then were they inside the range set in smb.conf, i.e.
>
> idmap config DOMAIN : range = 10000-999999
>
> Rowland
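
The range check raised in this thread, as an added example that is not part of any poster's message: it parses the `idmap config` lines of a constructed smb.conf and compares what the ad and rid backends would resolve for a set of accounts. The domain name DOM and testuser1 come from the thread; the smb.conf text, the other accounts, the RIDs and the uidNumber values are constructed sample data.

```python
# Added example (not from the thread): which accounts would each idmap
# backend resolve? The smb.conf text and account data are constructed.
import re

SMB_CONF = """
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOM : backend = ad
    idmap config DOM : schema_mode = rfc2307
    idmap config DOM : range = 10000-999999
"""

# Constructed sample accounts: (name, RID, uidNumber or None)
ACCOUNTS = [
    ("testuser1", 1104, 10001),
    ("testuser2", 1105, 5000),   # uidNumber below the configured range
    ("testuser3", 1106, None),   # no RFC2307 attributes set
]

def idmap_settings(conf_text, domain):
    """Return the 'idmap config <domain> : key = value' settings as a dict."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S.*?)\s*=\s*(.*?)\s*$", re.I)
    out = {}
    for line in conf_text.splitlines():
        m = pat.match(line)
        if m and m.group(1).lower() == domain.lower():
            out[m.group(2).lower()] = m.group(3)
    return out

def id_range(settings):
    """Split 'range = low-high' into two integers."""
    low, high = settings["range"].split("-")
    return int(low), int(high)

def resolve_ad(accounts, low, high):
    """idmap_ad reads uidNumber from AD; unset or out-of-range IDs are not mapped."""
    return {n: uid for n, _, uid in accounts if uid is not None and low <= uid <= high}

def resolve_rid(accounts, low, high):
    """idmap_rid computes ID = RID + low end of range; no AD attributes needed."""
    return {n: rid + low for n, rid, _ in accounts if rid + low <= high}

if __name__ == "__main__":
    low, high = id_range(idmap_settings(SMB_CONF, "DOM"))
    print("ad :", resolve_ad(ACCOUNTS, low, high))
    print("rid:", resolve_rid(ACCOUNTS, low, high))
```

Because the two backends assign different Unix IDs to the same account, files already owned under one mapping will not match the owner after a switch to the other.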