Definitely.

With backend=ad only two users can be seen by getent passwd. Then changing backend=rid, all users are resolved by getent passwd.

On 9 January 2015 17:09:19 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 09/01/15 15:45, Tim wrote:
>> That's what I tried to say. I set the gid/uid attribs in Unix tab.
>>
>> On 9 January 2015 16:44:28 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 09/01/15 15:40, Tim wrote:
>>> When I switch back to backend ad, getent passwd returns nothing -
>>> getent group only returns by adding a dedicated group name.
>>> There is at least one user and one group with Id set in ad.
>>>
>>
>> Yes, but do *any* of your AD users have a uidNumber attribute.
>>
>> Rowland
>>
>>> On 9 January 2015 16:29:39 CET, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 09/01/15 15:19, Tim wrote:
>>>
>>> I switched to rid module of idmapping and now winbind
>>> offers all groups and I can set SeDiskOperatorPrivilege.
>>> getent group and getent passwd are now working!
>>>
>>> On 9 January 2015 15:21:32 CET, Rowland Penny
>>> <rowlandpenny at googlemail.com> wrote:
>>>
>>> On 09/01/15 13:47, Tim wrote:
>>>
>>> Hello all,
>>>
>>> I have an AD DC based on CentOS7 with sernet samba 4.1.14 with
>>> rfc2307 and function level 2008_R2. This one works so far and I
>>> can manage the AD from a windows client.
>>>
>>> Now I setup a member server based on CentOS7 with sernet samba
>>> 4.1.14 just like the wiki advises with the same smb.conf (realm
>>> etc is configured to my needs). I joined the AD and configured
>>> nsswitch. wbinfo works so far but getent passwd or getent group
>>> doesn't list domain objects. getent group testgroup1 works, but
>>> getent passwd testuser1 does not.
>>>
>>> I created a share in smb.conf. Now I want to set the
>>> SeDiskOperatorPrivilege like the wiki advises. But it doesn't
>>> work. It says that it can't connect to server 127.0.0.1.
>>> I tried it with
>>>
>>> net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>>
>>> Now I can not access the server from windows to set share
>>> permissions. What to do? The wiki told nothing about kerberos so
>>> I did not do anything to it.
>>>
>>> Thanks in advance
>>>
>>> Hi, you appear to be the second person in two days having a
>>> similar, if not the same problem with the sernet packages. I
>>> don't think it is a kerberos problem, can you check if you have
>>> 'libnss_winbind.so.2' anywhere.
>>>
>>> Rowland
>>>
>>> I take it from this, that you do not have any uidNumber or gidNumber
>>> attributes in AD.
>>>
>>> Rowland
>>>
>>
>
>OK, then were they inside the range set in smb.conf i.e. idmap config
>DOMAIN : range = 10000-999999
>
>Rowland
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba

On 09/01/15 16:48, Tim wrote:
> Definitely.
>
> With backend=ad only two users can be seen by getent passwd. Then
> changing backend=rid, all users are resolved by getent passwd
>

That is strange, if you use the winbind 'ad' backend and have AD users with a uidNumber, then all the users with uidNumbers should be shown by getent passwd, but any users without a uidNumber will not be shown.

The 'rid' backend works differently, it allocates id numbers to each and every user.

Rowland

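Added example (not part of the thread and not Samba's own code): a simplified Python model of the two idmap backends discussed above, showing why the same accounts resolve differently. The accounts, RIDs and uidNumbers are constructed sample data; the range is the one quoted in the thread, and the 'rid' formula (ID = RID - BASE_RID + LOW_RANGE_ID) is taken from the idmap_rid documentation rather than from this thread.

```python
# Added illustration; account names, RIDs and uidNumbers below are constructed.
from typing import Optional

LOW, HIGH = 10000, 999999   # "idmap config DOMAIN : range = 10000-999999" from the thread
BASE_RID = 0                # idmap_rid default for base_rid

# (account name, RID, uidNumber attribute or None if not set in AD) - constructed sample
ACCOUNTS = [
    ("testuser1", 1104, 10001),
    ("testuser2", 1105, 10002),
    ("testuser3", 1106, None),      # no uidNumber set in the Unix tab
    ("testuser4", 1107, 500),       # uidNumber set, but below the configured range
]

def map_ad(uid_number: Optional[int]) -> Optional[int]:
    """'ad' backend: use the stored uidNumber, only if present and inside the range."""
    if uid_number is None or not LOW <= uid_number <= HIGH:
        return None
    return uid_number

def map_rid(rid: int) -> Optional[int]:
    """'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID, computed for every account."""
    unix_id = rid - BASE_RID + LOW
    return unix_id if LOW <= unix_id <= HIGH else None

def visible_users(backend: str) -> dict:
    """Return {name: unix id} for the accounts the given backend can map."""
    result = {}
    for name, rid, uid_number in ACCOUNTS:
        unix_id = map_ad(uid_number) if backend == "ad" else map_rid(rid)
        if unix_id is not None:
            result[name] = unix_id
    return result

def unmapped_under_ad() -> list:
    """Accounts that resolve with 'rid' but disappear after switching to 'ad'."""
    ad = visible_users("ad")
    return [name for name in visible_users("rid") if name not in ad]

if __name__ == "__main__":
    for backend in ("ad", "rid"):
        print(backend, visible_users(backend))
    print("missing under ad:", unmapped_under_ad())
```

In this model the same account gets a different Unix ID under each backend, so ownership set with chown while 'rid' is active will not match the account after switching to 'ad'.
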
Full ack, Rowland. Really strange.

I also downgraded sernet-samba packages to 4.1.13 - all the same. Possibly the ad module is broken? With ad module winbind resolves two users. But these two users aren't different to the others.

I also could not set permission via windows as the wiki advises. Always permission denied. I needed to chown the share dir first to the right group. But this worked only with rid module.

I'll give ad module another try.

On 9 January 2015 17:56:59 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>That is strange, if you use the winbind 'ad' backend and have AD users
>with a uidNumber, then all the users with uidNumbers should be shown by
>getent passwd, but any users without a uidNumber will not be shown.
>
>The 'rid' backend works differently, it allocates id numbers to each and
>every user.
>
>Rowland

It's definitely a problem with backend ad. I don't know what, but with ad backend I also cannot list rpc rights on the server because it cannot find the user. With rid: no problem.

Bug?

On 9 January 2015 17:56:59 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>That is strange, if you use the winbind 'ad' backend and have AD users
>with a uidNumber, then all the users with uidNumbers should be shown by
>getent passwd, but any users without a uidNumber will not be shown.
>
>The 'rid' backend works differently, it allocates id numbers to each and
>every user.
>
>Rowland