Markert, Martin
2015-Feb-27 14:04 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
Hi,
I've successfully configured idmap_rid to read id mappings from our AD
servers:
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind offline logon = false
idmap config *:backend = rid
idmap config *:range = 50000-99999
idmap config *:schema_mode = rfc2307
But when I configure idmap_ad I'm not able to get the uidNumber and
gidNumber from the AD servers:
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind offline logon = false
idmap config ARRI:backend = ad
idmap config ARRI:range = 1000-999999
idmap config ARRI:schema_mode = rfc2307
[root at supermdc ~]# id schafha
uid=4294967295 gid=4294967295 groups=4294967295
This user "schafha" actually has a uidNumber 10000 and gidNumber
10000. Changing "idmap config ARRI" to "idmap config *" does
not help:
[root at supermdc ~]# id schafha
id: markert1: No such user
Setup:
AD: Windows Server 2008 RC2 with Windows Services for UNIX
AD member: CentOS 6.6, sernet-samba-4.1.14-9
Please note: not all users and groups listed in AD have got a uidNumber and
gidNumber. Is this a problem?
Kind regards,
Martin
Martin Markert
Systems Integrator
Tuerkenstr. 89, 80799 München / Germany
Phone +49 89 3809-1848
EMail MMarkert at arri.de
Rowland Penny
2015-Feb-27 14:17 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27/02/15 14:04, Markert, Martin wrote:
> Hi,
> I've successfully configured idmap_rid to read id mappings from our AD servers:
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind offline logon = false
> idmap config *:backend = rid
> idmap config *:range = 50000-99999
> idmap config *:schema_mode = rfc2307
>
> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind offline logon = false
> idmap config ARRI:backend = ad
> idmap config ARRI:range = 1000-999999
> idmap config ARRI:schema_mode = rfc2307
>
> [root at supermdc ~]# id schafha
> uid=4294967295 gid=4294967295 groups=4294967295
>
> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>
> [root at supermdc ~]# id schafha
> id: markert1: No such user
>
> Setup:
> AD: Windows Server 2008 RC2 with Windows Services for UNIX
> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>
> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>
> Kind regards,
> Martin
OK, try this:
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
also are you using sssd on the AD member?
Rowland
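An added example, not part of the original posts: a small Python check of the "idmap config" ranges in the two ARRI configurations quoted above. It assumes, per the idmap_ad manual page, that the range acts as a filter on uidNumber/gidNumber values and that the ranges of different domains must not overlap; the function names are hypothetical, and it reads smb.conf text only, without querying AD or winbind.

```python
import re
# "idmap config DOMAIN : option = value", with or without spaces around ':'
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
# idmap lines of the two ARRI configurations posted in the thread
POSTED_ORIGINAL = """
idmap config ARRI:backend = ad
idmap config ARRI:range = 1000-999999
idmap config ARRI:schema_mode = rfc2307
"""
POSTED_SUGGESTED = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(opts):
    low, high = (int(part) for part in opts["range"].split("-"))
    return low, high

def lint(conf_text, domain, unix_id):
    """List range problems that stop `unix_id` of `domain` from being mapped."""
    doms, problems = parse_idmap(conf_text), []
    if "*" not in doms:
        problems.append("no 'idmap config *' default domain (BUILTIN and local SIDs)")
    if "range" not in doms.get(domain, {}):
        return problems + [f"no 'idmap config {domain} : range' set"]
    low, high = id_range(doms[domain])
    if not low <= unix_id <= high:
        problems.append(f"{unix_id} is outside {low}-{high}; the backend ignores it")
    for other, opts in doms.items():
        if other != domain and "range" in opts:
            o_low, o_high = id_range(opts)
            if low <= o_high and o_low <= high:
                problems.append(f"range of {domain} overlaps range of {other}")
    return problems

if __name__ == "__main__":
    for name, conf in (("original", POSTED_ORIGINAL), ("suggested", POSTED_SUGGESTED)):
        print(name, lint(conf, "ARRI", 10000))
```

An empty list only rules out range mistakes; whether the AD object actually carries uidNumber and gidNumber has to be checked against the directory itself.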
Markert, Martin
2015-Feb-27 14:28 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 27/02/15 14:04, Markert, Martin wrote:
>> Hi,
>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind separator = +
>> winbind offline logon = false
>> idmap config *:backend = rid
>> idmap config *:range = 50000-99999
>> idmap config *:schema_mode = rfc2307
>>
>> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind separator = +
>> winbind offline logon = false
>> idmap config ARRI:backend = ad
>> idmap config ARRI:range = 1000-999999
>> idmap config ARRI:schema_mode = rfc2307
>>
>> [root at supermdc ~]# id schafha
>> uid=4294967295 gid=4294967295 groups=4294967295
>>
>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>
>> [root at supermdc ~]# id schafha
>> id: markert1: No such user
>>
>> Setup:
>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>
>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>>
>> Kind regards,
>> Martin
>
> OK, try this:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config ARRI : backend = ad
> idmap config ARRI : schema_mode = rfc2307
> idmap config ARRI : range = 10000-99999
Thank you for your answer, Rowland. I've changed the configuration but it doesn't help:
[root at supermdc ~]# id schafha
id: schafha: No such user
[root at supermdc ~]# winbindd -i -d9
...
accepted socket 21
[19077]: request interface version
[19077]: request location of privileged pipe
accepted socket 23
closing socket 21, client exited
getpwnam schafha
Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
closing socket 23, client exited
> also are you using sssd on the AD member ?
No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
Martin