Markert, Martin
2015-Feb-27 14:59 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27.02.2015 at 15:48, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> On 27/02/15 14:28, Markert, Martin wrote:
>> On 27.02.2015 at 15:17, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>>> On 27/02/15 14:04, Markert, Martin wrote:
>>>> Hi,
>>>> I've successfully configured idmap_rid to read id mappings from our AD servers:
>>>>
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> winbind nested groups = Yes
>>>> winbind separator = +
>>>> winbind offline logon = false
>>>> idmap config *:backend = rid
>>>> idmap config *:range = 50000-99999
>>>> idmap config *:schema_mode = rfc2307
>>>>
>>>> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>>>>
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> winbind nested groups = Yes
>>>> winbind separator = +
>>>> winbind offline logon = false
>>>> idmap config ARRI:backend = ad
>>>> idmap config ARRI:range = 1000-999999
>>>> idmap config ARRI:schema_mode = rfc2307
>>>>
>>>> [root at supermdc ~]# id schafha
>>>> uid=4294967295 gid=4294967295 groups=4294967295
>>>>
>>>> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>>>>
>>>> [root at supermdc ~]# id schafha
>>>> id: markert1: No such user
>>>>
>>>> Setup:
>>>> AD: Windows Server 2008 RC2 with Windows Services for UNIX
>>>> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>>>>
>>>> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber? Is this a problem?
>>>>
>>>> Kind regards,
>>>> Martin
>>>>
>>>> Martin Markert
>>>> Systems Integrator
>>>
>>> OK, try this:
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config ARRI : backend = ad
>>> idmap config ARRI : schema_mode = rfc2307
>>> idmap config ARRI : range = 10000-99999
>>
>> Thank you for your answer, Rowland.
>> I've changed the configuration but it doesn't help:
>>
>> [root at supermdc ~]# id schafha
>> id: schafha: No such user
>>
>> [root at supermdc ~]# winbindd -i -d9
>> ...
>> accepted socket 21
>> [19077]: request interface version
>> [19077]: request location of privileged pipe
>> accepted socket 23
>> closing socket 21, client exited
>> getpwnam schafha
>> Could not convert sid S-1-5-21-1085031214-682003330-725345543-5934: NT_STATUS_NONE_MAPPED
>> closing socket 23, client exited
>>
>>> also are you using sssd on the AD member ?
>>
>> No, I've configured smb.conf, krb5.conf, nsswitch.conf, system-auth-ac. That's it.
>>
>> Martin
>>
>>> Rowland
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>
> Does 'getent passwd schafha' show anything ?

No, it shows nothing.

idmap_ad:
[root at supermdc ~]# getent passwd schafha
[root at supermdc ~]# getent passwd schafha

Idmap_rid:
[root at supermdc ~]# getent passwd schafha
schafha:*:15934:10513:Schafhauser, Florian:/home/ARRI/schafha:/bin/false

> has 'Domain Users' got a 'gidNumber' ?

No, it does not have a gidNumber.

> Rowland
Rowland Penny
2015-Feb-27 15:06 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27/02/15 14:59, Markert, Martin wrote:
> On 27.02.2015 at 15:48, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> Does 'getent passwd schafha' show anything ?
>
> No, it shows nothing.
>
> idmap_ad:
> [root at supermdc ~]# getent passwd schafha
> [root at supermdc ~]# getent passwd schafha
>
> Idmap_rid:
> [root at supermdc ~]# getent passwd schafha
> schafha:*:15934:10513:Schafhauser, Florian:/home/ARRI/schafha:/bin/false
>
>> has 'Domain Users' got a 'gidNumber' ?
>
> No, it does not have a gidNumber.

ok, 'Domain Users' not having a 'gidNumber' could well be your problem :-)

Try giving 'Domain Users' a 'gidNumber' with ADUC and then try 'getent passwd schafha' again.

Rowland
Markert, Martin
2015-Feb-27 15:39 UTC
[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX
On 27.02.2015 at 16:06, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> ok, 'Domain Users' not having a 'gidNumber' could well be your problem :-)
>
> Try giving 'Domain Users' a 'gidNumber' with ADUC and then try 'getent passwd schafha' again.

Ahh, okay! I will give it a try. Our domain administrator has to add this. After that I will report.

Thank you, Rowland.

> Rowland
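
The checks discussed in this thread, as an added example that is not part of any poster's message or of Samba itself: a Python script that parses 'idmap config' lines, confirms the default and domain ranges do not overlap, and lists users that would not resolve. It assumes, as the reply above suggests, that the ad backend needs both the user's uidNumber and the primary group's gidNumber inside the domain range; the directory data and all helper names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment using the layout suggested in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""

# Constructed directory data (not real AD output). 513 is the Domain Users RID.
GROUPS = {513: None, 1201: 10000}           # group RID -> gidNumber (None = unset)
USERS = {"schafha": (10000, 513),           # user -> (uidNumber, primaryGroupID)
         "nounix": (None, 513), "fixed": (10001, 1201)}

def parse_idmap(conf):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    out = {}
    pat = r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$"
    for m in re.finditer(pat, conf, re.M):
        dom, opt, val = m.groups()
        out.setdefault(dom, {})[opt] = val
    return out

def ranges(cfg):
    """Map each domain that has a range to (low, high) as integers."""
    return {d: tuple(int(x) for x in o["range"].split("-"))
            for d, o in cfg.items() if "range" in o}

def overlaps(rng):
    """Return pairs of domains whose ID ranges intersect."""
    doms = sorted(rng)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def unresolvable(users, groups, low, high):
    """Users that cannot be mapped under the stated assumption, with the reason."""
    bad = {}
    for name, (uid, prim) in users.items():
        gid = groups.get(prim)
        if uid is None or not low <= uid <= high:
            bad[name] = "uidNumber missing or outside range"
        elif gid is None or not low <= gid <= high:
            bad[name] = "primary group gidNumber missing or outside range"
    return bad

if __name__ == "__main__":
    rng = ranges(parse_idmap(SMB_CONF))
    print(overlaps(rng), unresolvable(USERS, GROUPS, *rng["ARRI"]))
```
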