samba - Apr 2015 - Member server - winbind unable to resolve users/groups

Hi,

On Fri, Apr 3, 2015 at 7:22 AM, Andrey Repin <anrdaemon at yandex.ru>
wrote:
> Greetings, All!
>
> > I'm trying to get the former PDC back into domain after performing
a
> classic
> > migration.
> > AD DC is running fine... if you can call it that.
> > I've edited the smb.conf and nsswitch.conf as suggested in Wiki
article,
> and
> > rejoined the domain. Went fine apart from failed DNS update with local
> zone.
>
> > # net ads testjoin
> > Join is OK
>
> > But there's no data in getent, and domain users are unable to
> authenticate on
> > the server.
>
> > So, where do I start looking?
>
Please check your  /etc/nsswitch.conf file, it should look contains this,

passwd: compat winbind
group:    compat winbind

For more information, please go through Samba Wiki first,

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server


--Regards
Ashishkumar S. Yadav

Greetings, Ashish Yadav!
>> > I'm trying to get the former PDC back into domain after
performing a
>> classic
>> > migration.
>> > AD DC is running fine... if you can call it that.
>> > I've edited the smb.conf and nsswitch.conf as suggested in
Wiki article,
>> and
>> > rejoined the domain. Went fine apart from failed DNS update with
local
>> zone.
>>
>> > # net ads testjoin
>> > Join is OK
>>
>> > But there's no data in getent, and domain users are unable to
>> authenticate on
>> > the server.
>>
>> > So, where do I start looking?
>>
> Please check your  /etc/nsswitch.conf file, it should look contains this,
> passwd: compat winbind
> group:    compat winbind
> For more information, please go through Samba Wiki first,
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
Please read the message - I explicitly stated that nsswitch.conf is amended as
suggested on the wiki.


-- 
With best regards,
Andrey Repin
Friday, April 3, 2015 15:04:41

Sorry for my terrible english...

On 03/04/15 13:05, Andrey Repin wrote:
> Greetings, Ashish Yadav!
>
>>>> I'm trying to get the former PDC back into domain after
performing a
>>> classic
>>>> migration.
>>>> AD DC is running fine... if you can call it that.
>>>> I've edited the smb.conf and nsswitch.conf as suggested in
Wiki article,
>>> and
>>>> rejoined the domain. Went fine apart from failed DNS update
with local
>>> zone.
>>>
>>>> # net ads testjoin
>>>> Join is OK
>>>> But there's no data in getent, and domain users are unable
to
>>> authenticate on
>>>> the server.
>>>> So, where do I start looking?
>> Please check your  /etc/nsswitch.conf file, it should look contains
this,
>> passwd: compat winbind
>> group:    compat winbind
>> For more information, please go through Samba Wiki first,
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> Please read the message - I explicitly stated that nsswitch.conf is amended
as
> suggested on the wiki.
>
>
OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain 
classicupgrade', this should have given you users with uidNumber 
attributes and groups with gidNumber attributes.

If,as you said, you used the smb.conf from the member server wiki page, 
you will have something like this in your smb.conf:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999

Two questions:
Did you change 'SAMDOM' to your workgroup name ?
Are your users & groups uidNumber & gidNumber attributes inside the 
'10000=99999' range ?

Rowland