Rowland Penny
2015-Apr-05 09:57 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 00:59, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> OK, what does running this command on the DC show:
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep
>>>> 'uidNumber'
>>>> This relies on ldb-tools being installed and sam.ldb being in
>>>> '/var/lib/samba/private' if yours is somewhere else, change the path.
>>> I have the urge to say "nothing" before even checking first, as I have no
>>> RID's that high. But it appears the RID's were all changed after migration.
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>>>
>>> # record 1
>>> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> uidNumber: 30000
>>>
>>> Before migration, all users had RID=uidNumber, except one.
>>> Why have they been changed?
>>>
>>>
>> I have no idea why they have changed, but it is there and it is inside
>> the range set in your member server smb.conf, so getent should fetch the
>> users info.
>> Have you got the winbind links in the correct place, see the member
>> server wiki page
>> do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf
> Since Winbind is actually trying to resolve the names from getent, the
> requests are passed correctly to it.
> I did not make any links, because I'm not compiling anything myself.
> I'm using the distributed version of Samba.
>
>> Can you check that Domain Users has a 'gidNumber'
> # ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
> # record 1
> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
> gidNumber: 513
>
>

I think that could very well be your problem, you have these lines in the smb.conf on your member server:

idmap config CCENTER : backend = ad
idmap config CCENTER : schema_mode = rfc2307
idmap config CCENTER : range = 1000-50000

What they mean is, use the winbind 'ad' backend with rfc2307 attributes and ignore any uidNumbers & gidNumbers that fall outside the range '1000-50000'

'513' is less than '1000' so will be ignored, and as 'Domain Users' is the users' primary group and must have a valid gidNumber, all users are ignored.

Try this, give 'Domain Users' a larger gidNumber:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'

Change 'gidNumber: 513'

To 'gidNumber: 10513'

Now try 'getent passwd domainuser'

Rowland
Luca Olivetti
2015-Apr-05 12:10 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 at 11:57, Rowland Penny wrote:
>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>> gidNumber: 513
>>
>>
>
> I think that could very well be your problem, you have these lines in
> the smb.conf on your member server:
>
> idmap config CCENTER : backend = ad
> idmap config CCENTER : schema_mode = rfc2307
> idmap config CCENTER : range = 1000-50000
>
> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
> and ignore any uidNumbers & gidNumbers that fall outside the range
> '1000-50000'
>
> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
> the users' primary group and must have a valid gidNumber, all users are
> ignored.
>
> Try this, give 'Domain Users' a larger gidNumber:
>
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>
> Change 'gidNumber: 513'
>
> To 'gidNumber: 10513'
>
> Now try 'getent passwd domainuser'

Wouldn't it be better to simply change the range to 500-50000?
If he's like me, he'll have many hundreds of gigabytes of files with those
uids/gids

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Rowland Penny
2015-Apr-05 12:25 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:10, Luca Olivetti wrote:
> On 05/04/15 at 11:57, Rowland Penny wrote:
>
>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>> gidNumber: 513
>>>
>>>
>> I think that could very well be your problem, you have these lines in
>> the smb.conf on your member server:
>>
>> idmap config CCENTER : backend = ad
>> idmap config CCENTER : schema_mode = rfc2307
>> idmap config CCENTER : range = 1000-50000
>>
>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>> and ignore any uidNumbers & gidNumbers that fall outside the range
>> '1000-50000'
>>
>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>> the users' primary group and must have a valid gidNumber, all users are
>> ignored.
>>
>> Try this, give 'Domain Users' a larger gidNumber:
>>
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>
>> Change 'gidNumber: 513'
>>
>> To 'gidNumber: 10513'
>>
>> Now try 'getent passwd domainuser'
> Wouldn't it be better to simply change the range to 500-50000?
> If he's like me, he'll have many hundreds of gigabytes of files with those
> uids/gids
>
> Bye
>

Well yes, but I wanted to show the OP the relation between what the uidNumber attribute holds and the range set in smb.conf. If what I propose works (and I am sure it will), I would have then advised the OP to reset Domain Users back to 513, but I would also have pointed out that you now cannot have *ANY* local users or groups!

I would also have pointed out that the lowest uid on Debian/Ubuntu, that is not a system user, is 1000, so using the range '500-50000' is not a good idea.

Rowland
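The relation discussed in this thread between the 'idmap config' range and the rfc2307 attributes can be checked offline before touching sam.ldb or smb.conf. The following is an added example, not part of the original posts and not Samba code; it models the rule as described above (an ID outside the range is ignored, and a user whose primary group has no usable gidNumber is ignored too). The function names, the primaryGroupID line in the sample and the sample records themselves are assumptions constructed from the values quoted in the thread.

```python
import re

# Constructed inputs built from the values quoted in the thread. The
# primaryGroupID attribute is an assumption: it is not shown on the page.
SMB_CONF = """\
idmap config CCENTER : backend = ad
idmap config CCENTER : schema_mode = rfc2307
idmap config CCENTER : range = 1000-50000
"""
LDIF = """\
dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 30000
primaryGroupID: 513

dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
gidNumber: 513
"""

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """Split ldbsearch-style output into one attribute dict per record."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks]

def unresolvable_users(conf, domain, ldif):
    """User DN -> reasons it is ignored; primary group is matched by RID."""
    low, high = idmap_range(conf, domain)
    recs = parse_ldif(ldif)
    gid_by_rid = {r["objectSid"].rsplit("-", 1)[1]: r["gidNumber"]
                  for r in recs if "gidNumber" in r and "objectSid" in r}
    problems = {}
    for r in (r for r in recs if "uidNumber" in r):
        gid = gid_by_rid.get(r.get("primaryGroupID"))
        reasons = []
        if not low <= int(r["uidNumber"]) <= high:
            reasons.append(f"uidNumber {r['uidNumber']} outside {low}-{high}")
        if gid is None or not low <= int(gid) <= high:
            reasons.append(f"primary group gidNumber {gid} outside {low}-{high}")
        if reasons:
            problems[r["dn"]] = reasons
    return problems
```

With the sample data, unresolvable_users(SMB_CONF, "CCENTER", LDIF) reports domainuser because of the group's gidNumber 513; either changing the gidNumber to 10513 or widening the range to 500-50000 empties the report.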