Hello everybody,

for a while I have been running a Samba 4.1 AD server under FreeBSD (from the FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.

I wanted to add a Samba 4.1 file server as a member server, was able to join the domain and see AD users via "winbind -u"

but "getent password" or "id <user>" does not work.

The smb4.conf is following

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

I added RFC2307 attributes to the AD server according to

https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP dump.

In /etc/nsswitch.conf I have

passwd: compat winbind
group: compat winbind

To the library.. the port installed

nss_winbind.so.1

but it did not appear in "ldconfig -r".. Just for the purpose of testing I moved it to

libnss_winbind.so.1

so ldconfig finds it.. Is this a bug? Something to do with https://bugzilla.samba.org/show_bug.cgi?id=9704 ?

Anyway, no getent entries, no id..

Here the smb4.conf:

[global]

workgroup = DOMAIN
security = ADS
realm = DOMAIN.FDA
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes

..

Do you have any advice which could help me to get it working?

Thanks
Peter
I've got the same problem and my solution was to install winbind, libnss-winbind and libpam-winbind. After v4.2 I think it is not necessary.

Greetings!!

2015-04-22 8:14 GMT+02:00 Peter Ross <Peter.Ross at alumni.tu-berlin.de>:

> Hello everybody,
>
> for a while I am running a Samba 4.1 AD server under FreeBSD (from the
> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.
>
> I wanted to add a Samba 4.1 file server as a member server, was able to
> join the domain and see AD users via "winbind -u"
>
> but "getent password" or "id <user>" does not work.
>
> The smb4.conf is following
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> I added RFC2307 attributes to the AD server according to
>
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>
> and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix
> Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP
> dump.
>
> In /etc/nsswitch.conf I have
>
> passwd: compat winbind
> group: compat winbind
>
> To the library.. the port installed
>
> nss_winbind.so.1
>
> but it did not appear in "ldconfig -r".. Just for the purpose of testing I
> moved it to
>
> libnss_winbind.so.1
>
> so ldconfig finds it.. Is this a bug? Something to do with
> https://bugzilla.samba.org/show_bug.cgi?id=9704 ?
>
> Anyway, no getent entries, no id..
>
> Here the smb4.conf:
>
> [global]
>
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.FDA
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes
>
> ..
>
> Do you have any advice which could help me to get it working?
>
> Thanks
> Peter
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Greetings, Peter Ross!

> for a while I am running a Samba 4.1 AD server under FreeBSD (from the
> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.

> I wanted to add a Samba 4.1 file server as a member server, was able to
> join the domain and see AD users via "winbind -u"

> but "getent password" or "id <user>" does not work.

Sounds quite familiar...

> The smb4.conf is following

> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> I added RFC2307 attributes to the AD server according to

> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

> and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix
> Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP
> dump.

> In /etc/nsswitch.conf I have

> passwd: compat winbind
> group: compat winbind

> To the library.. the port installed

> nss_winbind.so.1

> but it did not appear in "ldconfig -r".. Just for the purpose of testing I
> moved it to

> libnss_winbind.so.1

> so ldconfig finds it.. Is this a bug? Something to do with
> https://bugzilla.samba.org/show_bug.cgi?id=9704 ?

To know if this is a bug or not, increase the logging level for winbind (to 3 at least) and see if it tries to resolve the names at all.

For idmap to work, both users and their primary groups need to have a correct uid/gid assigned, and the uid/gid needs to be in the range specified by idmap config for the domain.

To see the list of all assigned uid/gid:

ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber=*)(uidnumber=*))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un

Ignore uid 0 and 65534, though.

> Anyway, no getent entries, no id..

> Here the smb4.conf:

> [global]

> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.FDA
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab

> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999

> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes

> ..

> Do you have any advice which could help me to get it working?

--
With best regards,
Andrey Repin
Wednesday, April 22, 2015 14:51:22

Sorry for my terrible English...
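The two conditions Andrey states (every uid/gid must fall inside the `idmap config DOMAIN:range`, and a user's primary group must itself carry a gidNumber) are easy to get wrong by hand once a domain has more than a handful of accounts. The following script is an added example, not code from the thread or from Samba: it parses the idmap ranges out of the `[global]` section Peter posted, reads the LDIF that Andrey's `ldbsearch` query prints (before the `grep`/`cut`/`sort` stages), and reports the entries winbind could not map. The LDIF sample, its DNs and its numbers are constructed for the example; in practice you would feed it the real `ldbsearch` output. It also flags a `*` range that overlaps the domain range, which winbind rejects at startup.

```python
"""Check RFC2307 uid/gid assignments against a Samba member server's idmap ranges.

Added example for the thread above; not Samba's own tooling.
Inputs: smb.conf [global] text (as posted) and LDIF as printed by
  ldbsearch -s sub -H <sam.ldb> '(|(gidnumber=*)(uidnumber=*))' gidnumber uidnumber
"""
import re
from typing import Dict, List, Tuple

# Peter's idmap settings, copied from the thread (unrelated keys omitted).
SMB_CONF = """\
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.FDA
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
winbind nss info = rfc2307
"""

# Constructed sample LDIF (DNs and numbers are invented for this example).
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=domain,DC=fda
gidNumber: 10000

# record 2
dn: CN=pross,CN=Users,DC=domain,DC=fda
uidNumber: 10001
gidNumber: 10000

# record 3
dn: CN=legacy,CN=Users,DC=domain,DC=fda
uidNumber: 5000
gidNumber: 10000

# record 4
dn: CN=nogroup,CN=Users,DC=domain,DC=fda
uidNumber: 10002

# record 5
dn: CN=nobody,CN=Users,DC=domain,DC=fda
uidNumber: 65534
gidNumber: 65534

# returned 5 records
"""

IGNORED_IDS = {0, 65534}  # per Andrey: ignore uid 0 and 65534
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain name ('*' or 'DOMAIN') to its (low, high) range."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split ldbsearch LDIF into one attribute dict per record; '#' lines are skipped."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends a record
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def check_idmap(conf: str, ldif: str, domain: str) -> List[str]:
    """Return human-readable problems that would leave entries unmapped by idmap_ad."""
    ranges = parse_idmap_ranges(conf)
    dom = ranges.get(domain.upper())
    if dom is None:
        return [f"no 'idmap config {domain}:range' in smb.conf"]
    lo, hi = dom
    problems: List[str] = []
    # winbind refuses to start when idmap ranges overlap, so check that first.
    for name, (olo, ohi) in ranges.items():
        if name != domain.upper() and olo <= hi and lo <= ohi:
            problems.append(f"range for {domain} {lo}-{hi} overlaps {name} {olo}-{ohi}")
    entries = parse_ldif(ldif)
    # Group objects carry gidNumber but no uidNumber.
    group_gids = {int(e["gidNumber"]) for e in entries
                  if "gidNumber" in e and "uidNumber" not in e}
    for e in entries:
        dn = e.get("dn", "?")
        if "uidNumber" not in e:
            gid = int(e.get("gidNumber", "0"))
            if gid not in IGNORED_IDS and not lo <= gid <= hi:
                problems.append(f"{dn}: gidNumber {gid} outside {lo}-{hi}")
            continue
        uid = int(e["uidNumber"])
        if uid in IGNORED_IDS:
            continue
        if not lo <= uid <= hi:
            problems.append(f"{dn}: uidNumber {uid} outside {lo}-{hi}")
        if "gidNumber" not in e:
            problems.append(f"{dn}: no gidNumber, primary group cannot be mapped")
            continue
        gid = int(e["gidNumber"])
        if not lo <= gid <= hi:
            problems.append(f"{dn}: gidNumber {gid} outside {lo}-{hi}")
        elif gid not in group_gids:
            problems.append(f"{dn}: gidNumber {gid} matches no group object")
    return problems


if __name__ == "__main__":
    for p in check_idmap(SMB_CONF, SAMPLE_LDIF, "DOMAIN") or ["no idmap problems found"]:
        print(p)
```

Run on the constructed sample it reports the user whose uidNumber 5000 falls into the `*` tdb range rather than the DOMAIN ad range, and the user that has no gidNumber at all; both would be invisible to `getent passwd` on the member server even though `wbinfo -u` lists them, because enumeration only asks the DC for names while NSS lookups need a complete, in-range uid/gid pair.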
On Wed, 22 Apr 2015, Andrey Repin wrote:

> Greetings, Peter Ross!

Greetings, Andrey!

>> for a while I am running a Samba 4.1 AD server under FreeBSD (from the
>> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.
>
>> I wanted to add a Samba 4.1 file server as a member server, was able to
>> join the domain and see AD users via "winbind -u"
>
>> but "getent password" or "id <user>" does not work.
>
> Sounds quite familiar...
>
>> The smb4.conf is following
>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>> I added RFC2307 attributes to the AD server according to
>
>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>
>> and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix
>> Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP
>> dump.
>
>> In /etc/nsswitch.conf I have
>
>> passwd: compat winbind
>> group: compat winbind

Moved back (tried before) to

passwd: files winbind
group: files winbind

because of this in auth.log:

2015-04-23T11:50:42.800676+10:00 filetest1.vv.fda sshd[98179]: NSSWITCH(nsparser): /etc/nsswitch.conf line 16: 'compat' used with sources, other than 'cache'

but the latter does not work either.

2015-04-23T12:05:31.804932+10:00 filetest1.vv.fda sshd[99725]: NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not found, and no fallback provided

"getent passwd" and "id pross" do not bother to ask winbind, it seems. Only "winbind -u" initiates network traffic to the AD server, to ask for the list.

The name of the NSS library bothers me, really "nss_winbind.so.1" without a "lib"? Given there was a bug before (https://bugzilla.samba.org/show_bug.cgi?id=9704)

Or does it have to do with the path (under FreeBSD ports install under /usr/local)?

I will dig into NSS a bit. It was "just works" until now so I never bothered to look for details there.

The IDs in AD seem to be okay, I see them in ldbsearch and they are in the right range.

Regards
Peter