On 13 June 2015 at 09:34, buhorojo <buhorojo.lcb at gmail.com> wrote:
>> On 12 June 2015 at 08:55, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>> Sadly, even though sssd is now running and I'm no longer reliant on
>> winbind, the rest of samba doesn't seem to be taking notice of these
>> mappings - again, only after a period of time (it's OK at first, but
>> then switches to the wrong mappings).
>
> Then you must have some winbind(d) nonsense still. Remove the .tdb s and
> killall winbindd processes. Make sure the idmap_ldb line is removed. Make
> sure only winbind is running at samba start up (I think it's +winbind,
> -winbindd) and lose all references to winbind in nsswitch.conf. net cache
> flush doesn't work. You need to remove the databases.
> HTH
Thank you!
I now set in smb.conf:
server services = -dns +winbind -winbindd
I stopped samba, then removed databases:
# rm /usr/local/samba/var/cache/gencache.tdb \
/usr/local/samba/var/lock/gencache_notrans.tdb \
/usr/local/samba/private/idmap.ldb
However I must have done something wrong... no users can connect to shares at all, this way:
[root at dc1 ~]# smbstatus
Samba version 4.2.2
PID Username Group Machine Protocol Version
------------------------------------------------------------------------------
27024 -1 -1 1.2.3.4 (ipv4:1.2.3.4:2394) NT1
Service pid machine Connected at
-------------------------------------------------------
No locked files
I've restored the defaults (+winbindd, -winbind) but by this point, that didn't allow users to connect, either - this time coming up with the following (many times) in the logs:
Jun 13 09:52:06 dc1 smbd[9628]: [2015/06/13 09:52:06.129760, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Jun 13 09:52:06 dc1 smbd[9628]: Unable to convert SID (S-1-1-0) at index 5 in user token to a GID. Conversion was returned as type 0, full token:
Jun 13 09:52:06 dc1 smbd[9628]: [2015/06/13 09:52:06.129880, 0] ../libcli/security/security_token.c:63(security_token_debug)
Jun 13 09:52:06 dc1 smbd[9628]: Security token SIDs (10):
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 0]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1138
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 1]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-513
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 2]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2613
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 3]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2615
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 4]: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1168
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 5]: S-1-1-0
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 6]: S-1-5-2
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 7]: S-1-5-11
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 8]: S-1-5-32-545
Jun 13 09:52:06 dc1 smbd[9628]: SID[ 9]: S-1-5-32-554
Jun 13 09:52:06 dc1 smbd[9628]: Privileges (0x 800000):
Jun 13 09:52:06 dc1 smbd[9628]: Privilege[ 0]: SeChangeNotifyPrivilege
Jun 13 09:52:06 dc1 smbd[9628]: Rights (0x 400):
Jun 13 09:52:06 dc1 smbd[9628]: Right[ 0]: SeRemoteInteractiveLogonRight
Jun 13 09:52:06 dc1 rsyslogd-2177: imuxsock begins to drop messages from pid 9628 due to rate-limiting
From what I can tell, samba isn't able to resolve S-1-1-0 which is "Everyone".
I have copied idmap.ldb back over from another DC and restarted samba;
all works now - but I'm sure that this should be created by samba
somehow if idmap.ldb has been removed and does not exist.
What's the mechanism through which idmap.ldb is created - what am I missing there? I initially thought it might be something to do with rfc2307 and missing attributes, but I can't find 'Everybody' in AD (I thought it might be in the 'Builtin' container) to add attributes to it. I have added rfc2307 UIDs to the other 'Builtin' groups e.g. Administrators.
Cheers
J
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
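The token dump quoted in the message above, worked through as an added example that is not part of the original thread and not Samba's own code: a small Python parser that reads a security_token_debug() dump from the log, walks the SIDs in index order against a SID-to-xid table standing in for idmap.ldb, and reports where a security_token_to_unix_token()-style conversion would stop and which other SIDs would also fail. The log excerpt, the idmap table and its xid values are constructed for the example; WELL_KNOWN_NAMES, parse_token_sids, classify_sid, find_unmapped, first_failure and report are the example's own names, not Samba APIs.

```python
"""Parse an smbd 'Security token SIDs' dump and report SIDs with no Unix ID mapping."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the smbd log lines quoted in the thread.
# The domain part of the SIDs is anonymised exactly as in the original mail,
# so the parser tolerates letters in SID components.
DOMAIN = "S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz"
SAMPLE_LOG = "\n".join([
    "Jun 13 09:52:06 dc1 smbd[9628]: Unable to convert SID (S-1-1-0) at index 5 "
    "in user token to a GID. Conversion was returned as type 0, full token:",
    "Jun 13 09:52:06 dc1 smbd[9628]: Security token SIDs (10):",
    f"Jun 13 09:52:06 dc1 smbd[9628]:   SID[  0]: {DOMAIN}-1138",
    f"Jun 13 09:52:06 dc1 smbd[9628]:   SID[  1]: {DOMAIN}-513",
    f"Jun 13 09:52:06 dc1 smbd[9628]:   SID[  2]: {DOMAIN}-2613",
    f"Jun 13 09:52:06 dc1 smbd[9628]:   SID[  3]: {DOMAIN}-2615",
    f"Jun 13 09:52:06 dc1 smbd[9628]:   SID[  4]: {DOMAIN}-1168",
    "Jun 13 09:52:06 dc1 smbd[9628]:   SID[  5]: S-1-1-0",
    "Jun 13 09:52:06 dc1 smbd[9628]:   SID[  6]: S-1-5-2",
    "Jun 13 09:52:06 dc1 smbd[9628]:   SID[  7]: S-1-5-11",
    "Jun 13 09:52:06 dc1 smbd[9628]:   SID[  8]: S-1-5-32-545",
    "Jun 13 09:52:06 dc1 smbd[9628]:   SID[  9]: S-1-5-32-554",
    "Jun 13 09:52:06 dc1 smbd[9628]:  Privileges (0x 800000):",
])

# Constructed stand-in for an idmap.ldb that was deleted and recreated: only
# the domain SIDs have an xidNumber, the well-known and BUILTIN SIDs have no
# entry at all. Types and xid values are hypothetical.
SAMPLE_IDMAP: Dict[str, Tuple[str, int]] = {
    f"{DOMAIN}-1138": ("ID_TYPE_UID", 3000001),
    f"{DOMAIN}-513": ("ID_TYPE_GID", 3000002),
    f"{DOMAIN}-2613": ("ID_TYPE_GID", 3000003),
    f"{DOMAIN}-2615": ("ID_TYPE_GID", 3000004),
    f"{DOMAIN}-1168": ("ID_TYPE_GID", 3000005),
}

# Human names for the non-domain SIDs that appear in the quoted token.
WELL_KNOWN_NAMES = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}

# Matches 'SID[  5]: S-1-1-0'; components may contain letters (anonymised SIDs).
SID_LINE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-1(?:-[0-9A-Za-z]+)+)")


def parse_token_sids(log_text: str) -> List[str]:
    """Return the SIDs of a security_token_debug() dump, ordered by index."""
    found = {int(idx): sid for idx, sid in SID_LINE.findall(log_text)}
    return [found[i] for i in sorted(found)]


def classify_sid(sid: str) -> str:
    """Rough bucket: domain (S-1-5-21-...), BUILTIN (S-1-5-32-...) or well-known."""
    if sid.startswith("S-1-5-21-"):
        return "domain"
    if sid.startswith("S-1-5-32-"):
        return "builtin"
    return "well-known"


def find_unmapped(sids: List[str],
                  idmap: Dict[str, Tuple[str, int]]) -> List[Tuple[int, str, str]]:
    """Every token SID that has no xid in the mapping, with its index and class."""
    return [(i, s, classify_sid(s)) for i, s in enumerate(sids) if s not in idmap]


def first_failure(sids: List[str],
                  idmap: Dict[str, Tuple[str, int]]) -> Optional[Tuple[int, str]]:
    """Where an index-ordered SID-to-xid walk stops, mirroring the 'at index N' message."""
    for i, s in enumerate(sids):
        if s not in idmap:
            return (i, s)
    return None


def report(log_text: str, idmap: Dict[str, Tuple[str, int]]) -> List[str]:
    """One line per unmapped SID, so the whole gap is visible, not just the first hit."""
    sids = parse_token_sids(log_text)
    lines = []
    for i, s, kind in find_unmapped(sids, idmap):
        name = WELL_KNOWN_NAMES.get(s, "?")
        lines.append(f"index {i}: {s} ({kind}, {name}) has no xidNumber in idmap")
    return lines


if __name__ == "__main__":
    stop = first_failure(parse_token_sids(SAMPLE_LOG), SAMPLE_IDMAP)
    print("conversion would stop at:", stop)
    for line in report(SAMPLE_LOG, SAMPLE_IDMAP):
        print(line)
```

The point of the walk is that smbd only reports the first SID it cannot convert, so fixing S-1-1-0 alone would have surfaced the next unmapped SID on the following connection; the report lists all of them at once. On a live DC the same check for a single SID can be made with `wbinfo --sid-to-gid S-1-1-0` or, against the file named in the thread, `ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectSid=S-1-1-0)'`.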