Hi Jonathan,

Thank you for that, that solved the issue.

Unfortunately I get another issue: on one DC "id <user>" gives "no such user".
Adding the domain (id ad.domain\\<user>) does not help.
Adding the whole domain (id ad.domain.tld\\<user>) does not help either.

I did check the PAM, NSS and Samba configurations; this server is using the same configurations as the two working DCs. I'm puzzled.

2016-04-21 11:52 GMT+02:00 Jonathan Hunter <jmhunter1 at gmail.com>:
> You can try "net cache flush" (if you want to inspect the cache, use "net cache list")
>
> On 21 April 2016 at 10:40, mathias dufresne <infractory at gmail.com> wrote:
>
> > Hi all,
> >
> > Back to playing with winbind, I first configured PAM and NSS, then tried "id <my_user_name>" without setting uidNumber for that user.
> >
> > This user gets a UID from idmap.
> >
> > I set uidNumber in the LDAP tree for that user, but this user still gets a uid from idmap rather than from the uidNumber attribute.
> >
> > I set up another user with uidNumber in the LDAP tree and after doing that I tried "id <my_second_user>". Here id returns the content of the uidNumber LDAP attribute as the user's UID.
> >
> > Question: how to make the first user get rid of the idmapped UID?
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> --
> "If we knew what it was we were doing, it would not be called research, would it?"
> - Albert Einstein
Hi,

Does "wbinfo -i <user>" work, and return the same results, on all the DCs?

Are the DCs running the same distribution & versions (e.g. CentOS, Debian, whatever) or are there differences there, also?
All DCs are running the same Samba version: 4.4.2. All DCs are hosted on the same CentOS 7.
On broken server(s):
wbinfo -i mdufresne
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user mdufresne
On working servers:
wbinfo -i mdufresne
AD.DOMAIN\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false
The smb.conf is:
---------------------------------------------------------------------
# Global parameters
[global]
workgroup = AD.DOMAIN
realm = AD.DOMAIN.TLD
netbios name = DNS20
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
acl_xattr:ignore system acls = yes
winbind nss info = rfc2307
[netlogon]
path = /var/lib/samba/sysvol/ad.domain.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
---------------------------------------------------------------------
krb5.conf is:
---------------------------------------------------------------------
[libdefaults]
default_realm = AD.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
---------------------------------------------------------------------
The winbind-related part of nsswitch.conf is:
---------------------------------------------------------------------
passwd: files winbind
shadow: files winbind
group: files winbind
---------------------------------------------------------------------
And finally the PAM configuration (only the winbind-related entries):
---------------------------------------------------------------------
/etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/fingerprint-auth:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/fingerprint-auth-ac:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth:auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
/etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth:password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
/etc/pam.d/password-auth:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth-ac:auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth-ac:password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
/etc/pam.d/password-auth-ac:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth-ac:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/system-auth-ac:auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/system-auth-ac:password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
/etc/pam.d/system-auth-ac:session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
---------------------------------------------------------------------
This PAM configuration was obtained using the RH authconfig tool:
authconfig --enablewinbindkrb5 --enablewinbindauth --update
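The check Jonathan asks for (does "wbinfo -i" agree on every DC, and is a UID coming from rfc2307 uidNumber or from idmap allocation) as a small script; this is an added example, not code from the thread or from Samba. The sample lines are constructed from the output quoted above, and the idmap.ldb allocation base of 3000000 is an assumption about the default range, not something the thread states.

```shell
#!/bin/sh
# Added example (not the poster's or Samba's code): classify where the UID in a
# "wbinfo -i <user>" line came from, and compare the answer across DCs.
# ASSUMPTION: idmap.ldb on an AD DC allocates xids from IDMAP_BASE upwards, so a
# UID below it was taken from the user's rfc2307 uidNumber attribute.
IDMAP_BASE=3000000

# wbinfo_uid_source LINE: prints "error", "idmap" or "rfc2307" for one line of
# wbinfo -i output (passwd format: name:pw:uid:gid:gecos:home:shell).
wbinfo_uid_source() {
    case $1 in
        "failed to call wbcGetpwnam"*|"Could not get info"*) echo error; return 0 ;;
    esac
    uid=$(printf '%s\n' "$1" | awk -F: '{ print $3 }')
    case $uid in
        ''|*[!0-9]*) echo error ;;                  # malformed line: no numeric uid
        *) [ "$uid" -ge "$IDMAP_BASE" ] && echo idmap || echo rfc2307 ;;
    esac
}

# compare_dcs FILE: FILE holds one "host<TAB>wbinfo-line" record per DC. Prints
# "host source uid" per record; exit status 1 if any DC errored or UIDs disagree.
compare_dcs() {
    awk -F'\t' -v base="$IDMAP_BASE" '
    {
        host = $1; out = $2; uid = "-"; src = "error"
        if (out !~ /^(failed to call wbcGetpwnam|Could not get info)/) {
            split(out, f, ":"); uid = f[3]
            src = ((uid + 0) >= (base + 0)) ? "idmap" : "rfc2307"
        }
        printf "%s %s %s\n", host, src, uid
        if (src == "error") bad = 1
        else if (ref == "") ref = uid       # first good answer is the reference
        else if (uid != ref) bad = 1        # another DC resolves a different uid
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample: two DCs agree, the third fails like the broken DC in the thread.
SAMPLE=$(mktemp)
printf 'dc1\tAD.DOMAIN\\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false\n' >> "$SAMPLE"
printf 'dc2\tAD.DOMAIN\\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false\n' >> "$SAMPLE"
printf 'dc3\tfailed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND\n' >> "$SAMPLE"
compare_dcs "$SAMPLE" || echo "DCs disagree or one failed: check winbind on the flagged host"
rm -f "$SAMPLE"
```

To use it against real DCs, collect `wbinfo -i <user>` from each host into the tab-separated file and feed it to compare_dcs.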