On Tue, Aug 9, 2016 at 12:29 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 9 Aug 2016 11:58:42 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> > $ smbclient -L //debian2 -U username
> > Enter username's password:
> > session setup failed: NT_STATUS_UNSUCCESSFUL
>
> > > > When I do a wbinfo look up on my user with a UID of 1000, it has
> > > > this:
> > > >
> > > > theusername:*:16777216:16777220:The Username:/home/MYDOM/theusername:/bin/false
>
> I think I might have spotted something here, your user doesn't seem to
> exist on the client and you are relying on wbinfo to tell you it exists.
> Only problem with that, wbinfo checks AD but this doesn't mean the
> local Unix OS knows the user.
>
> What does 'getent passwd username' show when run on 'debian2'?
>
> Until it produces something like this:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> it will not work.

> getent passwd username

(or "theusername") is not the literal command. I substitute
'username' here to protect the user id.
getent passwd on the user does work and it returns uid and gid of
1000, exactly what we see in the /etc/passwd file. It is the same
output as grep 'username' on /etc/passwd.

Remember, when winbind is off, it works. This is certainly bug 10604
by all measures.

On Tue, 9 Aug 2016 13:37:18 -0300 francis picabia <fpicabia at gmail.com> wrote:

> > getent passwd username
>
> (or "theusername") is not the literal command. I substitute
> 'username' here to protect the user id.
> getent passwd on the user does work and it returns uid and gid of
> 1000, exactly what we see in the /etc/passwd file. It is the same
> output as grep 'username' on /etc/passwd.
>
> Remember, when winbind is off, it works. This is certainly bug 10604
> by all measures.

And I think you have just posted your problem!

Let's use 'fred' as one of your users, replace 'fred' with a real user's
name

Do you have a user called 'fred' in /etc/passwd *and* in AD?

If so, choose one and then delete the other, you cannot have them in
both.

Rowland

On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 9 Aug 2016 13:37:18 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> > > getent passwd username
> >
> > (or "theusername") is not the literal command. I substitute
> > 'username' here to protect the user id.
> > getent passwd on the user does work and it returns uid and gid of
> > 1000, exactly what we see in the /etc/passwd file. It is the same
> > output as grep 'username' on /etc/passwd.
> >
> > Remember, when winbind is off, it works. This is certainly bug 10604
> > by all measures.
>
> And I think you have just posted your problem!
>
> Let's use 'fred' as one of your users, replace 'fred' with a real user's
> name
>
> Do you have a user called 'fred' in /etc/passwd *and* in AD?
>
> If so, choose one and then delete the other, you cannot have them in
> both.

I don't think you've done this before. Have you used security = ads?

I have dozens of servers and hundreds of users running just fine with
this. Having the same user defined in both Linux and AD, and mapping it
for authentication is the whole point.

On 2016-08-09 at 17:58 +0100, Rowland Penny via samba wrote:

> On Tue, 9 Aug 2016 13:37:18 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> > > getent passwd username
> >
> > (or "theusername") is not the literal command. I substitute
> > 'username' here to protect the user id.
> > getent passwd on the user does work and it returns uid and gid of
> > 1000, exactly what we see in the /etc/passwd file. It is the same
> > output as grep 'username' on /etc/passwd.
> >
> > Remember, when winbind is off, it works. This is certainly bug 10604
> > by all measures.
>
> And I think you have just posted your problem!
>
> Let's use 'fred' as one of your users, replace 'fred' with a real user's
> name
>
> Do you have a user called 'fred' in /etc/passwd *and* in AD?
>
> If so, choose one and then delete the other, you cannot have them in
> both.

*Not* setting 'winbind use default domain = yes' will allow you to have
them both. And they will be what they should be: two different users.
With different unix IDs.

Cheers - Michael
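
The overlap this thread is arguing about (one account name defined both in /etc/passwd and in the domain) can be listed directly. The following is an added example, not code from any poster or from the Samba project: the `overlap` function name and the sample files are constructed, the backslash is assumed to be the winbind separator, and names are assumed to compare case-insensitively.

```shell
#!/bin/sh
# Added example: report account names defined both in a local passwd file
# and in a winbind user listing. Inputs are files so it runs offline; on a
# member server they would be /etc/passwd and the saved output of `wbinfo -u`.

# overlap PASSWD_FILE WBINFO_LIST
# Prints "name uid" for each local account whose name is also in the list.
# A DOMAIN\ prefix (shown when 'winbind use default domain = yes' is not
# set) is stripped first. Assumptions: '\' is the winbind separator and
# names are compared case-insensitively.
overlap() {
    sed 's/^.*\\//' "$2" | awk -F: '
        pass == 1 { if ($0 != "") domain[tolower($0)] = 1; next }
        /^#/ || NF < 3 { next }              # comments, malformed lines
        (tolower($1) in domain) { print $1, $3 }
    ' pass=1 - pass=2 "$1"
}

# Constructed sample data (MYDOM and theusername follow the thread).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
theusername:x:1000:1000:The Username:/home/theusername:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

cat > "$workdir/wbinfo_u" <<'EOF'
MYDOM\administrator
MYDOM\theusername
MYDOM\fred
EOF

# Lists every name that resolves from two sources, with its local uid.
overlap "$workdir/passwd" "$workdir/wbinfo_u"
```

Each name it prints is one to compare with `getent passwd NAME` and `wbinfo -i NAME` to see which source the system actually resolves it from.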