Hello,

No, it's an AD classic upgraded from a Samba 3 PDC.

Here's a user example from my DC:

uid=1116(MYDOM\begr00) gid=513(MYDOM\domain users) groupes=513(MYDOM\domain users),1151(MYDOM\evaluation),1214(MYDOM\procedures),12021(MYDOM\s13cadre),12041(MYDOM\s13-grh),1264(MYDOM\zsbw),1001(MYDOM\s13),3000005(BUILTIN\users)

My first user starts at uid 1001 (1000 was the administrator account on the S3 PDC) and groups start at 1000. AD and the old PDC have exactly the same uid/gid except for specific AD builtin groups.

On Dec 5 2016, at 6:07 pm, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 05 Dec 2016 15:43:09 +0000
> contact--- via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm currently stuck with a QNAP NAS appliance (don't buy this!)
> >
> > I have a Sernet Samba 4.5 as an AD controller and my QNAP has a
> > Samba 4.0.25 (latest update).
> >
> > All I want is to join the QNAP to the AD; the QNAP will act as the
> > file server.
> >
> > The join in the official way is okay but the uid / gid mapping is
> > f*cked.
> >
> > I tried almost everything: change the idmap, manual join, ad / rid /
> > autoid mode, etc. When it works, I have bad uid/gids.
> >
> > When I set the idmap to start from 0 my gid 515 is good but other uids
> > are bad.
> >
> > For now, I changed the settings to match the wiki page of samba
> > "Setup samba as an AD Domain Member" with ad backend rfc2307. winbind
> > returns the correct user list, the SIDs are good, but when wbinfo tries
> > to convert them to uid/gid I have an error.
> >
> > Example:
> >
> > [/etc/config] # wbinfo -n begr00
> > S-1-5-21-xxxxxx-xxxxxx-xxxxxx-3232 SID_USER (1)
> >
> > [/etc/config] # wbinfo -S S-1-5-21-xxxxxx-xxxxxx-xxxxxx-3232
> > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not convert sid S-1-5-21-xxxxxx-xxxxxx-xxxxxx-3232 to uid
> >
> > The winbind log, nothing really interesting:
> >
> > [2016/12/05 16:04:30.745570, 0] ../source3/winbindd/winbindd.c:204(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> > [2016/12/05 16:08:31.349762, 0] ../lib/util/charset/codepoints.c:292(get_conv_handle)
> >   dos charset 'CP850' unavailable - using ASCII
> > [2016/12/05 16:09:13.256148, 0] ../source3/winbindd/winbindd.c:204(winbindd_sig_term_handler)
> >   Got sig[15] terminate (is_parent=0)
> >
> > Here is my winbind/idmap config:
> >
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind cache time = 3600
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config MYDOM:backend = ad
> > idmap config MYDOM:schema_mode = rfc2307
> > idmap config MYDOM:range = 10000-999999
> >
> > Can someone help me?
> >
> > Thank you, have a good day!
>
> Does 'Domain users' have a gidNumber attribute containing a number
> between '10000-999999' ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Tue, 06 Dec 2016 08:13:03 +0000
"contact at makz.me" <contact at makz.me> wrote:

> On Dec 5 2016, at 6:07 pm, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > Does 'Domain users' have a gidNumber attribute containing a number
> > between '10000-999999' ?
>
> No, it's an AD classic upgraded from a Samba 3 PDC.
>
> Here's a user example from my DC:
>
> uid=1116(MYDOM\begr00) gid=513(MYDOM\domain users) groupes=513(MYDOM\domain users),1151(MYDOM\evaluation),1214(MYDOM\procedures),12021(MYDOM\s13cadre),12041(MYDOM\s13-grh),1264(MYDOM\zsbw),1001(MYDOM\s13),3000005(BUILTIN\users)
>
> My first user starts at uid 1001 (1000 was the administrator account
> on the S3 PDC) and groups start at 1000. AD and the old PDC have exactly
> the same uid/gid except for specific AD builtin groups.

How did you upgrade?

Whatever way you upgraded, it isn't going to work!

With lines like these in smb.conf:

idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 10000-999999

Your users & groups in AD need to have uidNumber or gidNumber attributes containing a number between 10000-999999. Any number outside this range will be ignored and therefore the user or group will be invisible to Unix.

The 'Domain Users' group MUST have a gidNumber containing a number inside the range or ALL users will be ignored.

From what you have posted, your DOMAIN range needs to start at '500', but this will mean that you CANNOT have any local Unix users and the builtin range will need to start above '999999'.

Rowland

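Added example, not part of the original thread or of Samba: a Python check of the rule described in the reply above, that with the `ad` backend only IDs inside the domain's `idmap config` range are mapped, together with a check that idmap ranges do not overlap. The function names are hypothetical, the two smb.conf fragments are constructed from the posted lines and from the suggested range starting at 500, and the IDs are those in the posted `id` output, assumed to be the values stored in uidNumber/gidNumber.

```python
import re

# Constructed from the idmap lines posted in the thread.
POSTED = """
idmap config * : range = 3000-7999
idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-999999
"""
# Constructed: domain range from 500, default range above 999999, as the
# reply suggests. The default range's upper bound is an assumption.
SUGGESTED = """
idmap config * : range = 1000000-1999999
idmap config MYDOM:backend = ad
idmap config MYDOM:range = 500-999999
"""
# IDs from the posted `id` output, assumed (as the thread does) to be the
# uidNumber/gidNumber values stored in AD. BUILTIN\users is left out.
POSTED_IDS = {
    "begr00": 1116, "domain users": 513, "evaluation": 1151,
    "procedures": 1214, "s13cadre": 12021, "s13-grh": 12041,
    "zsbw": 1264, "s13": 1001,
}
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping(ranges):
    """Pairs of domains whose ID ranges intersect (ranges must not overlap)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def report(conf, domain="MYDOM", ids=POSTED_IDS):
    """Overlapping ranges, plus names whose ID falls outside the domain range."""
    ranges = parse_ranges(conf)
    low, high = ranges[domain]
    ignored = sorted(n for n, i in ids.items() if not low <= i <= high)
    return {"overlaps": overlapping(ranges), "ignored": ignored}

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, report(conf))
```

Lowering only the MYDOM range to 500 while leaving the default range at 3000-7999 is reported as an overlap between `*` and `MYDOM`.
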
I've upgraded in the classic way described in the wiki:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)

I don't have any unix users between 99 and 65534 so I think I can set the range to start from 500.

However, this still won't work :(

On Dec 6 2016, at 10:01 am, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 06 Dec 2016 08:13:03 +0000
> "contact at makz.me" <contact at makz.me> wrote:
>
> > On Dec 5 2016, at 6:07 pm, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > Does 'Domain users' have a gidNumber attribute containing a number
> > > between '10000-999999' ?
> >
> > No, it's an AD classic upgraded from a Samba 3 PDC.
> >
> > Here's a user example from my DC:
> >
> > uid=1116(MYDOM\begr00) gid=513(MYDOM\domain users) groupes=513(MYDOM\domain users),1151(MYDOM\evaluation),1214(MYDOM\procedures),12021(MYDOM\s13cadre),12041(MYDOM\s13-grh),1264(MYDOM\zsbw),1001(MYDOM\s13),3000005(BUILTIN\users)
> >
> > My first user starts at uid 1001 (1000 was the administrator account
> > on the S3 PDC) and groups start at 1000. AD and the old PDC have exactly
> > the same uid/gid except for specific AD builtin groups.
>
> How did you upgrade?
>
> Whatever way you upgraded, it isn't going to work!
>
> With lines like these in smb.conf:
>
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range = 10000-999999
>
> Your users & groups in AD need to have uidNumber or gidNumber
> attributes containing a number between 10000-999999. Any number outside
> this range will be ignored and therefore the user or group will be
> invisible to Unix.
>
> The 'Domain Users' group MUST have a gidNumber containing a number
> inside the range or ALL users will be ignored.
>
> From what you have posted, your DOMAIN range needs to start at '500',
> but this will mean that you CANNOT have any local Unix users and the
> builtin range will need to start above '999999'.
>
> Rowland