Stefan G. Weichinger
2017-Jan-01 14:40 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
googled and tried stuff:

# net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P | grep uidN | sort -n

... shows me uidNumbers:

uidNumber: 0
uidNumber: 1000
.. up to 1077

So my idmap range was completely wrong, I assume.

I now have on the member server:

# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.secret.tld
log file = /var/log/samba/%m.log
log level = 1

idmap config * : backend = tdb
#idmap config * : range = 2000-2999

## idmap config for the ARBEITSGRUPPE domain
idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 1000-9999

username map = /etc/samba/user.map

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

Now I get wbinfo -i again:

# wbinfo -i sgw
sgw:*:4294967295:4294967295:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

But the group is wrong.

# wbinfo --group-info 'domain users'
domain users:x:4294967295:

What to correct here, please?
On Sun, 1 Jan 2017 15:40:53 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> googled and tried stuff:
>
> # net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber -P | grep uidN | sort -n
>
> ... shows me uidNumbers:
>
> uidNumber: 0

You definitely shouldn't have a user with the ID of '0' (in my opinion)
Is this Administrator ?

> uidNumber: 1000
>
> .. up to 1077

So it looks like you only have 77 users, but cannot have any local Unix
users because your Unix users start at 1000. How do you feel about changing
the uidNumbers ? if so, the easiest way will be to open the AD database
with ldbedit:

ldbedit -e nano -H /usr/local/samba/private/sam.ldb

Then search through the file for 'uidNumber' and then change the
contents, I would just add a '0' after the first digit i.e. '1077'
would become '10077'

Remove the uidNumber that contains '0'

check that Domain Users has a gidNumber attribute and that it contains
a number in the 10000 range

finally change 'idmap config ARBEITSGRUPPE:range = 1000-9999' to 'idmap
config ARBEITSGRUPPE:range = 10000-99999' and put the 'idmap config
SAMDOM : schema_mode = rfc2307' line back.

restart the Samba daemons, run 'net cache flush' again then run 'getent
passwd sgw'

> So my idmap range was completely wrong, I assume.
>
> I now have on the member server:
>
> # cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.secret.tld
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> #idmap config * : range = 2000-2999
>
> ## idmap config for the ARBEITSGRUPPE domain
> idmap config ARBEITSGRUPPE:backend = ad
> idmap config ARBEITSGRUPPE:range = 1000-9999
>
> username map = /etc/samba/user.map
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
>
> Now I get wbinfo -i again:
>
> # wbinfo -i sgw
> sgw:*:4294967295:4294967295:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
>
> But the group is wrong.
>
> # wbinfo --group-info 'domain users'
> domain users:x:4294967295:
>
> What to correct here, please?

What is in the 'user.map' ?

Rowland
Stefan G. Weichinger
2017-Jan-01 15:37 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 16:04, Rowland Penny via samba wrote:

> So it looks like you only have 77 users, but cannot have any local Unix
> users because your Unix users start at 1000. How do you feel about changing
> the uidNumbers ?

feels scary and I'd like to avoid that :-)

> if so, the easiest way will be to open the AD database
> with ldbedit:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>
> Then search through the file for 'uidNumber' and then change the
> contents, I would just add a '0' after the first digit i.e. '1077'
> would become '10077'

And that won't break things??

> Remove the uidNumber that contains '0'

I just had a look via ldbedit, yes, that points to:

distinguishedName: CN=root,CN=Users,DC=arbeitsgruppe,......

> check that Domain Users has a gidNumber attribute and that it contains
> a number in the 10000 range

It doesn't have that attribute as far as I see. Do I just add that line?

> finally change 'idmap config ARBEITSGRUPPE:range = 1000-9999' to 'idmap
> config ARBEITSGRUPPE:range = 10000-99999' and put the 'idmap config
> SAMDOM : schema_mode = rfc2307' line back.
>
> restart the Samba daemons, run 'net cache flush' again then run 'getent
> passwd sgw'

Feeling like a blind brain surgeon already ;-) I have to prepare myself mentally :-)

>> But the group is wrong.
>>
>> # wbinfo --group-info 'domain users'
>> domain users:x:4294967295:
>>
>> What to correct here, please?
>
> What is in the 'user.map' ?

I followed https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User

# cat user.map
!root = ARBEITSGRUPPE\Administrator
Stefan G. Weichinger
2017-Jan-01 16:05 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
ok, edited etc., all uidNumbers are now > 10000 except that "root", I was unsure about that one (?)

gidNumber:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=Domain\ Users | grep 'gidNumber'
gidNumber: 10001

- smb.conf on member:

idmap config * : backend = tdb
idmap config * : range = 2000-2999

idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-99999
idmap config ARBEITSGRUPPE:schema_mode = rfc2307

username map = /etc/samba/user.map

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

- restarted all samba daemons on DC and member server, flushed cache

On DC:

# wbinfo -i sgw
sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false

# getent passwd sgw
sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false

(good, afaik)

On member server:

# wbinfo -i sgw
sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

# getent passwd sgw
sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

- nice, correct??

I even did an additional change and set the gidNumber to 10513 to match the former gid (in the shared directory the group-id was 10513, now it is displayed as "domain users" as well).

so now I have:

# getent passwd sgw
sgw:*:10000:10513:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

*phew*

Any idea what else might be missing? ;-)

thanks!
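The idmap range problem worked through in this thread, as an added example that is not from any of the list posts: a bash function that checks the uidNumber/gidNumber values stored in AD against the member server's 'idmap config DOMAIN:range' and against local /etc/passwd accounts, run once on a sample modelled on the situation before the renumbering and once on the final state. The search output and passwd lines are constructed samples, not real data from the thread.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: check AD uidNumber/gidNumber values
# against the member server's 'idmap config DOMAIN:range' and local accounts.
# With 'backend = ad', an ID outside the range cannot be mapped and winbind
# returns 4294967295 (-1), which is the symptom seen in the first post.

# Constructed sample of the output of
#   net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber
# modelled on the state before the renumbering (IDs 0 and 1000).
BEFORE_ADS='sAMAccountName: root
uidNumber: 0
sAMAccountName: sgw
uidNumber: 1000'

# Constructed sample modelled on the state after the renumbering.
AFTER_ADS='sAMAccountName: sgw
uidNumber: 10000
gidNumber: 10513
sAMAccountName: Domain Users
gidNumber: 10513'

# Constructed stand-in for the member server's /etc/passwd.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
stefan:x:1000:1000::/home/stefan:/bin/bash'

# check_ids LOW HIGH ADS_OUTPUT PASSWD_TEXT
# Prints one line per finding; the return code is the number of findings (0 = clean).
check_ids() {
    local low=$1 high=$2 ads=$3 passwd=$4
    local findings=0 acct="" attr value
    while IFS=': ' read -r attr value; do
        case "$attr" in
            sAMAccountName) acct=$value ;;
            uidNumber|gidNumber)
                if [ "$value" -lt "$low" ] || [ "$value" -gt "$high" ]; then
                    echo "$acct: $attr $value is outside idmap range $low-$high (winbind would return 4294967295)"
                    findings=$((findings + 1))
                fi
                # A local account with the same numeric uid or gid means AD and local users overlap.
                if printf '%s\n' "$passwd" | awk -F: -v id="$value" '$3 == id || $4 == id { hit=1 } END { exit !hit }'; then
                    echo "$acct: $attr $value collides with a local account in /etc/passwd"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done <<< "$ads"
    return "$findings"
}

check_ids 10000 99999 "$BEFORE_ADS" "$LOCAL_PASSWD" || echo "before renumbering: $? findings"
check_ids 10000 99999 "$AFTER_ADS" "$LOCAL_PASSWD" && echo "after renumbering: clean"
```

On a real member server, pipe the actual net ads search output and /etc/passwd into the function instead of the constructed samples.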