Rowland Penny
2017-Feb-18 17:03 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 17:41:06 +0100
Emmanuel Florac <eflorac at intellique.com> wrote:

> OK, but getent and id return with error (id: no such user, getent:
> return code 2). On the systems I've previously set up similarly
> (Wheezy/Samba 3.6), id and getent work.

Is this before or after you tried my proposed smb.conf ?

> > > I've found in the FAQ a mention of this, however it's obsolete:
> >
> > Which FAQ, where ?
>
> This one:
> https://wiki.samba.org/index.php/FAQ

Yes, but which part ?

> > > I have set up a domain member using the idmap_ad backend, but
> > > getent passwd and getent group does not show users or groups
> >
> > This is correct, think about it, what if you 500,000 users or more ?
>
> What about 'getent passwd SOMEUSER' ? shouldn't it work?

Actually both should work on your version.
But only if your users have a uidNumber attribute and Domain
Users has a gidNumber attribute.

> Obviously not in the standard Debian stable version (4.2.14) at least:

Yes, now I have checked, it wasn't

Rowland
Emmanuel Florac
2017-Feb-18 17:13 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 17:03:33 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 18 Feb 2017 17:41:06 +0100
> Emmanuel Florac <eflorac at intellique.com> wrote:
>
> > OK, but getent and id return with error (id: no such user, getent:
> > return code 2). On the systems I've previously set up similarly
> > (Wheezy/Samba 3.6), id and getent work.
>
> Is this before or after you tried my proposed smb.conf ?

Both, alas. I'll retry by entering everything as you proposed instead
of editing the existing file.

> > > > I've found in the FAQ a mention of this, however it's
> > > > obsolete:
> > >
> > > Which FAQ, where ?
> >
> > This one:
> > https://wiki.samba.org/index.php/FAQ
>
> Yes, but which part ?

Here:
https://wiki.samba.org/index.php/FAQ#I_have_set_up_a_domain_member_using_the_idmap_ad_backend.2C_but_getent_passwd_and_getent_group_do_not_show_users_or_groups

> > > > I have set up a domain member using the idmap_ad backend, but
> > > > getent passwd and getent group does not show users or groups
> > >
> > > This is correct, think about it, what if you 500,000 users or
> > > more ?
> >
> > What about 'getent passwd SOMEUSER' ? shouldn't it work?
>
> Actually both should work on your version.
> But only if your users have a uidNumber attribute and Domain
> Users has a gidNumber attribute.

You mean from the ADC? The ADC is W2K8R2, not Samba.

--
Emmanuel Florac | Direction technique | Intellique | <eflorac at intellique.com> | +33 1 78 94 84 02
Emmanuel Florac
2017-Feb-18 17:31 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 17:03:33 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 18 Feb 2017 17:41:06 +0100
> Emmanuel Florac <eflorac at intellique.com> wrote:
>
> > OK, but getent and id return with error (id: no such user, getent:
> > return code 2). On the systems I've previously set up similarly
> > (Wheezy/Samba 3.6), id and getent work.
>
> Is this before or after you tried my proposed smb.conf ?

    # smbstatus

    Samba version 4.2.14-Debian
    PID     Username      Group         Machine            Protocol Version
    ------------------------------------------------------------------------------
    23015     -1            -1            192.168.138.19 (ipv4:192.168.138.19:37058) NT1

    Service      pid     machine       Connected at
    -------------------------------------------------------

    No locked files

OK, so I've set it up exactly as per your example. I've changed "map
to guest" to "Never", and then I can't login anymore even with
smbclient (well it sort of freezes):

    # smbstatus

    Samba version 4.2.14-Debian
    PID     Username      Group         Machine            Protocol Version
    ------------------------------------------------------------------------------
    23015     -1            -1            192.168.138.19 (ipv4:192.168.138.19:37058) NT1

    Service      pid     machine       Connected at
    -------------------------------------------------------

    No locked files

So that's the "map to guest" that maps everyone to nobody. So it looks
like not even samba authorization goes through winbind. I don't
understand at all what's happening...

--
Emmanuel Florac | Direction technique | Intellique | <eflorac at intellique.com> | +33 1 78 94 84 02
Rowland Penny
2017-Feb-18 17:36 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 18:13:39 +0100
Emmanuel Florac <eflorac at intellique.com> wrote:

> Both, alas. I'll retry by entering everything as you proposed instead
> of editing the existing file.

Please do, it should work

> Here:
> https://wiki.samba.org/index.php/FAQ#I_have_set_up_a_domain_member_using_the_idmap_ad_backend.2C_but_getent_passwd_and_getent_group_do_not_show_users_or_groups

Nope, that isn't obsolete, I should know, I wrote it ;-)

> > But only if your users have a uidNumber attribute and Domain
> > Users has a gidNumber attribute.
>
> You mean from the ADC? The ADC is W2K8R2, not Samba.

Just because your DC is a windows one doesn't mean you don't have to
add the uidNumber & gidNumber attributes if you use the winbind 'ad'
backend, but if you use the smb.conf I suggested, you will be using the
'rid' backend and this doesn't need anything adding to AD.

Can you check the join 'net ads testjoin' it should return 'Join is OK'
does the domain member use the DC as its nameserver
What is in /etc/krb5.conf
What does 'pam-auth-update' show as authentication methods

Rowland
Rowland Penny
2017-Feb-18 17:37 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 18:31:16 +0100
Emmanuel Florac <eflorac at intellique.com> wrote:

> On Sat, 18 Feb 2017 17:03:33 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Sat, 18 Feb 2017 17:41:06 +0100
> > Emmanuel Florac <eflorac at intellique.com> wrote:
> >
> > > OK, but getent and id return with error (id: no such user, getent:
> > > return code 2). On the systems I've previously set up similarly
> > > (Wheezy/Samba 3.6), id and getent work.
> >
> > Is this before or after you tried my proposed smb.conf ?
>
> # smbstatus
>
> Samba version 4.2.14-Debian
> PID     Username      Group         Machine            Protocol Version
> ------------------------------------------------------------------------------
> 23015     -1            -1            192.168.138.19 (ipv4:192.168.138.19:37058) NT1
>
> Service      pid     machine       Connected at
> -------------------------------------------------------
>
> No locked files
>
> OK, so I've set it up exactly as per your example. I've changed "map
> to guest" to "Never", and then I can't login anymore even with
> smbclient (well it sort of freezes):
>
> # smbstatus
>
> Samba version 4.2.14-Debian
> PID     Username      Group         Machine            Protocol Version
> ------------------------------------------------------------------------------
> 23015     -1            -1            192.168.138.19 (ipv4:192.168.138.19:37058) NT1
>
> Service      pid     machine       Connected at
> -------------------------------------------------------
>
> No locked files
>
> So that's the "map to guest" that maps everyone to nobody. So it looks
> like not even samba authorization goes through winbind. I don't
> understand at all what's happening...

Is 'winbind' installed and running ?

Rowland
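
The two smb.conf settings this thread turns on, "map to guest" and the idmap backend for the domain, can be checked with a small script. This is an added example, not code from anyone in the thread; the EXAMPLE domain, the function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Audits a domain-member smb.conf for the two settings
# discussed in this thread; the sample file below is constructed.

# Print a [global] parameter. Samba ignores case and whitespace in
# parameter names, so both are normalised before comparing.
smbconf_get() {  # usage: smbconf_get FILE "parameter name"
    awk -v want="$2" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        BEGIN { want = norm(want); sect = "global" }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      sect = norm(s); next }
        sect == "global" && index($0, "=") {
            key = norm(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

audit_member_conf() {  # usage: audit_member_conf FILE DOMAIN
    guest=$(smbconf_get "$1" "map to guest")
    backend=$(smbconf_get "$1" "idmap config $2 : backend")
    case $(printf '%s' "$guest" | tr 'A-Z' 'a-z') in
        ''|never) echo "guest: failed logins are rejected" ;;
        *) echo "guest: '$guest' can turn a failed login into a guest session" ;;
    esac
    case $backend in
        ad)  echo "idmap: ad needs uidNumber/gidNumber set in AD" ;;
        rid) echo "idmap: rid derives IDs from the RID, nothing to add to AD" ;;
        '')  echo "idmap: no backend configured for $2" ;;
        *)   echo "idmap: backend '$backend' for $2" ;;
    esac
}

sample_conf() {  # constructed sample input, not the poster's smb.conf
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ADS
    Map To Guest = Bad User
    idmap config * : backend = tdb
    idmap config EXAMPLE : backend = ad
[share]
    map to guest = Never
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_member_conf "$tmp" EXAMPLE
rm -f "$tmp"
```

A guest mapping other than Never is worth flagging on a domain member because it hides a broken winbind setup behind sessions that appear to connect, which is what the smbstatus output with uid -1 shows.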