Stefan Schäfer
2017-Mar-18 12:23 UTC
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
On 18.03.2017 at 10:43, Rowland Penny via samba wrote:
> On Sat, 18 Mar 2017 07:48:27 +0100
> Stefan Schäfer via samba <samba at lists.samba.org> wrote:
>
>> Hi List,
>>
>> I found some threads here in the list with similar problems, but
>> nothing helped to solve my problem.
>>
>> We have a very much too old Samba DC (Version 4.1.x) and a new Samba
>> 4.5.6 which should act as a member server.
> Don't suppose you can update the DC to a newer Samba version ?

I know, I have to....

>> smbclient -L 127.0.0.1 -U administrator at baettenhausen.local
>> Enter administrator at baettenhausen.local's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
> You should be able to fix this by adding this line to smb.conf:
>
> username map = /etc/samba/user.map
>
> Then create the user.map:
>
> nano /etc/samba/user.map
> !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator
> Administrator administrator

This works for the Administrator account, but I have this problem with all users. It's a user mapping problem?

>> Here the krb5.conf
> You only need:
>
> [libdefaults]
> default_realm = BAETTENHAUSEN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true

I tested this before, makes no difference.

> If your TLD really is '.local' turn off Avahi on the domain member

Avahi isn't running.

>
> Rowland
>

Stefan
Rowland Penny
2017-Mar-18 12:32 UTC
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
On Sat, 18 Mar 2017 13:23:29 +0100 Stefan Schäfer via samba <samba at lists.samba.org> wrote:

> This works for the Administrator account, but I have this problem
> with all users.
> It's a user mapping problem?

You are using the winbind 'ad' backend. Have you given Domain Users a gidNumber attribute containing a number inside the '500-30000' range? (By the way, this range isn't a good idea, no space for ANY local Unix users.)

Have you also given your users a uidNumber attribute containing a unique number inside the same range?

Rowland
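
The two checks raised in the message above (local Unix UIDs that fall inside the domain's idmap range, and AD users whose uidNumber is missing or outside it), as an added example that is not part of the original thread. The smb.conf text, passwd entries and AD user list are constructed sample data; only the 'ad' backend, the 500-30000 range and the BAETTENHAUSEN name come from the thread.

```python
import re

# Constructed sample input. Only the 'ad' backend, the 500-30000 range and the
# BAETTENHAUSEN domain name come from the thread; everything else is assumed.
SMB_CONF = """\
[global]
    workgroup = BAETTENHAUSEN
    idmap config * : backend = tdb
    idmap config * : range = 40000-49999
    idmap config BAETTENHAUSEN : backend = ad
    idmap config BAETTENHAUSEN : range = 500-30000
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:1000:100:local backup account:/home/backup:/bin/bash
"""
# AD user -> uidNumber as stored in the directory (None = attribute not set).
AD_USERS = {"alice": 10001, "bob": None, "carol": 400}

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {d: (int(lo), int(hi)) for d, lo, hi in RANGE_RE.findall(conf)}

def local_collisions(passwd, rng):
    """Local accounts whose UID falls inside the domain's idmap range."""
    low, high = rng
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and low <= int(fields[2]) <= high:
            hits.append((fields[0], int(fields[2])))
    return hits

def unmapped_users(users, rng):
    """AD users the 'ad' backend cannot map: no uidNumber, or one outside the range."""
    low, high = rng
    return sorted(n for n, uid in users.items() if uid is None or not low <= uid <= high)

if __name__ == "__main__":
    rng = parse_idmap_ranges(SMB_CONF)["BAETTENHAUSEN"]
    print("range:", rng)
    print("local UIDs inside domain range:", local_collisions(PASSWD, rng))
    print("AD users winbind will not map:", unmapped_users(AD_USERS, rng))
```

A local account reported by `local_collisions` shares its numeric ID space with domain accounts, so file ownership and permission checks can no longer tell the two apart.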
Stefan Schäfer
2017-Mar-18 13:18 UTC
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
Got it!

There was "pam-32bit" installed on the server but without "/lib/security/pam_winbind.so". Removing pam-32bit was the solution.

Thanks for your help Rowland.

Stefan

On 18.03.2017 at 13:32, Rowland Penny via samba wrote:
> On Sat, 18 Mar 2017 13:23:29 +0100
> Stefan Schäfer via samba <samba at lists.samba.org> wrote:
>
>
>> This works for the Administrator account, but I have this problem
>> with all users.
>> It's a user mapping problem?
> You are using the winbind 'ad' backend. Have you given Domain Users a
> gidNumber attribute containing a number inside the '500-30000' range?
> (By the way, this range isn't a good idea, no space for ANY local Unix
> users.)
>
> Have you also given your users a uidNumber attribute containing a
> unique number inside the same range?
>
> Rowland
>