>>
>> This is my nsswitch file:
>>
>>
>> passwd: files ldap compat winbind
>> group: files ldap compat winbind
>> shadow: files ldap compat
>
> Do you have anything that needs to connect via LDAP?
> If you have, what is it?
> I would remove 'ldap'
>
> 'files' and 'compat' basically mean the same thing, so I would remove
> 'compat'
>
>>
>>
>> When I use wbinfo I see names and groups.
>
> 'wbinfo' shows Windows users and groups, just because Windows users and
> groups are shown doesn't mean the Unix OS knows who they are. This is
> where Samba comes in.
>
>> >
>> >>
>> >> idmap config * : unix_primary_group = yes
>> >
>> > I think you can only use the above line with the 'ad' backend.
>>
>> When I set backend to 'ad' I can't start winbindd
>>
>> Output: "main: FATAL: Invalid idmap backend ad configured as the
>> default backend!"
>
> Yes, I missed that, focussed on 'idmap config' and
> 'unix_primary_group', what I meant was you can only use
> 'unix_primary_group' with 'idmap config DOMAIN' and the 'ad' backend,
> so you should have removed it. Your 'idmap config' block should look
> something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
>
I changed nsswitch to:

passwd: files winbind
group: files winbind
shadow: files
gshadow: files
hosts: files resolve [!UNAVAIL=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

New version of smb.conf:

[global]
workgroup = XYZ
server string = %h server (Samba, Ubuntu)
realm = XYZ.LOCAL
interfaces = lo, eth0
kerberos method = secrets and keytab
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
security = ads
domain master = no
local master = no
preferred master = no
domain logons = no
allow trusted domains = yes
idmap config * : range = 2000-49999
idmap config * : backend = tdb
idmap config XYZ : range = 50000-60000
idmap config XYZ : backend = rid
map acl inherit = yes
store dos attributes = yes
inherit acls = yes
inherit permissions = yes
acl group control = yes
acl map full control = true
nt acl support = yes
ea support = yes
idmap_ldb:use rfc2307 = yes
template homedir = /home/%U
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
full_audit:prefix = %u|%I|%M|%S
full_audit:priority = notice
full_audit:facility = local5
map archive = No
map readonly = no
username map = /etc/samba/user.map
client use spnego = yes
client ntlmv2 auth = yes
load printers = no
[share]
comment = share
path = /share
browseable = Yes
read only = No
force create mode = 0660
force directory mode = 0660
vfs objects = dfs_samba4 acl_xattr full_audit
acl_xattr:ignore system acls = yes
full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

I deleted all files *tdb and reconnected to domain.

Log from samba:

[2017/06/05 20:30:58.650182, 5] ../source3/auth/token_util.c:640(debug_unix_user_token)
UNIX token of user 50500
Primary group is 50513 and contains 13 supplementary groups
Group[ 0]: 50500
Group[ 1]: 50513
Group[ 2]: 50518
Group[ 3]: 50572
Group[ 4]: 50519
Group[ 5]: 50512
Group[ 6]: 59426
Group[ 7]: 50520
Group[ 8]: 50002
Group[ 9]: 50003
Group[ 10]: 50004
Group[ 11]: 2001
Group[ 12]: 2000
[2017/06/05 20:30:50.906441, 5] ../source3/smbd/uid.c:363(change_to_user_internal)
Impersonated user: uid=(50500,50500), gid=(0,50513)
[2017/06/05 20:30:50.906526, 4] ../source3/smbd/vfs.c:874(vfs_ChDir)
vfs_ChDir to /tmp
[2017/06/05 20:30:50.906552, 4] ../source3/smbd/vfs.c:885(vfs_ChDir)
vfs_ChDir got /tmp
[2017/06/05 20:30:50.906578, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
check lock order 1 for /var/lock/samba/smbXsrv_open_global.tdb
[2017/06/05 20:30:50.906626, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
release lock order 1 for /var/lock/samba/smbXsrv_open_global.tdb
[2017/06/05 20:30:50.906640, 5] ../source3/smbd/files.c:128(file_new)
allocated file structure fnum 293231795 (4 used)
[2017/06/05 20:30:50.906722, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(50500, 50513) : sec_ctx_stack_ndx = 1
[2017/06/05 20:30:50.906737, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
push_conn_ctx(544753224) : conn_ctx_stack_ndx = 0
[2017/06/05 20:30:50.906746, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/06/05 20:30:50.906755, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2017/06/05 20:30:50.906763, 5] ../source3/auth/token_util.c:640(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2017/06/05 20:30:50.906854, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (50500, 50513) - sec_ctx_stack_ndx = 0
[2017/06/05 20:30:50.906870, 2] ../source3/rpc_server/rpc_ncacn_np.c:770(make_external_rpc_pipe)
tstream_npa_connect_recv to /var/run/samba/ncalrpc/np for pipe lsarpc and user XYZ\Admin failed: No such file or directory
[2017/06/05 20:30:50.906906, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
check lock order 1 for /var/lock/samba/smbXsrv_open_global.tdb
[2017/06/05 20:30:50.906924, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
release lock order 1 for /var/lock/samba/smbXsrv_open_global.tdb
[2017/06/05 20:30:50.906937, 5] ../source3/smbd/files.c:565(file_free)
freed files structure 293231795 (3 used)
[2017/06/05 20:30:50.906949, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at ../source3/smbd/smb2_create.c:293

Nothing changed. Is it possible that the config file is wrong?

Best regards,
Supporter 3eb
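
An added illustration, not part of the original thread and not Samba code: a small Python check of the idmap rules discussed above (no 'ad' backend on the default domain, 'unix_primary_group' only on a named domain with the 'ad' backend) plus a lookup of which idmap domain owns an ID seen in the log. The function names and the BROKEN sample are constructed; the non-overlapping-range rule comes from the smb.conf documentation rather than from the thread.

```python
import re

# Matches smb.conf lines such as: idmap config XYZ : backend = rid
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def id_range(opts):
    lo, hi = opts["range"].split("-")
    return int(lo), int(hi)

def check_idmap(domains):
    """Return a list of findings; empty means the three rules hold."""
    findings = []
    # Rule 1 (the winbindd FATAL message quoted in the thread).
    if domains.get("*", {}).get("backend", "").lower() == "ad":
        findings.append("*: backend 'ad' is invalid for the default domain")
    # Rule 2 (from the reply): named domain with the 'ad' backend only.
    for dom, opts in domains.items():
        if "unix_primary_group" in opts and (
                dom == "*" or opts.get("backend", "").lower() != "ad"):
            findings.append(f"{dom}: unix_primary_group needs DOMAIN + 'ad'")
    # Rule 3 (smb.conf documentation, not the thread): no overlapping ranges.
    ranged = sorted((id_range(o), d) for d, o in domains.items() if "range" in o)
    for ((_, hi1), d1), ((lo2, _), d2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            findings.append(f"{d1}/{d2}: ID ranges overlap")
    return findings

def owning_domain(domains, xid):
    """Name of the idmap domain whose range contains this uid/gid, else None."""
    for dom, opts in domains.items():
        if "range" in opts and id_range(opts)[0] <= xid <= id_range(opts)[1]:
            return dom
    return None

# FIXED: idmap lines of the new smb.conf in the post. BROKEN: constructed sample.
FIXED = ("idmap config * : range = 2000-49999\nidmap config * : backend = tdb\n"
         "idmap config XYZ : range = 50000-60000\nidmap config XYZ : backend = rid\n")
BROKEN = ("idmap config * : backend = ad\nidmap config * : unix_primary_group = yes\n"
          "idmap config * : range = 2000-9999\nidmap config XYZ : range = 9000-60000\n")
print(check_idmap(parse_idmap(BROKEN)), check_idmap(parse_idmap(FIXED)))
```

Applied to the token in the log above, the gids from 50500 to 59426 fall in the XYZ (rid) range, while 2000 and 2001 come from the default '*' (tdb) range.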