Martin Decker
2017-Aug-18 12:40 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Dear List,
I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to provide
unix file shares to windows users.
I can successfully list groups and users with wbinfo -u / wbinfo -g,
but I do not get any data with "getent group" or "getent passwd". In AD, we
have set "gidNumber" Attribute for Group "Domain Users" to a value in the
specified range (100-999999). Also, for my account "mdecker", we have set
uidNumber in AD to a value in the range.
e.g.:
wbinfo -u | grep mdecker
mdecker
wbinfo -g |grep -i "dom"
domänencomputer
domänen-benutzer
..
For getent commands, when I enable debug level for winbindd, I can see:
getent passwd "MYDOM\\mdecker"
... no output
Winbind Trace:
accepted socket 23
process_request: request fn INTERFACE_VERSION
[ 1414]: request interface version
winbind_client_response_written[1414:INTERFACE_VERSION]: delivered response to client
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[ 1414]: request location of privileged pipe
winbind_client_response_written[1414:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
accepted socket 24
closing socket 23, client exited
process_request: Handling async request 1414:GETPWNAM
getpwnam mdecker
winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
wb_request_done[1414:GETPWNAM]: NT_STATUS_NO_SUCH_USER
winbind_client_response_written[1414:GETPWNAM]: delivered response to client
closing socket 24, client exited
getent group "MYDOM\\Domain Users"
... no output
Winbind Trace:
process_request: Handling async request 3067:GETGRNAM
getgrnam MARABU\Domain Users
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'MYDOM'
name : *
name : 'DOMAIN USERS'
flags : 0x00000000 (0)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USE_NONE (0)
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
wb_request_done[3067:GETGRNAM]: NT_STATUS_NONE_MAPPED
winbind_client_response_written[3067:GETGRNAM]: delivered response to client
Any hints are greatly appreciated.
Best regards,
Martin
For reference, this is the smb.conf:
[global]
workgroup = MYDOM
realm = MYDOM.ADS
server string = Samba Server
security = ADS
log level = 2
log file = /var/samba/log/log.%m
max log size = 50
unix extensions = No
client signing = Yes
local master = No
domain master = No
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
# So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
winbind trusted domains only = Yes
idmap config * :backend = tdb
idmap config * : range = 1000-1999999
idmap config MYDOM : backend = ad
idmap config MYDOM : range = 100-999999
idmap config MYDOM : schema_mode = rfc2307
winbind nss info = rfc2307
inherit permissions = Yes
map acl inherit = Yes
# We do not run NETBIOS
disable netbios = Yes
# Printers
load printers = no
# Set up our ZFS shares so that ACL work correctly from Windows
[homes]
comment = Home Directories
read only = No
inherit acls = Yes
map archive = No
map readonly = no
vfs objects = zfsacl
zfsacl: acesort = dontcare
nfs4:chown = yes
nfs4:acedup = merge
nfs4:mode = special
[SHARE1]
comment = Verzeichnis fuer Rezepturen
read only = No
path = /share1
available = yes
browsable = yes
guest ok = yes
writable = yes
--
Martin Decker
Rowland Penny
2017-Aug-18 13:00 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
See inline comments:

On Fri, 18 Aug 2017 14:40:54 +0200
Martin Decker via samba <samba at lists.samba.org> wrote:

> Dear List,
>
> I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to
> provide unix file shares to windows users.
>
> I can successfully list groups and users with wbinfo -u / wbinfo
> -g, but I do not get any data with "getent group" or "getent passwd".
> In AD, we have set "gidNumber" Attribute for Group "Domain Users" to
> a value in the specified range (100-999999). Also, for my account
> "mdecker", we have set uidNumber in AD to a value in the range.
>
> getent group "MYDOM\\Domain Users"
> ... no output
>
> For reference, this is the smb.conf:
>
> [global]
> workgroup = MYDOM
> realm = MYDOM.ADS
> server string = Samba Server
> security = ADS
> log level = 2
> log file = /var/samba/log/log.%m
> max log size = 50
> unix extensions = No
> client signing = Yes
> local master = No
> domain master = No
> dns proxy = No
> winbind enum users = Yes
> winbind enum groups = Yes
> # So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
> winbind trusted domains only = Yes

The above line doesn't remove the DOMAIN from the username, you need:
winbind use default domain = yes
to do that

> idmap config * :backend = tdb
> idmap config * : range = 1000-1999999
> idmap config MYDOM : backend = ad
> idmap config MYDOM : range = 100-999999
> idmap config MYDOM : schema_mode = rfc2307

Your ranges overlap and you don't really need '1,998,999' IDs for the
'*' range.

Rowland
Martin Decker
2017-Aug-18 15:32 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Thank you for your feedback. I have changed the parameters, but still no
success.
winbind use default domain = yes
idmap config * : range = 1000000-1999999
idmap config MYDOM : range = 100-999999
Regards,
Martin
2017-08-18 15:00 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> See inline comments:
>
> On Fri, 18 Aug 2017 14:40:54 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Dear List,
> >
> > I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to
> > provide unix file shares to windows users.
> >
> > I can successfully list groups and users with wbinfo -u / wbinfo
> > -g, but I do not get any data with "getent group" or "getent passwd".
> > In AD, we have set "gidNumber" Attribute for Group "Domain Users" to
> > a value in the specified range (100-999999). Also, for my account
> > "mdecker", we have set uidNumber in AD to a value in the range.
> >
> > getent group "MYDOM\\Domain Users"
> > ... no output
> >
> > For reference, this is the smb.conf:
> >
> > [global]
> > workgroup = MYDOM
> > realm = MYDOM.ADS
> > server string = Samba Server
> > security = ADS
> > log level = 2
> > log file = /var/samba/log/log.%m
> > max log size = 50
> > unix extensions = No
> > client signing = Yes
> > local master = No
> > domain master = No
> > dns proxy = No
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > # So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
> > winbind trusted domains only = Yes
>
> The above line doesn't remove the DOMAIN from the username, you need:
> winbind use default domain = yes
> to do that
>
> > idmap config * :backend = tdb
> > idmap config * : range = 1000-1999999
> > idmap config MYDOM : backend = ad
> > idmap config MYDOM : range = 100-999999
> > idmap config MYDOM : schema_mode = rfc2307
>
> Your ranges overlap and you don't really need '1,998,999' IDs for the
> '*' range.
>
> Rowland
--
Martin Decker