Martin Decker
2017-Aug-18 12:40 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Dear List,

I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to provide unix file shares to windows users.

I can successfully list groups and users with wbinfo -u / wbinfo -g, but I do not get any data with "getent group" or "getent passwd". In AD, we have set "gidNumber" Attribute for Group "Domain Users" to a value in the specified range (100-999999). Also, for my account "mdecker", we have set uidNumber in AD to a value in the range.

e.g.:

wbinfo -u | grep mdecker
mdecker

wbinfo -g |grep -i "dom"
domänencomputer
domänen-benutzer
..

For getent commands, when I enable debug level for winbindd, I can see:

getent passwd "MYDOM\\mdecker"
... no output

Winbind Trace:

accepted socket 23
process_request: request fn INTERFACE_VERSION
[ 1414]: request interface version
winbind_client_response_written[1414:INTERFACE_VERSION]: delivered response to client
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[ 1414]: request location of privileged pipe
winbind_client_response_written[1414:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
accepted socket 24
closing socket 23, client exited
process_request: Handling async request 1414:GETPWNAM
getpwnam mdecker
winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
wb_request_done[1414:GETPWNAM]: NT_STATUS_NO_SUCH_USER
winbind_client_response_written[1414:GETPWNAM]: delivered response to client
closing socket 24, client exited

getent group "MYDOM\\Domain Users"
... no output

Winbind Trace:

process_request: Handling async request 3067:GETGRNAM
getgrnam MARABU\Domain Users
wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
        domain : *
            domain : 'MYDOM'
        name : *
            name : 'DOMAIN USERS'
        flags : 0x00000000 (0)
wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
        type : *
            type : SID_NAME_USE_NONE (0)
        sid : *
            sid : S-0-0
        result : NT_STATUS_NONE_MAPPED
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
wb_request_done[3067:GETGRNAM]: NT_STATUS_NONE_MAPPED
winbind_client_response_written[3067:GETGRNAM]: delivered response to client

Any hints are greatly appreciated.

Best regards,
Martin

For reference, this is the smb.conf:

[global]
workgroup = MYDOM
realm = MYDOM.ADS
server string = Samba Server
security = ADS
log level = 2
log file = /var/samba/log/log.%m
max log size = 50
unix extensions = No
client signing = Yes
local master = No
domain master = No
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
# So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
winbind trusted domains only = Yes
idmap config * :backend = tdb
idmap config * : range = 1000-1999999
idmap config MYDOM : backend = ad
idmap config MYDOM : range = 100-999999
idmap config MYDOM : schema_mode = rfc2307
winbind nss info = rfc2307
inherit permissions = Yes
map acl inherit = Yes
# We do not run NETBIOS
disable netbios = Yes
# Printers
load printers = no
# Set up our ZFS shares so that ACL work correctly from Windows

[homes]
comment = Home Directories
read only = No
inherit acls = Yes
map archive = No
map readonly = no
vfs objects = zfsacl
zfsacl: acesort = dontcare
nfs4:chown = yes
nfs4:acedup = merge
nfs4:mode = special

[SHARE1]
comment = Verzeichnis fuer Rezepturen
read only = No
path = /share1
available = yes
browsable = yes
guest ok = yes
writable = yes

--
Martin Decker
Rowland Penny
2017-Aug-18 13:00 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
See inline comments:

On Fri, 18 Aug 2017 14:40:54 +0200
Martin Decker via samba <samba at lists.samba.org> wrote:

> Dear List,
>
> I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to
> provide unix file shares to windows users.
>
> I can successfully list groups and users with wbinfo -u / wbinfo
> -g, but I do not get any data with "getent group" or "getent passwd".
> In AD, we have set "gidNumber" Attribute for Group "Domain Users" to
> a value in the specified range (100-999999). Also, for my account
> "mdecker", we have set uidNumber in AD to a value in the range.
>
> getent group "MYDOM\\Domain Users"
> ... no output
>
> For reference, this is the smb.conf:
>
> [global]
> workgroup = MYDOM
> realm = MYDOM.ADS
> server string = Samba Server
> security = ADS
> log level = 2
> log file = /var/samba/log/log.%m
> max log size = 50
> unix extensions = No
> client signing = Yes
> local master = No
> domain master = No
> dns proxy = No
> winbind enum users = Yes
> winbind enum groups = Yes
> # So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
> winbind trusted domains only = Yes

The above line doesn't remove the DOMAIN from the username, you need:
winbind use default domain = yes
to do that

> idmap config * :backend = tdb
> idmap config * : range = 1000-1999999
> idmap config MYDOM : backend = ad
> idmap config MYDOM : range = 100-999999
> idmap config MYDOM : schema_mode = rfc2307

Your ranges overlap and you don't really need '1,998,999' IDs for the '*' range.

Rowland
Martin Decker
2017-Aug-18 15:32 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Thank you for your feedback. I have changed the parameters, but still no success.

winbind use default domain = yes
idmap config * : range = 1000000-1999999
idmap config MYDOM : range = 100-999999

Regards,
Martin

2017-08-18 15:00 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

>
> See inline comments:
>
> On Fri, 18 Aug 2017 14:40:54 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Dear List,
> >
> > I am trying to set up Samba 3.6.25 (solaris 11.3 packaged) to
> > provide unix file shares to windows users.
> >
> > I can successfully list groups and users with wbinfo -u / wbinfo
> > -g, but I do not get any data with "getent group" or "getent passwd".
> > In AD, we have set "gidNumber" Attribute for Group "Domain Users" to
> > a value in the specified range (100-999999). Also, for my account
> > "mdecker", we have set uidNumber in AD to a value in the range.
> >
> > getent group "MYDOM\\Domain Users"
> > ... no output
> >
> > For reference, this is the smb.conf:
> >
> > [global]
> > workgroup = MYDOM
> > realm = MYDOM.ADS
> > server string = Samba Server
> > security = ADS
> > log level = 2
> > log file = /var/samba/log/log.%m
> > max log size = 50
> > unix extensions = No
> > client signing = Yes
> > local master = No
> > domain master = No
> > dns proxy = No
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > # So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
> > winbind trusted domains only = Yes
>
> The above line doesn't remove the DOMAIN from the username, you need:
> winbind use default domain = yes
> to do that
>
> > idmap config * :backend = tdb
> > idmap config * : range = 1000-1999999
> > idmap config MYDOM : backend = ad
> > idmap config MYDOM : range = 100-999999
> > idmap config MYDOM : schema_mode = rfc2307
>
> Your ranges overlap and you don't really need '1,998,999' IDs for the
> '*' range.
>
> Rowland

--
Martin Decker