Martin Decker
2017-Aug-22 09:58 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Thanks Rowland and Louis,
after changing from ad to rid, I get all users listed with "getent passwd",
not just the ones with uidNumber - which is good. But "getent passwd
MYDOM\\mdecker" still does not resolve. In addition, no groups are listed
with "getent group". Looking at winbindd debug, it seems that after trying
getgrsid on the very first group "Exchange All Hosted Organizations", it
stops retrieving other groups.
out: struct wbint_QueryGroupList
    groups : *
        groups: struct wbint_Principals
            num_principals : 545
            principals: ARRAY(545)
                principals: struct wbint_Principal
                    sid : S-1-5-21-1585417398-3384821309-2524188735-2571
                    type : SID_NAME_DOM_GRP (2)
                    name : *
                        name : 'Exchange All Hosted Organizations'
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-2571
getgrent failed: NT_STATUS_NO_SUCH_GROUP
wb_request_done[13813:GETGRENT]: NT_STATUS_NO_SUCH_GROUP
winbind_client_response_written[13813:GETGRENT]: delivered response to client
process_request: Handling async request 13813:ENDGRENT
This is the current smb.conf:
[global]
workgroup = MYDOM
realm = MYDOM.ADS
server string = Samba Server
security = ADS
log level = 1 smb:10 passdb:10 auth:10 winbind:10 idmap:10
log file = /var/samba/log/log.%m
max log size = 50
unix extensions = No
client signing = Yes
local master = No
domain master = No
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
# So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
winbind use default domain = yes
winbind trusted domains only = Yes
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100-999999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
inherit permissions = Yes
map acl inherit = Yes
# We do not run NETBIOS
disable netbios = Yes
# Printers
load printers = no
Authentication on Windows to access share (connect network drive) is still
not possible.
getpwnam MDECKER
winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\MDECKER.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
wb_request_done[14662:GETPWNAM]: NT_STATUS_NO_SUCH_USER
Authentication with "kinit at MYDOM.ADS" is working.
This is after "net cache flush" and restarting winbind and samba multiple
times....
Best regards,
Martin
2017-08-21 18:15 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 21 Aug 2017 17:25:31 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Dear Rowland,
> >
> > our windows admin assured me that they have set uidNumber and
> > gidNumber in the range. I have requested screenshots for confirmation.
> >
> > Now we are one step further: "getent passwd | grep mdecker" now lists
> > the AD account.
> >
> > mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
> >
> > With "getent passwd mdecker" however, it shows
> > "NT_STATUS_NO_SUCH_USER".
> >
> > getent passwd mdecker
> >
> > winbindd_getpwnam: My domain -- rejecting getpwnam() for
> > MYDOM\mdecker. Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
> >
> > Also not working:
> >
> > getnet passwd mdecker
> > getent passwd "MYDOM\\mdecker"
> >
> > What is working though is when I give REALM Suffix ".ADS"
> >
> > getent passwd "MYDOM.ADS\\mdecker"
> > mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
> >
>
> If I run:
> getent passwd rowland
> getent passwd "SAMDOM\rowland"
> getent passwd "SAMDOM.EXAMPLE.COM\rowland"
>
> They all produce the same output:
>
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Let's step back a bit here, is this just one Unix fileserver?
> It also looks like you will not be using most of the RFC2307
> attributes, just UidNumber & gidNumber.
>
> If this is the case, have you considered the rid backend ?
> With this, you do not need anything in AD, it uses the RID to calculate
> the users or groups ID.
>
> If you change:
>
> idmap config * :backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config MYDOM : backend = ad
> idmap config MYDOM : range = 100-999999
> idmap config MYDOM : schema_mode = rfc2307
>
> To:
> idmap config * :backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100-999999
>
> You should get everything to work.
> If it does, it proves that the problem is in AD.
> If it doesn't, then there must be a problem on your Unix domain member.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
--
Martin Decker
Rowland Penny
2017-Aug-22 10:20 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
On Tue, 22 Aug 2017 11:58:37 +0200
Martin Decker via samba <samba at lists.samba.org> wrote:
> Thanks Rowland and Louis,
>
> after changing from ad to rid, I get all users listed with "getent
> passwd", not just the ones with uidNumber - which is good. But
> "getent passwd MYDOM\\mdecker" still does not resolve.
Does mdecker exist in AD ?
Does 'getent passwd mdecker' work ?
Does 'getent passwd "MYDOM\mdecker" ' work ?
Is 'mdecker' in /etc/passwd ?
> In addition,
> no groups are listed with "getent group".
Does 'getent group groupname' work ?
Rowland
Martin Decker
2017-Aug-22 10:44 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Does mdecker exist in AD ?
=> Yes
root@solaris1:~# getent passwd "MYDOM.ADS\\mdecker"
mdecker:*:13767:613::/home/mdecker:/bin/bash
winbind log:
getpwnam MYDOM.ADS\mdecker
wb_request_done[24254:GETPWNAM]: NT_STATUS_OK
Does 'getent passwd mdecker' work ?
=> No
getent passwd mdecker
getpwnam mdecker
winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
wb_request_done[24164:GETPWNAM]: NT_STATUS_NO_SUCH_USER
Does 'getent passwd "MYDOM\mdecker" ' work ?
=> No
Is 'mdecker' in /etc/passwd ?
=> No
root@solaris1:~# grep mdecker /etc/passwd
root@solaris1:~#
Does 'getent group groupname' work ?
=> No
root@solaris1:~# getent group "MYDOM\\Domänen-Benutzer"
root@solaris1:~#
winbind debug log:
wcache_save_name_to_sid: MYDOM\DOMÄNEN-BENUTZER -> S-1-5-21-1585417398-3384821309-2524188735-513 (NT_STATUS_OK)
wcache_save_sid_to_name: S-1-5-21-1585417398-3384821309-2524188735-513 -> domänen-benutzer (NT_STATUS_OK)
wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
        type : *
            type : SID_NAME_DOM_GRP (2)
        sid : *
            sid : S-1-5-21-1585417398-3384821309-2524188735-513
        result : NT_STATUS_OK
Finished processing child request 59
Writing 3532 bytes to parent
timed_events_timeout: 94303/232621
wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
        type : *
            type : SID_NAME_DOM_GRP (2)
        sid : *
            sid : S-1-5-21-1585417398-3384821309-2524188735-513
        result : NT_STATUS_OK
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-513
Could not convert sid S-1-5-21-1585417398-3384821309-2524188735-513: NT_STATUS_NO_SUCH_GROUP
wb_request_done[25512:GETGRNAM]: NT_STATUS_NO_SUCH_GROUP
Regards,
Martin
2017-08-22 12:20 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 22 Aug 2017 11:58:37 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Thanks Rowland and Louis,
> >
> > after changing from ad to rid, I get all users listed with "getent
> > passwd", not just the ones with uidNumber - which is good. But
> > "getent passwd MYDOM\\mdecker" still does not resolve.
>
> Does mdecker exist in AD ?
> Does 'getent passwd mdecker' work ?
> Does 'getent passwd "MYDOM\mdecker" ' work ?
>
> Is 'mdecker' in /etc/passwd ?
>
> > In addition,
> > no groups are listed with "getent group".
>
> Does 'getent group groupname' work ?
>
> Rowland
>
--
--
Martin Decker
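Added example (not part of the original thread and not Samba's own code): the rid backend arithmetic Rowland describes, applied to the idmap lines of the posted smb.conf. It uses the formula documented for idmap_rid, ID = RID - BASE_RID + LOW_RANGE_ID, which is why the group SID ending in -513 shows up as gid 613 in the getent output above; it also checks that the configured ID ranges do not overlap. All function names are illustrative.

```python
import re

# Constructed input: the idmap lines from the smb.conf posted in this thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip smb.conf comments
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def id_range(cfg):
    """Parse 'low-high' from a domain's range option."""
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high


def rid_to_unix_id(sid, cfg):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = id_range(cfg)
    base_rid = int(cfg.get("base_rid", 0))  # base_rid defaults to 0
    unix_id = rid - base_rid + low
    return unix_id if rid >= base_rid and low <= unix_id <= high else None


def overlapping_ranges(domains):
    """Return neighbouring domain pairs whose ID ranges overlap."""
    spans = sorted((id_range(c), d) for d, c in domains.items() if "range" in c)
    return [(a[1], b[1]) for a, b in zip(spans, spans[1:]) if b[0][0] <= a[0][1]]


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    sid = "S-1-5-21-1585417398-3384821309-2524188735-513"  # SID from the log above
    print(sid, "->", rid_to_unix_id(sid, cfg["MYDOM"]))
    print("overlaps:", overlapping_ranges(cfg))
```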