Rowland Penny
2017-Aug-25 14:28 UTC
[Samba] Windows pre-requisites for login with winbind?
On Fri, 25 Aug 2017 16:03:08 +0200
"Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:

> Rowland,
>
> I'm following this thread because I'm trying to use a Linux member
> server (Debian 9) and use Windows AD users in Linux (filesystem etc).
>
> It seems I have working Kerberos and, to a degree, Winbind too,
> because both
>
> wbinfo -u
> wbinfo -g
>
> give me valid and complete results.

This just shows that winbind can contact and connect to AD.

> However I'm stuck with NIS.
>
> First I attempted to use AD idmap with these settings (smb.conf):
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : range = 10000-9999999

The above looks okay.

> idmap_ldb:use rfc2307 = yes

You should only use the above line on a DC.

> winbind nss info = rfc2307
> winbind use default domain = true

The above two lines are okay.

> winbind enum users = yes
> winbind enum groups = yes

You should only add the above two lines for testing purposes.

> When I issue
>
> #getent group
>
> I get only a few groups, those with a nonempty gidNumber attribute. This I can
> understand, but
>
> #getent passwd
>
> doesn't bring me any AD user, although they all have a valid uidNumber
> attribute that is well inside the idmap range.

Does 'Domain Users' have a gidNumber inside '10000-9999999'?
If it doesn't, then ALL your users will be ignored.

> Now, I also tried to use RID, as it seems better to go this way, however
> it doesn't work for me either, and it still displays only those groups
> as before, and they still have the gidNumber from AD, not the computed one
> from RID.
>
> It seems I'm missing something.

Try running 'net cache flush'.

The 'rid' backend should work without any changes to AD, as long as the
user is in AD and isn't in /etc/passwd.

Rowland
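A check for the prerequisite Rowland points out, added here as an example (not code from the Samba project or from either poster): it parses the idmap lines of a member server's smb.conf, tests whether a given 'Domain Users' gidNumber falls inside the DOMAIN range, flags the two settings Rowland questioned, and shows the gid the rid backend would compute instead. The sample config is constructed from the lines posted in the thread; the gidNumber values passed to lint() are constructed; 513 is the well-known RID of Domain Users.

```python
"""Lint a Samba member server's idmap setup for the pitfalls raised in this thread."""
import re

# Constructed sample, built from the smb.conf lines posted in the thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-9999999
   idmap_ldb:use rfc2307 = yes
   winbind nss info = rfc2307
   winbind use default domain = true
   winbind enum users = yes
   winbind enum groups = yes
"""

DOMAIN_USERS_RID = 513  # well-known RID of the 'Domain Users' group

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out

def idmap_range(conf, domain):
    """Low and high end of the configured range for one idmap domain."""
    lo, hi = parse_idmap(conf)[domain]["range"].split("-")
    return int(lo), int(hi)

def rid_to_id(conf, domain, rid):
    """The rid backend maps ID = RID + low end of the domain's range, so no AD edits are needed."""
    return idmap_range(conf, domain)[0] + rid

def lint(conf, domain, domain_users_gid, is_dc=False):
    """Return a list of problems; an empty list means users should enumerate."""
    problems = []
    lo, hi = idmap_range(conf, domain)
    if domain_users_gid is None or not lo <= domain_users_gid <= hi:
        problems.append(f"'Domain Users' gidNumber {domain_users_gid} is not in {lo}-{hi}: all users are ignored")
    if not is_dc and re.search(r"^\s*idmap_ldb:use rfc2307", conf, re.M):
        problems.append("'idmap_ldb:use rfc2307' belongs on a DC only")
    if re.search(r"^\s*winbind enum (users|groups)\s*=\s*yes", conf, re.M):
        problems.append("'winbind enum users/groups = yes' is for testing only")
    return problems
```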
tuharsky at misbb.sk
2017-Aug-25 16:37 UTC
[Samba] Windows pre-requisites for login with winbind?
Hi, Rowland

You were right, it was the Domain Users issue. After setting the
gidNumber to a number inside the range, the users are there.

Thank You.

And as for the change from AD to RID, 'net cache flush' is not enough.

For the record, I had to reboot the server. Probably the records
have been stored in some NIS cache or so too, that I don't know how to
flush on the fly. After the reboot, RID works.

Thank You
tuharsky at misbb.sk
2017-Aug-26 06:56 UTC
[Samba] Windows pre-requisites for login with winbind?
Please, could the documentation be enhanced so that it mentions this
prerequisite? (The Domain Users group must have the gidNumber attribute
set, and it must be inside the idmap range.)