Hi,

We are having some issues with LDAP authentication. Here is our setup:

PDC and LDAP (Samba classic) = dc01
Samba classic domain = stdom
Member server = fs01

We migrated from TDB to LDAP. The old TDB users are able to log in to the domain and access file shares without issues. Any new user created in LDAP is not able to access the shares. When trying to create shared drives for the new users on fs01 we get:

    chown: invalid user: `stdom\\ldaptest01:stdom\\domain users'

The smb.conf for fs01 is:

    Global parameters
    [global]
        workgroup = stdom
        netbios name = fs01
        security = domain
        wins server = 192.168.1.18
        # password server = 192.168.1.18
        local master = no
        domain master = no
        preferred master = no
        domain logons = no
        passdb backend = ldapsam:ldap://192.168.1.18
        ldap admin dn = cn=admin,dc=stdom
        ldap suffix = dc=stdom
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap user suffix = ou=users
        idmap backend = ldap
        ldap idmap suffix = ou=idmap
        idmap config * : backend = ldap
        idmap config * : range = 20000-29999
        idmap config * : ldap_url = ldap://192.168.1.18
        idmap config * : ldap_base_dn = ou=idmap,dc=stdom
        idmap config * : ldap_user_dn = cn=admin,dc=stdom
        ldap delete dn = no
        #ldap password sync = yes
        ldap ssl = off
        #winbind expand groups = 1
        #winbind trusted domains only = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

The /etc/nsswitch.conf is:

    #passwd: compat
    #group: compat
    shadow: compat
    passwd: winbind files
    group: winbind files

We have tried 'files winbind' too.

Other info:
- fs01 is joined to the PDC using net rpc join.
- getent passwd doesn't list the new users.
- wbinfo -u lists all the users in LDAP.
- we are using lib-nss on the PDC to authenticate the users.
- ufw is disabled on both.

Any suggestions?

Regards,
Praveen Ghimire
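A quick way to pin down the symptom described above (winbind enumerates the accounts, NSS does not resolve them), as an added example that is not part of the thread: it compares 'wbinfo -u' output with 'getent passwd' and classifies each account as resolved inside the idmap range, resolved from local files, or unresolved. The inputs here are constructed samples; on fs01 you would pass "$(wbinfo -u)" and "$(getent passwd)" together with the 20000-29999 range from the posted smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Compare the users winbind enumerates
# ('wbinfo -u') with what NSS resolves ('getent passwd') and classify each:
#   OK          resolved with a uid inside the configured idmap range
#   LOCAL       resolved, but the uid comes from /etc/passwd, not idmap
#   UNRESOLVED  winbind knows the account, NSS cannot resolve it
# Arguments: $1 = wbinfo -u output, $2 = getent passwd output,
#            $3/$4 = low/high end of 'idmap config * : range'.
check_winbind_nss() {
    wb_users=$1; nss_db=$2; lo=$3; hi=$4
    printf '%s\n' "$wb_users" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        # exact match on the account-name field; the domain prefix is
        # already absent because of 'winbind use default domain = yes'
        uid=$(printf '%s\n' "$nss_db" | awk -F: -v u="$u" '$1 == u { print $3; exit }')
        if [ -z "$uid" ]; then
            printf '%s UNRESOLVED\n' "$u"
        elif [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
            printf '%s LOCAL uid=%s\n' "$u" "$uid"
        else
            printf '%s OK uid=%s\n' "$u" "$uid"
        fi
    done
}

# Constructed sample data mirroring the report: an old (pre-migration) user
# that resolves from local files and a new LDAP-only user that does not.
SAMPLE_WBINFO='olduser01
ldaptest01'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/sh
olduser01:x:1005:1005::/home/olduser01:/bin/sh'

# Range taken from the posted smb.conf ('idmap config * : range = 20000-29999').
check_winbind_nss "$SAMPLE_WBINFO" "$SAMPLE_GETENT" 20000 29999
```

Any account reported UNRESOLVED is one that smbd and chown cannot map to a Unix identity, which is exactly the "invalid user" failure above.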
On Fri, 6 Apr 2018 07:07:24 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> We are having some issues with LDAP authentication. Here is our setup
>
> PDC and LDAP(samba classic) = dc01
> SambaClassic domain = stdom
> Member server = fs01
>
> - fs01 is joined to the pdc using net rpc join.
> - getent passwd doesn't list the new users.
> - wbinfo -u lists all the users in LDAP
> - we are using lib-nss in PDC to authenticate the users
> - ufw is disabled in both
>

I can confirm that a Unix domain member of an NT4-style domain doesn't work for users; groups yes, users no.

I have tried every permutation of 'idmap config' lines I can think of, including the deprecated 'idmap uid' and 'idmap gid'. Most of the time 'winbind' crashed, but this is probably down to the settings in smb.conf, even though 'testparm' showed no errors.

One very strange thing I had to do (and I have never had to do before): I had to set the 'netbios name' to the same value as the 'workgroup' parameter. Without this, neither 'wbinfo -u' nor 'wbinfo -g' worked.

The reason seems to be that 'winbind' cannot find a Unix account for the users. Adding a Unix user doesn't help either.

Rowland
Hi,

I've gone through the following link about member servers and also the Samba 3 by Example book, and can confirm that nscd is not enabled.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

We are having some issues with LDAP authentication. Here is our setup:

PDC and LDAP (Samba classic) = dc01
Samba classic domain = stdom
Member server = fs01

We migrated from TDB to LDAP. The old TDB users are able to log in to the domain and access file shares without issues. Any new user created in LDAP is not able to access the shares. When trying to create shared drives for the new users on fs01 we get:

    chown: invalid user: `stdom\\ldaptest01:stdom\\domain users'

The smb.conf for fs01 is:

    Global parameters
    [global]
        workgroup = stdom
        netbios name = fs01
        security = domain
        wins server = 192.168.1.18
        # password server = 192.168.1.18
        local master = no
        domain master = no
        preferred master = no
        domain logons = no
        passdb backend = ldapsam:ldap://192.168.1.18
        ldap admin dn = cn=admin,dc=stdom
        ldap suffix = dc=stdom
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap user suffix = ou=users
        idmap backend = ldap
        ldap idmap suffix = ou=idmap
        idmap config * : backend = ldap
        idmap config * : range = 20000-29999
        idmap config * : ldap_url = ldap://192.168.1.18
        idmap config * : ldap_base_dn = ou=idmap,dc=stdom
        idmap config * : ldap_user_dn = cn=admin,dc=stdom
        ldap delete dn = no
        #ldap password sync = yes
        ldap ssl = off
        #winbind expand groups = 1
        #winbind trusted domains only = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

The /etc/nsswitch.conf is:

    #passwd: compat
    #group: compat
    shadow: compat
    passwd: winbind files
    group: winbind files

We have tried 'files winbind' too.

Other info:
- getent passwd and getent group seem to be listing output from the local passwd and group files.
- fs01 is joined to the PDC using net rpc join.
- getent passwd doesn't list the new users.
- wbinfo -u lists all the users in LDAP.
- we are using lib-nss on the PDC to authenticate the users.
- ufw is disabled on both.

Any suggestions?

Regards,
Praveen Ghimire
On Sun, 8 Apr 2018 05:55:18 +0000 Praveen Ghimire via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I've gone through the following link about member server and also the
> samba 3 by example and can confirm that nscd is not enabled.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
>
> We are having some issues with LDAP authentication. Here is our setup
>
>
> Any suggestions?
>

Hi,

I take it you missed my post yesterday, where I agreed with you that using winbind on a Unix domain member doesn't work for users.

You seem to have two options here: file a bug report about the problem and then wait to see if it gets fixed, or do the sensible thing and upgrade to an AD domain.

Rowland
On Mon, 9 Apr 2018 11:17:25 +0000 Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
>
> Will file a bug report even though we are upgrading to AD. Might help
> others. Can you please confirm that it affects any Unix domain member
> server using winbind regardless of tdb/ldap?
>

Never tried it against tdbsam, just ldapsam.

Rowland