On Fri, 26 Oct 2018 17:38:55 +0200
Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> On 26/10/2018 17:18, Rowland Penny via samba wrote:
> > gidNumber: 513
> [root at dc1 ~]# ldbsearch -Hldap://$(hostname -s) -k yes -P
> '(&(samaccountname=Domain Users)(gidNumber=*))' gidNumber | grep
> gidNumber | awk '{print $NF}'
> 513
>
> gid number is ok
> but on member with testparm
> idmap config lxcerruti : unix_nss_info = yes
> idmap config lxcerruti : schema_mode = rfc2307
> idmap config lxcerruti : range = 500-7999
> idmap config lxcerruti : backend = ad
> idmap config * : range = 9000-17999
> idmap config * : backend = tdb
>
> after net cache flush i see :
>
> drwxrwx-wx. 4 root 513 83 30 apr 2015 Titoli
> drwxrwxrwx. 175 root 502 8192 25 ott 12.21 usr
>
> :-(
> I'm a little bit frustrated

I take it that this is the result of something like 'ls -la /path/to/somewhere'

This is a step forward, what does 'getent passwd ausername' show ?

On a Unix domain member, with the 'idmap config' lines above, the primary group of all users will be Domain Users (513)

What does 'getent group Domain\ Users' show ?

What worries me is the group with the ID 502, which group is it ? I ask this because '502' is the RID for krbtgt.

Rowland

Hello Rowland

On 26/10/2018 18:03, Rowland Penny via samba wrote:
> what does 'getent passwd ausername' show ?

nothing :-(

[root at srvcerruti ~]# getent passwd administrator
[root at srvcerruti ~]# wbinfo --group-info='Domain users'
domain users:x:513:

> On a Unix domain member, with the 'idmap config' lines above, the
> primary group of all users will be Domain Users (513)
>
> What does 'getent group Domain\ Users' show ?

nothing anymore

> What worries me is the group with the ID 502, which group is it ?

[root at srvcerruti ~]# wbinfo --gid-info 502
g_cerruti:x:502:

g_cerruti is mapping of domain users

--
Corrado Ravinetto

On Mon, 29 Oct 2018 09:41:40 +0100
Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> Hello Rowland
>
> On 26/10/2018 18:03, Rowland Penny via samba wrote:
> > what does 'getent passwd ausername' show ?
> nothing :-(

Is this on a DC or a Unix domain member ?

If you are compiling Samba yourself, have you created the libnss_winbind links ? See here:
https://wiki.samba.org/index.php/Libnss_winbind_Links

Have you set up PAM ? See here:
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

>
> [root at srvcerruti ~]# getent passwd administrator

This should only return anything on a DC or a Unix domain member using the winbind 'rid' backend, but you shouldn't use Administrator directly on a Unix machine.

> [root at srvcerruti ~]# wbinfo --group-info='Domain users'
> domain users:x:513:

For you this is correct.

> What does 'getent group Domain\ Users' show ?
> nothing anymore

Probably/possibly connected with lack of links and PAM

> > What worries me is the group with the ID 502, which group is it ?
> [root at srvcerruti ~]# wbinfo --gid-info 502
> g_cerruti:x:502:
>
> g_cerruti is mapping of domain users

Then un-map it. You do not use group mappings in AD.

Rowland
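
Added example, not part of the thread and not Samba's own code: a shell helper that reads 'idmap config' lines such as the testparm output quoted above and reports which idmap domain and backend a given ID falls under, confirming that both 513 and 502 land in the 'ad' range. The function name `idmap_owner` and the variable `IDMAP_SAMPLE` are illustrative assumptions.

```shell
# Constructed sample: the idmap lines from the testparm output quoted in the thread.
IDMAP_SAMPLE='idmap config lxcerruti : unix_nss_info = yes
idmap config lxcerruti : schema_mode = rfc2307
idmap config lxcerruti : range = 500-7999
idmap config lxcerruti : backend = ad
idmap config * : range = 9000-17999
idmap config * : backend = tdb'

# idmap_owner ID [CONFIG_TEXT]
# Prints "<domain> <backend>" for the first idmap domain whose range
# contains ID, or "unmapped" when no configured range covers it.
idmap_owner() {
    printf '%s\n' "${2:-$IDMAP_SAMPLE}" | awk -v id="$1" '
        /^[ \t]*idmap config / {
            line = $0
            sub(/^[ \t]*idmap config[ \t]+/, "", line)
            eq = index(line, "=")
            if (!eq) next
            key = substr(line, 1, eq - 1)          # "domain : option"
            val = substr(line, eq + 1)             # option value
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            split(key, dp, ":")
            dom = dp[1]; opt = dp[2]
            gsub(/[ \t]/, "", dom); gsub(/[ \t]/, "", opt)
            if (!(dom in seen)) { seen[dom] = 1; order[++n] = dom }
            if (opt == "backend") backend[dom] = val
            if (opt == "range") {
                split(val, r, "-")
                lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if ((d in lo) && id + 0 >= lo[d] && id + 0 <= hi[d]) {
                    print d, backend[d]
                    exit
                }
            }
            print "unmapped"
        }'
}
```

Pass real output as the second argument, for example `idmap_owner 502 "$(testparm -s 2>/dev/null)"`. An ID that falls in the gap between the two ranges (8000-8999 here) is reported as unmapped.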