On Mon, 6 May 2019 09:08:10 +0200 Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:

> Hi,
>
> sorry for the mistake, I meant
>
> getent passwd vincent shows nothing and I got in the log file:
>
> winbindd_getpwnam: My domain -- rejecting getpwnam() for FOO\vincent.
>
> 'wbinfo -u | grep 'vincent' returns vincent, it's the good username.
>

Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will know the user, even if the smb.conf appears to be correct.

You originally posted this:

idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes

So, does 'vincent' have a uidNumber attribute containing a number inside the range '10000-99999999' AND either a gidnumber attribute containing the gidNumber of an AD group, or does Domain Users have gidNumber attribute? The gidNumber must be inside the same range.

Rowland

On 06/05/2019 at 10:46, Rowland Penny via samba wrote:

> On Mon, 6 May 2019 09:08:10 +0200
> Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
>
>> Hi,
>>
>> sorry for the mistake, I meant
>>
>> getent passwd vincent shows nothing and I got in the log file:
>>
>> winbindd_getpwnam: My domain -- rejecting getpwnam() for FOO\vincent.
>>
>> 'wbinfo -u | grep 'vincent' returns vincent, it's the good username.
>>
> Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will
> know the user, even if the smb.conf appears to be correct.
>
> You originally posted this:
>
> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 10000-999999
> idmap config FOO:unix_nss_info = yes
> idmap config FOO:unix_primary_group = yes
>
> So, does 'vincent' have a uidNumber attribute containing a number
> inside the range '10000-99999999' AND either a gidnumber attribute
> containing the gidNumber of an AD group, or does Domain
> Users have gidNumber attribute? The gidNumber must be inside the same
> range.
>
> Rowland

Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and primaryGroupID 513.

513 corresponds to the group "Domain Users", which has gidNumber 13010

Vincent

On Mon, 6 May 2019 10:58:56 +0200 Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:

> On 06/05/2019 at 10:46, Rowland Penny via samba wrote:
> > On Mon, 6 May 2019 09:08:10 +0200
> > Vincent Ducot <vincent.ducot at rubycat-labs.com> wrote:
> >
> >> Hi,
> >>
> >> sorry for the mistake, I meant
> >>
> >> getent passwd vincent shows nothing and I got in the log file:
> >>
> >> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> >> FOO\vincent.
> >>
> >> 'wbinfo -u | grep 'vincent' returns vincent, it's the good
> >> username.
> > Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will
> > know the user, even if the smb.conf appears to be correct.
> >
> > You originally posted this:
> >
> > idmap config FOO:backend = ad
> > idmap config FOO:schema_mode = rfc2307
> > idmap config FOO:range = 10000-999999
> > idmap config FOO:unix_nss_info = yes
> > idmap config FOO:unix_primary_group = yes
> >
> > So, does 'vincent' have a uidNumber attribute containing a number
> > inside the range '10000-99999999' AND either a gidnumber attribute
> > containing the gidNumber of an AD group, or does Domain
> > Users have gidNumber attribute? The gidNumber must be inside the
> > same range.
> >
> > Rowland
>
> Yes, user 'vincent' has uidNumber 10010, gidNumber 13010 and
> primaryGroupID 513.
>
> 513 corresponds to the group "Domain Users", which has gidNumber
> 13010
>
> Vincent
>

OK, can you try something as a test?

Change this:

idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes

To this:

idmap config FOO:backend = rid
idmap config FOO:range = 10000-999999

Restart Samba and run:

net cache flush

Then run:

getent passwd vincent

This will test the connectivity between your Unix domain member and the DC. Don't worry if you get IDs that you don't expect, this is just a test, just change everything back after the test.

Rowland
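
Added example, not part of the original thread or of Samba: the attribute check Rowland asks about for the 'ad' backend, run against the smb.conf lines quoted above and the values Vincent reported. The names parse_idmap and check_ad_mapping and the record layout are hypothetical; the unix_primary_group handling follows the idmap_ad manual page, and in practice the attribute values would come from an LDAP query against the DC.

```python
import re

# Settings quoted in the thread. The user and group records are constructed
# from the values Vincent reported; they are not an LDAP dump.
SMB_CONF = """\
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 10000-999999
idmap config FOO:unix_nss_info = yes
idmap config FOO:unix_primary_group = yes
"""
VINCENT = {"uidNumber": 10010, "gidNumber": 13010, "primaryGroupID": 513}
GROUPS = {513: {"name": "Domain Users", "gidNumber": 13010}}  # keyed by RID

def parse_idmap(conf, domain):
    """Collect 'idmap config DOMAIN:key = value' lines for one domain."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)
    found = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m and m.group(1).upper() == domain.upper():
            found[m.group(2).lower()] = m.group(3)
    return found

def check_ad_mapping(settings, user, groups):
    """Return reasons the 'ad' backend would have no usable IDs (hypothetical helper)."""
    low, high = (int(n) for n in settings["range"].split("-"))
    def usable(n):
        return n is not None and low <= n <= high
    problems = []
    if not usable(user.get("uidNumber")):
        problems.append("uidNumber missing or outside %d-%d" % (low, high))
    if settings.get("unix_primary_group", "no").lower() == "yes":
        # Primary group comes from the user's own gidNumber attribute,
        # which has to be the gidNumber of an existing AD group.
        gid = user.get("gidNumber")
        if gid is not None and not any(g.get("gidNumber") == gid for g in groups.values()):
            problems.append("user gidNumber does not match any AD group")
    else:
        # Primary group comes from primaryGroupID (513 = Domain Users),
        # so that group needs a gidNumber attribute itself.
        gid = groups.get(user.get("primaryGroupID"), {}).get("gidNumber")
    if not usable(gid):
        problems.append("primary group gidNumber missing or outside %d-%d" % (low, high))
    return problems

if __name__ == "__main__":
    print(check_ad_mapping(parse_idmap(SMB_CONF, "FOO"), VINCENT, GROUPS) or "no attribute problem found")
```

An empty result only means the attributes satisfy the range rules; it says nothing about connectivity to the DC, which the rid test above exercises.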