Edouard Guigné
2019-Jun-18 19:41 UTC
[Samba] Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Is it possible to make start DOMAIN range from 500 instead of 10000 ?

I realized that all my gid are in range 500 to 600 and not in range 10000 - 14999

I thought DOMAIN range 10000 - 14999 was reserved for DOMAIN users

-------- Forwarded message --------
Subject: Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Date: Tue, 18 Jun 2019 16:25:39 -0300
From: Edouard Guigné via samba <samba at lists.samba.org>
Reply-To: Edouard Guigné <eguigne at pasteur-cayenne.fr>
To: samba at lists.samba.org

And What about Domain Admins gid ?

Should also be in the DOMAIN range ?

On 18/06/2019 at 16:07, Rowland penny via samba wrote:
> On 18/06/2019 19:49, Edouard Guigné via samba wrote:
>> gidNumber for 'Domain Users' is 513
>>
>> not in range '10000-14999' of uidNumber
>>
>> Is it a problem ?
>
> Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside
> the DOMAIN range you set in smb.conf, if they aren't, all your users
> WILL be ignored by Samba.
>
> Find the next available gidNumber in AD and change the 'Domain User'
> gidNumber to this and I am very sure everything will then work.
>
> Rowland
>

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2019-Jun-18 20:06 UTC
[Samba] Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 20:41, Edouard Guigné via samba wrote:
> Is it possible to make start DOMAIN range from 500 instead of 10000 ?

Classicupgrade ?

>
> I realized that all my gid are in range 500 to 600 and not in range
> 10000 - 14999

Looks like you are going to have to use 500 for your lower DOMAIN range start, but this will mean that you will not be able to have any local Unix users and could have problems with potential local system users or groups if their Unix ID is 500 or above.

> I thought DOMAIN range 10000 - 14999 was reserved for DOMAIN users

No, you can use the same range for groups and users, the user with ID '10000' will never be mistaken for the group with the ID '10000'

Have you read these Samba wiki pages:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
Edouard Guigné
2019-Jun-19 14:50 UTC
[Samba] Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Hello,

I performed a test in order to get access to my samba share with winbindd (and not sssd).

For that,

1. I change the gid of domain users from 513 to 15513 (to match with the domain range 10000 - 14999)
   And verify my test user is part of 15513

2. Stop sssd and change nsswitch.conf like this :

   passwd:     files winbind
   shadow:     files
   group:      files winbind

3. Restart winbindd and smb, with
   # net cache flush

Unfortunately, I still cannot mount the share on my win7 test workstation.

In log, I found :

myw7worstation.log

   [2019/06/19 11:15:15.806577,  1] ../source3/smbd/service.c:521(make_connection_snum)
     create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
   [2019/06/19 11:15:25.288729,  1] ../source3/smbd/service.c:521(make_connection_snum)
     create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
   [2019/06/19 11:17:04.348099,  1] ../source3/smbd/service.c:521(make_connection_snum)
     create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

log.winbindd-idmap

   [2019/06/18 14:43:16.926952,  1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
     tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: transaction error pending
   [2019/06/18 14:43:16.926982,  1] ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)
     Error allocating a new GID
   [2019/06/18 14:43:16.927123,  1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
     tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: transaction error pending
   [2019/06/18 14:43:16.927140,  1] ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)
     Error allocating a new GID
   [2019/06/18 14:46:23.754692,  0] ../source3/winbindd/winbindd.c:239(winbindd_sig_term_handler)

From my win7 test workstation, the samba share is mounted with a script at logon, with the "net use" command. The command does not work, and when I try to mount the share manually (same syntax as the one in the logon script), I get :

   net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
   "invalid password for \\mysambaserver\groups"

(I am sure of the password)

What could be wrong ?

In my smb.conf, I set

   valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"

Can be the reason ?

Edouard

On 18/06/2019 at 17:06, Rowland penny via samba wrote:
> On 18/06/2019 20:41, Edouard Guigné via samba wrote:
>> Is it possible to make start DOMAIN range from 500 instead of 10000 ?
> Classicupgrade ?
>>
>> I realized that all my gid are in range 500 to 600 and not in range
>> 10000 - 14999
> Looks like you are going to have to use 500 for your lower DOMAIN
> range start, but this will mean that you will not be able to have any
> local Unix users and could have problems with potential local system
> users or groups if their Unix ID is 500 or above.
>
>> I thought DOMAIN range 10000 - 14999 was reserved for DOMAIN users
>
> No, you can use the same range for groups and users, the user with ID
> '10000' will never be mistaken for the group with the ID '10000'
>
> Have you read these Samba wiki pages:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> Rowland
>
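Added example, not part of the thread or of Samba: a small offline check of the rule discussed above, that every uidNumber/gidNumber must fall inside the DOMAIN range set in smb.conf, that idmap ranges must not overlap, and that local Unix IDs should stay outside the DOMAIN range. The smb.conf fragment, the `*` range, the AD entries and the local group lines are constructed sample data; the function names are hypothetical.

```python
import re

# Constructed smb.conf fragment; the MYDOMAIN range is the one discussed in the thread.
SMB_CONF = """
[global]
    workgroup = MYDOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-14999
"""
# Constructed AD attribute values; 513 and 15513 are the gidNumbers mentioned in the thread.
AD_IDS = [("Domain Users (original)", 513), ("Domain Users (changed)", 15513),
          ("usertest", 10001), ("no-rfc2307-attrs", None)]
# Constructed /etc/group lines.
LOCAL_GROUP = "root:x:0:\nusers:x:100:\nlocalgrp:x:500:\n"

RANGE_RE = re.compile(
    r"^[ \t]*idmap config[ \t]+([^\s:]+)[ \t]*:[ \t]*range[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
    re.I | re.M)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def overlapping(ranges):
    """Pairs of domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def out_of_range(entries, low, high):
    """Names whose uidNumber/gidNumber is unset or outside low..high (inclusive)."""
    return [name for name, num in entries if num is None or not low <= num <= high]

def local_collisions(id_file_text, low, high):
    """Local passwd/group entries whose numeric ID sits inside the DOMAIN range."""
    hits = []
    for line in id_file_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit() and low <= int(f[2]) <= high:
            hits.append((f[0], int(f[2])))
    return hits

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["MYDOMAIN"]
    print("overlapping ranges:", overlapping(idmap_ranges(SMB_CONF)))
    print("outside DOMAIN range:", out_of_range(AD_IDS, low, high))
    print("local IDs if range started at 500:", local_collisions(LOCAL_GROUP, 500, high))
```

On a real domain member the ID values would come from the AD uidNumber/gidNumber attributes and from /etc/passwd and /etc/group rather than from the inline samples.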