samba - Dec 2019 - security = ads, backend = ad parameter not working in samba 4.10.10

On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba
wrote:
> On 05/12/2019 06:16, S?rgio Basto wrote:
> > Sorry , I spoke too soon getent passwd "a new user to this
server"
> > doesn't work .
> > But wbinfo -u or wbinfo -g always worked perfectly in any case ,
> > why
> > getent don't ?
> > 
> If 'wbinfo -u' works, 'getent passwd username' doesn't,
then it
> points 
> to a lack of, or wrong, rfc2307 attributes (if you are using the
> 'ad' 
> backend).
> 
> Any users you want to be visible to Unix, must have a uidNumber 
> attribute containing a unique number inside the DOMAIN range set in 
> smb.conf. You MUST also give Domain Users a gidNumber containing a 
> number inside the same range.
yes, I use backend = ad , if configure backend = ad with realm [1] (as
you said is wrong ) every 'getent passwd username' give me a new
uidNumber or make a new uidNumber in sequence [1].
when I  configure backend = ad with workgroup (as you said that must
have to be ) 'getent passwd username' don't produce any new id .
and in /var/log/samba/winbindd.log I see 
Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662:
NT_STATUS_NO_SUCH_USER


[1]
idmap config CORP.LOCAL : backend = ad

[2]
root at repo:~# getent passwd "vmjp01"
vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
root at repo:~# getent passwd "maa001"
maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
root at repo:~# getent passwd "tsdg01"
tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
root at repo:~# getent passwd "rmac01"
rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false


> Rowland
> 
> 
> 
-- 
S?rgio M. B.

On 05/12/2019 17:00, S?rgio Basto wrote:
> On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
>> On 05/12/2019 06:16, S?rgio Basto wrote:
>>> Sorry , I spoke too soon getent passwd "a new user to this
server"
>>> doesn't work .
>>> But wbinfo -u or wbinfo -g always worked perfectly in any case ,
>>> why
>>> getent don't ?
>>>
>> If 'wbinfo -u' works, 'getent passwd username'
doesn't, then it
>> points
>> to a lack of, or wrong, rfc2307 attributes (if you are using the
>> 'ad'
>> backend).
>>
>> Any users you want to be visible to Unix, must have a uidNumber
>> attribute containing a unique number inside the DOMAIN range set in
>> smb.conf. You MUST also give Domain Users a gidNumber containing a
>> number inside the same range.
> yes, I use backend = ad , if configure backend = ad with realm [1] (as
> you said is wrong ) every 'getent passwd username' give me a new
> uidNumber or make a new uidNumber in sequence [1].
> when I  configure backend = ad with workgroup (as you said that must
> have to be ) 'getent passwd username' don't produce any new id
.
> and in /var/log/samba/winbindd.log I see
> Could not convert sid S-1-5-21-2685600491-4108878147-961307473-2662:
> NT_STATUS_NO_SUCH_USER
>
>
> [1]
> idmap config CORP.LOCAL : backend = ad
>
> [2]
> root at repo:~# getent passwd "vmjp01"
> vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> root at repo:~# getent passwd "maa001"
> maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> root at repo:~# getent passwd "tsdg01"
> tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> root at repo:~# getent passwd "rmac01"
> rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
>
>
>
>> Rowland
>>
>>
>>
Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to 
your users and groups in AD ?

Rowland

On Thu, 2019-12-05 at 17:15 +0000, Rowland penny via samba
wrote:
> On 05/12/2019 17:00, S?rgio Basto wrote:
> > On Thu, 2019-12-05 at 10:15 +0000, Rowland penny via samba wrote:
> > > On 05/12/2019 06:16, S?rgio Basto wrote:
> > > > Sorry , I spoke too soon getent passwd "a new user to
this
> > > > server"
> > > > doesn't work .
> > > > But wbinfo -u or wbinfo -g always worked perfectly in any
case
> > > > ,
> > > > why
> > > > getent don't ?
> > > > 
> > > If 'wbinfo -u' works, 'getent passwd username'
doesn't, then it
> > > points
> > > to a lack of, or wrong, rfc2307 attributes (if you are using the
> > > 'ad'
> > > backend).
> > > 
> > > Any users you want to be visible to Unix, must have a uidNumber
> > > attribute containing a unique number inside the DOMAIN range set
> > > in
> > > smb.conf. You MUST also give Domain Users a gidNumber containing
> > > a
> > > number inside the same range.
> > yes, I use backend = ad , if configure backend = ad with realm [1]
> > (as
> > you said is wrong ) every 'getent passwd username' give me a
new
> > uidNumber or make a new uidNumber in sequence [1].
> > when I  configure backend = ad with workgroup (as you said that
> > must
> > have to be ) 'getent passwd username' don't produce any
new id .
> > and in /var/log/samba/winbindd.log I see
> > Could not convert sid S-1-5-21-2685600491-4108878147-961307473-
> > 2662:
> > NT_STATUS_NO_SUCH_USER
> > 
> > 
> > [1]
> > idmap config CORP.LOCAL : backend = ad
> > 
> > [2]
> > root at repo:~# getent passwd "vmjp01"
> > vmjp01:*:1000019:1000000::/srv/samba/users/vmjp01:/bin/false
> > root at repo:~# getent passwd "maa001"
> > maa001:*:1000020:1000000::/srv/samba/users/maa001:/bin/false
> > root at repo:~# getent passwd "tsdg01"
> > tsdg01:*:1000021:1000000::/srv/samba/users/tsdg01:/bin/false
> > root at repo:~# getent passwd "rmac01"
> > rmac01:*:1000022:1000000::/srv/samba/users/rmac01:/bin/false
> > 
> > 
> > 
> > > Rowland
> > > 
> > > 
> > > 
> Have you added any RFC2307 attributes (uidNumber, gidNumber, etc) to 
> your users and groups in AD ?
Users is AD was migrated from one SAMBA sernet 4.0.0 , I don't know but
I think not , what you recommend ? 
I don't find ATM the scripts to convert users but I used ldb tools ... 

> Rowland
> 
> 
> 
-- 
S?rgio M. B.