2 questions?

Did you assign an UID and GID to the users (and "domain users")?
Please read and adjust where needed:
https://wiki.samba.org/index.php/Idmap_config_ad

If that is all correct and you already did set UID/GID,
and if it's available, what is in /etc/idmap.conf?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mr Typo via samba
> Sent: Tuesday 20 July 2021 12:36
> To: Rowland Penny
> CC: sambalist
> Subject: Re: [Samba] Problem with Samba as Member to AD
>
> Hey Rowland,
>
> I hope you can help me again. I can't find the error. I did install a
> fresh CentOS and used the same config as we discussed last week.
>
> No sssd and no nscd is configured. I can do a SID to uid lookup, but I
> can't look up uids to SID.
>
> I hope you can help me again, I have no idea where to look.
>
> best regards
>
> Typo
>
> [root@sv2-ftp01p ~]# wbinfo -s S-1-1-0
> \Everyone 5
> [root@sv2-ftp01p ~]# wbinfo -s S-1-5-2
> NT Authority\Network 5
> [root@sv2-ftp01p ~]# wbinfo -u | head -5
> administrator
> gast
> krbtgt
> itxadmin
> itxuser
> [root@sv2-ftp01p ~]# wbinfo --ping-dc
> checking the NETLOGON for domain[PFW] dc connection to "sv1-dc01p.pfw.local" succeeded
> [root@sv2-ftp01p ~]# net ads info
> LDAP server: 10.40.130.10
> LDAP server name: sv1-dc01p.pfw.local
> Realm: PFW.LOCAL
> Bind Path: dc=PFW,dc=LOCAL
> LDAP port: 389
> Server time: Tue, 20 Jul 2021 12:14:29 CEST
> KDC server: 10.40.130.10
> Server time offset: 0
> Last machine account password change: Tue, 20 Jul 2021 11:28:26 CEST
> [root@sv2-ftp01p ~]# cat /etc/nsswitch.conf|grep winbi
> passwd: files winbind systemd
> group: files winbind systemd
>
> [root@sv2-ftp01p ~]# id itxadmin
> id: 'itxadmin': no such user
> [root@sv2-ftp01p ~]# getent passwd itxadmin
> [root@sv2-ftp01p ~]# wbinfo -s S-1-5-21-4080695503-475066264-1108356078-1110
> PFW\adadmsar 1
> [root@sv2-ftp01p ~]# id adadmsar
> id: 'adadmsar': no such user
> [root@sv2-ftp01p ~]# wbinfo -i srvadmsar
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> smb.conf
>
> [global]
> workgroup = PFW
> realm = PFW.LOCAL
> security = ads
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config PFW:backend = ad
> idmap config PFW:schema_mode = rfc2307
> idmap config PFW:range = 10000-999999
> idmap config PFW:unix_nss_info = yes
> template homedir = /home/%U
> template shell = /bin/false
> winbind use default domain = true
> winbind enum users = yes
> winbind offline logon = true
> log file = /var/log/samba/log.%m
> max log size = 50
> log level = 9
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> On Sun, Jul 18, 2021 at 12:27 PM Mr Typo <euroregistrar at gmail.com> wrote:
> >
> > Hey Rowland,
> >
> > thank you for your answers and help. I found another Layer8 problem
> > and now it is working as expected.
> >
> > thank you again!
> >
> > Typo
> >
> > On Sun, Jul 18, 2021 at 12:04 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sun, 2021-07-18 at 11:55 +0200, Mr Typo wrote:
> > > > Yeah reading attributes from ad, like unixHomeDirectory and
> > > > loginShell
> > > >
> > > > When I understand it right, I can use
> > > > template homedir = /home/%U
> > > >
> > > > for default values and setting the unixHomeDirectory and loginShell
> > > > if I want another value, correct?
> > >
> > > Yes and no :-)
> > >
> > > Yes, you can add them to AD, but no they will not be used unless you
> > > use the winbind ad backend, try reading this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > >
> > > and this:
> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > >
> > > > currently I play with the below configuration but I just get the
> > > > template values for every user. Any ideas?
> > > >
> > > > [global]
> > > > workgroup = PFW
> > > > realm = PFW.LOCAL
> > > > security = ads
> > > > idmap config * : backend = tdb
> > > > idmap config * : range = 3000-7999
> > > > idmap config PFW:backend = ad
> > > > idmap config PFW:schema_mode = rfc2307
> > > > idmap config PFW:range = 10000-999999
> > > > idmap config PFW:unix_nss_info = yes
> > > > template homedir = /home/%U
> > > > template shell = /bin/bash
> > > > # idmap config PFW : backend = rid
> > > > # idmap config PFW : range = 500-19999999
> > > > # idmap config PFW : rangesize = 1000000
> > > > winbind use default domain = true
> > > > winbind enum users = no
> > > > winbind offline logon = true
> > > > log file = /var/log/samba/log.%m
> > > > max log size = 50
> > > > log level = 3
> > > > load printers = no
> > > > printing = bsd
> > > > printcap name = /dev/null
> > > > disable spoolss = yes
> > >
> > > That looks okay.
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba

Hello Louis,

I followed the configuration you posted before and I have a working
system: (same smb.conf)

[root@smbtest-andi ~]# wbinfo -i srvadmsar
srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash
wbinfo -i itxadmin
itxadmin:*:1001606:1001013::/home/itxadmin:/bin/false

idmap.conf is default on both systems

cat /etc/idmapd.conf |egrep -v '(^#|^$)'
[General]
[Mapping]
[Translation]

[Static]
[UMICH_SCHEMA]
LDAP_server = ldap-server.local.domain.edu
LDAP_base = dc=local,dc=domain,dc=edu

On Tue, Jul 20, 2021 at 12:53 PM L.P.H. van Belle via samba
<samba at lists.samba.org> wrote:
>
> 2 questions?
>
> Did you assign an UID and GID to the users (and "domain users")?
> Please read and adjust where needed:
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> If that is all correct and you already did set UID/GID,
> and if it's available, what is in /etc/idmap.conf?
>
> Greetz,
>
> Louis

So to be sure, all is working correctly now?

Because I did see something else.
You have in smb.conf:
idmap config PFW:range = 10000-999999

And your output of wbinfo shows:
wbinfo -i srvadmsar
> srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash

1001626 is better than the max UID/GID you assigned in smb.conf (999999)

Greetz,

Louis

> -----Original message-----
> From: Mr Typo [mailto:euroregistrar at gmail.com]
> Sent: Tuesday 20 July 2021 13:04
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Problem with Samba as Member to AD
>
> Hello Louis,
>
> I followed the configuration you posted before and I have a working
> system: (same smb.conf)
>
> [root@smbtest-andi ~]# wbinfo -i srvadmsar
> srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash
> wbinfo -i itxadmin
> itxadmin:*:1001606:1001013::/home/itxadmin:/bin/false
>
> idmap.conf is default on both systems
>
> cat /etc/idmapd.conf |egrep -v '(^#|^$)'
> [General]
> [Mapping]
> [Translation]
>
> [Static]
> [UMICH_SCHEMA]
> LDAP_server = ldap-server.local.domain.edu
> LDAP_base = dc=local,dc=domain,dc=edu
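
The last message points out that the IDs returned by `wbinfo -i` (1001626, 1001013) lie above the upper bound of `idmap config PFW:range = 10000-999999`; the idmap_ad range acts as a filter, so IDs stored in AD outside it are discarded. The check below is an added example and not part of the thread: the function names `idmap_range`, `check_ids` and `report` are hypothetical, and the sample input is constructed from the values quoted above.

```sh
#!/bin/sh
# Added example: compare passwd-format IDs against an "idmap config" range.

# Constructed sample input, built from values quoted in the thread.
SMB_CONF_SAMPLE='[global]
    workgroup = PFW
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config PFW:backend = ad
    idmap config PFW:schema_mode = rfc2307
    idmap config PFW:range = 10000-999999'

PASSWD_SAMPLE='srvadmsar:*:1001626:1001013:Server Admin S:/home/srvadmsar:/bin/bash
itxadmin:*:1001606:1001013::/home/itxadmin:/bin/false'

# idmap_range DOMAIN: read smb.conf text on stdin, print "LOW HIGH" for DOMAIN.
idmap_range() {
    awk -v dom="$1" '
    {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        if (line ~ /^[#;]/ || line !~ /^idmap config/) next   # skip comments
        n = index(line, "=")
        if (n == 0) next
        key = substr(line, 1, n - 1); val = substr(line, n + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        # smb.conf accepts both "PFW:range" and "PFW : range"
        if (key == ("idmapconfig" tolower(dom) ":range")) {
            split(val, r, "-"); print r[1], r[2]; exit
        }
    }'
}

# check_ids LOW HIGH: read passwd-format lines on stdin, print one verdict
# per account, return 1 if any uid or gid is outside LOW..HIGH.
check_ids() {
    awk -F: -v lo="$1" -v hi="$2" '
    function st(id) { return (id + 0 >= lo + 0 && id + 0 <= hi + 0) ? "ok" : "outside" }
    NF >= 4 {
        u = st($3); g = st($4)
        printf "%s uid=%s(%s) gid=%s(%s)\n", $1, $3, u, $4, g
        if (u != "ok" || g != "ok") bad = 1
    }
    END { exit bad + 0 }'
}

# report DOMAIN: run the check on the constructed samples above.
report() {
    domain=$1
    range=$(printf '%s\n' "$SMB_CONF_SAMPLE" | idmap_range "$domain")
    if [ -z "$range" ]; then
        echo "no idmap range configured for $domain" >&2
        return 2
    fi
    set -- $range
    printf '%s\n' "$PASSWD_SAMPLE" | check_ids "$1" "$2"
}

report PFW || echo "at least one ID is outside the PFW idmap range"
```

On a member server, feed `idmap_range` the host's own smb.conf and `check_ids` the passwd-format lines from a system where `wbinfo -i` resolves.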