similar to: AD trust with winbind

Hi Ralph When you said I can't use idmap_ad in my trusting domain because 'we're not allowed to talk to a DC in the trusted domain', does that still apply even if we can provide a read-only DC from the trusted domain inside the trusting domain network? Thanks, Rob -----Original Message----- From: Ralph Boehme <slow at samba.org> Sent: Tuesday, November 12, 2024 12:59

Hello What is the expected behavior of winbind on a member server when the AD DC it is communicating with becomes un-responsive? Is this a configurable behavior? Seems we have a 'hang' on authentication requests when we lose one of our DCs and a restart of winbind is our only way out at present Thanks, Rob ---------------------------------------------------------------------- This is

Hello We are running several Red Hat 7 servers as domain members using AD for winbind idmap backend and it had been working fine (no sssd is configured either) The last month or so (possibly since the latest samba-winbind package update we applied on Sep 24), server ssh logins on several servers hang on occasion, until a winbind restart, when it all works again Since this is the Red Hat

On 11/12/24 6:49 PM, Vaughan, Robert J via samba wrote: > Ok well I have that setting you mention > > I just can't map my trusted AD account in the trusting domain on my > Linux Samba domain member > > I can't see any users in the trusted domain actually > > wbinfo -u --domain=TRUSTED > > returns nothing at all this is as expected. We're not allowed

On 12/02/2023 16:40, Vaughan, Robert J via samba wrote: > Hi all > > In the idmap_config_ad wiki, it states .. > > If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD. > > Can someone explain this? > >>Yes >>Every users primaryGroupID attribute is set to 513, the RID for Domain >>Users.

I've had that happen in the past with non-RedHat linux boxes. Fortunately we have Saltstack on all the boxes and can just salt '*' cmd.run 'killall -SIGKILL winbindd; service winbind restart' But it hangs SSH sessions and things like 'ls -lha' that need to resolve usernames and groups. i.e. if you removed winbind from /etc/nsswitch.conf it would stop happening. The

Is it described anywhere how to setup a domain member to share to a trusted AD domain? Thanks, Rob -----Original Message----- From: samba <samba-bounces at lists.samba.org> On Behalf Of Ralph Boehme via samba Sent: Friday, November 8, 2024 4:35 PM To: samba at lists.samba.org Subject: Re: [Samba] Accessing Samba domain member shares from trusted domain On 11/8/24 9:33 PM, Rowland Penny

Hello list Is there a way to have wbinfo or getent list all the members of an AD group from my domain member? Thanks, Rob ---------------------------------------------------------------------- This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information. No one else may read, print, store, copy, forward or

Hello Samba listers Is there a way to search Samba share file contents from the Windows client explorer? This works on Windows shares. I can't seem to get a hit on this on Google .. Thanks, Robert Vaughan ---------------------------------------------------------------------- This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain

Hello all We have two AD domains; A for production, and B for development I am told B trusts A, but not the other way around (one-way trust) Within domain B exists a Linux Samba file server (domain member of domain B) which I am trying to access from domain A with my domain A account, but it is not working (prompts for creds) Does the Linux Samba file server need access to the domain A DC (and

Hi all In the idmap_config_ad wiki, it states .. If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD. Can someone explain this? Thanks, Robert Vaughan ---------------------------------------------------------------------- This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain

On 13/02/2023 18:54, Vaughan, Robert J via samba wrote: > > nsswitch.conf has 'files winbind' for the passwd, shadow and group lines Remove it from the shadow line, it should not be there. > > What does it mean 'winbind links set up'? It refers to the links that connect winbind to nsswitch > > OS is Red Hat 7. Any idea in those packages if I might be

> On 12/02/2023 16:40, Vaughan, Robert J via samba wrote: > Hi all > > In the idmap_config_ad wiki, it states .. > > If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD. > > Can someone explain this? > >> Yes >> >> Every users primaryGroupID attribute is set to 513, the RID for Domain

Hello We are running several Red Hat 7 servers as domain members using AD for winbind idmap backend and it had been working fine (no sssd is configured either) The last month or so (possibly since the latest samba-winbind package update we applied on Sep 24), server ssh logins on several servers hang on occasion, until a winbind restart, when it all works again Since this is the Red Hat

> I should mention, I can ssh into the server using my AD creds and the one test share I setup also maps fine, so it all seems to be working, was just curious why 'getent passwd' does not show AD accounts >>Provided that the users you want to be visible to Unix have a uidNumber >>attribute containing a unique number inside the 225-999999 range and >>Domain Users has

On 13/02/2023 19:42, Vaughan, Robert J via samba wrote: > Yeah the link is correctly setup, since it is not compiled Samba > > Ok, I found in this link .. > >

> On 12/02/2023 16:40, Vaughan, Robert J via samba wrote: > Hi all > > In the idmap_config_ad wiki, it states .. > > If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD. > > Can someone explain this? > >> Yes >> >> Every users primaryGroupID attribute is set to 513, the RID for Domain

On 13/02/2023 22:53, Vaughan, Robert J via samba wrote: > >>> Were you running 'getent passwd' rather than 'getent passwd AUSERNAME' ? > > Yes, I am used to getting that output with getent on my UNIX LDAP system. As long as I can get it from wbinfo I suppose that works too. >>Never understood why anyone requires all the users or groups on a

> The LDAP client is also Fedora 37, Samba client version also 4.17.5; > this host is joined to the Samba AD domain using "realm join ...". >>This is, in my opinion, the wrong way of joining, you should have used >>'net ads join'. >>Rowland Hi Rowland, I have noticed several times you have warned against using 'realm join' when that is the

Hello world (of Samba) We've had this periodic issue with Win 10 users 'losing their connection' to a Samba share This problem originally started on our Solaris server but we could be seeing it now on our replacement Red Hat Linux server Microsoft looked at the PC logs some time ago and stated .. "The unix device does not like some aspect of our Kerberos ticket. The device