Re: [Samba] winbind -u works, getent passwd dont't work
- Date: Mon, 30 Jan 2017 16:15:18 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] winbind -u works, getent passwd dont't work
On Mon, 30 Jan 2017 14:33:03 +0100
basti via samba <samba@xxxxxxxxxxxxxxx> wrote:
> The getent passwd works for now on my ads member, thanks a lot.
> I think I have another problem. ("FOO" is the short domain)
Yes, you haven't set up the smb.conf on the domain member correctly ;-)
> AD DC:
> getent passwd | tail -2
> FOO\sone:*:2057:513:some one:/home/FOO/sone:/bin/false
> FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
> AD Member
> FOO\sone:*:4294967295:4294967295:some one:/home/FOO/sone:/bin/false
> FOO\user:*:4294967295:4294967295:System User:/home/FOO/user:/bin/false
> UID and GID on AD member is always the same.
> My smb.conf on AD member:
> root@rtr-01:~# cat /etc/samba/smb.conf
> netbios name = rtr-01
> security = ads
> workgroup = FOO
> realm = FOO
> log file = /var/log/samba/%m.log
> log level = 2
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = ldap
So very wrong, you should only use the 'tdb' backend for the '*' domain.
> idmap config * : range = 3000-7999
And whilst '3000-7999' is okay for the '*' domain, you haven't set up
the 'FOO' domain range at all. Also, the range '500-2999' (which appears
to be what you will need to set it to) is very small and gives you
nowhere to store any local Unix users.
> # fix LDAP connection error
> ldap server require strong auth = No
This should only be in a DC smb.conf.
Can I suggest you read this:
To unsubscribe from this list go to the following URL and read the
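
The points raised in the reply above can be checked mechanically. The following is an added example, not part of the original message and not Samba code: it parses a domain-member smb.conf and reports a non-tdb backend for the '*' domain, a missing idmap range for the workgroup domain, overlapping ranges (from the comment in the quoted config), and a DC-only option on a member. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the domain-member settings quoted in the message above.
SAMPLE = """\
netbios name = rtr-01
security = ads
workgroup = FOO
realm = FOO
idmap config * : backend = ldap
idmap config * : range = 3000-7999
ldap server require strong auth = No
"""

IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)

def parse(text):
    """Return (plain options, {domain: {idmap option: value}})."""
    opts, idmap = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = (s.strip() for s in line.split("=", 1))
        m = IDMAP.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            opts[key.lower()] = value
    return opts, idmap

def check_member_conf(text):
    """List the problems the reply points out for a domain-member smb.conf."""
    opts, idmap = parse(text)
    problems, ranges = [], []
    # An unset backend counts as tdb here (assumed to be the default).
    if idmap.get("*", {}).get("backend", "tdb").lower() != "tdb":
        problems.append("'*' domain should use the tdb backend")
    domain = opts.get("workgroup", "").upper()
    if domain and "range" not in idmap.get(domain, {}):
        problems.append(f"no idmap range configured for domain {domain}")
    for dom, cfg in idmap.items():
        if re.fullmatch(r"\d+\s*-\s*\d+", cfg.get("range", "")):
            low, high = (int(n) for n in cfg["range"].split("-"))
            ranges.append((low, high, dom))
    ranges.sort()  # compare each range with the next one up
    for (_, hi, a), (lo, _, b) in zip(ranges, ranges[1:]):
        if lo <= hi:
            problems.append(f"idmap ranges of {a} and {b} overlap")
    if "ldap server require strong auth" in opts:
        problems.append("'ldap server require strong auth' is a DC-only setting")
    return problems
```

Running `check_member_conf(SAMPLE)` on the quoted configuration returns three findings, one for each correction in the reply.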