
Re: [Samba] domain member idmap wbinfo WBC_ERR_DOMAIN_NOT_FOUND

On Mon, 10 Jul 2017 14:17:42 +1000
Tom Robinson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I've done a classic upgrade from samba 3.6.23 to samba 4.6.5,
> bringing across all the user accounts. The samba 3.6.23 we set up
> with smbldap as an NT Domain with OpenLDAP. After a lot of effort the
> classic upgrade worked well, but now I'm a bit stuck with idmapping.
> 
> The new AD DC is running 4.6.5 on CentOS7 and I can connect using
> ADUC. I set up a separate AD DM on another CentOS7 install, but
> mapping IDs is confusing me.
> 
> All the users and groups brought across have 'UNIX Attributes'
> assigned when I check in ADUC. BUILTINs and other 'Well Known' SIDS
> don't.
> 
> Part of my issue may stem from the fact that the original samba 3.6
> POSIX UIDs/GIDs were all low numbers (starting at around 500 and up).
> The accounts are legacy upon legacy, originally coming
> from /etc/{passwd,group} files that were manually sync'ed from host
> to host to host a long time ago (before my time) then brought into
> samba 3.6.23/OpenLDAP and now samba 4.6.5. Are these low numbered
> UIDs an issue?
> 
> On the DM I am getting an error: WBC_ERR_DOMAIN_NOT_FOUND when using
> wbinfo. This is very similar to thread:
> 
> https://lists.samba.org/archive/samba/2015-November/195991.html
> 
> On the DC:
> 
> # wbinfo -u
> MY.DOM\administrator
> MY.DOM\auser
> MY.DOM\user2
> MY.DOM\user3
> ...
> 
> # wbinfo -n auser
> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
> 
> # wbinfo -i auser
> MY.DOM\auser:*:592:100::/home/MY.DOM/auser:/bin/false
> 
> On the DM:
> 
> # wbinfo -u
> MY.DOM\administrator
> MY.DOM\auser
> MY.DOM\user2
> MY.DOM\user3
> ...
> 
> # wbinfo -n auser
> S-1-5-21-2252255531-4061614174-2474224977-2184 SID_USER (1)
> 
> # wbinfo -i auser
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user auser
> 
> BUT still on the DM:
> 
> # wbinfo -i MY.DOM\\auser
> MY.DOM\auser:*:592:513:Adam User:/home/MY.DOM/auser:/bin/false
> 
> # getent passwd auser
> 
> (returns with $?=2, no output)
> 
> Here are my DM config files:
> 
> /etc/samba/smb.conf
> 
> [global]
>         security = ADS
>         workgroup = MY.DOM
>         realm = DOM.MOTEC.COM.AU
> 
>         log level = 1 winbind:1 idmap:1
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 3000000-3999999
>         idmap config MY.DOM : backend = ad
>         idmap config MY.DOM : schema_mode = rfc2307
>         idmap config MY.DOM : range = 500-10000
>         idmap config MY.DOM : unix_nss_info = yes
> 
> # grep winbind /etc/nsswitch.conf
> passwd:     files winbind sss
> group:      files winbind sss
> 
> Any help is appreciated.
> 
> Kind regards,
> Tom
> 

Before 4.6.0 all users had to use 'Domain Users' as their primary group,
and so you had to give 'Domain Users' a gidNumber inside the range set
in smb.conf (in your case 500-10000). From 4.6.0 you still have to do
this unless you also added 'idmap config <DOMAIN> :
unix_primary_group = yes' to smb.conf. You will then have to give every
user a gidNumber attribute; this attribute will contain the ID number
of the group you want to use for the user (which of course means the
group in question will also have to have a gidNumber containing the
same ID number).

The problem with using low ID numbers with Samba isn't a problem for
Samba until something goes wrong. At that point the only user that
will be able to log in would be root, because you will not be
able to have ANY local Unix users (or groups).

I hope that 'MY.DOM' is just a placeholder for your NetBIOS domain
name and your real one is just one word without dots.

Why do you have sssd installed? I hope you are not using it for
authentication in any way.

Rowland
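The range and primary-group requirements described in the reply above, as an added checker that is not part of this thread or of Samba itself: it parses the `idmap config <DOMAIN> : range` lines from a constructed smb.conf and reports the IDs a domain member could not map or that would collide with local accounts. The domain name MYDOM, the user/group IDs and the local IDs are constructed sample values modelled on the thread.

```python
import re

# Constructed smb.conf fragment, modelled on the domain member config in the thread.
SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000000-3999999
        idmap config MYDOM : backend = ad
        idmap config MYDOM : schema_mode = rfc2307
        idmap config MYDOM : range = 500-10000
"""
# Constructed AD objects: users map name -> (uidNumber, gidNumber); groups map name -> gidNumber.
USERS = {"auser": (592, 513), "user2": (593, 100), "user3": (70000, 513)}
GROUPS = {"Domain Users": 513, "staff": 100}
# Constructed IDs already present in the member's local /etc/passwd and /etc/group.
LOCAL_IDS = {0, 1, 48, 500, 592}

IDMAP_RANGE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {dom: (int(lo), int(hi)) for dom, lo, hi in IDMAP_RANGE.findall(conf)}

def check_idmap(conf, domain, users, groups, local_ids):
    """Return the problems that would leave users unmappable or colliding on the member."""
    ranges = parse_idmap_ranges(conf)
    if domain not in ranges:
        return [f"no idmap range configured for {domain}"]
    lo, hi = ranges[domain]
    problems = []
    def in_range(n):
        return lo <= n <= hi
    for name, (uid, gid) in users.items():
        # winbind only maps a uidNumber that lies inside the domain's range.
        if not in_range(uid):
            problems.append(f"user {name}: uidNumber {uid} outside {lo}-{hi}")
        # The primary group must exist with that gidNumber, and it must be in range too.
        if gid not in groups.values() or not in_range(gid):
            problems.append(f"user {name}: gidNumber {gid} has no in-range group")
    # The '*' range (BUILTIN and unknown SIDs) must not overlap the domain range.
    if "*" in ranges and ranges["*"][0] <= hi and lo <= ranges["*"][1]:
        problems.append("'*' range overlaps domain range")
    # Local accounts inside the domain range shadow AD users, since 'files' comes first in nsswitch.
    clashes = sorted(i for i in local_ids if in_range(i))
    if clashes:
        problems.append(f"local IDs inside domain range: {clashes}")
    return problems

if __name__ == "__main__":
    for p in check_idmap(SMB_CONF, "MYDOM", USERS, GROUPS, LOCAL_IDS):
        print(p)
```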
