
Re: [Samba] [samba] Member server winbind issue




2017-07-23 11:59 GMT+02:00 mathias dufresne <infractory@xxxxxxxxx>:

>
>
> 2017-07-23 11:23 GMT+02:00 Andrew Bartlett <abartlet@xxxxxxxxx>:
>
>> On Sun, 2017-07-23 at 11:10 +0200, mathias dufresne via samba wrote:
>> > Hi all,
>> >
>> > Thank you both for your replies. I did try both options (removing both
>> > keytab related lines as proposed by Andrew then using both lines
>> > proposed by Rowland) without success.
>>
>> Just because it didn't work doesn't mean just put it back.
>>
>> I'm not going to help you any more until you can confirm you have an
>> smb.conf like:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>>
>> and joined the domain with:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain
>>
>> Please follow that HOWTO, try not to be fancy, special or different
>> until you have it working.
>>
>
> That's the whole point, I don't see what I'm doing wrong (except
> re-inserting keytab lines).
>
> The whole smb.conf is the following:
> --------------------------------------------------
> [global]
>         security = ADS
>         workgroup = AD
>         realm = AD.DOMAIN.TLD
>
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         # Default ID mapping configuration for local BUILTIN accounts
>         # and groups on a domain member. The default (*) domain:
>         # - must not overlap with any domain ID mapping configuration!
>         # - must use a read-write-enabled back end, such as tdb.
>         # - Adding just this is not enough
>         # - You must set a DOMAIN backend configuration, see below
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>
>         winbind nss info = rfc2307
>
>         # idmap config for the AD domain
>         idmap config AD:backend = ad
>         idmap config AD:schema_mode = rfc2307
>         idmap config AD:range = 8000-99999999
> --------------------------------------------------
>
> It was obtained with copy paste from the first given link, modifying ranges
> and domain names. I didn't add user mapping as it is mentioned to be
> optional.
>
> The join is the following, using kerberos as authentication method (which
> works well and, I hope, should not be considered as too fancy), after
> I left the domain:
>
> smbsrv:/etc/samba# net ads leave -k
> Deleted account for 'SMBSRV' in realm 'AD.DOMAIN.TLD'
> smbsrv:/etc/samba# net ads join -k
> Using short domain name -- AD
> Joined 'SMBSRV' to dns domain 'ad.domain.tld'
>
> And here the behavior is the same: wbinfo -n and -S are working, -i is not
> working.
>
> I've got no more logs generated in log.winbindd which is normal as I
> removed log level.
>
> And I still don't understand what I do wrong :/
>

I forgot to mention how the testuser is configured, so here it is:
dc02:~# ldbsearch -H $sam samaccountname=testuser uidNumber gidNumber loginShell unixHomeDirectory primaryGroupID uid msSFU30Name msSFU30NisDomain
# record 1
dn: CN=test user,OU=Personnes,DC=ad,DC=domain,DC=tld
primaryGroupID: 513
msSFU30NisDomain: ad
uidNumber: 10000001
loginShell: /bin/bash
unixHomeDirectory: /home/testuser
gidNumber: 20000100
msSFU30Name: testuser
uid: testuser



>
>
>>
>> Thanks,
>>
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>>
>>
>
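The smb.conf comments quoted above require that the default (*) idmap range must not overlap the domain range. As an added example (not part of the original thread and not Samba code), this Python sketch checks that constraint and whether the posted uidNumber/gidNumber fall inside the AD range. It checks range consistency only and is not a diagnosis of the `wbinfo -i` failure; the function names and the BAD_CONF variant are constructed for illustration.

```python
import re

# Matches e.g. "idmap config AD:range = 8000-99999999" and "idmap config * : range = 3000-7999"
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} from the 'idmap config ... range' lines of an smb.conf."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # commented-out lines start with # or ; and never match
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlaps(ranges):
    """Return the domain pairs whose ID ranges intersect (an ID could map to two owners)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def out_of_range(ranges, domain, ids):
    """Return the attribute names in ids whose value lies outside the domain's range."""
    low, high = ranges[domain]
    return sorted(k for k, v in ids.items() if not low <= v <= high)

# idmap lines as posted in the thread.
PAGE_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config AD:backend = ad
        idmap config AD:schema_mode = rfc2307
        idmap config AD:range = 8000-99999999
"""
# Constructed bad variant: the default range runs into the AD range.
BAD_CONF = PAGE_CONF.replace("3000-7999", "3000-10000")
# uidNumber and gidNumber from the ldbsearch output in the thread.
TESTUSER = {"uidNumber": 10000001, "gidNumber": 20000100}

if __name__ == "__main__":
    r = idmap_ranges(PAGE_CONF)
    print("overlapping ranges:", overlaps(r))
    print("testuser IDs outside AD range:", out_of_range(r, "AD", TESTUSER))
    print("bad variant overlaps:", overlaps(idmap_ranges(BAD_CONF)))
```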