Re: [Samba] Windows pre-requisites for login with winbind?

On Wed, 23 Aug 2017 13:27:01 +0000
"A. James Lewis via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> I have to confess here, that on trying again, to get the error... I
> restarted everything to ensure there were no errant messages, and now
> installing libpam-krb5 does not cause a problem... the users are
> assigned a kerberos ticket when logging in which is nice too... 
> I must thank you and Rowland both, since I have learned a lot about
> how Kerberos works in this process, and debugged some issues that
> would probably have bitten me in future.
> However, my original problem remains!... 
> That problem is more clearly defined now, "Some users do not show up
> with 'getent passwd username', while most do."

This is very strange, you are now using the 'rid' backend, so all your
users (and groups) in AD should be shown by 'getent passwd username'.
As long as they are in AD with a RID, idmap_rid should map the RID to a
Unix ID and as long as the ID is inside the range set in smb.conf for
the domain, they should be returned. Thinking about it, I wonder if
this is the problem? Try sticking another 0 onto the end of the
'DOMAIN' high range. If that doesn't work, run this command:

wbinfo -n rowland | awk -F '-' '{print $8}' | awk '{print $1}'

Replace 'rowland' with your missing username, the output will be the
user's RID, this plus '5000' should be inside '5000-10000'.

> Those users can authenticate with Kerberos, and they are listed by
> wbinfo... but cannot log in, since they don't have a "password file
> entry".

The users shouldn't have a "password file entry", everything should
come from AD via winbind.

> What I need to find out is how it is that some users can
> authenticate, and are listed by wbinfo... BUT do not get mapped into
> what would be the password map.
> Could it be that one side or the other is not supporting 32 bit
> UID's... how would I tell?... can I query what the output of IDMAP
> would be with something like wbinfo, rather than getent passwd... so
> that I can see if there is an issue here?
> How to go about debugging the IDMAP!?.

Is there anything in either the Unix logs or the Windows event logs?
Is there anything strange about the missing usernames: any accents,
starting with a number, that sort of thing?
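The range check Rowland describes, as an added example that is not part of the original mail: it parses constructed 'idmap config' lines and 'wbinfo -n' output, applies the idmap_rid mapping (Unix ID = RID - base_rid + low end of the range, base_rid defaulting to 0) and reports whether the result falls inside the domain's configured range. The SIDs, usernames and range values are made up for the example.

```python
import re

# Constructed sample data (not from the original thread): wbinfo -n output
# for a user that maps fine and one whose RID is too large for the range.
WBINFO_OUTPUT = {
    "rowland": "S-1-5-21-1234567890-987654321-1122334455-1105 SID_USER (1)",
    "missing": "S-1-5-21-1234567890-987654321-1122334455-6213 SID_USER (1)",
}
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-4999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 5000-10000
"""


def parse_idmap_ranges(smb_conf):
    """Return {domain: (backend, low, high)} from the idmap config lines."""
    cfg = {}
    for m in re.finditer(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)", smb_conf):
        dom, key, val = m.group(1), m.group(2), m.group(3).strip()
        cfg.setdefault(dom, {})[key] = val
    out = {}
    for dom, opts in cfg.items():
        low, high = (int(x) for x in opts["range"].split("-"))
        out[dom] = (opts.get("backend", ""), low, high)
    return out


def rid_from_wbinfo(line):
    """The RID is the last dash-separated component of the SID in 'wbinfo -n' output."""
    sid = line.split()[0]
    return int(sid.rsplit("-", 1)[1])


def idmap_rid_unix_id(rid, low, base_rid=0):
    """idmap_rid mapping: ID = RID - base_rid + low end of the domain range."""
    return rid - base_rid + low


def check_user(line, ranges, domain="DOMAIN"):
    """Return (rid, unix_id, in_range) for one 'wbinfo -n' output line."""
    backend, low, high = ranges[domain]
    if backend != "rid":
        raise ValueError(f"{domain} does not use the rid backend: {backend!r}")
    rid = rid_from_wbinfo(line)
    uid = idmap_rid_unix_id(rid, low)
    return rid, uid, low <= uid <= high


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for user, line in WBINFO_OUTPUT.items():
        rid, uid, ok = check_user(line, ranges)
        print(f"{user}: RID {rid} -> uid {uid} {'in range' if ok else 'OUT OF RANGE'}")
```

A user whose computed ID lands above the high end of the range is exactly the case where 'wbinfo' still lists the account but 'getent passwd' returns nothing.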