
Re: [Samba] Centos 7 member server login fails





On 12/27/2017 02:39 AM, Rowland Penny via samba wrote:

> Have you actually given your users & groups a uidNumber or gidNumber
> attribute, or are you using the 'rid' backend

Yes I am using the AD backend and they have these uidNumber & gidNumbers. They come from when I was originally using rid (back in the 4.0 days) and switched to the AD backend. I just happened to make the uidNumber/gidNumber the number one would get if using rid. I never changed them to anything more reasonable since I didn't want to deal with the issues that creates. So yes it seems strange but everything is correct.

There is actually another list message in the archives where the use of these uidNumber/gidNumber caused confusion. Maybe one of these days I will change over to something more reasonable if just to avoid that confusion.

> This gets stranger and stranger, if you are using the 'rid' backend,
> why does 'Administrator' have the 'RID' 1107 ? and if you aren't, why
> isn't it '0:0' ?

The kinit command was issued from the testuser1 account. I will go out on a limb and suggest that 3001107 is correct since that is the keyring owner. If it makes you feel better here is the same getent passwd on the DC (note the "0" in the administrator user):

> getent passwd
MYDC\administrator:*:0:3000513::/home/administrator:/bin/bash
MYDC\testuser2:*:3001108:3000513::/home/testuser2:/bin/bash
MYDC\testuser1:*:3001107:3000513::/home/testuser1:/bin/bash

I did give domain users and domain admin groups gidNumbers so that is what you see. That is why it is not 0:0. My understanding is that is okay. You just cannot give administrator a uidNumber if I recall other list messages correctly.

Also if I do the kinit/klist commands on the member server as root I get this:
> kinit administrator
Password for administrator@xxxxxxxxxxxxx:
> klist
Ticket cache: KEYRING:persistent:0:krb_ccache_kgkyAS7
Default principal: administrator@xxxxxxxxxxxxx

Valid starting       Expires              Service principal
12/27/2017 18:24:49  12/28/2017 04:24:49 krbtgt/MYDC.TEST.COM@xxxxxxxxxxxxx
    renew until 01/03/2018 18:24:46

> Winbind cannot find your user

Yes sssd was completely removed. The SERNET samba distribution will not install if sssd is installed. Yum errors will occur. And as I said in my other message the problem disappears once I re-ran authconfig-tui. Authconfig-tui changes the /etc/nsswitch.conf file per your suggestion, and it recreates the /etc/pam.d/passwd-auth-ac file and /etc/pam.d/system-auth-ac for use with winbind. I had been using /etc/pam.d/ files created from those used by sssd and hand edited with vi to change over to winbind. While that worked at one time it failed this time with my upgrade from samba 4.6 to 4.7. They were admittedly pretty old versions of the PAM files so I guess I should have expected this day to come.

In any event, I will reiterate that everything is working like it is supposed to now. Thank you for your help.

--
Paul (ganci@xxxxxxxxxx)
Cell: (303)257-5208

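Added example, not part of the message above or of any Samba tooling: a small audit of the two things the message says authconfig-tui sets up, winbind in /etc/nsswitch.conf and winbind in the generated *-auth-ac PAM stacks, which also flags leftover sssd entries. The function names, the root-prefix argument and the fixture contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit NSS and PAM wiring for winbind.
# $1 is a root prefix, empty for the live system, so a copy of /etc can be checked.
check_winbind_auth() {
    root="${1:-}"; rc=0
    # NSS: passwd and group must consult winbind and must no longer consult sss.
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*${db}:" "$root/etc/nsswitch.conf" 2>/dev/null) || line=""
        if ! printf '%s\n' "$line" | grep -qw winbind; then
            echo "FAIL nsswitch.conf: $db does not list winbind"; rc=1
        fi
        if printf '%s\n' "$line" | grep -qw sss; then
            echo "FAIL nsswitch.conf: $db still lists sss"; rc=1
        fi
    done
    # PAM: each authconfig-generated stack (*-auth-ac) needs an active
    # pam_winbind.so line and no active pam_sss.so line left from sssd.
    found=0
    for f in "$root"/etc/pam.d/*-auth-ac; do
        [ -e "$f" ] || continue
        found=1
        if ! grep -Eq '^[^#]*pam_winbind\.so' "$f"; then
            echo "FAIL ${f##*/}: no pam_winbind.so"; rc=1
        fi
        if grep -Eq '^[^#]*pam_sss\.so' "$f"; then
            echo "FAIL ${f##*/}: leftover pam_sss.so"; rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then echo "FAIL no *-auth-ac files found"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK winbind is wired into NSS and PAM"; fi
    return "$rc"
}

# Constructed fixture: $2=stale mimics sssd-era files, anything else winbind.
make_fixture() {
    mkdir -p "$1/etc/pam.d"
    if [ "$2" = stale ]; then nss="files sss"; mod=pam_sss.so
    else nss="files winbind"; mod=pam_winbind.so; fi
    printf 'passwd: %s\ngroup: %s\n' "$nss" "$nss" > "$1/etc/nsswitch.conf"
    printf 'auth sufficient pam_unix.so\nauth sufficient %s use_first_pass\n' "$mod" \
        > "$1/etc/pam.d/system-auth-ac"
}
```

Running `check_winbind_auth ""` as root audits the live /etc; a non-zero exit status means at least one FAIL line was printed.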