Re: [Samba] Samba 4.5: trying to setup an omnios system as a DC member

On Tue, 19 Jun 2018 16:10:33 +0200
Andrea Cucciarrè via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> I'm trying to setup an omnios system as a Samba DC member, and I need
> AD backend for consistent IDs on all Samba clients.
> The AD join is successful, the wbinfo shows the AD users
> 
> # /opt/samba/bin/wbinfo -n andrea
> S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
> 
> however, " getent passwd ..." returns nothing for the user (all the
> AD user)
> 
> I have enabled debugging and I can see the following relevant error:
> 
> [2018/06/19 15:53:54.302030,  5, pid=638, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>    Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
> [2018/06/19 15:53:54.302082,  5, pid=638, effective(0, 0), real(0,
> 0), class=winbind] 
> ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
>    resolve_alias_to_username: backend query returned 
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> ...
> [2018/06/19 15:53:54.309621,  5, pid=638, effective(0, 0), real(0,
> 0), class=winbind] 
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>    Could not convert sid
> S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED
> 
> Also the command wbinfo fails to convert the SID to UID
> 
> # /opt/samba/bin/wbinfo -S
> S-1-5-21-2680195940-2267646359-3814218302-1109 failed to call
> wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid
> S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
> 
> This is the relevant smb.conf:
> 
> ===============================
> [global]
>      log file = /opt/samba/log/%m.log
>      log level = 10
>      workgroup = HYPERFILE
>      security = ADS
>      realm = HYPERFILE.NET
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
>      server string = Data %h
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind use default domain = yes
>      winbind expand groups = 4
>      winbind nss info = rfc2307
>      winbind refresh tickets = Yes
>      winbind normalize names = Yes
> 
>      idmap config * : backend = tdb
>      idmap config * : range = 1000000-2000000
>      idmap config * : schema_mode = rfc2307

Hmm, the range is slightly excessive. The '*' domain is for the 'Well
Known SIDs' (and there are fewer than 200 of these) and anything outside
the domain. Do you really expect around '999,800' users & groups from
outside the domain to connect to the domain?
You also do not use 'idmap config * : schema_mode = rfc2307' with the
'*' domain.

> 
> idmap config HYPERFILE:backend = ad
> idmap config HYPERFILE:schema_mode = rfc2307
> idmap config HYPERFILE:range = 1000-9999
> idmap config HYPERFILE:unix_primary_group = yes

Do you really only have 8,999 users?
Do they have a uidNumber inside the '1000-9999' range?
Does 'Domain Users' have a gidNumber inside the same range?
Neither the uidNumber nor the gidNumber attribute is added automatically;
you must add them manually.
And on the subject of the '1000-9999' range, do you not have any Unix
users other than the system users?

Rowland
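As an added, constructed example (not code from this thread or from Samba itself): a small Python checker that parses the idmap lines quoted above and applies the points raised in the reply, namely that the '*' domain should not carry schema_mode and its range should be modest, and that every user's uidNumber and the 'Domain Users' gidNumber must fall inside the HYPERFILE range, otherwise winbind cannot map the SID and reports NT_STATUS_NONE_MAPPED as in the log. The AD_OBJECTS values and the 100,000 size threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample: the idmap lines quoted from the smb.conf in this thread.
SMB_CONF = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000
    idmap config * : schema_mode = rfc2307
    idmap config HYPERFILE:backend = ad
    idmap config HYPERFILE:schema_mode = rfc2307
    idmap config HYPERFILE:range = 1000-9999
    idmap config HYPERFILE:unix_primary_group = yes
"""
# Constructed AD objects with hypothetical rfc2307 attribute values.
AD_OBJECTS = {
    "andrea": {"uidNumber": None},       # attribute never set
    "bob": {"uidNumber": 1500},          # inside 1000-9999
    "carol": {"uidNumber": 25000},       # outside the HYPERFILE range
    "Domain Users": {"gidNumber": 513},  # below 1000, so primary group mapping fails too
}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = defaultdict(dict)
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg[dom][opt.lower()] = val
    return cfg

def parse_range(value):
    return tuple(int(x) for x in value.split("-"))

def check_config(cfg):
    """Problems a reviewer would raise about the '*' idmap domain."""
    problems = []
    if "schema_mode" in cfg.get("*", {}):
        problems.append("'*' domain: schema_mode belongs to the ad backend, not tdb")
    lo, hi = parse_range(cfg["*"]["range"])
    if hi - lo > 100000:  # threshold is an assumption; the thread calls ~1,000,000 excessive
        problems.append(f"'*' range {lo}-{hi} is far larger than the well-known SIDs need")
    return problems

def unmapped_objects(cfg, domain, objects):
    """Names whose uidNumber/gidNumber is missing or outside the domain range."""
    lo, hi = parse_range(cfg[domain]["range"])
    return [name for name, a in objects.items()
            if (n := a.get("uidNumber", a.get("gidNumber"))) is None or not lo <= n <= hi]
```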