Web lists-archives.com

Re: [Samba] NSS interface lists all domain users but gives error on single user




On Wed, 17 Oct 2018 18:46:35 +0200
Giuseppe Sacco via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello Rowland,
> 
> Il giorno mer, 17/10/2018 alle 14.32 +0100, Rowland Penny via samba ha
> scritto:
> > On Wed, 17 Oct 2018 15:03:41 +0200
> > Giuseppe Sacco via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > [...]
> > > # Global parameters
> > > [global]
> > > 	dns proxy = No
> > > 	log file = /var/log/samba/log.%m
> > > 	map to guest = Bad User
> > > 	max log size = 1000
> > > 	panic action = /usr/share/samba/panic-action %d
> > > 	realm = AGENZIA.LOCAL
> > > 	security = ADS
> > > 	server role = member server
> > > 	server string = %h server (Samba, Ubuntu)
> > > 	template homedir = /home/%U
> > > 	template shell = /bin/bash
> > > 	usershare allow guests = Yes
> > > 	winbind cache time = 5
> > > 	winbind enum groups = Yes
> > > 	winbind enum users = Yes
> > > 	winbind offline logon = Yes
> > > 	winbind refresh tickets = Yes
> > > 	winbind separator = +
> > > 	workgroup = AGENZIA
> > > 	idmap config * : range = 5000-5100
> > > 	idmap config * : backend = tdb
> > 
> > You haven't set up idmap correctly, see here:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > and here:
> > https://wiki.samba.org/index.php/Idmap_config_ad
> > or here:
> > https://wiki.samba.org/index.php/Idmap_config_rid
> 
> If I understand the documentation, I need to setup two idmap config,
> one allocating ids for the BUILTIN users (using the tdb backend) and a
> separate one for my domain users. I tought that using "*" would have
> covered all domains, but I now think this is not true. Moreover, using
> the rid backend, I found that not all users were listed until its
> range was not large enough.
> 
> So, I changed the idmap config this way:
> 
> 	idmap config * : range = 3000-7999
> 	idmap config * : backend = tdb
> 	idmap config AGENZIA : range = 8000-20000
> 	idmap config AGENZIA : backend = rid
> 
> I stopped the samba daemons, deleted the relevant tdb files, restarted
> all daemons. I did not leave/join the domain again.
> 
> But I still have the same problem: "getent passwd" list all users,
> while "getent passwd 'AGENZIA+manuelb'" does not give any results.
> 
okay, try changing this in /etc/nsswitch.conf:

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files winbind

To this:

NSS configuration is simple:

passwd:         files winbind
group:          files winbind
shadow:         files

make sure that 'smbd' & 'winbind' are running.

Providing the there is a user called 'manuelb' in AD, winbind should
show the user with 'getent passwd AGENZIA+manuelb'

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba