Web lists-archives.com

Re: [Samba] DsReplicaSync failed - WERR_LOGON_FAILURE // Failed to bind to uuid for ncacn_ip_tcp - NT_STATUS_LOGON_FAILURE




On Wed, 10 Apr 2019 21:10:59 +0200
Martin Krämer <mk.maddin@xxxxxxxxx> wrote:


> Thanks - think I will give it a try
> I read the wiki page
> https://wiki.samba.org/index.php/Idmap_config_rid and understood this
> is a read only connection. For normal logon and use I think this is
> absolutely enough. Only topic I am not sure of is password expiry...
> - will people be able to change their passwords from linux machine
> with this rid backend?

Yes, the AD password has nothing to do with the winbind backend

> > > 2. Did I understand correctly that these uid- & gidNumbers cannot
> > > be set automatically/managed by samba-tool or any other linux out
> > > of box tool?  
> >
> > Have a look at LAM, (LDAP Account Manager)
> >
> > Looks absolutely interesting.  

 
> But I am able to get that resolved as follows on the DC without
> uidNumber attribute set (or am I misinterpreting something here?):
> 
> root@location-000001:~# wbinfo --name-to-sid faiuser
> S-1-5-21-2380976951-3081962821-3908499780-1138 SID_USER (1)
> root@location-000001:~# wbinfo --sid-to-uid
> S-1-5-21-2380976951-3081962821-3908499780-1138
> 3000020

AH, I thought we were talking just about Unix domain members ;-)

Samba DC's have yet another way doing things, they use 'xidNumber'
attributes stored in idmap.ldb, these are only used on DC's and will be
replaced by any uidNumber or gidNumber attributes added.


> Does that mean that the result I recieve for "wbinfo --sid-to-uid"
> might overlap even on the same DC?
> That would mean that a file permitted for user A with uidNumber 123456
> might be accessible by user B, too, because the uidNumber for that
> user might be 123456 as well on the DC?

On 'A' DC, no, but on another DC, yes

Long answer: The 'xidnumber' attributes on a DC are allocated on a
'first come basis', this means that you cannot rely on any user or
group getting the same ID number on different DC's. This means that
you are advised to sync idmap.ldb from your first DC to any other DC's
 


> > You think to increment these attributes with every newly created
> > user /  
> computer or group?

Yes, this is just what ADUC does. I don't know if you are aware that,
as far as AD is concerned, a computer is just a user with an extra
objectclass.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba