
Re: [Samba] Samba 4.4.8 AD member ads / nss fails to find group id




On Mon, 22 Apr 2019 15:18:32 -0400
"Thomas, David via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Rowland,
> 
> On 3/29/2019 2:54 PM, Rowland Penny via samba wrote:
> >   get the feeling that your users have different Unix ids on each
> > Unix computer, this just leads to trouble.  
> 
> We use nss so all the unix computers at our site share the same
> database of users, uids and gids.
> 
> The problem that I'm having seems to be that smbd is trying to find a 
> gid from the SID for the Domain Users group and is failing. This
> stops users from authenticating.
> 
> Using wbinfo I can resolve the "Domain Users" name from the S....-513 
> SID but wbinfo fails to resolve a gid for that SID.

Your setup probably will never map 'Domain Users' to a gid because
there isn't anything to map it to or it is outside the range set inside
your smb.conf (it has been some time since your last post, so everything
is a bit hazy).
Just a note: the 'S.....' part of what you are calling the SID, is the
actual SID, the '513' is the RID, this is the unique number that
identifies the object in AD.

> 
> The domain controller is a windows machine that's part of the
> corporate IT network and I have no control over it.

I seem to remember saying this before, but you could use the winbind
'rid' backend, this would not entail adding anything to AD, but would
mean having to join your machine to AD and probably also entail
changing ownership of files and directories.

Using the same smb.conf on all Unix domain members would give you the
same IDs on them all.

Rowland
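
An added example, not part of the original message: how the winbind 'rid' backend mentioned above derives a gid for 'Domain Users' from its RID, and why an ID outside the configured range is not mapped. The formula is the one documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID); the domain name SAMDOM, both ranges and the SID are constructed for illustration.

```python
import configparser

# Constructed smb.conf fragment; SAMDOM and both ranges are assumptions,
# not values taken from the thread.
SMB_CONF = """
[global]
security = ads
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Constructed SID: a made-up domain SID followed by RID 513 (Domain Users).
DOMAIN_USERS = "S-1-5-21-1111111111-2222222222-3333333333-513"

def rid_range(conf_text, domain):
    """Return (low, high) of the rid backend range configured for `domain`."""
    # Only '=' is a delimiter, so the ':' inside smb.conf keys is preserved.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"]
    if g.get(f"idmap config {domain} : backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = g[f"idmap config {domain} : range"].split("-")
    return int(low), int(high)

def sid_to_unix_id(sid, low, high, base_rid=0):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    _domain_sid, _, rid = sid.rpartition("-")
    unix_id = int(rid) - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    low, high = rid_range(SMB_CONF, "SAMDOM")
    # Every member using this smb.conf computes the same gid from the same RID.
    print("Domain Users gid:", sid_to_unix_id(DOMAIN_USERS, low, high))
    # A range too small to hold the computed ID leaves the SID unmapped.
    print("With range 10000-10500:", sid_to_unix_id(DOMAIN_USERS, 10000, 10500))
```

Because the result depends only on the RID and the configured range, no attributes need to be added in AD, which is why the same smb.conf yields the same IDs on every member.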


