Re: [Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread Nick Triantos
Thanks very much.

For some reason, this time, when I uncommented those idmap range lines, it all 
worked.

Steve, to use rfc2307 out of the box, how do I specify uids for my users? I 
installed sfu to get the tab in the Users & Computers where I could set stuff 
like shell, uid, etc.

thanks,
-Nick

On Aug 12, 2012, at 6:26 AM, Gémes Géza  wrote:

> Hi,
>> Hi all,
>> 
>> I'm still struggling with getting samba 3.6 to use the uids and gids from my 
>> Active Directory 2008 R2 setup. I can see the users, I just can't get their 
>> UIDs mapped onto my linux machine.
>> 
>> I've configured AD to use its "services for unix" feature, and through 
>> that, I got a "Unix Attributes" tab where I could enter fields like uid, 
>> home dir, shell, and primary GID.
>> 
>> My few questions:
>> 
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range for 
>> the AD domain. It seems to be ignored, and instead, my users get placed in 
>> the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these files 
>> when I change this part of my config:
>>  /var/run/samba/gencache*
>>  /var/cache/samba/winbindd_cache.tdb
>>  /var/lib/samba/winbindd_idmap.tdb
>> Any thoughts about the need/value to delete these temp files is 
>> appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>> 
>> thanks very much.
>> 
>> best,
>> -Nick
> According to man idmap_ad you should have a generic idmap backend line as 
> well, like:
> 
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
> 
> I've written uninteresting range, because you should specify a range you 
> haven't placed your users via ADUC
>> [global]   (from my smb.conf)
>>   workgroup = CORP
>>   server string = %h server (Samba, Ubuntu)
>> 
>>   security = ADS
>>   realm = CORP.xxx.COM
>>   allow trusted domains = yes
>>   winbind use default domain = yes
>>   winbind nested groups = YES
>>   winbind nested groups = YES
>>   winbind enum groups = yes
>>   winbind enum users = yes
>>   winbind nss info = rfc2307
>>   winbind refresh tickets = yes
>>   idmap config CORP : backend = ad
>>   idmap config CORP : schema_mode = rfc2307
>>   #idmap config CORP : range = 1000 - 9
>>   idmap config * : default = yes
>>   #idmap config * : backend = tdb
>>   #idmap config * : range = 10 - 19
>>   idmap config * : range = 900 - 1999
>> 
>>   encrypt passwords = true
>> 
>>   obey pam restrictions = yes
>>   client use spnego = yes
>>   client ntlmv2 auth = yes
>>   encrypt passwords = true
>>   restrict anonymous = 2
>> 
>> When I perform an ldapsearch against my server, I see these attributes, 
>> among others:
>> 
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>> 
> Regards
> 
> Geza
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



[Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread Nick Triantos
Hi all,

I'm still struggling with getting samba 3.6 to use the uids and gids from my 
Active Directory 2008 R2 setup. I can see the users, I just can't get their 
UIDs mapped onto my linux machine.

I've configured AD to use its "services for unix" feature, and through that, I 
got a "Unix Attributes" tab where I could enter fields like uid, home dir, 
shell, and primary GID.

My few questions:

1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range for the 
AD domain. It seems to be ignored, and instead, my users get placed in the 
wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these files when 
I change this part of my config:
/var/run/samba/gencache*
/var/cache/samba/winbindd_cache.tdb
/var/lib/samba/winbindd_idmap.tdb
Any thoughts about the need/value to delete these temp files is appreciated.
4. Finally, does anyone have suggestions of other things I can try?

thanks very much.

best,
-Nick

[global]   (from my smb.conf)
   workgroup = CORP
   server string = %h server (Samba, Ubuntu)

   security = ADS
   realm = CORP.xxx.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   winbind nested groups = YES
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   #idmap config CORP : range = 1000 - 9
   idmap config * : default = yes
   #idmap config * : backend = tdb
   #idmap config * : range = 10 - 19
   idmap config * : range = 900 - 1999

   encrypt passwords = true

   obey pam restrictions = yes
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = true
   restrict anonymous = 2

When I perform an ldapsearch against my server, I see these attributes, among 
others:

msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash



Re: [Samba] Failing to get uids from AD

2012-07-24 Thread Nick Triantos
Hi Steve,

I'm running AD on Windows Server 2008 R2. Once you have the AD domain services 
role installed, there's a feature you can install called something like, 
"Server for NIS". See: 
http://technet.microsoft.com/en-us/library/cc755221.aspx, amongst many other 
postings from Microsoft.

regards,
-Nick


On Jul 24, 2012, at 4:15 AM, steve wrote:

> On 18/07/12 03:52, Nick Triantos wrote:
>> It looks like uidNumber is the attribute that gets set (I've queried it with 
>> ldapsearch). This is what AD Users & Computers sets when I use their GUI to 
>> configure a user.
>> 
> 
> Hi
> How do you get ADUC to display fields where you can enter uidNumber?
> Cheers,
> Steve



Re: [Samba] Failing to get uids from AD

2012-07-23 Thread Nick Triantos
Thanks Steve.

I don't have an 'objectClass: posixAccount' set, though I'm unclear whether 
that's needed. My nsswitch.conf is set as:

passwd: files winbind

I'm not trying to use the generic LDAP mechanism.. I'm trying to get Winbind to 
talk to AD. I suspect it will look for different attributes than the ldap 
modules would look for.

cheers,
-Nick

On Jul 18, 2012, at 1:15 AM, steve wrote:

> On 18/07/12 03:00, Rob Townley wrote:
>> Precisely what ldap attribute are you setting user id numbers in AD?  You
>> may want to check.  There are numerous attribute names that include uid and
>> gid, but you need the correct one.
>> 
> Hi
> In AD we have:
> objectClass: posixAccount
> and
> uidNumber: xyz
> 
> with /etc/nsswitch.conf containing:
> passwd: compat ldap
> 
> nss-ldapd (for example) pulls the uidNumber fine using:
> getent passwd
> 
> Is that what we are talking about?
> Cheers,
> Steve



Re: [Samba] Failing to get uids from AD

2012-07-23 Thread Nick Triantos
It looks like uidNumber is the attribute that gets set (I've queried it with 
ldapsearch). This is what AD Users & Computers sets when I use their GUI to 
configure a user.

thanks,
-Nick

On Jul 17, 2012, at 6:00 PM, Rob Townley wrote:

> Precisely what ldap attribute are you setting user id numbers in AD?  You may 
> want to check.  There are numerous attribute names that include uid and gid, 
> but you need the correct one.  



Re: [Samba] Failing to get uids from AD

2012-07-17 Thread Nick Triantos
Just a quick confirmation: 

If I set the idmap config CORP : range parameter, I always get no result for 
getent passwd , and the winbind log shows "Could not get unix 
ID", whether the range overlaps with my "*" range or not.

I do have one suspicion what could be failing, from inspecting the code.. Is it 
possible for me to map uids in AD but not gids? Currently, I've configured my 
users, but not all of my security groups.

thanks,
-Nick

p.s. - This is happening with 3.6.3 on Ubuntu. I've been trying unsuccessfully 
to build v3-6-stable from source so I can debug this. Samba fails to build in 
../libcli/auth/ntlmssp_server.c (error: ‘ndr_push_ntlmssp_VERSION’ undeclared). 
Any tips on how to work past this?


On Jul 16, 2012, at 6:35 PM, Nick Triantos wrote:

> Thanks Heather.
> 
> It was my understanding, from reading one of the doc pages, that the range 
> acted as a filter, and would invalidate any users who didn't match the range, 
> so I purposely made it cover a broader range (from 900 onward). In AD, my 
> first user maps at 1001. On the local machine, all users are daemons, etc. 
> which map to below 899.
> 
> In the case where I specified a range for the CORP section, it seemed to be 
> overridden by the "*" range, or it was ignored and the system fell back to 
> using the * range.
> 
> All of my Samba users are in AD, so there shouldn't actually be a need for 
> the BUILTIN realm, but I'm happy to leave it if that makes samba happy.
> 
> Re use of 'idmap = ad' being moot, you might be right. Someone else responded 
> to a previous thread of mine on this list and suggested using it so that 
> Samba wouldn't attempt to create and store IDs in a tdb, though obviously, 
> that isn't quite working.
> 
> When I instead specify non-overlapping ranges, as below, the command 'getent 
> passwd ' returns no data.
>   security = ADS
>   realm = CORP.mycompany.COM
>   allow trusted domains = yes
>   winbind use default domain = yes
>   winbind nested groups = YES
>   winbind enum groups = yes
>   winbind enum users = yes
>   winbind nss info = rfc2307
>   winbind refresh tickets = yes
>   idmap config CORP : backend = ad
>   idmap config CORP : schema_mode = rfc2307
>   idmap config CORP : range = 900 - 1
>   #idmap config * : backend = tdb
>   idmap config * : default = yes
>   idmap config * : range = 10 - 19
> 
> The only error I saw in my winbind log, with the above config, which looked 
> to be of value was shown at debuglevel=3:
>   Could not get unix ID
> 
> I will dig in to some google searches to see what I can find. I may also be 
> getting the sfu vs rfc2307 incorrect, but whenever I've changed that to sfu, 
> I get no results. The docs are very terse about which is which (I'm using AD 
> from Windows Server 2008 R2, with the Services for Unix feature installed).
> 
> Any other suggestions?
> 
> BTW, I do very much appreciate all the help.
> 
> thanks,
> -Nick
> 
> On Jul 16, 2012, at 4:42 PM, Heather Choi wrote:
> 
>> I noticed you tried to comment out the default idmap section. The range also 
>> starts very low, (too low). I think you might be running into uid/gid 
>> collisions because of that.
>> Something like this is more preferable (in addition to setting your ranges):
>> 
>>   idmap config * : backend = tdb
>>   idmap config * : range = 100-199
>> 
>>   idmap config CORP : backend  = ad
>>   idmap config CORP : range = 900-99
>>   idmap config CORP : schema_mode = rfc2307
>> 
>> You want to make sure you retain the local allocation for stuff like 
>> BUILTIN.  Also you may want to start at 1000 for your range for CORP, to 
>> make it more logical (i.e. so they are always at least 4 digits long).  You 
>> also have to make sure you set the groups properly.
>> 
>> Isn't the use of idmap = ad somewhat moot now that they revised (and mostly 
>> 'fixed') id mapping in Samba 3.6?
>> 
>> On 07/16/2012 03:57 AM, Jonathan Buzzard wrote:
>>> On 14/07/12 17:50, Nick Triantos wrote:
>>>> Hi,
>>>> 
>>>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from 
>>>> AD 2008 R2 with the Services for Unix feature installed. My users have 
>>>> uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04
>>>> 
>>>> The global part of my smb.conf. I've tried changing 'winbind nss info' and 
>>>> 'schema_mode' to sfu as well.
>>>> 
>>>>   security = ADS
>>>>   realm = CORP.mycompany

Re: [Samba] Failing to get uids from AD

2012-07-16 Thread Nick Triantos
Thanks Heather.

It was my understanding, from reading one of the doc pages, that the range 
acted as a filter, and would invalidate any users who didn't match the range, 
so I purposely made it cover a broader range (from 900 onward). In AD, my first 
user maps at 1001. On the local machine, all users are daemons, etc. which map 
to below 899.

In the case where I specified a range for the CORP section, it seemed to be 
overridden by the "*" range, or it was ignored and the system fell back to 
using the * range.

All of my Samba users are in AD, so there shouldn't actually be a need for the 
BUILTIN realm, but I'm happy to leave it if that makes samba happy.

Re use of 'idmap = ad' being moot, you might be right. Someone else responded 
to a previous thread of mine on this list and suggested using it so that Samba 
wouldn't attempt to create and store IDs in a tdb, though obviously, that isn't 
quite working.

When I instead specify non-overlapping ranges, as below, the command 'getent 
passwd ' returns no data.
   security = ADS
   realm = CORP.mycompany.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 900 - 1
   #idmap config * : backend = tdb
   idmap config * : default = yes
   idmap config * : range = 10 - 19

The only error I saw in my winbind log, with the above config, which looked to 
be of value was shown at debuglevel=3:
   Could not get unix ID

I will dig in to some google searches to see what I can find. I may also be 
getting the sfu vs rfc2307 incorrect, but whenever I've changed that to sfu, I 
get no results. The docs are very terse about which is which (I'm using AD from 
Windows Server 2008 R2, with the Services for Unix feature installed).

Any other suggestions?

BTW, I do very much appreciate all the help.

thanks,
-Nick

On Jul 16, 2012, at 4:42 PM, Heather Choi wrote:

> I noticed you tried to comment out the default idmap section. The range also 
> starts very low, (too low). I think you might be running into uid/gid 
> collisions because of that.
> Something like this is more preferable (in addition to setting your ranges):
> 
>   idmap config * : backend = tdb
>   idmap config * : range = 100-199
> 
>   idmap config CORP : backend  = ad
>   idmap config CORP : range = 900-99
>   idmap config CORP : schema_mode = rfc2307
> 
> You want to make sure you retain the local allocation for stuff like BUILTIN. 
>  Also you may want to start at 1000 for your range for CORP, to make it more 
> logical (i.e. so they are always at least 4 digits long).  You also have to 
> make sure you set the groups properly.
> 
> Isn't the use of idmap = ad somewhat moot now that they revised (and mostly 
> 'fixed') id mapping in Samba 3.6?
> 
> On 07/16/2012 03:57 AM, Jonathan Buzzard wrote:
>> On 14/07/12 17:50, Nick Triantos wrote:
>>> Hi,
>>> 
>>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from 
>>> AD 2008 R2 with the Services for Unix feature installed. My users have 
>>> uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04
>>> 
>>> The global part of my smb.conf. I've tried changing 'winbind nss info' and 
>>> 'schema_mode' to sfu as well.
>>> 
>>>   security = ADS
>>>   realm = CORP.mycompany.COM
>>>   allow trusted domains = yes
>>>   winbind use default domain = yes
>>>   winbind nested groups = YES
>>>   winbind enum groups = yes
>>>   winbind enum users = yes
>>>   winbind nss info = rfc2307
>>>   winbind refresh tickets = yes
>>>   idmap config CORP : backend = ad
>>>   idmap config CORP : schema_mode = rfc2307
>>>   #idmap config * : backend = tdb
>>>   idmap config * : default = yes
>>>   idmap config * : range = 900 - 9
>>> 
>> 
>> There is no range here for the ad backend. From what I have determined 
>> empirically is that you need to specify ranges for both that don't overlap. 
>> That said this is now covered in the manual page, but it is vitally 
>> important and it won't work properly without it. What I do is specify a 
>> small range really high up well out of the way of anything being allocated 
>> in the AD for the tdb backend.
>> 
>> JAB.
>> 
> 
> 



Re: [Samba] Failing to get uids from AD

2012-07-16 Thread Nick Triantos
Thanks Jonathan, but it didn't work for me. I updated my config to look like 
this:
   security = ADS
   realm = CORP.mycompany.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : 1000 - 9
   #idmap config * : backend = tdb
   idmap config * : default = yes
   idmap config * : range = 10 - 19

And after restarting smbd and winbindd, my ID came back as 10 instead of 
the expected 1001.

Is there some other element missing from my "idmap config CORP" sections to 
somehow associate it with this specific AD server? Or does the "CORP" 
identifier suffice?

thanks again!
-Nick


On Jul 16, 2012, at 1:57 AM, Jonathan Buzzard wrote:

> On 14/07/12 17:50, Nick Triantos wrote:
>> Hi,
>> 
>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from AD 
>> 2008 R2 with the Services for Unix feature installed. My users have 
>> uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04
>> 
>> The global part of my smb.conf. I've tried changing 'winbind nss info' and 
>> 'schema_mode' to sfu as well.
>> 
>>   security = ADS
>>   realm = CORP.mycompany.COM
>>   allow trusted domains = yes
>>   winbind use default domain = yes
>>   winbind nested groups = YES
>>   winbind enum groups = yes
>>   winbind enum users = yes
>>   winbind nss info = rfc2307
>>   winbind refresh tickets = yes
>>   idmap config CORP : backend = ad
>>   idmap config CORP : schema_mode = rfc2307
>>   #idmap config * : backend = tdb
>>   idmap config * : default = yes
>>   idmap config * : range = 900 - 9
>> 
> 
> There is no range here for the ad backend. From what I have determined 
> empirically is that you need to specify ranges for both that don't overlap. 
> That said this is now covered in the manual page, but it is vitally important 
> and it won't work properly without it. What I do is specify a small range 
> really high up well out of the way of anything being allocated in the AD for 
> the tdb backend.
> 
> JAB.
> 
> -- 
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
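
Added example (not part of the thread and not Samba code): a small Python check for the advice quoted above, that the `ad` backend and the default `*` domain each need their own range and that the ranges must not overlap, plus the filter behaviour of the `ad` range mentioned elsewhere in the thread. The sample configs and all range values are constructed; the function names are hypothetical.

```python
import re

# "idmap config DOMAIN : option = value" (matched after stripping whitespace)
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(.*)$", re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed samples. BROKEN drops "range =" on the CORP line and leaves the
# default domain without a backend; OVERLAP has both ranges but they collide.
BROKEN = """\
[global]
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : 1000 - 9999
   #idmap config * : backend = tdb
   idmap config * : range = 900 - 1999
"""
OVERLAP = """\
   idmap config * : backend = tdb
   idmap config * : range = 900 - 1999
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 99999
"""
FIXED = """\
   idmap config * : backend = tdb
   idmap config * : range = 100000 - 199999
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 99999
"""


def parse_idmap(conf_text):
    """Return ({domain: {option: value}}, [problems]) for idmap config lines."""
    domains, problems = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or smb.conf comment
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, rest = m.group(1).upper(), m.group(2)
        if "=" not in rest:                  # e.g. "idmap config CORP : 1000 - 9999"
            problems.append(f"line {lineno}: no 'option =' in {line!r}")
            continue
        option, value = (part.strip() for part in rest.split("=", 1))
        domains.setdefault(domain, {})[option.lower()] = value
    return domains, problems


def id_range(options):
    """Parse 'low - high' into (low, high); None if absent or malformed."""
    m = RANGE_RE.match(options.get("range", ""))
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def check(conf_text, ad_ids=()):
    """List problems; ad_ids is [(domain, uidNumber-or-gidNumber), ...] from AD."""
    domains, problems = parse_idmap(conf_text)
    ranges = {}
    for domain, options in sorted(domains.items()):
        r = id_range(options)
        if r is None:
            problems.append(f"{domain}: no valid 'range = low - high'")
        else:
            ranges[domain] = r
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    # The ad backend's range acts as a filter: IDs outside it are not mapped.
    for domain, number in ad_ids:
        r = ranges.get(domain.upper())
        if r and not r[0] <= number <= r[1]:
            problems.append(f"{domain}: AD id {number} outside {r[0]}-{r[1]}")
    return problems


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("OVERLAP", OVERLAP), ("FIXED", FIXED)):
        print(name, check(text, [("CORP", 1001)]) or "ok")
```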



[Samba] Failing to get uids from AD

2012-07-15 Thread Nick Triantos
Hi,

I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from AD 
2008 R2 with the Services for Unix feature installed. My users have uidNumber 
fields which contain the UIDs I want. I'm on Ubuntu 12.04

The global part of my smb.conf. I've tried changing 'winbind nss info' and 
'schema_mode' to sfu as well.

   security = ADS
   realm = CORP.mycompany.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   #idmap config * : backend = tdb
   idmap config * : default = yes
   idmap config * : range = 900 - 9

Each time I re-test, I delete the files:
   /var/run/samba/gencache*.tdb
   /var/cache/samba/winbindd_cache.tdb
   /var/lib/samba/winbindd_idmap.tdb

My users always come back with an id in the range mapped above (900+), even 
though their IDs should actually be 1000+.

When I run an ldapsearch query, I get back results for my users that include 
(as well as other fields):
   sAMAccountName: ross
   userPrincipalName: ross@corp
   lockoutTime: 0
   objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,...
   uid: ross
   mail: ross@...
   msSFU30Name: ross
   msSFU30NisDomain: corp
   uidNumber: 1006
   gidNumber: 100
   unixHomeDirectory: /home/ross
   loginShell: /bin/bash

Any suggestions of things I can try are greatly appreciated.

thanks!
-Nick



Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-13 Thread Nick Triantos
It turns out that setting idmap config * : ad was the cause of my failures. For 
some reason, that backend is not compiled into the Ubuntu packages (or at 
least, when I ran with debug = 3 for winbind, I saw that the backend 'ad' was 
failing to load).

It does seem, from my very non-scientific study of the list over the past few 
days, that a large number of questions seem to be focused on connecting samba 
with AD. Hopefully this can be made more rock-solid in the future.

regards,
-Nick

On Jul 11, 2012, at 10:50 AM, Rowland Penny wrote:

> On 11/07/12 17:38, Nick Triantos wrote:
>> Hi Rowland,
>> 
>> Yes, I've added their unix attributes.
>> 
>> It looks like there is a long-open bug in winbind/samba 3.6.x that may be 
>> causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). 
>> I'm now stuck behind that so I'm trying to downgrade to 3.5.x.
>> 
>> regards,
>> -Nick
>> 
>> On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:
>> 
>>> On 11/07/12 01:57, Nick Triantos wrote:
>>>> Thanks Robert.
>>>> 
>>>> I've tried switching over to the AD back-end (which does sound like what I 
>>>> want), but I still receive only the errors:
>>>>   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>> 
>>>> I restarted both winbind and smbd after changing the config. Is there some 
>>>> cache I have to flush, or some other config that needs to be changed 
>>>> beyond the settings in smb.conf?
>>>> 
>>>> thanks again!
>>>> -Nick
>>>> 
>>>> My updated smb.conf:
>>>> 
>>>>   workgroup = CORP
>>>>   security = ADS
>>>>   #password server = 192.168.77.251
>>>>   realm = CORP.MYCOMPANY.COM
>>>>   allow trusted domains = yes
>>>>   winbind use default domain = yes
>>>>   winbind nested groups = YES
>>>>   idmap config CORP : backend = ad
>>>>   idmap config CORP : default = yes
>>>>   idmap config CORP : schema_mode = rfc2307
>>>>   idmap config CORP : range = 800 - 9
>>>> 
>>>> 
>>>> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>>>> 
>>>>> 
>>>>> Nick,
>>>>> 
>>>>> I think what you may be looking for is the ad backend:
>>>>> 
>>>>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>>>> 
>>>>> Since you are using tdb in your config, it is using a local database
>>>>> and allocates UID/GIDs on the fly...first come, first served.  So a
>>>>> user may not get the same UID from one machine to the next.
>>>>> 
>>>>> Robert
>>>>> 
>>>>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>>>>> Winbind to map userids and groups to the unix attributes in an AD
>>>>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>>>>> to read the attributes, and for one of my accounts, the id should
>>>>>> be 1001. However, when I run 'wbinfo -i', I get back
>>>>>> something like 920.
>>>>>> 
>>>>>> At one point, I was setting the idmap range to start at 900, but
>>>>>> I've since removed that from my config, and restarted winbindd and
>>>>>> smbd. I've also tried to 'net cache flush'.
>>>>>> 
>>>>>> I also see wbinfo -i   usually returns: failed to call
>>>>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>>>>> 
>>>>>> 
>>>>>> The relevant parts of my smb.conf are below. I've tried patching
>>>>>> this together from various tuts and help pages. Any guidance would
>>>>>> be very helpful.
>>>>>> 
>>>>>> thanks! -Nick
>>>>>> 
>>>>>> [global] workgroup = CORP security = ADS password server =
>>>>>> 192.168.77.251 realm = CORP.MYCOMPANY.COM allow trusted domains =
>>>>&g

Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-13 Thread Nick Triantos
Hi Rowland,

Yes, I've added their unix attributes.

It looks like there is a long-open bug in winbind/samba 3.6.x that may be 
causing the error below (https://bugzilla.samba.org/show_bug.cgi?id=8676). I'm 
now stuck behind that so I'm trying to downgrade to 3.5.x.

regards,
-Nick

On Jul 11, 2012, at 7:05 AM, Rowland Penny wrote:

> On 11/07/12 01:57, Nick Triantos wrote:
>> Thanks Robert.
>> 
>> I've tried switching over to the AD back-end (which does sound like what I 
>> want), but I still receive only the errors:
>>   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> 
>> I restarted both winbind and smbd after changing the config. Is there some 
>> cache I have to flush, or some other config that needs to be changed beyond 
>> the settings in smb.conf?
>> 
>> thanks again!
>> -Nick
>> 
>> My updated smb.conf:
>> 
>>   workgroup = CORP
>>   security = ADS
>>   #password server = 192.168.77.251
>>   realm = CORP.MYCOMPANY.COM
>>   allow trusted domains = yes
>>   winbind use default domain = yes
>>   winbind nested groups = YES
>>   idmap config CORP : backend = ad
>>   idmap config CORP : default = yes
>>   idmap config CORP : schema_mode = rfc2307
>>   idmap config CORP : range = 800 - 9
>> 
>> 
>> On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:
>> 
>>> 
>>> Nick,
>>> 
>>> I think what you may be looking for is the ad backend:
>>> 
>>> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>>> 
>>> Since you are using tdb in your config, it is using a local database
>>> and allocates UID/GIDs on the fly...first come, first served.  So a
>>> user may not get the same UID from one machine to the next.
>>> 
>>> Robert
>>> 
>>> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>>>> Hi,
>>>> 
>>>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
>>>> Winbind to map userids and groups to the unix attributes in an AD
>>>> 2008 server. I can see that when I perform an ldapsearch, I'm able
>>>> to read the attributes, and for one of my accounts, the id should
>>>> be 1001. However, when I run 'wbinfo -i', I get back
>>>> something like 920.
>>>> 
>>>> At one point, I was setting the idmap range to start at 900, but
>>>> I've since removed that from my config, and restarted winbindd and
>>>> smbd. I've also tried to 'net cache flush'.
>>>> 
>>>> I also see wbinfo -i  usually returns: failed to call
>>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
>>>> 
>>>> 
>>>> The relevant parts of my smb.conf are below. I've tried patching
>>>> this together from various tuts and help pages. Any guidance would
>>>> be very helpful.
>>>> 
>>>> thanks! -Nick
>>>> 
>>>> [global] workgroup = CORP security = ADS password server =
>>>> 192.168.77.251 realm = CORP.MYCOMPANY.COM allow trusted domains =
>>>> yes winbind use default domain = yes winbind nested groups = YES
>>>> idmap config CORP : backend = tdb idmap config CORP : default = yes
>>>> idmap config CORP : schema_mode = rfc2307 idmap config CORP : range
>>>> = 1000 -  idmap config * : backend = tdb encrypt passwords =
>>>> true obey pam restrictions = yes client use spnego = yes client
>>>> ntlmv2 auth = yes encrypt passwords = true restrict anonymous = 2
>>>> unix password sync = yes winbind enum groups = yes winbind enum
>>>> users = yes winbind nss info = rfc2307
>>>> 
>>>> 
>>> 
>>> - - --
>>> 
>>> 
>>> Robert Freeman-Day
>>> 
>>> https://launchpad.net/~presgas
>>> GPG Public Key:
>>> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
>>> 
>>> 
> Hi, just a thought, have you added the RFC2307 uid/gid values to your users 
> on the AD server? if you haven't, there will be nothing to find and it may 
> throw the error that you are getting.
> 
> Rowland
> 
> 



Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-11 Thread Nick Triantos
Thanks Robert.

I've tried switching over to the AD back-end (which does sound like what I 
want), but I still receive only the errors:
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some 
cache I have to flush, or some other config that needs to be changed beyond the 
settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

   workgroup = CORP
   security = ADS
   #password server = 192.168.77.251
   realm = CORP.MYCOMPANY.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   idmap config CORP : backend = ad
   idmap config CORP : default = yes
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 800 - 9


On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:

> 
> Nick,
> 
> I think what you may be looking for is the ad backend:
> 
> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
> 
> Since you are using tdb in your config, it is using a local database
> and allocates UID/GIDs on the fly...first come, first served.  So a
> user may not get the same UID from one machine to the next.
> 
> Robert
> 
> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>> Hi,
>> 
>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and 
>> Winbind to map userids and groups to the unix attributes in an AD 
>> 2008 server. I can see that when I perform an ldapsearch, I'm able 
>> to read the attributes, and for one of my accounts, the id should 
>> be 1001. However, when I run 'wbinfo -i ', I get back 
>> something like 920.
>> 
>> At one point, I was setting the idmap range to start at 900, but 
>> I've since removed that from my config, and restarted winbindd and 
>> smbd. I've also tried to 'net cache flush'.
>> 
>> I also see wbinfo -i  usually returns: failed to call 
>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user 
>> 
>> 
>> The relevant parts of my smb.conf are below. I've tried patching 
>> this together from various tuts and help pages. Any guidance would 
>> be very helpful.
>> 
>> thanks! -Nick
>> 
>> [global] workgroup = CORP security = ADS password server = 
>> 192.168.77.251 realm = CORP.MYCOMPANY.COM allow trusted domains = 
>> yes winbind use default domain = yes winbind nested groups = YES 
>> idmap config CORP : backend = tdb idmap config CORP : default = yes
>> idmap config CORP : schema_mode = rfc2307 idmap config CORP : range
>> = 1000 -  idmap config * : backend = tdb encrypt passwords =
>> true obey pam restrictions = yes client use spnego = yes client
>> ntlmv2 auth = yes encrypt passwords = true restrict anonymous = 2
>> unix password sync = yes winbind enum groups = yes winbind enum
>> users = yes winbind nss info = rfc2307
>> 
>> 
> 
> 
> - - --
> 
> 
> Robert Freeman-Day
> 
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
> 
> 



[Samba] Can't get idmap connected to AD unix attribs

2012-07-09 Thread Nick Triantos
Hi,

I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and Winbind to map 
userids and groups to the unix attributes in an AD 2008 server. I can see that 
when I perform an ldapsearch, I'm able to read the attributes, and for one of 
my accounts, the id should be 1001. However, when I run 'wbinfo -i ', 
I get back something like 920.

At one point, I was setting the idmap range to start at 900, but I've since 
removed that from my config, and restarted winbindd and smbd. I've also tried 
to 'net cache flush'.

I also see wbinfo -i  usually returns:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user 

The relevant parts of my smb.conf are below. I've tried patching this together 
from various tuts and help pages. Any guidance would be very helpful.

thanks!
-Nick

[global]
   workgroup = CORP
   security = ADS
   password server = 192.168.77.251
   realm = CORP.MYCOMPANY.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   idmap config CORP : backend = tdb
   idmap config CORP : default = yes
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 
   idmap config * : backend = tdb
   encrypt passwords = true
   obey pam restrictions = yes
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = true
   restrict anonymous = 2
   unix password sync = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307

