From: Mike Brady on 23 Apr 2008 03:50

First of all apologies for replying to my own query, but I have run out of things to try and really need to make some progress on this.

I have done a clean install and am now using the configuration file below for my Samba PDC. This has made no difference to the issue with usrmgr.exe. As before this is Samba 3.0.28a on CentOS 5.1 x86_64 and nsswitch is configured to use winbind.

[global]
    log level = 5
    workgroup = domb
    server string = Samba Server Version %v
    interfaces = lo, eth0
    passdb backend = tdbsam:/etc/samba/passdb.tdb
    username map = /etc/samba/smbusers
    log file = /var/log/samba/%m.log
    max log size = 50

    # Stuff that makes this machine a PDC.
    add user script = /usr/sbin/useradd "%u" -n -g domusers
    delete user script = /usr/sbin/userdel "%u"
    add group script = /usr/sbin/groupadd "%g"
    delete group script = /usr/sbin/groupdel "%g"
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false -g machines "%u"
    logon path = \\%L\Profiles\%U
    logon home = \\%L\%U\.profiles
    logon drive = H:
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    wins proxy = Yes
    wins support = Yes

    # Equivalent of old behaviour.
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:backend = tdb
    idmap config ALLDOMAINS:range = 10000 - 50000

    idmap alloc backend = tdb
    idmap alloc config:range = 10000 - 50000

    winbind enum users = yes
    winbind enum groups = Yes
    winbind nested groups = yes
    hosts allow = 127., 192.168.42., 192.168.43.
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    browseable = No
    share modes = No
    read only = yes

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700

At this stage I believe there to be a problem with winbind as I have also tried the following.

Creating a local group with "net -U root%xxxxxxx sam createlocalgroup local1", which succeeds.

A portion of the output from "net groupmap list verbose" shows:

local1
    SID       : S-1-5-21-2991776595-4262790192-2958925130-1004
    Unix gid  : 10053
    Unix group: local1
    Group type: Local Group
    Comment   :

Testing winbind with the following:

[root@dombpdc ~]# wbinfo -G 10053
S-1-5-21-2991776595-4262790192-2958925130-1004
[root@dombpdc ~]# wbinfo -s "S-1-5-21-2991776595-4262790192-2958925130-1004"
Could not lookup sid S-1-5-21-2991776595-4262790192-2958925130-1004

Shouldn't both these commands work or am I missing something? I tried it both with and without the quotes around the SID.

Also

[root@dombpdc ~]# wbinfo -D .
Name : DOMB
Alt_Name :
SID : S-1-5-21-2991776595-4262790192-2958925130
Active Directory : No
Native : No
Primary : Yes
Sequence : -1

[root@dombpdc ~]# wbinfo -u
Error looking up domain users

[root@dombpdc ~]# wbinfo -g
BUILTIN\server operators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
local1

These are only the local groups. Shouldn't this list the domain groups as well?

[root@dombpdc ~]# wbinfo --getdcname domb
Could not get dc name for domb

Which may well be the root of the problem?

I am happy to supply whichever logs are required, just let me know.

Thanks

Mike

From: L.P.H. van Belle on 23 Apr 2008 07:20

Did you add your server to the domain?
e.g. net rpc join -S 'pdc-name' -U administrator%password -d 5

Check this page and review your config also.
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html

Louis

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl(a)lists.samba.org
>[mailto:samba-bounces+belle=bazuin.nl(a)lists.samba.org] On behalf of
>Mike Brady
>Sent: Wednesday 23 April 2008 9:46
>To: samba(a)lists.samba.org
>Subject: Re: [Samba] Problems with winbind, idmap and usrmgr.exe
>
>First of all apologies for replying to my own query, but I have run out
>of things to try and really need to make some progress on this.
>
>I have done a clean install and am now using the configuration file
>below for my Samba PDC. This has made no difference to the issue with
>usrmgr.exe. As before this is Samba 3.0.28a on CentOS 5.1 x86_64 and
>nsswitch is configured to use winbind.
>
>[global]
>    log level = 5
>    workgroup = domb
>    server string = Samba Server Version %v
>    interfaces = lo, eth0
>    passdb backend = tdbsam:/etc/samba/passdb.tdb
>    username map = /etc/samba/smbusers
>    log file = /var/log/samba/%m.log
>    max log size = 50
>
>    # Stuff that makes this machine a PDC.
>    add user script = /usr/sbin/useradd "%u" -n -g domusers
>    delete user script = /usr/sbin/userdel "%u"
>    add group script = /usr/sbin/groupadd "%g"
>    delete group script = /usr/sbin/groupdel "%g"
>    delete user from group script = /usr/sbin/userdel "%u" "%g"
>    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)"
>-M -d /nohome -s /bin/false -g machines "%u"
>    logon path = \\%L\Profiles\%U
>    logon home = \\%L\%U\.profiles
>    logon drive = H:
>    domain logons = Yes
>    os level = 33
>    preferred master = Yes
>    domain master = Yes
>    wins proxy = Yes
>    wins support = Yes
>
>    # Equivalent of old behaviour.
>    idmap domains = ALLDOMAINS
>    idmap config ALLDOMAINS:default = yes
>    idmap config ALLDOMAINS:backend = tdb
>    idmap config ALLDOMAINS:range = 10000 - 50000
>
>    idmap alloc backend = tdb
>    idmap alloc config:range = 10000 - 50000
>
>    winbind enum users = yes
>    winbind enum groups = Yes
>    winbind nested groups = yes
>    hosts allow = 127., 192.168.42., 192.168.43.
>    cups options = raw
>
>[homes]
>    comment = Home Directories
>    read only = No
>    browseable = No
>
>[netlogon]
>    comment = Network Logon Service
>    path = /var/lib/samba/netlogon
>    guest ok = Yes
>    browseable = No
>    share modes = No
>    read only = yes
>
>[profiles]
>    path = /var/lib/samba/profiles
>    read only = no
>    create mask = 0600
>    directory mask = 0700
>
>At this stage I believe there to be a problem with winbind as I have
>also tried the following.
>
>Creating a local group with "net -U root%xxxxxxx sam createlocalgroup
>local1", which succeeds.
>
>A portion of the output from "net groupmap list verbose" shows:
>local1
>    SID       : S-1-5-21-2991776595-4262790192-2958925130-1004
>    Unix gid  : 10053
>    Unix group: local1
>    Group type: Local Group
>    Comment   :
>
>Testing winbind with the following:
>[root@dombpdc ~]# wbinfo -G 10053
>S-1-5-21-2991776595-4262790192-2958925130-1004
>[root@dombpdc ~]# wbinfo -s
>"S-1-5-21-2991776595-4262790192-2958925130-1004"
>Could not lookup sid S-1-5-21-2991776595-4262790192-2958925130-1004
>
>Shouldn't both these commands work or am I missing something? I tried it
>both with and without the quotes around the SID.
>
>Also
>
>[root@dombpdc ~]# wbinfo -D .
>Name : DOMB
>Alt_Name :
>SID : S-1-5-21-2991776595-4262790192-2958925130
>Active Directory : No
>Native : No
>Primary : Yes
>Sequence : -1
>
>[root@dombpdc ~]# wbinfo -u
>Error looking up domain users
>
>[root@dombpdc ~]# wbinfo -g
>BUILTIN\server operators
>BUILTIN\guests
>BUILTIN\power users
>BUILTIN\print operators
>BUILTIN\administrators
>BUILTIN\account operators
>BUILTIN\backup operators
>BUILTIN\users
>local1
>
>These are only the local groups. Shouldn't this list the domain groups
>as well?
>
>[root@dombpdc ~]# wbinfo --getdcname domb
>Could not get dc name for domb
>
>Which may well be the root of the problem?
>
>I am happy to supply whichever logs are required, just let me know.
>
>Thanks
>
>Mike

From: Mike Brady on 23 Apr 2008 15:40

On Wed, 2008-04-23 at 13:11 +0200, L.P.H. van Belle wrote:
> Did you add your server to the domain?
> e.g. net rpc join -S 'pdc-name' -U administrator%password -d 5
>
> Check this page and review your config also.
> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html
>
> Louis

Louis

Thanks for the response. My server is the PDC and on the current build it has not been joined to the domain. I have joined it now and it has made no difference in that the above wbinfo commands give the same results.

In general is it required that the PDC be added to itself (well sort of)?

I had to use root to do the join. Meaning

net rpc join -S 'pdc-name' -U root%password -d 5

administrator doesn't work for the net commands, but I can log in as administrator from a Windows client.

smbusers contains

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

so should 'administrator' work for the net commands?

Thanks

Mike