Raphaël RIGNIER
2016-07-04 17:35:46 UTC
Hi Samba team!
I have been trying for hours to resolve a problem I have with a Linux host (Samba
4.3.9, Ubuntu 16.04) as AD member. DCs are Windows 2008 R2, one is 2012
R2. Forest level is 2003 R2.
My smb.conf:
[GLOBAL]
netbios name = CR-DEV-01
security = ADS
workgroup = ADDOMAIN
realm = ADDOMAIN.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9998
idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:schema_mode = rfc2307
idmap config ADDOMAIN:range = 9999-999999
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
The range starts at 9999, the "Domain's user" gidNumber, to have a default primary
group.
Shared uid and gid start with 10000.
The test for groups:
--------------
# net ads search '(SamAccountName=info2)' samaccountname gidnumber -P
Got 1 replies
sAMAccountName: info2
gidNumber: 10002
------------------
# getent group info2
info2:x:10002:
------------------
All is OK
For the user, it is not working as expected:
-------------
# net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -P
Got 1 replies
sAMAccountName: b.btstest
--------------------------------
No uidnumber, gidnumber, gecos?
Same search with admin account:
------------------------
net ads search '(SamAccountName=b.btstest)' samaccountName uinumber gidnumber gecos -U administrator
Enter administrator's password:
Got 1 replies
sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
---------------
-----
#getent passwd b.btstest (no output)
------
Winbind output
------
getpwnam b.btstest
Could not convert sid S-1-5-21-4272071638-3509717963-3151537417-7471:
NT_STATUS_NONE_MAPPED
----------
This is the same for all mapped AD users (3042 users).
Does Winbind make queries on DCs with the machine account?
Does that mean a bad AD schema?
Strange behavior.
Thanks for help.
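
An added diagnostic example, not part of the original post and not Samba code: it compares the two `net ads search` transcripts quoted above to list the attributes the machine-account bind (`-P`) did not receive but the administrator bind did, and checks the returned IDs against the configured ADDOMAIN idmap range. The function names are hypothetical.

```python
import re

# Transcripts and config lines copied from the post above.
MACHINE_OUT = """Got 1 replies
sAMAccountName: b.btstest
"""
ADMIN_OUT = """Got 1 replies
sAMAccountName: b.btstest
uidNumber: 13367
gidNumber: 10002
gecos: BTSTEST B
"""
SMB_CONF = """[GLOBAL]
idmap config *:range = 2000-9998
idmap config ADDOMAIN:backend = ad
idmap config ADDOMAIN:range = 9999-999999
"""

def parse_attrs(text):
    """Return {lowercased attribute: value} from 'name: value' output lines."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:  # status lines such as 'Got 1 replies' have no 'name:' prefix
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs

def idmap_range(conf, domain):
    """Return (low, high) of 'idmap config <domain>:range', or None if absent."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.M | re.I)
    return (int(m.group(1)), int(m.group(2))) if m else None

def diagnose(machine_out, admin_out, conf, domain):
    """Compare what each bind was given and range-check the numeric IDs."""
    machine, admin = parse_attrs(machine_out), parse_attrs(admin_out)
    rng = idmap_range(conf, domain)
    if rng is None:
        raise ValueError(f"no idmap range configured for {domain}")
    in_range = {k: rng[0] <= int(admin[k]) <= rng[1]
                for k in ("uidnumber", "gidnumber") if k in admin}
    return {"hidden_from_machine": sorted(set(admin) - set(machine)),
            "in_range": in_range}

if __name__ == "__main__":
    print(diagnose(MACHINE_OUT, ADMIN_OUT, SMB_CONF, "ADDOMAIN"))
```

Both IDs fall inside the configured range, so the range setting is not what drops them; the two binds differ in which attributes the DC returns.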