From: Mike Leone on 4 May 2010 08:40

On 5/4/2010 4:20 AM, Oliver Weinmann had this to say:
> Hi all,
>
> I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf:

<snip>

> In the log I get this error when running getent group:
>
> tail -f /var/log/samba/log.winbindd-idmap
> Could not get unix ID
> [2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID

Doesn't that indicate that Samba thinks the SFU extensions aren't installed?

What is the version of AD? Is it 2003 R2, or 2003 with SFU installed?

--
Michael J. Leone, <mailto:turgon(a)mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

USER ERROR: replace user and press any key to continue.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Oliver Weinmann on 5 May 2010 04:30

I'm really totally lost about this problem. I tried a lot of things in smb.conf but it just doesn't work. I mean it is working fine on 3.3.2 so I don't think this is a problem in AD. It must be something that has changed in the config of 3.5.2.

-----Original Message-----
From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Tuesday, 4 May 2010 10:21
To: samba(a)lists.samba.org
Subject: [Samba] Getent passwd and getent group fail / Samba 3.5.2

Hi all,

I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf:

[global]
    netbios name = sles11test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = someserver.somedomain.net
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-99999999
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log file = /var/log/samba/log.%m
    log level = 3
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = No
    client use spnego = Yes
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = true
    idmap cache time = 1
    idmap negative cache time = 1
    winbind cache time = 1

In the log I get this error when running getent group:

tail -f /var/log/samba/log.winbindd-idmap
Could not get unix ID
[2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
Could not get unix ID

Getent group and passwd works fine e.g. on an old Ubuntu install with samba 3.3.2. So far I have this problem on SLES9 and SLES11.

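The log excerpt in the message above uses Samba's two-part debug format: a bracketed header (timestamp, debug level, source file, line, function) followed by the message text. The following is an added example, not part of the thread or of Samba: a small Python parser that pairs headers with their messages and counts repeated low-level failures such as the idmap_ad one. The function names and the sample log are assumptions; the sample is constructed from the lines quoted in the thread plus placeholder entries.

```python
import re
from collections import Counter

# Header line: "[YYYY/MM/DD HH:MM:SS.usec, LEVEL] file.c:LINE(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

def parse_samba_log(text):
    """Return one dict per log entry: header fields plus the joined message."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "level": int(m["level"]),
                       "line": int(m["line"]), "message": []}
            entries.append(current)
        elif current is not None and raw.strip():
            current["message"].append(raw.strip())
        # Text before the first header (tail started mid-entry) is skipped:
        # it cannot be attributed to a source location.
    for entry in entries:
        entry["message"] = " ".join(entry["message"])
    return entries

def summarize(entries, max_level=1):
    """Count (function, message) pairs at or below max_level (lower = more severe)."""
    return Counter((e["func"], e["message"]) for e in entries
                   if e["level"] <= max_level)

# Constructed sample: the idmap_ad lines are the ones quoted in the thread;
# the second timestamp and the placeholder entry are made up for illustration.
SAMPLE_LOG = """\
  Could not get unix ID
[2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2010/05/04 10:15:29.445102,  1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
  Could not get unix ID
[2010/05/04 10:15:30.000001,  3] example/placeholder.c:1(placeholder_function)
  constructed level-3 message
"""

if __name__ == "__main__":
    for (func, msg), count in summarize(parse_samba_log(SAMPLE_LOG)).items():
        print(f"{count:4d}  {func}: {msg}")
```

With "log level = 10", as in the later configuration in this thread, filtering on the level field is what keeps the idmap failures from being buried in debug output.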
From: Oliver Weinmann on 6 May 2010 03:10

I have investigated further and compared the behaviour of samba 3.3 and samba 3.5 on 2 identical SLES9 VMs. Samba 3.3 is working as expected with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I noticed that there are a few Kerberos params that have changed in 3.5 but I just can't get 3.5 to work as expected:

sles9test3:~ # testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Unknown parameter encountered: "use kerberos keytab"
Ignoring unknown parameter "use kerberos keytab"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

For example, I can run getent passwd and getent group fine under 3.3 but not under 3.5. Also, I created a user in AD, "tuser2"; this user is visible within 1 minute under 3.3; under 3.5 it's not even visible after a reboot. Also, group memberships of AD users are not updated under 3.5.2. I'm not sure if this is a bug. I tried a lot of things in smb.conf but it just doesn't work. At the moment I have to consider going back to 3.3. I googled a lot in the past days to find a correct smb.conf for 3.5 and idmap_ad but it's really hard to find a well-documented howto. I would really appreciate it if someone would have a look at this.

Here is my smb.conf:

[global]
    netbios name = sles9test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = dc.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-99999999
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1