Re: [Samba] getent acting unreliable with idmap_ad
Hello Nico,

I am unsure I will be able to help you further with this topic, I am not a Samba nor AD master ...

> I already list my servers in password server =, although I do have the
> impression that Samba may have problems with my 2008R2 servers. I'll try
> playing with the settings.

I cannot tell for 2008R2, we don't have this version yet ...

> > - I stated clearly my /etc/krb5.conf
>
> Do you mean fill in /etc/krb5.conf properly or should I refer to it
> somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was
> using it in my old setup using kerberos+ldap authentication. I found some
> reference on the Internet to an smb.conf variable
> use kerberos keytab = yes
> however this doesn't seem to be accepted for Samba 3.4.7

I just filled it up properly, but did not mention Kerberos in any way in smb.conf

Best regards
---
Robert GRASSO
System Engineer
CEDRAT
15, Chemin de Malacher - Inovallée - 38246 MEYLAN Cedex - FRANCE
Tel: +33 (0)4 76 90 50 45 Fax: +33 (0)4 76 90 16 09
mailto:robert.gra...@cedrat.com
---
Support service : mailto:supp...@cedrat.com
Commercial service : mailto:ced...@cedrat.com
Web site : http://www.cedrat.com
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent acting unreliable with idmap_ad
> > I just filled it up properly, but did not mention Kerberos in any way in
> > smb.conf
>
> Doh, that's what I have too. Any chance you could send me a copy of your
> smb.conf?

Well, no problem, I am sure it is not a great piece of smb.conf, actually. Here it is: it is the one for my desktop. I removed the comments and our private names and IPs:

[global]
    netbios name = short
    workgroup = WG
    realm = WG.LAN
    server string = Samba Server - long_name
    hosts allow = 10.0. 127.
    smb ports = 445
    #printcap name = /etc/printcap
    printcap name = cups
    load printers = yes
    printing = cups
    cups options = raw
    log level = 1
    log file = /var/log/samba/%m.log
    max log size = 1
    security = ADS
    password server = s1,s2
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = no
    name resolve order = wins bcast
    wins server = IP1 IP2
    dns proxy = yes
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:backend = ad
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:schema_mode = sfu
    idmap config ALLDOMAINS:range = 500 - 2
    template homedir = /home/%U
    winbind use default domain = yes
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = template sfu
    winbind offline logon = true
    winbind refresh tickets = true

Some comments:

- I used netbios name, as my desktop Unix name is longer than 15 characters - Windows or Samba did not like it ...
- we have two names for our AD domain - our winadmin did not solve this issue so far, thus I put one name as the workgroup and the other name as the kerberos realm ...
- I let template homedir in smb.conf by sheer laziness, with SFU I don't use it
- I used to set winbind offline logon and winbind refresh tickets when my Samba was unstable, they were tests - then, once I found the true solution, laziness again ...

Hope this helps
---
Robert GRASSO
Re: [Samba] getent acting unreliable with idmap_ad
Hi Robert,

thanks for your reply.

On Fri, 2010-07-30 at 17:45 +0200, Robert Grasso wrote:
> Hello,
>
> I personally solved my stability issues when, rather than letting Samba
> find automatically the AD servers, I stated them clearly :
> - I stated clearly my password server = in smb.conf

I already list my servers in password server =, although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.

> - I stated clearly my /etc/krb5.conf

Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable
use kerberos keytab = yes
however this doesn't seem to be accepted for Samba 3.4.7

> I am running on CentOS 5.5, samba 3.0.33.
>
> Apart from that : I have installed SFU on my Windows 2003 AD servers; to
> me, it seems that getent passwd username yields a result for the accounts
> which have a Unix account declared in AD through the Unix attributes, and
> only for these ones (?).

I think that's expected behaviour. idmap_ad looks up uid/gid from AD but doesn't create its own mapping if it doesn't find one. So any user that doesn't have a proper unix uid/gid field won't show up. I also noticed idmap_ad looks at the Windows Primary Group as gid instead of the group field on the unix tab. Therefore the Windows Primary Group also needs to have a valid unix id assigned.

Nico
--
With kind regards
Nico De Ranter
Senior System Administrator
Techsoft Centre Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium
Phone:+32 (0)2 700 8641 Fax: +32 (0)2 700 8622
E-mail:nico.deran...@eu.sony.com
A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels Fortis - BIC GEBABEBB - IBAN BE41293037680010
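
The behaviour described in the message above, modelled as an added example that is not part of the original thread and is not Samba's own code: it audits constructed directory records for the conditions that keep a user from resolving (no uid stored in AD, an id outside the configured idmap range, a Windows primary group without a gid). The attribute names are the ones read with schema_mode = sfu; the records, the `rid` field and the range values are assumptions made for the example.

```python
# Constructed sample data, not output from a real directory.
ID_RANGE = (10000, 19999)  # constructed stand-in for "idmap config ...:range"

# "rid" is a hypothetical field standing for the group's RID, which is the
# value a user's primaryGroupID refers to.
GROUPS = [
    {"name": "Domain Users", "rid": 513, "msSFU30GidNumber": None},
    {"name": "unixusers", "rid": 1105, "msSFU30GidNumber": 10001},
]
USERS = [
    {"name": "nico", "msSFU30UidNumber": 10010, "primaryGroupID": 1105},
    {"name": "alice", "msSFU30UidNumber": None, "primaryGroupID": 1105},
    {"name": "bob", "msSFU30UidNumber": 10011, "primaryGroupID": 513},
    {"name": "carol", "msSFU30UidNumber": 501, "primaryGroupID": 1105},
]


def audit_user(user, groups, id_range=ID_RANGE):
    """Return the reasons this user would not resolve; an empty list means OK."""
    low, high = id_range
    problems = []
    uid = user.get("msSFU30UidNumber")
    if uid is None:
        # idmap_ad only reads mappings from AD, it never allocates one.
        problems.append("no uid in AD (idmap_ad allocates none)")
    elif not low <= uid <= high:
        # The idmap range acts as a filter on ids read from AD.
        problems.append(f"uid {uid} outside idmap range")
    by_rid = {g["rid"]: g for g in groups}
    primary = by_rid.get(user.get("primaryGroupID"))
    if primary is None:
        problems.append("primary group not found")
    else:
        # Per the message above, the gid comes from the Windows primary group.
        gid = primary.get("msSFU30GidNumber")
        if gid is None:
            problems.append(f"primary group '{primary['name']}' has no gid")
        elif not low <= gid <= high:
            problems.append(f"primary group gid {gid} outside idmap range")
    return problems


def audit(users=USERS, groups=GROUPS, id_range=ID_RANGE):
    """Map each user name to its list of problems."""
    return {u["name"]: audit_user(u, groups, id_range) for u in users}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```
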
Re: [Samba] getent acting unreliable with idmap_ad
Hi Robert,

On Mon, 2010-08-02 at 11:32 +0200, Robert Grasso wrote:
> Hello Nico,
>
> I am unsure I will be able to help you further with this topic, I am not a
> Samba nor AD master ...

Thanks for trying anyway. Very much appreciated :-)

> > I already list my servers in password server =, although I do have the
> > impression that Samba may have problems with my 2008R2 servers. I'll try
> > playing with the settings.
>
> I cannot tell for 2008R2, we don't have this version yet ...
>
> > > - I stated clearly my /etc/krb5.conf
> >
> > Do you mean fill in /etc/krb5.conf properly or should I refer to it
> > somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was
> > using it in my old setup using kerberos+ldap authentication. I found some
> > reference on the Internet to an smb.conf variable
> > use kerberos keytab = yes
> > however this doesn't seem to be accepted for Samba 3.4.7
>
> I just filled it up properly, but did not mention Kerberos in any way in
> smb.conf

Doh, that's what I have too. Any chance you could send me a copy of your smb.conf?

Nico
[Samba] getent acting unreliable with idmap_ad
I'm trying to get my linux boxes to authenticate to AD using winbind. I need to get my uid's from AD so I'm using idmap_ad. I got to the point where 'getent passwd' shows me the list of unix users from AD with all correct details, however when I do 'getent passwd username' for any username from the list returned by 'getent passwd' I get an empty reply (getent returns error code 2) and I can't login using those users.

As a matter of fact on one of my test machines it works sometimes. 'getent passwd nico' will return my user details and I can logon properly but when the system has been quiet for some time it seems to forget about the account again.

Anybody seen this before? Any suggestions on how to debug this?

I'm trying this on Ubuntu 9.10 and 10.04.

Thanks in advance,

Nico
--
With kind regards
Nico De Ranter
Senior System Administrator
Techsoft Centre Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium
Phone:+32 (0)2 700 8641 Fax: +32 (0)2 700 8622
E-mail:nico.deran...@eu.sony.com
A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels Fortis - BIC GEBABEBB - IBAN BE41293037680010

The information contained in this message or any of its attachments may be confidential and is intended for the exclusive use of the addressee(s). Any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited without the express permission of the sender. The views expressed in this email are those of the individual and not necessarily those of Sony or Sony affiliated companies. Sony email is for business use only. This email and any response may be monitored by Sony to be in compliance with Sony's global policies and standards
Re: [Samba] getent acting unreliable with idmap_ad
Hello,

I personally solved my stability issues when, rather than letting Samba find automatically the AD servers, I stated them clearly :
- I stated clearly my password server = in smb.conf
- I stated clearly my /etc/krb5.conf

I am running on CentOS 5.5, samba 3.0.33.

Apart from that : I have installed SFU on my Windows 2003 AD servers; to me, it seems that getent passwd username yields a result for the accounts which have a Unix account declared in AD through the Unix attributes, and only for these ones (?).

Regards
---
Robert GRASSO
System engineer
CEDRAT S.A.
15 Chemin de Malacher - Inovallée - 38246 MEYLAN cedex - FRANCE
Phone: +33 (0)4 76 90 50 45 - Fax: +33 (0)4 56 38 08 30
mailto:robert.gra...@cedrat.com - http://www.cedrat.com

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Nico De Ranter
Sent: 30 July 2010 13:44
To: samba@lists.samba.org
Subject: [Samba] getent acting unreliable with idmap_ad

I'm trying to get my linux boxes to authenticate to AD using winbind. I need to get my uid's from AD so I'm using idmap_ad. I got to the point where 'getent passwd' shows me the list of unix users from AD with all correct details, however when I do 'getent passwd username' for any username from the list returned by 'getent passwd' I get an empty reply (getent returns error code 2) and I can't login using those users.

As a matter of fact on one of my test machines it works sometimes. 'getent passwd nico' will return my user details and I can logon properly but when the system has been quiet for some time it seems to forget about the account again.

Anybody seen this before? Any suggestions on how to debug this?

I'm trying this on Ubuntu 9.10 and 10.04.

Thanks in advance,

Nico