SOLVED Difficulties with a Samba 4 Active Directory setup

BeepDog

Dabbler
Joined
Feb 29, 2020
Messages
12
I'm running FreeNAS 11.3-U1 and haven't yet upgraded to U2.1.

Originally, pre-11.3, I was using simple LDAP to provide users to the system, and Samba was using that LDAP-based user setup to authenticate. Everything was great until I upgraded to 11.3, and then none of that worked anymore. Everything else worked fine, but I could never figure out how to get simple LDAP directory users showing up for Samba again.

If I could figure out how to completely reset everything Samba-related, so that there's absolutely no information about it in there, I'd like to know that. I think perhaps something got messed up that isn't going away.

What I ended up doing instead is setting up a Samba 4 domain controller and binding the FreeNAS to that. That has not been without issue either, unfortunately.

I have had tons of problems with my desktop getting errors like "This account is not authorized to connect from this machine." after about 12 hours of being connected. If I log out and log back in, everything works again.

Most recently, as shown in the ticket I filed, I have groups from Active Directory, but not users. I have not yet figured out why suddenly my users have gone away. They were there yesterday :(

I would love to go back to simple LDAP-backed users, and have my Samba accounts authenticate that way. I don't need an AD controller, as I have no intention of binding my Windows boxes to it. The LDAP does more for me than Samba AD can anyway, with sudoers in there, which I can't quite do with AD.

Thanks in advance for any help.

BeepDog
I found this thread from a long time back, and I appear to be having many of the same problems.

For some reason, winbind isn't doing the right things.
Code:
root@freenas[/var/log/samba4]# wbinfo -i 'DEFIANCE\dkowis'
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DEFIANCE\dkowis
root@freenas[/var/log/samba4]# wbinfo --uid-to-sid 10001
S-1-5-21-2022112486-4111327446-4197854780-1103
root@freenas[/var/log/samba4]# wbinfo -s S-1-5-21-2022112486-4111327446-4197854780-1103
DEFIANCE\dkowis 1
root@freenas[/var/log/samba4]#
root@freenas[/var/log/samba4]# wbinfo --gid-info 10001
dkowis_group:x:10001:
root@freenas[/var/log/samba4]# wbinfo --gid-info 20000
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 20000
root@freenas[/var/log/samba4]#
root@freenas[/var/log/samba4]# wbinfo --gid-info 20006
videos:x:20006:
root@freenas[/var/log/samba4]#

BeepDog
Okay, I think I've actually solved this, but I need it to stay working for a couple of days before I have actual confidence that it did actually work.


So finding this obscure post means that somehow, users aren't added to idmap unless all of their groups resolve to a GID number. And Domain Users, despite me not using it for anything at all, is made up of all users. So if that one doesn't have a gidNumber, no users get entered into getent passwd.

Why did I have users prior to this? Maybe there was some caching going on that didn't get cleared, and so when that cache expired, everything started coming apart at the seams.

I would still like to go back to a simple LDAP-based user/password combination, as I don't really need anything Active Directory related, and my LDAP is actually richer than the Active Directory, with regards to my Linux servers.
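As an added illustration of the rule described in the post above (this is not code from the original thread or from Samba itself): a small Python checker that reads LDIF-style output, such as what ldapsearch or samba-tool print, and reports which users would be skipped because one of their groups, including the primary group reached through primaryGroupID, carries no gidNumber. The domain SIDs and entries in SAMPLE_LDIF are constructed sample data.

```python
"""Flag directory users winbind will skip because a group of theirs (incl. the
primary group via primaryGroupID) has no gidNumber. Input is LDIF-style text."""
from collections import defaultdict

# Constructed sample data with made-up SIDs; not output from a real domain.
SAMPLE_LDIF = """\
dn: CN=dkowis,CN=Users,DC=defiance,DC=example
objectClass: user
sAMAccountName: dkowis
uidNumber: 10001
primaryGroupID: 513
memberOf: CN=dkowis_group,CN=Users,DC=defiance,DC=example

dn: CN=Domain Users,CN=Users,DC=defiance,DC=example
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-0-0-0-513

dn: CN=dkowis_group,CN=Users,DC=defiance,DC=example
objectClass: group
sAMAccountName: dkowis_group
gidNumber: 10001
"""

def parse_ldif(text):
    """Split LDIF into {attribute: [values]} dicts; records end at a blank line."""
    entries = []
    for record in (r for r in text.split("\n\n") if r.strip()):
        entry = defaultdict(list)
        for line in record.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        entries.append(dict(entry))
    return entries

def unresolvable_users(entries):
    """Return {user: [groups lacking gidNumber]}; empty dict means every user resolves."""
    groups = [e for e in entries if "group" in e.get("objectClass", [])]
    by_dn = {g["dn"][0]: g for g in groups}
    # primaryGroupID holds only the RID, so index groups by the last SID component
    by_rid = {g["objectSid"][0].rsplit("-", 1)[1]: g for g in groups if "objectSid" in g}
    result = {}
    for user in (e for e in entries if "user" in e.get("objectClass", [])):
        user_groups = [by_dn[dn] for dn in user.get("memberOf", []) if dn in by_dn]
        primary = by_rid.get(user.get("primaryGroupID", [""])[0])
        user_groups += [primary] if primary else []
        missing = [g["sAMAccountName"][0] for g in user_groups if "gidNumber" not in g]
        if missing:
            result[user["sAMAccountName"][0]] = missing
    return result
```

Running it on the sample reports dkowis as unresolvable because of Domain Users; giving that group a gidNumber makes the report empty, which is the fix the post describes.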

BeepDog
Normally I'd have a disconnection problem after at least 12 hours, and it has gone away.

So if there's anyone else out there doing the same thing I'm doing, and they run into a problem where users from Samba Active Directory (or possibly Microsoft Active Directory) in FreeNAS don't show up but groups do, with no errors in the logs, this might be your solution.

I tried to include most of the words I searched for, in the hopes that it helps someone else. Good luck!