On 23/06/15 13:32, David Minard wrote:
> I've set up a DC and a Member Server for a file server. Both are running on CentOS 7 and Samba version 4.2.2. The Member Server is running smbd and winbindd.
>
> I've followed the wiki and for the most part it's working. However, after stuffing up the ranges, then fixing them up, when I create new accounts, adding all the Unix attributes, the UID_Number is not showing the correct value for new accounts. Existing ones are okay.
>
> Member Server config:
>
> [global]
>
> netbios name = MS1
> workgroup = AD
> security = ADS
> realm = SAMBADOM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 30000000-40000000
> idmap config SAMBADOM:backend = ad
> idmap config SAMBADOM:schema_mode = rfc2307
> idmap config SAMBADOM:range = 600-29999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> Existing account:
> getent passwd fred
>
> fred:*:4999:30000000:Fred Nerks:/home/fred:/bin/tcsh
>
> New account:
>
> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
>
> fred1 was set up with --uid-number='5004'
>
> I've tried clearing winbindd caches as per some post I read:
>
> systemctl stop winbindd
> rm /usr/local/samba/var/locks/group_mapping.tdb* /usr/local/samba/var/locks/winbindd_idmap.tdb* /usr/local/samba/var/locks/winbindd_cache.tdb*
> systemctl start winbindd
>
> But no change.
>
> I've also noticed that the default group that all users are in used to be "domain users"; now for some reason they are all in "BUILTIN\administrators"!
>
> Am I doing something wrong? If so, what? If not, how do I track down why this is happening?
>
> Cheers,
> David Minard.
> Ph: 0247 360 155
> Fax: 0247 360 770
>
> School of Computing, Engineering, and Mathematics
> Building Y - Penrith Campus (Kingswood)
> Locked bag 1797
> Penrith South DC
> NSW 1797
>
> [Sometimes waking up just isn't worth the insult of the day to come.]

> Yes, you do appear to be doing things wrong:
>
> workgroup = AD
>
> but:
>
> idmap config SAMBADOM:backend = ad
> idmap config SAMBADOM:schema_mode = rfc2307
> idmap config SAMBADOM:range = 600-29999999
>
> 'SAMBADOM' should be 'AD'
>
> You have 'realm = SAMBADOM'; it really should be something like 'realm = SAMBADOM.COM'
>
> Rowland

Thanks for the quick reply, Rowland. The change didn't make any difference. I remember having it the way you suggested in the first place, but was still getting strangeness. I have put it back to the right way as suggested. I now have a config of:

[global]

netbios name = MS1
workgroup = AD
security = ADS
realm = SAMDOM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 30000000-40000000
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 600-29999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

SAMDOM is, as you say, a domain name for the AD.

I noticed that the UIDNumbers of new accounts are overlapping with system accounts.

fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false

fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false

--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770

School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]
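As an added example (not code from this thread or from Samba), here is a shell script that reads an smb.conf fragment and checks it for the two idmap mistakes the thread turns on: a domain `idmap config` block keyed by something other than the workgroup name, so that lookups for the domain fall through to the `*` backend and receive an ID allocated from its tdb range instead of the uidNumber stored in AD; and idmap ranges that overlap each other. It also reports which block's range a given ID falls in, which is how you tell that an ID like 30000002 was allocated from the `*` range rather than read from AD. The smb.conf text is constructed here to mirror the configs posted above; the realm `SAMDOM.EXAMPLE.COM` in the corrected fragment is an assumed placeholder, since the thread never gives the real DNS domain, and the third, overlapping fragment is made up to show what "stuffing up the ranges" looks like to the checker.

```shell
#!/bin/sh
# Added example, not Samba's own code: sanity-check the idmap section of a
# member server's smb.conf for the problems discussed in the thread.
set -u

# Constructed to mirror the first config posted: the idmap block is keyed
# 'SAMBADOM' while the workgroup is 'AD'.
SMBCONF_BAD=$(cat <<'EOF'
[global]
   workgroup = AD
   security = ADS
   realm = SAMBADOM
   idmap config *:backend = tdb
   idmap config *:range = 30000000-40000000
   idmap config SAMBADOM:backend = ad
   idmap config SAMBADOM:schema_mode = rfc2307
   idmap config SAMBADOM:range = 600-29999999
EOF
)

# The corrected form (block keyed by the workgroup). The realm is an assumed
# placeholder; the thread never gives the real DNS domain.
SMBCONF_FIXED=$(cat <<'EOF'
[global]
   workgroup = AD
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config *:backend = tdb
   idmap config *:range = 30000000-40000000
   idmap config AD:backend = ad
   idmap config AD:schema_mode = rfc2307
   idmap config AD:range = 600-29999999
EOF
)

# conf_value CONF KEY: print the value of "KEY = value" (key match is case-insensitive).
conf_value() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# idmap_ranges CONF: print every "idmap config NAME:range = LO-HI" as "NAME LO HI".
idmap_ranges() {
    printf '%s\n' "$1" | awk -F'=' '
        tolower($1) ~ /^[ \t]*idmap config [^:]+:range[ \t]*$/ {
            name = $1
            sub(/^[ \t]*idmap config /, "", name); sub(/:range[ \t]*$/, "", name)
            r = $2; gsub(/[ \t]/, "", r); split(r, b, "-")
            print name, b[1] + 0, b[2] + 0
        }'
}

# range_owner CONF ID: print the NAME of the idmap block whose range contains ID.
# '*' means the ID came from the default (allocating) backend, not from AD.
range_owner() {
    idmap_ranges "$1" | awk -v id="$2" '$2 <= id && id <= $3 { print $1; exit }'
}

# check_idmap CONF: print each problem found; return 1 if there were any.
check_idmap() {
    conf=$1 problems=0
    wg=$(conf_value "$conf" workgroup)
    realm=$(conf_value "$conf" realm)

    # 1. The domain block must be keyed by the workgroup (short domain) name.
    #    Without it, winbind maps every domain user through the '*' backend and
    #    hands out IDs from that range, ignoring uidNumber in AD.
    if [ -z "$(conf_value "$conf" "idmap config ${wg}:backend")" ]; then
        echo "no 'idmap config ${wg}:backend' for workgroup '${wg}': domain users get IDs from the '*' backend"
        problems=1
    fi

    # 2. No two idmap ranges may overlap.
    overlaps=$(idmap_ranges "$conf" | awk '
        { n[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        printf "ranges overlap: %s (%s-%s) and %s (%s-%s)\n",
                               n[i], lo[i], hi[i], n[j], lo[j], hi[j]
        }')
    if [ -n "$overlaps" ]; then
        echo "$overlaps"
        problems=1
    fi

    # 3. The Kerberos realm is the DNS domain name (Rowland's point about 'realm = SAMBADOM').
    case $realm in
        *.*) ;;
        *) echo "realm '${realm}' is not a DNS domain name"; problems=1 ;;
    esac
    return $problems
}

echo "== first posted config =="
check_idmap "$SMBCONF_BAD" || true
echo "30000002 lies in the '$(range_owner "$SMBCONF_BAD" 30000002)' range; 5004 lies in the '$(range_owner "$SMBCONF_BAD" 5004)' range"
echo "== corrected config =="
check_idmap "$SMBCONF_FIXED" && echo "no problems found"
echo "== corrected config with the domain range stretched into the '*' range (constructed) =="
check_idmap "$(printf '%s\n' "$SMBCONF_FIXED" | sed 's/600-29999999/600-30000005/')" || true
```

Run against the first posted config the script reports that there is no `idmap config AD:backend`, and `range_owner` places 30000002 in the `*` range, which is the allocation behaviour David saw for fred1 while 5004 sits inside the domain range that winbind never consulted.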
On 24/06/15 02:55, David Minard wrote:
> [...]
>
> I noticed that the UIDNumbers of new accounts are overlapping with system accounts.
>
> fred1:*:30000002:30000000:Fred Nerks:/home/fred1:/bin/tcsh
> krbtgt:*:30000002:30000000:krbtgt:/home/AD/krbtgt:/bin/false
>
> fred:*:30000000:30000000:Fred Nerks:/home/fred:/bin/tcsh
> administrator:*:30000000:30000000:Administrator:/home/AD/administrator:/bin/false

Strange, have you tried running 'net cache flush' on the member server?

Have you given all the users & groups an ID number in AD?

Can you post the exact command you are using to create users?
Rowland