Stefan G. Weichinger
2015-Dec-29 16:32 UTC
[Samba] samba4 as ADS member: some users visible, others not
I have to add a brand new fedora 23 server with samba 4.3.3 to an
existing Windows ADS domain.

The join is OK:

# net ads testjoin
Join is OK

I use winbind as I still have to learn about sssd (and I am unsure which
one to prefer).

config (workgroup and realm edited):

[global]
workgroup = customer
realm = my.customer
server string
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config customer:range = 10000-999999
idmap config customer:schema_mode = rfc2307
idmap config customer:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
force create mode = 0664
force directory mode = 0775
printing = bsd
level2 oplocks = No

---

issues:

wbinfo -u
wbinfo -g
list all users and groups from ADS

getent passwd only gives me around 20 users from ADS ...

-> some users get access to shares, some not!

I assume this has to do with "idmap config customer:range"?

How do I determine the values of the max ids?

Do I have to "reset" some mappings after changing this parameter?

What else to check for?

thanks for any help on this, Stefan
Rowland penny
2015-Dec-29 17:05 UTC
[Samba] samba4 as ADS member: some users visible, others not
On 29/12/15 16:32, Stefan G. Weichinger wrote:
> I have to add a brand new fedora 23 server with samba 4.3.3 to an
> existing Windows ADS domain.
>
> The join is OK:
>
> # net ads testjoin
> Join is OK
>
> I use winbind as I still have to learn about sssd (and I am unsure which
> one to prefer).
>
> config (workgroup and realm edited):
>
> [global]
> workgroup = customer
> realm = my.customer
> server string
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config customer:range = 10000-999999
> idmap config customer:schema_mode = rfc2307
> idmap config customer:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> force create mode = 0664
> force directory mode = 0775
> printing = bsd
> level2 oplocks = No
>
> ---
>
> issues:
>
> wbinfo -u
> wbinfo -g
> list all users and groups from ADS
>
> getent passwd only gives me around 20 users from ADS ...
>
> -> some users get access to shares, some not!
>
> I assume this has to do with "idmap config customer:range"?
>
> How do I determine the values of the max ids?
>
> Do I have to "reset" some mappings after changing this parameter?
>
> What else to check for?
>
> thanks for any help on this, Stefan
>

The only mappings you should have are the ones for the 'builtin' users
& groups; all the others should have a uidNumber or gidNumber attribute
in AD, and these should be between '10000-999999'.

I would also recommend you remove these lines:

force create mode = 0664
force directory mode = 0775

They really only belong in a share, but you should be using Posix ACLs
anyway.

If a user isn't shown by getent, then they are unknown to the OS and
will not be able to access shares unless the share also allows guest
access.
Rowland
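The reply above says the fix is in the directory, not in winbind: every account that should appear on the member server needs a uidNumber (and a gidNumber for its primary group) inside the range given by "idmap config customer:range", and anything missing or outside that range is what getent silently drops. The script below, an added example and not code from the thread or from the Samba project, audits that condition offline: it reads the idmap ranges out of an smb.conf fragment, parses a constructed LDIF dump in the shape ldapsearch prints for AD user objects, and reports, per account, why winbind's idmap_ad backend would refuse to map it. The assumption that both uidNumber and gidNumber must fall within the domain's configured range is taken from the reply above; the sample accounts, values and DNs are constructed.

```python
"""Audit AD accounts against the idmap ranges in smb.conf.

Added example (not from the mailing-list thread or the Samba project).
Assumes, as the reply above states, that idmap_ad only maps an account
whose uidNumber and gidNumber both lie inside the domain's idmap range.
"""
import re

# Constructed smb.conf fragment, matching the poster's idmap lines.
SMB_CONF = """\
[global]
workgroup = customer
idmap config customer:range = 10000-999999
idmap config customer:schema_mode = rfc2307
idmap config customer:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
"""

# Constructed LDIF in the shape ldapsearch prints for AD user objects.
LDIF = """\
dn: CN=alice,CN=Users,DC=my,DC=customer
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=my,DC=customer
sAMAccountName: bob
uidNumber: 1500
gidNumber: 10000

dn: CN=carol,CN=Users,DC=my,DC=customer
sAMAccountName: carol
gidNumber: 10000

dn: CN=dave,CN=Users,DC=my,DC=customer
sAMAccountName: dave
uidNumber: 999999
gidNumber: 2000
"""

# Matches 'idmap config DOM:range = LOW-HIGH'; whitespace around ':' is
# tolerated because Samba accepts 'idmap config * : backend' style too.
_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain_lowercase: (low, high)} for every idmap range line."""
    ranges = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def classify(entries, ranges, domain):
    """Map account name -> list of reasons idmap_ad would not map it.

    An empty list means the account should show up in 'getent passwd'.
    """
    low, high = ranges[domain.lower()]
    report = {}
    for e in entries:
        name = e.get("sAMAccountName", e.get("dn"))
        problems = []
        for attr in ("uidNumber", "gidNumber"):
            value = e.get(attr)
            if value is None:
                problems.append(f"missing {attr}")
            elif not low <= int(value) <= high:
                problems.append(f"{attr}={value} outside {low}-{high}")
        report[name] = problems
    return report


def unmapped(report):
    """Sorted names of accounts that would be invisible to the member server."""
    return sorted(name for name, problems in report.items() if problems)


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    report = classify(parse_ldif(LDIF), ranges, "customer")
    for name, problems in report.items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Against a real domain the LDIF would come from ldapsearch (or "samba-tool user show" on a Samba DC) rather than the embedded string; the point of the audit is that "wbinfo -u" will happily list bob, carol and dave because it reads SIDs, while only alice has the POSIX attributes winbind needs to hand them to NSS.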
Stefan G. Weichinger
2015-Dec-29 17:30 UTC
[Samba] samba4 as ADS member: some users visible, others not
On 2015-12-29 at 18:05, Rowland penny wrote:
> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>> existing Windows ADS domain.
>>
>> The join is OK:
>>
>> # net ads testjoin
>> Join is OK
>>
>> I use winbind as I still have to learn about sssd (and I am unsure which
>> one to prefer).
>>
>> config (workgroup and realm edited):
>>
>> [global]
>> workgroup = customer
>> realm = my.customer
>> server string
>> security = ADS
>> map to guest = Bad User
>> username map = /etc/samba/smbusers
>> map untrusted to domain = Yes
>> load printers = No
>> printcap name = /dev/null
>> disable spoolss = Yes
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> idmap config customer:range = 10000-999999
>> idmap config customer:schema_mode = rfc2307
>> idmap config customer:backend = ad
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>> force create mode = 0664
>> force directory mode = 0775
>> printing = bsd
>> level2 oplocks = No
>>
>> ---
>>
>> issues:
>>
>> wbinfo -u
>> wbinfo -g
>> list all users and groups from ADS
>>
>> getent passwd only gives me around 20 users from ADS ...
>>
>> -> some users get access to shares, some not!
>>
>> I assume this has to do with "idmap config customer:range"?
>>
>> How do I determine the values of the max ids?
>>
>> Do I have to "reset" some mappings after changing this parameter?
>>
>> What else to check for?
>>
>> thanks for any help on this, Stefan
>>
>
> The only mappings you should have are the ones for the 'builtin' users
> & groups; all the others should have a uidNumber or gidNumber attribute
> in AD, and these should be between '10000-999999'.
> I would also recommend you remove these lines:
>
> force create mode = 0664
> force directory mode = 0775

I agree, sure.

> They really only belong in a share, but you should be using Posix ACLs
> anyway.
>
> If a user isn't shown by getent, then they are unknown to the OS and
> will not be able to access shares unless the share also allows guest
> access.

So I understand you suggest to use this instead? ->

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config *:range = 2000-9999
idmap config * : backend = tdb
printing = bsd
level2 oplocks = No

I will test later as there are some users working (early evening here) ...

thanks! Stefan