niya levi
2016-Apr-01 00:16 UTC
[Samba] setup-sysvol-bidirectional.sh unable to id administrator
hi Louis

thanks for the suggestion.

first i tried switching back to winbind in nsswitch.conf
then getent and id worked as they should
so i've cornered the problem down to sssd
but i had another problem with the winbind solution
the home dir was not being pulled from AD,
with a bit of net searching i found this from the samba mail archives

Sébastien Le Ray says
in smb.conf idmap_ldb:use rfc2307 = yes is used to pull down UNIX
information from active directory
(namely uid, gid, homedir, shell).
Support is partial on domain controller since shell & homedir can only
be set through * template parameters in
smb.conf despite rfc2307 being used.
Shell & homedir are correctly fetched on member servers.

does this still apply to winbindd as i run arch linux with the latest samba,
if there is a way to use winbind on the DCs and be able to retrieve home dirs from the AD
then i would permanently use winbindd
if not i'll have to start hitting sssd with a hammer and getting on their mailing list until it works.

as for your replication script it works perfectly,
the cronjob keeps my mailbox busy but will do something about that once i've sorted out my current issues

shadrock
mathias dufresne
2016-Apr-04 09:07 UTC
[Samba] setup-sysvol-bidirectional.sh unable to id administrator
I expect Winbind on DC does NOT retrieve home dir, by design.

DCs are not meant to be used by AD users, no session from standard users on DC, never.
DCs are meant to discuss with Windows clients and with tools such as SSSD, Winbind or nslcd which use AD as a users database. These tools are configurable enough to use the database to make what we want on member servers.

Winbind generates users from AD using "primaryGroupID" for GID and something else for UID (I still don't know exactly how that UID is chosen) because of ACL on SysVol. SysVol is accessed by Windows clients and that's the only moment there is an interaction between user-from-AD and system-hosting-Samba-AD. To match Windows user information during ACL check on SysVol Winbind uses Windows information from AD to generate users.

I hope I was clear but that's not sure at all :D

Anyway, I tried ;)

Cheers,

mathias
Rowland penny
2016-Apr-04 11:56 UTC
[Samba] setup-sysvol-bidirectional.sh unable to id administrator
On 04/04/16 10:07, mathias dufresne wrote:
> I expect Winbind on DC do NOT retrieve home dir, by design.

Well, not by design, the code to do this hasn't been written yet :-)

> DC are not meant to be used by AD users, no session from standard users on
> DC, never.
> DC are meant to discuss with Windows clients and with tools as SSSD,

sssd isn't a Samba tool and the fact they work with a DC is down to the work done by sssd devs.

> Winbind or nslcd which use AD as a users database. This tools are
> configurable enough to use the database to make what we want on member
> servers.
>
> Winbind generates users from AD using "primaryGroupID" for GID and
> something else for UID (I still don't know exactly how is chosen that UID)

It all depends on where winbind is running and secondly on what winbind backend is being used. On a DC, you can only use idmap.ldb and this assigns IDs on a first come basis. On a domain member there are numerous backends available and each has their own manpage.

Rowland

> because of ACL on SysVol. SysVol is accessed by Windows clients and that's
> the only moment there is an interaction between user-from-AD and
> system-hosting-Samba-AD. To match Windows user information during ACL check
> on SysVol Winbind uses Windows information from AD to generate users.
>
> I hope I was clear but that's not sure at all :D
>
> Anyway, I tried ;)
>
> Cheers,
>
> mathias
Sketch
2016-Apr-04 13:53 UTC
[Samba] setup-sysvol-bidirectional.sh unable to id administrator
On Mon, 4 Apr 2016, mathias dufresne wrote:
> I expect Winbind on DC do NOT retrieve home dir, by design.
>
> DC are not meant to be used by AD users, no session from standard users on
> DC, never.

While I agree that it is best practice not to allow user logins onto an authentication server, I'd still consider this a bug/missing feature. Linux is not Windows. I don't think we should inherit limitations from Windows just because they have them. Also note that limitations in winbind are what prevents a fileserver from running on a DC, and that _is_ possible on Windows.
L.P.H. van Belle
2016-Apr-04 14:00 UTC
[Samba] setup-sysvol-bidirectional.sh unable to id administrator
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sketch
> Sent: Monday, 4 April 2016 15:53
> To: mathias dufresne
> CC: samba
> Subject: Re: [Samba] setup-sysvol-bidirectional.sh unable to id administrator
>
> On Mon, 4 Apr 2016, mathias dufresne wrote:
>
> > I expect Winbind on DC do NOT retrieve home dir, by design.
> >
> > DC are not meant to be used by AD users, no session from standard users on
> > DC, never.
>
> While I agree that it is best practice not to allow user logins onto an
> authentication server, I'd still consider this a bug/missing feature.
> Linux is not Windows. I don't think we should inherit limitations from
> Windows just because they have them. Also note that limitations in
> winbind are what prevents a fileserver from running on a DC, and that _is_
> possible on Windows.

I don't have any problems with users to allow login onto an authentication server.
I just don't allow UID 0 ! ever to login anywhere.
... and on a DC administrator = UID 0

See: id administrator
uid=0(root) .. and lots more groups here..

> I don't think we should inherit limitations from
> Windows just because they have them. Also note that limitations in
> winbind are what prevents a fileserver from running on a DC, and that _is_
> possible on Windows.

You can run Samba as DC as File server also, its just not recommended.
So no limitations here.

Greetz,

Louis
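An added check (not code from the thread) for the point Louis makes: on a Samba AD DC the domain administrator is mapped to UID 0, so the thing to verify is which domain accounts resolve to UID 0 and whether sshd still permits UID 0 logins. The `id` output and the sshd_config fragment below are constructed samples; the account names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit "id"-style output for domain
# accounts that map to UID 0 on this host, and check whether sshd would
# still let UID 0 log in. All sample data below is constructed.

# Constructed sample, one "<account> <id output>" per line, as seen on a
# Samba AD DC where idmap.ldb maps Administrator to root.
ID_SAMPLE='administrator uid=0(root) gid=100(domain users) groups=100(domain users),10(wheel)
shadrock uid=3000012(shadrock) gid=100(domain users) groups=100(domain users)
backupsvc uid=0(root) gid=3000001(service accounts) groups=3000001(service accounts)'

# Constructed sshd_config fragment carrying the weak setting.
SSHD_SAMPLE='Port 22
PermitRootLogin yes
PasswordAuthentication no'

# Print the account names whose id output starts with uid=0(...), one per line.
uid0_accounts() {
    printf '%s\n' "$1" | awk '$2 ~ /^uid=0\(/ { print $1 }'
}

# Print the effective PermitRootLogin value from an sshd_config fragment;
# an unset directive is reported as "yes" (treated here as the unsafe case).
permit_root_login() {
    value=$(printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    printf '%s\n' "${value:-yes}"
}

# Succeed (exit 0) when at least one account maps to UID 0 and sshd does
# not set PermitRootLogin to "no".
uid0_ssh_exposed() {
    accounts=$(uid0_accounts "$1")
    prl=$(permit_root_login "$2")
    [ -n "$accounts" ] && [ "$prl" != "no" ]
}

if uid0_ssh_exposed "$ID_SAMPLE" "$SSHD_SAMPLE"; then
    echo "accounts mapped to UID 0: $(uid0_accounts "$ID_SAMPLE" | tr '\n' ' ')"
    echo "PermitRootLogin=$(permit_root_login "$SSHD_SAMPLE"): set it to no"
fi
```

On a real DC, feed `uid0_accounts` the output of `id <account>` for each account you care about and `permit_root_login` the contents of /etc/ssh/sshd_config.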