> On 9 Dec 2016, at 14:26, lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> Still no luck getting getent to retrieve user information. I have uid's and gid's setup for all users I am attempting to query.

But did you give Domain Users a gid? If you don’t do that, winbind and getent will not find any UNIX users (doesn’t matter if the users have a uid and gid within the range you’ve specified in smb.conf). It’s been a while since I had this problem - my memory is it’s not clearly mentioned in the wiki at all.

Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions

On 12/9/2016 10:23 AM, Kevin Davidson via samba wrote:

>> On 9 Dec 2016, at 14:26, lingpanda101 via samba <samba at lists.samba.org> wrote:
>>
>> Still no luck getting getent to retrieve user information. I have uid's and gid's setup for all users I am attempting to query.
>
> But did you give Domain Users a gid? If you don’t do that, winbind and getent will not find any UNIX users (doesn’t matter if the users have a uid and gid within the range you’ve specified in smb.conf). It’s been a while since I had this problem - my memory is it’s not clearly mentioned in the wiki at all.

I do. I had a Debian domain member joined to my ADDC successfully in the past with the help from Rowland. For whatever reason Ubuntu is not playing nice. I tried then with Ubuntu and couldn't get it to work either.

--
- James

On Fri, 9 Dec 2016 15:23:24 +0000
Kevin Davidson via samba <samba at lists.samba.org> wrote:

> > On 9 Dec 2016, at 14:26, lingpanda101 via samba
> > <samba at lists.samba.org> wrote:
> >
> > Still no luck getting getent to retrieve user information. I have
> > uid's and gid's setup for all users I am attempting to query.
>
> But did you give Domain Users a gid? If you don’t do that, winbind
> and getent will not find any UNIX users (doesn’t matter if the users
> have a uid and gid within the range you’ve specified in smb.conf).
> It’s been a while since I had this problem - my memory is it’s not
> clearly mentioned in the wiki at all.

It is mentioned on the wiki, to be precise here:

https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Do you think it needs more emphasis ?

Rowland

Data Control Systems - Mike Elkevizth
2016-Dec-09 16:00 UTC
[Samba] How to join join Ubuntu desktop to AD
Just to confirm that it can be done, I followed the wiki and joined my Ubuntu 16.04 desktop to a Samba AD using the Ubuntu distro provided packages. I'm not sure if it's relevant, but the Samba AD DCs are also running Ubuntu 16.04 with the distro provided packages.

Mike E.

On Fri, Dec 9, 2016 at 10:55 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 9 Dec 2016 15:23:24 +0000
> Kevin Davidson via samba <samba at lists.samba.org> wrote:
>
> > > On 9 Dec 2016, at 14:26, lingpanda101 via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > Still no luck getting getent to retrieve user information. I have
> > > uid's and gid's setup for all users I am attempting to query.
> >
> > But did you give Domain Users a gid? If you don’t do that, winbind
> > and getent will not find any UNIX users (doesn’t matter if the users
> > have a uid and gid within the range you’ve specified in smb.conf).
> > It’s been a while since I had this problem - my memory is it’s not
> > clearly mentioned in the wiki at all.
>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?
>
> Rowland

> On 9 Dec 2016, at 15:55, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Fri, 9 Dec 2016 15:23:24 +0000
> Kevin Davidson via samba <samba at lists.samba.org> wrote:
>
>>> On 9 Dec 2016, at 14:26, lingpanda101 via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>> Still no luck getting getent to retrieve user information. I have
>>> uid's and gid's setup for all users I am attempting to query.
>>
>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?

I think I’d move it further up the list to be the first thing listed. As all the other requirements seem obvious to a UNIX admin (UNIX users must have a shell, homedir, uid and gid) it’s easy to miss this one non-obvious requirement that a group that is meaningless to UNIX admins also needs to be changed.

There’s also no warning there that the primary group of users should be left as “Domain Users” and not changed to match what the UNIX admin regards as that user’s primary group.

I think I’d expect UNIX admins to be reading that section and they may have little, no or wrong knowledge of AD and AD builtin groups.

Kevin Davidson

On 09/12/2016 15:55, Rowland Penny wrote:

>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?

I think there's plenty of emphasis now, but I think there is a part which is misleading:

> To enable Samba to retrieve user and group information from Active Directory (AD):
>
> * Users must have at least the uidNumber and groups the gidNumber attribute set.

As far as I can tell there is no need at all to set the gidNumber on the user entry, at least not when using the winbind component of Samba. By saying it has to be set, the implication is that it does something useful. So the admin sets e.g.

uidNumber: 1000
gidNumber: 1000

and is surprised when the user's primary group is the gidNumber from Domain Users (or that the user doesn't appear at all, if Domain Users has no gidNumber)

I think it would be clearer like this:

"To enable Samba to retrieve user and group information from Active Directory (AD):

* Users must have the uidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell and unixHomeDirectory set.
* The group which the user's PrimaryGroupID refers to (normally "Domain Users") must have the gidNumber attribute set.
* It is recommended that you do not change any user's primaryGroupID. Windows expects all the users primary group to be "Domain Users". This implies that all Unix logins will use the same primary gid.
* The user and group IDs must be within the range configured in the smb.conf for this domain.
...etc"

Regards,

Brian.
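
The prerequisites discussed in this thread, as an added example that is not from any poster or from the Samba project: a small offline checker that applies the rules as the posters state them (uidNumber on the user, gidNumber on the primary group, both inside the configured range). The function names, the user "alice", the ID range and the directory entries are all constructed for illustration.

```python
# Added illustration, not Samba code: models the rules as stated in this thread
# for winbind with the "ad" idmap backend. All entries and the range are constructed.
DOMAIN_USERS_RID = 513  # well-known RID of the AD "Domain Users" group


def effective_primary_gid(user, groups_by_rid):
    """Per the thread, the Unix primary gid comes from the group that
    primaryGroupID points at, not from the user's own gidNumber."""
    group = groups_by_rid.get(user.get("primaryGroupID"))
    return group.get("gidNumber") if group else None


def check_user(user, groups_by_rid, id_range):
    """Return the reasons, per the thread, why getent would not list this user."""
    low, high = id_range
    problems = []
    uid = user.get("uidNumber")
    if uid is None:
        problems.append("user has no uidNumber")
    elif not low <= uid <= high:
        problems.append(f"uidNumber {uid} is outside the range {low}-{high}")
    rid = user.get("primaryGroupID")
    group = groups_by_rid.get(rid)
    if group is None:
        problems.append(f"no group with RID {rid}")
    else:
        gid = group.get("gidNumber")
        if gid is None:
            problems.append(f"primary group '{group['cn']}' has no gidNumber")
        elif not low <= gid <= high:
            problems.append(
                f"gidNumber {gid} of '{group['cn']}' is outside the range {low}-{high}")
    return problems


# Constructed sample data (hypothetical user and ID range).
ID_RANGE = (10000, 99999)
ALICE = {"sAMAccountName": "alice", "uidNumber": 10001,
         "gidNumber": 10001, "primaryGroupID": DOMAIN_USERS_RID}
GROUPS_UNSET = {513: {"cn": "Domain Users"}}                    # the failure case
GROUPS_SET = {513: {"cn": "Domain Users", "gidNumber": 10000}}  # the fixed case

if __name__ == "__main__":
    for label, groups in (("gid unset", GROUPS_UNSET), ("gid set", GROUPS_SET)):
        print(label, check_user(ALICE, groups, ID_RANGE),
              "primary gid:", effective_primary_gid(ALICE, groups))
```

With the constructed data, the user's own gidNumber of 10001 never becomes the primary gid: it is either 10000 from Domain Users or the lookup fails.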