samba - Dec 2016 - How to join join Ubuntu desktop to AD

> On 9 Dec 2016, at 14:26, lingpanda101 via samba <samba at
lists.samba.org> wrote:
> 
> Still no luck getting getent to retrieve user information. I have uid's
and gid's setup for all users I am attempting to query.

But did you give Domain Users a gid? If you don’t do that, winbind  and getent
will not find any UNIX users (doesn’t matter if the users have a uid and gid
within the range you’ve specified in smb.conf). It’s been a while since I had
this problem - my memory is it’s not clearly mentioned in the wiki at all.


Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT
<http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk
<http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions

On 12/9/2016 10:23 AM, Kevin Davidson via samba wrote:
>> On 9 Dec 2016, at 14:26, lingpanda101 via samba <samba at
lists.samba.org> wrote:
>>
>> Still no luck getting getent to retrieve user information. I have
uid's and gid's setup for all users I am attempting to query.
>
> But did you give Domain Users a gid? If you don’t do that, winbind  and
getent will not find any UNIX users (doesn’t matter if the users have a uid and
gid within the range you’ve specified in smb.conf). It’s been a while since I
had this problem - my memory is it’s not clearly mentioned in the wiki at all.
>
>
> Kevin Davidson
> Apple Certified System Administrator
> Technical Director
>
> t 01506 668674
> m 07813 149620
> w www.indigospring.co.uk
>
> indigospring (Scotland) Ltd
> Registered in Scotland No. SC398572
> Registered office: 103 Oldwood Place, Livingston EH54 6US
>
> Follow us on Twitter - twitter.com/indigospringIT
<http://twitter.com/indigospringIT>
> Members of the Apple Consultants Network - consultants.apple.com/uk
<http://consultants.apple.com/uk>
>
> http://www.indigospring.co.uk/terms-and-conditions
>
>
>
>
>
I do.

I had a Debian domain member joined to my ADDC successfully in the past 
with the help from Rowland. For whatever reason Ubuntu is not playing 
nice. I tried then with Ubuntu and couldn't get it to work either.

-- 
- James

On Fri, 9 Dec 2016 15:23:24 +0000
Kevin Davidson via samba <samba at lists.samba.org> wrote:
> 
> > On 9 Dec 2016, at 14:26, lingpanda101 via samba
> > <samba at lists.samba.org> wrote:
> > 
> > Still no luck getting getent to retrieve user information. I have
> > uid's and gid's setup for all users I am attempting to query.
> 
> 
> But did you give Domain Users a gid? If you don’t do that, winbind
> and getent will not find any UNIX users (doesn’t matter if the users
> have a uid and gid within the range you’ve specified in smb.conf).
> It’s been a while since I had this problem - my memory is it’s not
> clearly mentioned in the wiki at all.
> 
It is mentioned on the wiki, to be precise here:

https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Do you think it needs more emphasis ?

Rowland

Just to confirm that it can be done, I followed the wiki and joined my
Ubuntu 16.04 desktop to a Samba AD using the Ubuntu distro provided
packages.  I'm not sure if it's relevant, but the Samba AD DCs are also
running Ubuntu 16.04 with the distro provided packages.

Mike E.


On Fri, Dec 9, 2016 at 10:55 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 9 Dec 2016 15:23:24 +0000
> Kevin Davidson via samba <samba at lists.samba.org> wrote:
>
> >
> > > On 9 Dec 2016, at 14:26, lingpanda101 via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > Still no luck getting getent to retrieve user information. I have
> > > uid's and gid's setup for all users I am attempting to
query.
> >
> >
> > But did you give Domain Users a gid? If you don’t do that, winbind
> > and getent will not find any UNIX users (doesn’t matter if the users
> > have a uid and gid within the range you’ve specified in smb.conf).
> > It’s been a while since I had this problem - my memory is it’s not
> > clearly mentioned in the wiki at all.
> >
>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

> On 9 Dec 2016, at 15:55, Rowland Penny via samba <samba at
lists.samba.org> wrote:
> 
> On Fri, 9 Dec 2016 15:23:24 +0000
> Kevin Davidson via samba <samba at lists.samba.org> wrote:
> 
>> 
>>> On 9 Dec 2016, at 14:26, lingpanda101 via samba
>>> <samba at lists.samba.org> wrote:
>>> 
>>> Still no luck getting getent to retrieve user information. I have
>>> uid's and gid's setup for all users I am attempting to
query.
>> 
>> 
>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>> 
> 
> It is mentioned on the wiki, to be precise here:
> 
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
> 
> Do you think it needs more emphasis ?
I think I’d move it further up the list to be the first thing listed. As all the
other requirements seem obvious to a UNIX admin (UNIX users must have a shell,
homedir, uid and gid) it’s easy to miss this one non-obvious requirement that a
group that is meaningless to UNIX admins also needs to be changed. There’s also
no warning there that the primary group of users should be left as “Domain
Users” and not changed to match what the UNIX admin regards as that user’s
primary group. I think I’d expect UNIX admins to be reading that section and
they may have little, no or wrong knowledge of AD and AD builtin groups.


Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT
<http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk
<http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions

On 09/12/2016 15:55, Rowland Penny wrote:
>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?
I think there's plenty of emphasis now, but I think there is a part 
which is misleading:

 > To enable Samba to retrieve user and group information from Active 
Directory (AD):
 >
 > * Users must have at least the uidNumber and groups the gidNumber 
attribute set.

As far as I can tell there is no need at all to set the gidNumber on the 
user entry, at least not when using the winbind component of Samba.

By saying it has to be set, the implication is that it does something 
useful. So the admin sets e.g.

uidNumber: 1000
gidNumber: 1000

and is surprised when the user's primary group is the gidNumber from 
Domain Users (or that the user doesn't appear at all, if Domain Users 
has no gidNumber)

I think it would be clearer like this:

"To enable Samba to retrieve user and group information from Active 
Directory (AD):

* Users must have the uidNumber attribute set. When using the rfc2307 
winbind NSS info mode, user accounts must also have the loginShell and 
unixHomeDirectory set.

* The group which the user's PrimaryGroupID refers to (normally "Domain
Users") must have the gidNumber attribute set.

* It is recommended that you do not change any user's primaryGroupID. 
Windows expects all the users primary group to be "Domain Users". 
This
implies that all Unix logins will use the same primary gid.

* The user and group IDs must be within the range configured in the 
smb.conf for this domain.
...etc"

Regards,

Brian.