Hi,
How to make the user id on the domain controller and the file server the same

SERVER DC:
[global]
netbios name = SRV-DC02
realm = EXAMPLE.RU
workgroup = EXAMPLE
server role = active directory domain controller
log level = 2 auth_json_audit:3
username map = /etc/samba/username_map
vfs objects = acl_xattr
store dos attributes = Yes

[root at srv-dc02 ~]# id vas.lah at example.ru
uid=3000416(EXAMPLE\vas.lah) gid=100(users) группы=100(users),3000416(EXAMPLE\vas.lah),3000051(EXAMPLE\domain admins),3000054(EXAMPLE\группа с запрещением репликации паролей rodc),3000055(EXAMPLE\администраторы wsus),3000056(EXAMPLE\wsus administrators),3000035(EXAMPLE\1c_links_ут),3000001(BUILTIN\users),3000000(BUILTIN\administrators),3000057(BUILTIN\performance log users),3000043(BUILTIN\performance monitor users)

SHARE:
[global]
netbios name = SRV-SHARE
workgroup = EXAMPLE
realm = EXAMPLE.RU
server string = %h rsync host
# server role = member server
security = ads

[root at srv-share samba]# id vas.lah at example.ru
uid=3188138(EXAMPLE.RU\vas.lah) gid=3000513(domain users) группы=3000513(domain users),3188138(EXAMPLE.RU\vas.lah),3109633(wsus administrators),3034556(1c_links_ут),3111123(администраторы wsus),3100572(группа с запрещением репликации паролей rodc),3100512(domain admins),3153446(администратор 4 категории),3000001(BUILTIN\users),3000000(BUILTIN\administrators)

On Thu, 14 Jun 2018 18:02:29 +0500
Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:

> Hi,
> How to make the user id on the domain controller and the file server
> the same
>
> SERVER DC:
> [global]
> netbios name = SRV-DC02
> realm = EXAMPLE.RU
> workgroup = EXAMPLE
> server role = active directory domain controller
> log level = 2 auth_json_audit:3
> username map = /etc/samba/username_map
> vfs objects = acl_xattr
> store dos attributes = Yes
>
> [root at srv-dc02 ~]# id vas.lah at example.ru
> uid=3000416(EXAMPLE\vas.lah) gid=100(users)
> группы=100(users),3000416(EXAMPLE\vas.lah),3000051(EXAMPLE\domain
> admins),3000054(EXAMPLE\группа с запрещением репликации паролей
> rodc),3000055(EXAMPLE\администраторы wsus),3000056(EXAMPLE\wsus
> administrators),3000035(EXAMPLE\1c_links_ут),3000001(BUILTIN\users),3000000(BUILTIN\administrators),3000057(BUILTIN\performance
> log users),3000043(BUILTIN\performance monitor users)
>
>
>
> SHARE:
> [global]
> netbios name = SRV-SHARE
> workgroup = EXAMPLE
> realm = EXAMPLE.RU
> server string = %h rsync host
> # server role = member server
> security = ads
>
> [root at srv-share samba]# id vas.lah at example.ru
> uid=3188138(EXAMPLE.RU\vas.lah) gid=3000513(domain users)
> группы=3000513(domain users),3188138(EXAMPLE.RU\vas.lah),3109633(wsus
> administrators),3034556(1c_links_ут),3111123(администраторы
> wsus),3100572(группа с запрещением репликации паролей
> rodc),3100512(domain admins),3153446(администратор 4
> категории),3000001(BUILTIN\users),3000000(BUILTIN\administrators)

The first thing to do, remove these lines from the Samba AD DC:

username map = /etc/samba/username_map
vfs objects = acl_xattr
store dos attributes = Yes

They have no place in a Samba AD DC smb.conf.

There is only one way to have the same ID's everywhere on Unix and that
is to use the winbind 'ad' backend. This entails giving your users &
groups uidNumber & gidNumber attributes, then run 'net cache flush' on
the DC, most ID's will change.

You then need to set up the smb.conf correctly on the Unix domain
member (yours is correct as far as it goes, it just doesn't go far
enough).

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Anything you don't understand, or have questions about, please ask.

Rowland

for the groups and users it is necessary to configure on the AD side UNIX Attributes and edit /etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind

after edit config samba to

SERVER DC:
[global]
netbios name = SRV-DC02
realm = EXAMPLE.RU
workgroup = EXAMPLE
server role = active directory domain controller
log level = 2 auth_json_audit:3

SHARE:
[global]
netbios name = SRV-SHARE
workgroup = EXAMPLE
realm = EXAMPLE.RU
server string = %h rsync host
security = ads

14.06.2018 20:28, Rowland Penny via samba wrote:
> On Thu, 14 Jun 2018 18:02:29 +0500
> Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>> How to make the user id on the domain controller and the file server
>> the same
>>
>> SERVER DC:
>> [global]
>> netbios name = SRV-DC02
>> realm = EXAMPLE.RU
>> workgroup = EXAMPLE
>> server role = active directory domain controller
>> log level = 2 auth_json_audit:3
>> username map = /etc/samba/username_map
>> vfs objects = acl_xattr
>> store dos attributes = Yes
>>
>> [root at srv-dc02 ~]# id vas.lah at example.ru
>> uid=3000416(EXAMPLE\vas.lah) gid=100(users)
>> группы=100(users),3000416(EXAMPLE\vas.lah),3000051(EXAMPLE\domain
>> admins),3000054(EXAMPLE\группа с запрещением репликации паролей
>> rodc),3000055(EXAMPLE\администраторы wsus),3000056(EXAMPLE\wsus
>> administrators),3000035(EXAMPLE\1c_links_ут),3000001(BUILTIN\users),3000000(BUILTIN\administrators),3000057(BUILTIN\performance
>> log users),3000043(BUILTIN\performance monitor users)
>>
>>
>>
>> SHARE:
>> [global]
>> netbios name = SRV-SHARE
>> workgroup = EXAMPLE
>> realm = EXAMPLE.RU
>> server string = %h rsync host
>> # server role = member server
>> security = ads
>>
>> [root at srv-share samba]# id vas.lah at example.ru
>> uid=3188138(EXAMPLE.RU\vas.lah) gid=3000513(domain users)
>> группы=3000513(domain users),3188138(EXAMPLE.RU\vas.lah),3109633(wsus
>> administrators),3034556(1c_links_ут),3111123(администраторы
>> wsus),3100572(группа с запрещением репликации паролей
>> rodc),3100512(domain admins),3153446(администратор 4
>> категории),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
> The first thing to do, remove these lines from the Samba AD DC:
>
> username map = /etc/samba/username_map
> vfs objects = acl_xattr
> store dos attributes = Yes
>
> They have no place in a Samba AD DC smb.conf.
>
> There is only one way to have the same ID's everywhere on Unix and that
> is to use the winbind 'ad' backend. This entails giving your users &
> groups uidNumber & gidNumber attributes, then run 'net cache flush' on
> the DC, most ID's will change.
>
> You then need to set up the smb.conf correctly on the Unix domain
> member (yours is correct as far as it goes, it just doesn't go far
> enough).
>
> Can I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Anything you don't understand, or have questions about, please ask.
>
> Rowland
>
>
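
Added example, not part of the thread and not Samba project code: a small smb.conf lint for the two points in Rowland Penny's reply, flagging the three parameters he says to remove on the DC and checking that a domain member maps the domain with the winbind 'ad' backend. The function names, the ID ranges and `schema_mode = rfc2307` in the constructed fix are assumptions; the other sample lines are taken from the configs posted above.

```python
import configparser
DC_UNWANTED = ("username map", "vfs objects", "store dos attributes")  # named in the reply

def _norm(name):  # smb.conf ignores case and whitespace in parameter names
    return "".join(name.split()).lower()

def load_global(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = _norm
    # Strip indentation: configparser would read indented lines as continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return dict(cp[next(s for s in cp.sections() if s.lower() == "global")])

def lint(text):
    g, out = load_global(text), []
    if g.get("serverrole", "").lower() == "active directory domain controller":
        return [f"DC: remove '{p}'" for p in DC_UNWANTED if _norm(p) in g]
    if g.get("security", "").lower() != "ads":
        out.append("member: 'security = ads' missing")
    dom = g.get("workgroup", "").lower()
    if g.get(f"idmapconfig{dom}:backend", "").lower() != "ad":
        out.append(f"member: 'idmap config {dom.upper()} : backend = ad' missing")
    ranges = [g.get(f"idmapconfig{scope}:range") for scope in ("*", dom)]
    if None in ranges:
        out.append("member: 'range' missing for '*' or the domain")
    else:
        (a, b), (c, d) = (tuple(int(n) for n in r.split("-")) for r in ranges)
        if a <= d and c <= b:
            out.append("member: default and domain ID ranges overlap")
    return out

# [global] parameters as posted in the thread, trimmed to the relevant lines.
PAGE_DC = """[global]
server role = active directory domain controller
username map = /etc/samba/username_map
vfs objects = acl_xattr
store dos attributes = Yes"""
PAGE_MEMBER = """[global]
workgroup = EXAMPLE
server string = %h rsync host
security = ads"""
# Constructed fix: 'ad' backend per the reply; ranges and schema_mode are assumptions.
FIXED_MEMBER = PAGE_MEMBER + """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 10000-999999"""
print(lint(PAGE_DC), lint(PAGE_MEMBER), lint(FIXED_MEMBER), sep="\n")
```

Once the accounts carry uidNumber and gidNumber and the caches are flushed, running `id` for the same user on both hosts, as in the original post, shows whether the IDs now agree.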