On Fri, 26 Oct 2018 16:47:52 +0200
Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> thank you for your comprehension
>
> On 26/10/2018 16:40, Rowland Penny via samba wrote:
> > OK, two further ldbsearches:
> >
> > ldbsearch -Hldap://$(hostname -s) -k yes -P
> > '(&(samaccountname=*)(uidNumber=*))' uidNumber | grep uidNumber |
> > awk '{print $NF}'
> 1289
> 1690
> 673
> 1613
> 1527
> 1661
> 1542
> 822
> 1280
> 647
> 596
> 1699
> 650
> 1766
> 592
> 1674
> 629
> 1127
> 1065
> 966
> & more,more,more,more :-)
> >
> > ldbsearch -Hldap://$(hostname -s) -k yes -P
> > '(&(samaccountname=*)(gidNumber=*))' gidNumber | grep gidNumber |
> > awk '{print $NF}'
> 736
> 501
> 767
> 501
> 501
> 759
> 615
> 729
> 669
> 603
> 611
> 1239
> 681
> 618
> 713
> 553
> 690
> 757
> 501
> 501
> 679
> 501
> 528
> 517
> 501
> more,more,more
> > They should both print a string of numbers, if either doesn't then
> > there is your problem, but why, is another question.
> I have many numbers :-)
>

Thank goodness, but why does Domain Users not seem to have a gidNumber ?

Anyway, no problem ;-)

On the DC (note, replace 'dc4' with your DC short hostname):

ldbedit -e nano -H ldap://dc4 -U Administrator

Enter the Administrator's password when prompted.

Press the 'Ctrl' and 'w' keys together and enter the search:

dn: CN=Domain Users

Check for a line in the object that starts 'gidNumber', there shouldn't be one.

Add this one anywhere in the object:

gidNumber: 513

Press 'Ctrl' and 'x' together, press 'y' when prompted.

Now go to the Unix domain member and open smb.conf in an editor, change the low range on the DOMAIN 'idmap config' line to '500', restart Samba, run 'net cache flush' and check a user again.

Rowland
On 26/10/2018 17:18, Rowland Penny via samba wrote:
> gidNumber: 513

[root at dc1 ~]# ldbsearch -Hldap://$(hostname -s) -k yes -P '(&(samaccountname=Domain Users)(gidNumber=*))' gidNumber | grep gidNumber | awk '{print $NF}'
513

gid number is ok
but on member with testparm

idmap config lxcerruti : unix_nss_info = yes
idmap config lxcerruti : schema_mode = rfc2307
idmap config lxcerruti : range = 500-7999
idmap config lxcerruti : backend = ad
idmap config * : range = 9000-17999
idmap config * : backend = tdb

after net cache flush i see :

drwxrwx-wx. 4 root 513 83 30 apr 2015 Titoli
drwxrwxrwx. 175 root 502 8192 25 ott 12.21 usr

:-(
I'm a little bit frustrated

--
Corrado Ravinetto
Information Systems
corrado.ravinetto at lanificiocerruti.com <mailto:corrado.ravinetto at lanificiocerruti.com>
T: +39 015 3591283
Lanificio F.lli CERRUTI
Lanificio F.lli Cerruti S.p.A.
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>
Twitter <https://twitter.com/Lan_Cerruti> Facebook <https://www.facebook.com/LanificioCerruti> Instagram <https://www.instagram.com/lanificiocerruti/>
Respect the environment, don't print unless necessary
On Fri, 26 Oct 2018 17:38:55 +0200
Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> On 26/10/2018 17:18, Rowland Penny via samba wrote:
> > gidNumber: 513
> [root at dc1 ~]# ldbsearch -Hldap://$(hostname -s) -k yes -P
> '(&(samaccountname=Domain Users)(gidNumber=*))' gidNumber | grep
> gidNumber | awk '{print $NF}'
> 513
>
> gid number is ok
> but on member with testparm
> idmap config lxcerruti : unix_nss_info = yes
> idmap config lxcerruti : schema_mode = rfc2307
> idmap config lxcerruti : range = 500-7999
> idmap config lxcerruti : backend = ad
> idmap config * : range = 9000-17999
> idmap config * : backend = tdb
>
> after net cache flush i see :
>
> drwxrwx-wx. 4 root 513 83 30 apr 2015 Titoli
> drwxrwxrwx. 175 root 502 8192 25 ott 12.21 usr
>
> :-(
> I'm a little bit frustrated
>

I take it that this is the result of something like 'ls -la /path/to/somewhere'

This is a step forward, what does 'getent passwd ausername' show ?

On a Unix domain member, with the 'idmap config' lines above, the primary group of all users will be Domain Users (513)

What does 'getent group Domain\ Users' show ?

What worries me is the group with the ID 502, which group is it ? I ask this because '502' is the RID for krbtgt.

Rowland
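The two checks Rowland walks through above (do the AD objects carry uidNumber/gidNumber values, and does the domain's 'idmap config ... : range' on the member actually cover them) can be automated. The script below is an added example written for this thread, not code from the Samba project or from either poster. It parses the 'idmap config DOM : range = LOW-HIGH' lines as testparm prints them and the bare numbers the ldbsearch | grep | awk pipeline prints, then reports IDs the domain range does not cover (with the ad backend, such IDs are ignored by winbind, so the user or group never resolves) and idmap ranges that overlap each other. The gidNumber values are the ones quoted in the thread plus the 513 added to Domain Users; the "before" config with a low bound of 1000 is a constructed, hypothetical example of the situation Rowland's advice to lower the low range to 500 fixes.

```python
"""Cross-check RFC2307 uid/gidNumbers from AD against smb.conf idmap ranges.

Added example for this thread; not Samba's own code. All sample data below is
either quoted from the thread or constructed and labelled as such.
"""
import re

# Matches e.g. "idmap config lxcerruti : range = 500-7999" (testparm output).
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

# gidNumber values as printed by the thread's ldbsearch pipeline, plus the
# 513 that was added to Domain Users on the DC.
GID_SAMPLE = """
736 501 767 501 501 759 615 729 669 603 611 1239 681 618 713 553 690 757
501 501 679 501 528 517 501 513
"""

# Hypothetical "before" config: a low bound of 1000 leaves most of the
# groups above uncovered. Constructed for illustration, not from the thread.
TESTPARM_BEFORE = """\
idmap config lxcerruti : unix_nss_info = yes
idmap config lxcerruti : schema_mode = rfc2307
idmap config lxcerruti : range = 1000-7999
idmap config lxcerruti : backend = ad
idmap config * : range = 9000-17999
idmap config * : backend = tdb
"""

# The member's config as posted in the thread after lowering the range.
TESTPARM_AFTER = TESTPARM_BEFORE.replace("range = 1000-7999", "range = 500-7999")


def parse_idmap_ranges(testparm_text):
    """Return {domain: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for line in testparm_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def parse_id_list(text):
    """Parse the bare numbers printed by 'ldbsearch ... | grep ... | awk'."""
    return sorted({int(tok) for tok in text.split() if tok.isdigit()})


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; winbind rejects such a config."""
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    return [
        (d1, d2)
        for (d1, (_, hi1)), (d2, (lo2, _)) in zip(ordered, ordered[1:])
        if lo2 <= hi1
    ]


def check_ids(testparm_text, domain, id_text):
    """Report which AD IDs the domain's idmap range fails to cover."""
    ranges = parse_idmap_ranges(testparm_text)
    if domain not in ranges:
        raise ValueError(f"no 'idmap config {domain} : range' line found")
    lo, hi = ranges[domain]
    ids = parse_id_list(id_text)
    return {
        "range": (lo, hi),
        "lowest_id": min(ids),
        "highest_id": max(ids),
        "outside": [i for i in ids if not lo <= i <= hi],
        "overlaps": overlapping_ranges(ranges),
    }


if __name__ == "__main__":
    for label, cfg in (("before", TESTPARM_BEFORE), ("after", TESTPARM_AFTER)):
        report = check_ids(cfg, "lxcerruti", GID_SAMPLE)
        print(f"{label}: range {report['range']}, "
              f"{len(report['outside'])} IDs outside, overlaps {report['overlaps']}")
```

Run it against the real output of testparm and the ldbsearch pipelines from the thread; any ID listed under "outside" is one that getent will not resolve on the member, and the lowest_id value tells you how far the low bound of the domain range has to come down.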