On Mon, 5 Nov 2018 13:50:09 +0100 Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> On 05/11/2018 13:24, Rowland Penny via samba wrote:
> > It sounds like you do not want your users to log into the DC, so I
> > would remove the libnss_winbind links on the DC, this will not
> > affect authentication from the DC.
> sorry for my english,

Nothing really wrong with your English, when I said 'It sounds like', this can also mean 'I think', English is wonderful, we have words that, whilst spelt the same, mean totally different things depending on how you pronounce them ;-)

> i want my users connect to domain and authenticate to him, then,
> after authentication, use a share on member.
> That's all
> like before i used pdc, only difference, i had 1 server only for
> authentication e file server

This is what I thought, so remove the libnss_winbind links from the DC, these are only required if you want to use your DC as a fileserver.

Rowland

On 05/11/2018 14:01, Rowland Penny via samba wrote:

> Nothing really wrong with your English, when I said 'It sounds like',
> this can also mean 'I think', English is wonderful, we have words that,
> whilst spelt the same, mean totally different things depending on how
> you pronounce them;-)

thanks a lot :-)

>> i want my users connect to domain and authenticate to him, then,
>> after authentication, use a share on member.
>> That's all
>> like before i used pdc, only difference, i had 1 server only for
>> authentication e file server
> This is what I thought, so remove the libnss_winbind links from the
> DC,

i do it

> these are only required if you want to use your DC as a fileserver.

ok, but on dc, when i login from my windows client, i see always error in log.smbd
if there is no problem, i forget this log :-)

--
*Corrado Ravinetto*

On Mon, 5 Nov 2018 14:31:35 +0100 Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> On 05/11/2018 14:01, Rowland Penny via samba wrote:
> > Nothing really wrong with your English, when I said 'It sounds
> > like', this can also mean 'I think', English is wonderful, we have
> > words that, whilst spelt the same, mean totally different things
> > depending on how you pronounce them;-)
>
> thanks a lot :-)
>
> >> i want my users connect to domain and authenticate to him, then,
> >> after authentication, use a share on member.
> >> That's all
> >> like before i used pdc, only difference, i had 1 server only for
> >> authentication e file server
> > This is what I thought, so remove the libnss_winbind links from the
> > DC,
> i do it
> > these are only required if you want to use your DC as a
> > fileserver.
>
> ok, but on dc, when i login from my windows client, i see always
> error in log.smbd
> if there is no problem, i forget this log :-)
>

This all depends on what you mean by 'login', if you mean when a client logs into a Windows machine and authenticates from the DC, then removing the links should stop your error. If you mean that your Windows clients try to log into the DC, then they cannot because of the login shell set '/bin/false', again removing the links will stop this because they will no longer be recognised by the Unix OS.

Of course, the error message can be ignored, it is meaningless, it is just telling you it cannot do something, that it really shouldn't be doing anyway ;-)

Rowland

On 05/11/2018 14:01, Rowland Penny via samba wrote:

> This is what I thought, so remove the libnss_winbind links from the
> DC, these are only required if you want to use your DC as a fileserver.

ok, but my gpo where are stored ??
If i cannot access to my dc, i cannot import gpo on client : is correct ???

--
*Corrado Ravinetto*

On Tue, 6 Nov 2018 11:16:07 +0100 Corrado Ravinetto via samba <samba at lists.samba.org> wrote:

> On 05/11/2018 14:01, Rowland Penny via samba wrote:
> > This is what I thought, so remove the libnss_winbind links from the
> > DC, these are only required if you want to use your DC as a
> > fileserver.
> ok, but my gpo where are stored ??
> If i cannot access to my dc, i cannot import gpo on client : is
> correct ???

No, your GPOs will still work.

Rowland