Rowland penny
2019-Jun-18 19:07 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 19:49, Edouard Guigné via samba wrote:
> gidNumber for 'Domain Users' is 513
>
> not in range '10000-14999' of uidNumber
>
> Is it a problem?

Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside the DOMAIN range you set in smb.conf, if they aren't, all your users WILL be ignored by Samba.

Find the next available gidNumber in AD and change the 'Domain User' gidNumber to this and I am very sure everything will then work.

Rowland
Edouard Guigné
2019-Jun-18 19:25 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
And what about Domain Admins gid? Should it also be in the DOMAIN range?

On 18/06/2019 at 16:07, Rowland penny via samba wrote:
> On 18/06/2019 19:49, Edouard Guigné via samba wrote:
>> gidNumber for 'Domain Users' is 513
>>
>> not in range '10000-14999' of uidNumber
>>
>> Is it a problem?
>
> Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside
> the DOMAIN range you set in smb.conf, if they aren't, all your users
> WILL be ignored by Samba.
>
> Find the next available gidNumber in AD and change the 'Domain User'
> gidNumber to this and I am very sure everything will then work.
>
> Rowland
Edouard Guigné
2019-Jun-18 19:41 UTC
[Samba] Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Is it possible to make the DOMAIN range start from 500 instead of 10000?

I realized that all my gid are in range 500 to 600 and not in range 10000 - 14999.

I thought DOMAIN range 10000 - 14999 was reserved for DOMAIN users.

-------- Forwarded Message --------
Subject: Re: [Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Date: Tue, 18 Jun 2019 16:25:39 -0300
From: Edouard Guigné via samba <samba at lists.samba.org>
Reply-To: Edouard Guigné <eguigne at pasteur-cayenne.fr>
To: samba at lists.samba.org

And what about Domain Admins gid? Should it also be in the DOMAIN range?

On 18/06/2019 at 16:07, Rowland penny via samba wrote:
> On 18/06/2019 19:49, Edouard Guigné via samba wrote:
>> gidNumber for 'Domain Users' is 513
>>
>> not in range '10000-14999' of uidNumber
>>
>> Is it a problem?
>
> Oh yes, ALL user uidNumber's and Domain Users gidNumber MUST be inside
> the DOMAIN range you set in smb.conf, if they aren't, all your users
> WILL be ignored by Samba.
>
> Find the next available gidNumber in AD and change the 'Domain User'
> gidNumber to this and I am very sure everything will then work.
>
> Rowland
Rowland penny
2019-Jun-18 19:53 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 20:25, Edouard Guigné via samba wrote:
> And What about Domain Admins gid ? Should also be in the DOMAIN range ?

Any AD user or group that you want/need to be visible to the Unix OS needs a uidNumber or gidNumber attribute and the attributes need to contain numbers inside the DOMAIN range. Note that not all AD users & groups need to be known to the Unix OS.

However, Domain Admins is a bit special, groups cannot own files on Unix, but Domain Admins needs to own files in sysvol, so the group is mapped inside idmap.ldb to 'ID_TYPE_BOTH' which allows it to own files. If you give Domain Admins a gidNumber attribute it just returns to being a group and groups cannot own files on Unix.

I personally create a group called 'Unix Admins', give this group a gidNumber and make it a member of Domain Admins, then use this group on Unix wherever you would normally use Domain Admins.

Rowland
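
An added example, not part of the original thread and not Samba's own code: a small audit that reads the DOMAIN range from smb.conf and flags uidNumber/gidNumber values that fall outside it, plus a gidNumber set on Domain Admins. The domain name SAMDOM, the '*' range and the AD objects are constructed sample values; in practice the attribute list would come from an export of your directory.

```python
import re

# Constructed smb.conf fragment; SAMDOM and the '*' range are assumed values.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-14999
"""

# Constructed AD export: (name, attribute, value); None means attribute unset.
AD_OBJECTS = [
    ("Domain Users", "gidNumber", 513),
    ("Domain Admins", "gidNumber", 512),
    ("Unix Admins", "gidNumber", 10001),
    ("alice", "uidNumber", 10500),
    ("bob", "uidNumber", 520),
    ("svc-backup", "uidNumber", None),
]

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def audit(objects, low, high):
    """Classify each AD object against the DOMAIN range [low, high]."""
    findings = []
    for name, attr, value in objects:
        if name.lower() == "domain admins" and value is not None:
            # Per the thread: with a gidNumber it is only a group again
            # and can no longer own files in sysvol.
            findings.append((name, "remove-gidNumber"))
        elif value is None:
            findings.append((name, "not-mapped"))    # not visible to Unix
        elif low <= value <= high:
            findings.append((name, "ok"))
        else:
            findings.append((name, "out-of-range"))  # outside the DOMAIN range
    return findings

LOW, HIGH = idmap_ranges(SMB_CONF)["SAMDOM"]
for obj_name, status in audit(AD_OBJECTS, LOW, HIGH):
    print(f"{status:18} {obj_name}")
```

With the sample data, 'Domain Users' (513) and bob (520) are reported as out-of-range, matching the situation described in the thread.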