I could use some input to point out the error in my configuration, which 
eludes me.
Previously I operated a 225-node cluster with samba 4.3 and sssd on the 
Linux boxes. Everything worked OK.
Now I am using samba 4.11.6 on CentOS 7.7, patched up to date. The DC, on 
a KVM VM, is the only node configured so far. I am using winbind in place 
of sssd (my first experience with winbind). BIND9_DLZ pointing to a DNS 
hosted on the same virtual box. The smb.conf is exactly as created by the 
domain provision, except that I added:
	winbind use default domain = yes
	winbind nss info = rfc2307
	template shell = /bin/zsh
	template homedir = /fs/home/%U
All installation tests seem to work OK. I create a group and a user 
(username smt) with samba-tool, and add the appropriate loginShell, 
unixHomeDirectory, uidNumber and gidNumber attributes. The "wbinfo -i smt" 
command gives:
 	VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
while "getent passwd smt" gives:
 	VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
The things that I don't understand are the absence of gecos, and the 
(uid,gid) of (1000,100). Both the uid and gid are wrong. I don't know 
where winbind is getting these values; if I modify the values in the 
database using ldbmodify and flush the winbind caches, the values returned 
by wbinfo and getent do not change from those shown above. If I change the 
template home directory, the values seen by wbinfo and getent do change as 
expected, since the DB values are evidently not used on a DC. Any pointers?
Steve
---------------------------------------------------------------------------- 
Steve Thompson E-mail:  smt AT vgersoft DOT com Voyager Software LLC Web: 
http://www DOT vgersoft DOT com 3901 N Charles St VSW Support: support AT 
vgersoft DOT com Baltimore MD 21218
   "186,282 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------
On 15/02/2020 19:15, Steve Thompson via samba wrote:
> I could use some input to point out the error in my configuration,
> which eludes me.
>
> Previously I operated a 225-node cluster with samba 4.3 and sssd on
> the Linux boxes. Everything worked OK.
>
> Now I am using samba 4.11.6 on CentOS 7.7, patched up to date.

Have you compiled Samba yourself, or are you using Samba packages and if so, where from ?

> The DC, on a KVM VM, is the only node configured so far. I am using
> winbind in place of sssd (my first experience with winbind). BIND9_DLZ
> pointing to a DNS hosted on the same virtual box.

What do you mean by 'DNS hosted on the same virtual box' ?

> The smb.conf is exactly as created by the domain provision, except
> that I added:
>
>     winbind use default domain = yes
>     winbind nss info = rfc2307

Those two do not work on a DC.

>     template shell = /bin/zsh
>     template homedir = /fs/home/%U
>
> All installation tests seem to work OK. I create a group and a user
> (username smt) with samba-tool, and add the appropriate loginShell,
> unixHomeDirectory, uidNumber and gidNumber attributes. The "wbinfo -i
> smt" command gives:
>
>     VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh

Is there a reason to use such low ID's ?

I know where the '100' is coming from, you haven't given Domain Users a gidNumber.

> while "getent passwd smt" gives:
>
>     VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
>
> The things that I don't understand are the absence of gecos, and the
> (uid,gid) of (1000,100). Both the uid and gid are wrong. I don't know
> where winbind is getting these values; if I modify the values in the
> database using ldbmodify and flush the winbind caches, the values
> returned by wbinfo and getent do not change from those shown above. If
> I change the template home directory, the value seen by wbinfo and
> getent do change as expected, since the DB value are evidently not
> used on a DC.
> Any pointers?

Yes, do not use the DC as a fileserver ;-)

You cannot use the loginShell, and unixHomeDirectory attributes on a Samba AD DC

Rowland
On Sat, 15 Feb 2020, Rowland penny via samba wrote:
> On 15/02/2020 19:15, Steve Thompson via samba wrote:
>> Now I am using samba 4.11.6 on CentOS 7.7, patched up to date.
> Have you compiled Samba yourself, or are you using Samba packages and if so,
> where from ?
>> The DC, on a KVM VM, is the only node configured so far. I am using
>> winbind in place of sssd (my first experience with winbind). BIND9_DLZ
>> pointing to a DNS hosted on the same virtual box.
> What do you mean by 'DNS hosted on the same virtual box' ?
>> The smb.conf is exactly as created by the domain provision, except that I
>> added:
>>
>>     winbind use default domain = yes
>>     winbind nss info = rfc2307
> Those two do not work on a DC.

OK, I removed them.

>> All installation tests seem to work OK. I create a group and a user
>> (username smt) with samba-tool, and add the appropriate loginShell,
>> unixHomeDirectory, uidNumber and gidNumber attributes. The "wbinfo -i smt"
>> command gives:
>>
>>     VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
>
> Is there a reason to use such low ID's ?

UID's and GID's are already assigned (via file ownerships) for 2500 users across many fileservers, and I do not really want to change them.

> I know where the '100' is coming from, you haven't given Domain Users a
> gidNumber.

I assigned a gidNumber to Domain Users, and now both wbinfo and getent return that number for the user's gid instead of the user's gidNumber from the database. This is wrong is it not? And it doesn't explain why the uid was incorrect also.

> Yes, do not use the DC as a fileserver ;-)

I understand this.

> You cannot use the loginShell, and unixHomeDirectory attributes on a Samba AD
> DC

I understand this too. I don't understand why this should be a limitation, though. I realize it was coded this way, but why?
Steve
Hi,

On Sat, 15 Feb 2020 at 20:16, Steve Thompson via samba <samba at lists.samba.org> wrote:
> winbind use default domain = yes
> winbind nss info = rfc2307
> template shell = /bin/zsh
> template homedir = /fs/home/%U

I have this on my DCs:

idmap_ldb:use rfc2307 = yes

I'm now doubting myself if that's even correct :) although it seems to mostly work (I have issues with sysvol/GPO, I suspect that may be down to other problems - that's next on my list to investigate)

Reference: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#RFC2307_on_AD_Domain_Controllers

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On 16/02/2020 15:05, Jonathan Hunter via samba wrote:
> Hi,
>
> On Sat, 15 Feb 2020 at 20:16, Steve Thompson via samba
> <samba at lists.samba.org> wrote:
>> winbind use default domain = yes
>> winbind nss info = rfc2307
>> template shell = /bin/zsh
>> template homedir = /fs/home/%U
> I have this on my DCs:
> idmap_ldb:use rfc2307 = yes
>
> I'm now doubting myself if that's even correct :) although it seems to
> mostly work (I have issues with sysvol/GPO, I suspect that may be down
> to other problems - that's next on my list to investigate)
>
> Reference:
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#RFC2307_on_AD_Domain_Controllers
>

You can stop doubting yourself, it is required if you want to use rfc2307 attributes ;-)

Rowland
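The thread above boils down to three facts about a Samba AD DC: `winbind use default domain` and `winbind nss info` have no effect there, `template shell` / `template homedir` are what the DC reports (loginShell and unixHomeDirectory are not read), and uidNumber/gidNumber are only used once `idmap_ldb:use rfc2307 = yes` is set, with the gid shown being the primary group's gidNumber rather than the user's own. The script below is an added example, not code from the thread or from Samba: it lints a DC's `[global]` section for exactly those points and compares a `wbinfo -i` / `getent passwd` line against the AD attributes. The smb.conf text, the realm, the forwarder address and the expected uid 2500 / gid 2000 are constructed assumptions.

```python
"""Lint a Samba AD DC smb.conf for the winbind/rfc2307 points raised in the thread
and compare what wbinfo/getent report against the AD attributes.
Added example, not Samba's code; the realm, addresses and ID values are assumed."""
import re

# Constructed sample: provision defaults plus the four lines Steve added.
# The realm, netbios name and forwarder address are assumptions.
SAMPLE_SMB_CONF = """\
[global]
        dns forwarder = 192.0.2.1
        netbios name = DC1
        realm = VOYAGER.EXAMPLE
        server role = active directory domain controller
        workgroup = VOYAGER
        winbind use default domain = yes
        winbind nss info = rfc2307
        template shell = /bin/zsh
        template homedir = /fs/home/%U

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# The same [global] with the two DC-inert lines removed and rfc2307 lookups enabled.
FIXED_SMB_CONF = """\
[global]
        dns forwarder = 192.0.2.1
        netbios name = DC1
        realm = VOYAGER.EXAMPLE
        server role = active directory domain controller
        workgroup = VOYAGER
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/zsh
        template homedir = /fs/home/%U
"""

# Per the thread: these two parameters do nothing on a DC.
IGNORED_ON_DC = ("winbind use default domain", "winbind nss info")

def normalize(name):
    """smb.conf parameter names are case-insensitive and ignore internal whitespace."""
    return re.sub(r"\s+", " ", name.strip().lower())

def parse_smb_conf(text):
    """Return {section: {param: value}}; whole-line '#' and ';' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = normalize(line[1:-1])
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][normalize(key)] = value.strip()
    return sections

def check_dc_global(sections):
    """Findings as (severity, message) tuples for a DC's [global] section."""
    g = sections.get("global", {})
    if normalize(g.get("server role", "")) != "active directory domain controller":
        return [("info", "server role is not a DC; these checks apply to DCs only")]
    findings = []
    for p in IGNORED_ON_DC:
        if p in g:
            findings.append(("warn", f"'{p}' has no effect on a DC; remove it"))
    if normalize(g.get("idmap_ldb:use rfc2307", "no")) != "yes":
        findings.append(("error", "'idmap_ldb:use rfc2307 = yes' is missing: "
                         "uidNumber/gidNumber from AD will not be used"))
    for p in ("template shell", "template homedir"):
        if p in g:
            findings.append(("info", f"'{p} = {g[p]}' is what the DC reports; "
                             "loginShell/unixHomeDirectory are not read on a DC"))
    return findings

PASSWD_RE = re.compile(r"^([^:]*):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)$")

def parse_passwd_line(line):
    """Split one 'wbinfo -i' / 'getent passwd' line into its seven fields."""
    m = PASSWD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a passwd line: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = m.groups()
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def check_mapping(passwd_line, uid_number, primary_group_gid_number):
    """Compare the reported uid/gid with the user's uidNumber and, as the thread
    shows for a DC, the gidNumber of the user's primary group (Domain Users)."""
    e = parse_passwd_line(passwd_line)
    problems = []
    if e["uid"] != uid_number:
        problems.append(f"uid {e['uid']} reported, uidNumber is {uid_number}")
    if primary_group_gid_number is None:
        problems.append(f"primary group has no gidNumber, so gid {e['gid']} did not come from AD")
    elif e["gid"] != primary_group_gid_number:
        problems.append(f"gid {e['gid']} reported, primary group gidNumber is {primary_group_gid_number}")
    return problems

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"== smb.conf {label}")
        for sev, msg in check_dc_global(parse_smb_conf(text)):
            print(f"  [{sev}] {msg}")
    # The line Steve posted, checked against assumed attribute values (uid 2500, gid 2000).
    for p in check_mapping(r"VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh", 2500, 2000):
        print("  mapping:", p)
```

Run it against a real DC with `python3 lint.py < /dev/null` after pasting your own `[global]` into `SAMPLE_SMB_CONF`, or feed `check_mapping()` the actual output of `wbinfo -i smt` together with the uidNumber of the user and the gidNumber of Domain Users read back with `ldbsearch`. Note that after `idmap_ldb:use rfc2307 = yes` is added, winbind's cache has to be flushed and the service restarted before the reported IDs change.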