Hi everyone,

on a server running samba4 with sssd for nsswitch mapping, I realized recently that on a Windows workstation, in the "folder property/security tab", users are mapped as "Unix user\userlogin" instead of "DOMAINNAME\userlogin".

I guess this is due to the fact that sssd mapping with getent passwd gives me the user name without the domain name (e.g. userlogin), and in the samba4 smb.conf I don't know how to specify to use the default domain, so it probably maps users to DOMAINNAME\userlogin.

Looking at the sssd doc, I didn't find how to add the domain name in sssd.conf, and in smb.conf, the only related command is "winbind use default domain", and I'd like to use sssd instead of winbind.

So I'd like to ask if there is a "use default domain" command for smb.conf without winbind?

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

On Mon, 2014-01-20 at 11:25 +0100, Denis Cardon wrote:
>
> So I'd like to ask if there is a "use default domain" command for
> smb.conf without winbind?

In sssd, it is the default. You get just the name of the object. Nothing needs to be added to either sssd.conf or smb.conf.

HTH
Steve

On 20/01/14 10:25, Denis Cardon wrote:
> Hi everyone,
>
> on a server running samba4 with sssd for nsswitch mapping, I realized
> recently that on windows workstation in the "folder property/security
> tab", users are mapped as "Unix user\userlogin" instead of
> "DOMAINNAME\userlogin".
>
> I guess this is due to the fact that sssd mapping with getent passwd
> gives me user name without domain name (eg. userlogin), and in the
> samba4 smb.conf I don't know how to specify to use default domain, so
> it probably maps users to DOMAINNAME\userlogin.
>
> Looking at sssd doc, I didn't find how to add domain name in
> sssd.conf, and in smb.conf, the only related command is "winbind use
> default domain", and I'd like to use sssd instead of winbind.
>
> So I'd like to ask if there is a "use default domain" command for
> smb.conf without winbind?
>
> Cheers,
>
> Denis
>
>

Hi,

I do not think that this has anything to do with sssd; the problem seems to occur only on a Windows workstation, where sssd is not used.

Did you create the Unix users with samba-tool? If you did, then this could be where the problem lies. If you create a user through ADUC and then add the Unix attributes, ADUC adds the following attributes to the user:

msSFU30NisDomain
msSFU30Name
uidNumber
gidNumber
loginShell
unixHomeDirectory
uid

I think that it is the lack of at least the first on the list that is giving you your problem. If you think about it, where is 'Unix user' coming from? I think it is something Windows uses if it cannot get the 'msSFU30NisDomain' but does find 'uidNumber'.

Try adding the attributes to one of your users and see if it cures your problem.

Rowland
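
Added example, not part of the original thread: a Python check that reads an LDIF export of user objects (for instance saved `ldbsearch` or `ldapsearch` output) and reports which accounts that have a `uidNumber` lack the other attributes listed in the message above. The sample users and the `example.lan` domain are constructed, and the function names are hypothetical.

```python
import base64

# Attributes the message above lists as added by ADUC with the Unix attributes.
UNIX_ATTRS = ["msSFU30NisDomain", "msSFU30Name", "uidNumber", "gidNumber",
              "loginShell", "unixHomeDirectory", "uid"]

# Constructed sample export (hypothetical users and domain), in LDIF format.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
msSFU30NisDomain: example
msSFU30Name: alice
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/alice
uid: alice

dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000
unixHomeDirectory: /home/
 bob
uid:: Ym9i
"""

def parse_ldif(text):
    """Yield one dict per entry (lowercased attribute -> values); folded lines are joined first."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue  # skip comment lines such as "# record 1"
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def missing_unix_attrs(text):
    """Map account name -> listed attributes it lacks, for entries that have a uidNumber."""
    gaps = {e.get("samaccountname", e["dn"])[0]: [a for a in UNIX_ATTRS if a.lower() not in e]
            for e in parse_ldif(text) if "uidnumber" in e}
    return {user: g for user, g in gaps.items() if g}
```

Calling `missing_unix_attrs(SAMPLE_LDIF)` flags only `bob`, whose entry has a `uidNumber` but no `msSFU30NisDomain`, `msSFU30Name` or `loginShell`.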

Hi Denis,

On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
> on a server running samba4 with sssd for nsswitch mapping, I
> realized recently that on windows workstation in the "folder
> property/security tab", users are mapped as "Unix user\userlogin"
> instead of "DOMAINNAME\userlogin".

First question I need to ask: which mode do you run Samba in? Are you running Samba in AD server mode (samba binary) or do you run Samba in classic mode (nmbd/smbd binary)?

If you run Samba in AD server mode, the best option is currently to use only the really needed fileserver functionality; that means usually you should not have other shares than the sysvol/netlogon share. Also, using winbind in AD server mode is not necessary at all; you will have numeric UIDs on the server, but that is okay. You also should not use a Windows AD server as a file/print server. Set up a member server to do the other file serving tasks.

If you run Samba in classic mode, then running it along with Winbind is the only supported option for a member server. On a member server where the source of the AD users is any different NSS source than nss_winbind, you have to configure the idmap nss backend. Theoretically this would also be required if you would use sssd.

Because I read the sssd recommendations so often on the list recently - once more: sssd is NOT the right thing for Samba member server setups.

Björn