Mirco MEGAS
2014-Oct-23 11:22 UTC
[Samba] Samba4: "MYDOM\Administrator" quite useless on a member server?
Hello list,

my DC and member server are running Samba 4.1.12. The DC was provisioned with rfc2307 and NIS extensions. Through the ADUC tool and the [UNIX Attributes] tab I assigned a uid to the AD user "testuser1" and I also assigned a gid to the AD group "Domain Users". The member server was configured according to the official wiki of samba.org. Winbind was configured on the member server and /etc/nsswitch.conf was modified too, like that:

    passwd: compat winbind
    group:  compat winbind

My questions are:

(1.) "wbinfo -p", "wbinfo -u" and "wbinfo -g" executed on the member server all return correct and expected results. From "wbinfo -u" and "wbinfo -g" I get all the available AD users+groups. From "getent passwd" I get only the AD users for which a uid exists in the UNIX attributes; in that case "testuser1" is displayed correctly. But when I run "getent group" I don't get the group "Domain Users", although this group also has a gid assigned. The strange thing is that "getent group 'Domain Users'" or "getent group 10000" work fine though:

    root@membersrv1:~$ getent group 'Domain Users'
    domain users:x:10000:
    root@membersrv1:~$ getent group 10000
    domain users:x:10000:

Why does "getent group" *NOT* return the AD domain groups that certainly have a GID assigned as a UNIX attribute? I installed a new member server with samba 4.1.11/wheezy-backports and joined it to my DC. The same problem exists on that new member server. I don't get the AD groups displayed by the command "getent group", but with "getent group 'Domain Users'" or "getent group 10000" they are displayed correctly.

Where is that issue related to?

(2.) For my understanding, please can anyone explain this to me. Every user or group I want to make usable on a member server *needs* to have a uid or gid assigned on the [UNIX Attributes] tab, correct? On the other side, I was told *NEVER* ever to assign a UNIX attribute UID to the "MYDOM\Administrator" account on the [UNIX Attributes] tab in the ADUC tool.

So how should that special user "MYDOM\Administrator" be made available to my member server? He cannot, in my opinion, and so winbind will never be able to use him.

Any help appreciated. Thanks to all.

Mirco
Rowland Penny
2014-Oct-23 12:04 UTC
[Samba] Samba4: "MYDOM\Administrator" quite useless on a member server?
On 23/10/14 12:22, Mirco MEGAS wrote:
> Hello list,
>
> my DC and member server are running Samba 4.1.12. The DC was provisioned with rfc2307 and NIS extensions. Through the ADUC tool and the [UNIX Attributes] tab I assigned a uid to the AD user "testuser1" and I also assigned a gid to the AD group "Domain Users". The member server was configured according to the official wiki of samba.org. Winbind was configured on the member server and /etc/nsswitch.conf was modified too, like that:
>
> passwd: compat winbind
> group:  compat winbind
>
> My questions are:
>
> (1.) "wbinfo -p", "wbinfo -u" and "wbinfo -g" executed on the member server all return correct and expected results. From "wbinfo -u" and "wbinfo -g" I get all the available AD users+groups. From "getent passwd" I get only the AD users for which a uid exists in the UNIX attributes; in that case "testuser1" is displayed correctly. But when I run "getent group" I don't get the group "Domain Users", although this group also has a gid assigned. The strange thing is that "getent group 'Domain Users'" or "getent group 10000" work fine though:
>
> root@membersrv1:~$ getent group 'Domain Users'
> domain users:x:10000:
> root@membersrv1:~$ getent group 10000
> domain users:x:10000:
>
> Why does "getent group" *NOT* return the AD domain groups that certainly have a GID assigned as a UNIX attribute? I installed a new member server with samba 4.1.11/wheezy-backports and joined it to my DC. The same problem exists on that new member server. I don't get the AD groups displayed by the command "getent group", but with "getent group 'Domain Users'" or "getent group 10000" they are displayed correctly.
>
> Where is that issue related to?

It is related to a known problem, if indeed it is a problem: you will have to give **every** group a gidNumber to get 'getent group' to work like 'getent passwd'. If I was you, I wouldn't worry about it, everything else seems to work.

> (2.) For my understanding, please can anyone explain this to me. Every user or group I want to make usable on a member server *needs* to have a uid or gid assigned on the [UNIX Attributes] tab, correct? On the other side, I was told *NEVER* ever to assign a UNIX attribute UID to the "MYDOM\Administrator" account on the [UNIX Attributes] tab in the ADUC tool. So how should that special user "MYDOM\Administrator" be made available to my member server? He cannot, in my opinion, and so winbind will never be able to use him.

Look, ignore whatever dev it was that told you not to use the smbmap, just use it, **everybody** who has any sense uses it.

Rowland

> Any help appreciated. Thanks to all.
>
> Mirco
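A small check for the situation Rowland describes, added here as an example and not code from the thread or from Samba: it compares what winbind enumerates ("wbinfo -g") against what NSS enumerates ("getent group") and lists the AD groups that are still missing a gidNumber, which is why they never show up in "getent group" even though lookups by name or by gid succeed. The same function works for users ("wbinfo -u" versus "getent passwd"). The sample output below is constructed to mimic the member server in the thread; on a real host feed it the live command output.

```python
import subprocess

# Constructed sample of "wbinfo -g" output: domain-prefixed, mixed case.
WBINFO_G = """MYDOM\\Domain Users
MYDOM\\Domain Admins
MYDOM\\Enterprise Admins
MYDOM\\testgroup
"""

# Constructed sample of "getent group" output on the member server:
# only groups that carry a gidNumber are enumerated by winbind's NSS module.
GETENT_GROUP = """root:x:0:
users:x:100:
domain users:x:10000:
"""


def normalize(name: str) -> str:
    """Strip a 'MYDOM\\' prefix (winbind's default separator) and lowercase,
    so names from wbinfo and from getent compare equal regardless of
    'winbind use default domain'."""
    return name.rsplit("\\", 1)[-1].strip().lower()


def winbind_names(wbinfo_out: str) -> set[str]:
    """Entries winbind knows about (one per line from wbinfo -u / wbinfo -g)."""
    return {normalize(line) for line in wbinfo_out.splitlines() if line.strip()}


def nss_names(getent_out: str) -> set[str]:
    """First field of every passwd/group line from getent."""
    return {normalize(line.split(":", 1)[0])
            for line in getent_out.splitlines() if ":" in line}


def unmapped(wbinfo_out: str, getent_out: str) -> list[str]:
    """Names winbind enumerates but NSS cannot: on an rfc2307 setup these are
    the AD users/groups that still lack a uidNumber/gidNumber."""
    return sorted(winbind_names(wbinfo_out) - nss_names(getent_out))


def live_unmapped_groups() -> list[str]:
    """Run the real commands on a member server (requires winbind; not run here)."""
    out = lambda cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return unmapped(out(["wbinfo", "-g"]), out(["getent", "group"]))


if __name__ == "__main__":
    print("groups without gidNumber:", unmapped(WBINFO_G, GETENT_GROUP))
```

Every name printed is a group to which a gidNumber still has to be added in the [UNIX Attributes] tab before "getent group" will list it.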