On 02/04/15 10:20, buhorojo wrote:
> On 02/04/15 08:36, L.P.H. van Belle wrote:
>> nss/winbind does work, yes, there is 1 missing file, just created it.
>> ( and this is not needed on a DC ! )
> So you are telling us that something that returns:
> /bin/false
> when:
> /bin/bash
> is specified in the database is a piece of software that is working?
>

You only need a shell if you are logging into the DC and you shouldn't be, the samba wiki couldn't be much plainer, it is not recommended to use the DC as a fileserver!

However, if you must use the DC as a fileserver, investigate the 'template' lines for smb.conf

Rowland

On 02/04/15 11:27, Rowland Penny wrote:
> On 02/04/15 10:20, buhorojo wrote:
>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>> nss/winbind does work, yes, there is 1 missing file, just created it.
>>> ( and this is not needed on a DC ! )
>> So you are telling us that something that returns:
>> /bin/false
>> when:
>> /bin/bash
>> is specified in the database is a piece of software that is working?
>>
>
> You only need a shell if you are logging into the DC and you shouldn't
> be, the samba wiki couldn't be much plainer, it is not recommended to
> use the DC as a fileserver!
>
> However, if you must use the DC as a fileserver, investigate the
> 'template' lines for smb.conf
>
> Rowland

The correct output from getent and id goes far beyond login! Please read the previous posts to the list.

L.P.H. van Belle
2015-Apr-02 10:18 UTC
[Samba] sssd-ad cannot be installed with sernet samba
So give a good example of what is not working.

I have DC/Member servers, proxy, mail, web servers, nfs(v4) mounts etc., mixed linux and windows server and groups. All work fine, so give a good example of what your problem is. There are so many previous posts and I didn't see exactly what your problem is.

Louis

>-----Original message-----
>From: buhorojo.lcb at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of buhorojo
>Sent: Thursday 2 April 2015 12:05
>To: samba at lists.samba.org
>Subject: Re: [Samba] sssd-ad cannot be installed with sernet samba
>
>On 02/04/15 11:27, Rowland Penny wrote:
>> On 02/04/15 10:20, buhorojo wrote:
>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>> nss/winbind does work, yes, there is 1 missing file, just created it.
>>>> ( and this is not needed on a DC ! )
>>> So you are telling us that something that returns:
>>> /bin/false
>>> when:
>>> /bin/bash
>>> is specified in the database is a piece of software that is working?
>>>
>>
>> You only need a shell if you are logging into the DC and you shouldn't
>> be, the samba wiki couldn't be much plainer, it is not recommended to
>> use the DC as a fileserver!
>>
>> However, if you must use the DC as a fileserver, investigate the
>> 'template' lines for smb.conf
>>
>> Rowland
>
>The correct output from getent and id goes far beyond login! Please read
>previous the posts to the list.

On 02/04/15 11:05, buhorojo wrote:
> On 02/04/15 11:27, Rowland Penny wrote:
>> On 02/04/15 10:20, buhorojo wrote:
>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>> nss/winbind does work, yes, there is 1 missing file, just created it.
>>>> ( and this is not needed on a DC ! )
>>> So you are telling us that something that returns:
>>> /bin/false
>>> when:
>>> /bin/bash
>>> is specified in the database is a piece of software that is working?
>>>
>>
>> You only need a shell if you are logging into the DC and you
>> shouldn't be, the samba wiki couldn't be much plainer, it is not
>> recommended to use the DC as a fileserver!
>>
>> However, if you must use the DC as a fileserver, investigate the
>> 'template' lines for smb.conf
>>
>> Rowland
>
> The correct output from getent and id goes far beyond login! Please
> read previous the posts to the list.
>

If you follow the recommendation on the samba wiki and do not use the DC as a fileserver, you will not have this problem. Using the 'template' lines is a workaround, but you still could have problems if you do use the DC as a fileserver.

Rowland

Greetings, Rowland Penny!

>>> nss/winbind does work, yes, there is 1 missing file, just created it.
>>> ( and this is not needed on a DC ! )
>> So you are telling us that something that returns:
>> /bin/false
>> when:
>> /bin/bash
>> is specified in the database is a piece of software that is working?
>>

> You only need a shell if you are logging into the DC and you shouldn't
> be, the samba wiki couldn't be much plainer, it is not recommended to
> use the DC as a fileserver!

You can recommend whatever you like, the reality is that there's no spare hardware is coming my way alongside your recommendations.
And I've been bitten by virtualization one time too many already to feel reluctant to implement it in production.
Just check the last thread I started.

> However, if you must use the DC as a fileserver, investigate the
> 'template' lines for smb.conf

I can't see, how it can make a difference, if I'm setting winbind on DC or a member server. The information is coming from same place - from AD.
What makes it behave differently, if set on different server?

--
With best regards,
Andrey Repin
Thursday, April 2, 2015 19:57:14

Sorry for my terrible english...

On 02/04/15 18:02, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> nss/winbind does work, yes, there is 1 missing file, just created it.
>>>> ( and this is not needed on a DC ! )
>>> So you are telling us that something that returns:
>>> /bin/false
>>> when:
>>> /bin/bash
>>> is specified in the database is a piece of software that is working?
>>>
>> You only need a shell if you are logging into the DC and you shouldn't
>> be, the samba wiki couldn't be much plainer, it is not recommended to
>> use the DC as a fileserver!
> You can recommend whatever you like, the reality is that there's no spare
> hardware is coming my way alongside your recommendations.
> And I've been bitten by virtualization one time too many already to feel
> reluctant to implement it in production.
> Just check the last thread I started.

I understand where you are coming from, been there, had to do that :-)

>
>> However, if you must use the DC as a fileserver, investigate the
>> 'template' lines for smb.conf
> I can't see, how it can make a difference, if I'm setting winbind on DC or a
> member server. The information is coming from same place - from AD.
> What makes it behave differently, if set on different server?
>
>

Because, whilst using rfc2307 attributes on a samba AD member server will get you the contents of the 'unixHomeDirectory' & 'loginShell' attributes, on the samba AD DC itself, you won't.

Rowland

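
The 'template' lines discussed in the messages above, as an added illustration that is not part of any poster's message: a constructed `[global]` fragment for smb.conf on the DC. `template shell` and `template homedir` are the smb.conf parameters; the values chosen here are assumptions.

```ini
# Constructed smb.conf fragment (illustration only, not from the thread).
[global]
    # If neither parameter is set, winbind uses its built-in defaults:
    #   template shell   = /bin/false
    #   template homedir = /home/%D/%U
    # That default is the /bin/false seen in getent output on the DC even
    # though loginShell in AD is set to /bin/bash for the account.

    # Example values (assumptions). They apply to every domain account that
    # winbind resolves on this host; per the thread, the per-user
    # unixHomeDirectory and loginShell attributes are not returned on the DC.
    template shell = /bin/bash
    template homedir = /home/%U

    # Because the shell is now the same for all domain users, who may
    # actually log in to the DC has to be limited elsewhere (for example
    # in the sshd or PAM configuration), not through loginShell.
```

After restarting Samba, `getent passwd` for a domain user on the DC should show the template values in the home directory and shell fields.
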
On 02/04/15 19:02, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> nss/winbind does work, yes, there is 1 missing file, just created it.
>>>> ( and this is not needed on a DC ! )
>>> So you are telling us that something that returns:
>>> /bin/false
>>> when:
>>> /bin/bash
>>> is specified in the database is a piece of software that is working?
>>>
>> You only need a shell if you are logging into the DC and you shouldn't
>> be, the samba wiki couldn't be much plainer, it is not recommended to
>> use the DC as a fileserver!
> You can recommend whatever you like, the reality is that there's no spare
> hardware is coming my way alongside your recommendations.
> And I've been bitten by virtualization one time too many already to feel
> reluctant to implement it in production.
> Just check the last thread I started.
>
>> However, if you must use the DC as a fileserver, investigate the
>> 'template' lines for smb.conf
> I can't see, how it can make a difference, if I'm setting winbind on DC or a
> member server. The information is coming from same place - from AD.
> What makes it behave differently, if set on different server?
>
>

Hi

For a small domain it makes sense to use the DC as a file server. That's what windows does. If you don't want to use samba, you can pick up a w2003v2 or whatever they call it cd for next to nothing these days.

B.

On 19:54:24 wrote Andrey Repin:
> Greetings, Rowland Penny!
>
> >>> nss/winbind does work, yes, there is 1 missing file, just created
> >>> it. ( and this is not needed on a DC ! )
> >>
> >> So you are telling us that something that returns:
> >> /bin/false
> >>
> >> when:
> >> /bin/bash
> >> is specified in the database is a piece of software that is
> >> working?
> >
> > You only need a shell if you are logging into the DC and you
> > shouldn't be, the samba wiki couldn't be much plainer, it is not
> > recommended to use the DC as a fileserver!
>
> You can recommend whatever you like, the reality is that there's no
> spare hardware is coming my way alongside your recommendations.
> And I've been bitten by virtualization one time too many already to
> feel reluctant to implement it in production.
> Just check the last thread I started.
>
> > However, if you must use the DC as a fileserver, investigate the
> > 'template' lines for smb.conf
>
> I can't see, how it can make a difference, if I'm setting winbind on
> DC or a member server.

OK. You don't understand it. winbind exists in two incarnations. winbind on samba dc, version 4.0.x and 4.1.x, winbindd (with two d) on all other samba versions.

> The information is coming from same place -
> from AD.

Simply false. Read the docs. Information may be stored in AD, passwd db, nis, idmap.ldb or computed on the fly. Sometimes you have two stores at the same time.

> What makes it behave differently, if set on different
> server?

Different approaches for the same thing!! Mapping M$ identities to posix identities could be quite complex.

--
Regards
Harry Jede