On 26.10.2015 23:03, Rowland Penny wrote:
> On 26/10/15 21:38, Viktor Trojanovic wrote:
>> I joined a Samba AD member server (file server) to a Samba AD DC.
>> This seems to have worked. However, if I try to access the file
>> server from the domain administrator account on a Windows client, I
>> am asked to provide authorization details. Since I have no other
>> privileged users, I am using the domain admin credentials but they're
>> not accepted.
>>
>> I'm not sure exactly where to look but I think the problem could be
>> connected to the following: On my member server, the getent command
>> does not yield any results. As per the recommendations on the "Samba
>> Member Server Troubleshooting" page, I checked on the DC if the group
>> Domain Users has a gidNumber. Well, it doesn't. Neither do my users
>> have uidNumbers though this, allegedly, is not such an issue.
>
> Yes it is, there is no point in adding a gidNumber to Domain Users if
> you are not going to give your Users a uidNumber.
>
> As far as how to add uidNumbers and gidNumbers, well firstly, do you
> need to? If your users are never going to actually log into the member
> server and this is your only Unix machine, you could use the winbind
> 'rid' backend, this will create the ID numbers on the fly.
> If you have more than one member server, or Unix clients or want your
> users to log into the member server, you will probably be better off
> using the winbind 'ad' backend. To do this you will need to give your
> users a unique uidNumber and Domain Users (at least) a gidNumber. You
> can do this by using the ADUC UNIX Attributes tab, by writing your own
> script using an ldif, or by using something like the LDAP Account
> Manager (LAM).
>
> Rowland

Thanks again for helping, Rowland.

As I mentioned before, both the DC and the member server are Unix
running Samba 4.3. The purpose of the member server is to act as file
server, nothing more.

The clients are all Windows machines and users, they will never log in
to one of the Unix systems directly. If they are able to access shares
on the file server without having to log in, then I guess this 'rid'
backend seems to be what I need. Correct? Can you give me some pointers
on how to do that, or direct me to the documentation?

Though one has to wonder: There is a wiki how to implement a Samba AD,
and how to add a Samba Member Server. I followed the instructions step
by step, for both, and now it turns out that the instructions for the
member server are not made to fit the configuration of the DC? That's a
bit discouraging.

Viktor
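
Added illustration, not part of the original thread and not Samba's own code: a Python sketch of how the winbind 'rid' backend discussed above derives Unix IDs from a SID without any uidNumber/gidNumber stored in AD, using the formula documented in idmap_rid(8). The domain SID and ID range are constructed sample values; the function names are hypothetical.

```python
# Added example: the algorithmic mapping used by winbind's 'rid' idmap backend.
# Formula from idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID

# Constructed sample values (assumptions, not taken from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_LOW, RANGE_HIGH = 10000, 999999  # assumed "idmap config DOM : range"
BASE_RID = 0                           # idmap_rid default


def split_sid(sid):
    """Return (domain_sid, rid) for a SID string such as S-1-5-21-a-b-c-513."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=RANGE_LOW,
                   high=RANGE_HIGH, base_rid=BASE_RID):
    """Map a SID to a uid/gid as the rid backend would; None if unmappable."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None  # other domain or BUILTIN: covered by a different idmap config
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None  # falls outside the configured range, so no mapping exists
    return unix_id


def unix_id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=RANGE_LOW,
                   high=RANGE_HIGH, base_rid=BASE_RID):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id + base_rid - low}"


if __name__ == "__main__":
    # 500 and 513 are the well-known RIDs of Administrator and Domain Users.
    for name, rid in (("Administrator", 500), ("Domain Users", 513)):
        sid = f"{DOMAIN_SID}-{rid}"
        print(name, sid, "->", rid_to_unix_id(sid))
    # The same SID on a member configured with a different range gets another ID.
    print("other range:", rid_to_unix_id(f"{DOMAIN_SID}-513", low=20000))
```

Because the result depends only on the RID and the configured range, every member server that should agree on file ownership needs the same range for the domain.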