On 18/11/15 10:36, Georgi Georgiev wrote:
> Hello all,
>
> I build following test environment, two Sernet Samba 4.2.5-8 DC with
> --use-rfc2307 on Debian Jessie with BIND9_DLZ as DNS backend,
> two Member server same sernet packages :
> member1 acting like Print Server and member2 - File Server.
> DC1 conf:
> # Global parameters
> [global]
> workgroup = COMAC
> realm = COMAC.CMBG.BG
> netbios name = DC1
> interfaces = lo eth0
> bind interfaces only = Yes
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> load printers = no
> printcap name = /dev/null
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/comac.cmbg.bg/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Member2 :
> [global]
>
> netbios name = MEMBER2
> security = ADS
> workgroup = COMAC
> realm = COMAC.CMBG.BG
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> # Important: The ranges of the default (*) idmap config
> # and the domain(s) must not overlap!
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain
> idmap config COMAC:backend = ad
> idmap config COMAC:schema_mode = rfc2307
> idmap config COMAC:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> printcap name = /dev/null
> load printers = no
>
>
> [TEST3]
> comment = TEST3
> path = /data/test3
> read only = no
>
> On member:
> root at member2:/data# wbinfo -n test3
> S-1-5-21-3950231052-3657987514-2080562086-1108 SID_USER (1)
> root at member2:/data# getent passwd test3
> test3:*:10003:10001:test3:/home/test3:/bin/sh
> root at member2:/data# id test3
> uid=10003(test3) gid=10001(domain users) groups=10001(domain
> users),*10002(cmbg)*,2001(BUILTIN\users)
As you can see 'test3' has the uid of '10003' and the primary
gid of '10001'
>
> root at member2:/data# getent group | grep cmbg
> cmbg:x:10002:
>
> I have following problem or maybe missing something when setup
> permissions:
> Trying POSIX method
> mkdir /data/test3
> chown test3:cmbg /data/test3
> chmod 2770 /data/test3
>
> but newly created subdirectories always show "domain users" as
> group:
> drwxrws---+ 2 test3 domain users 4096 Nov 18 12:12 demo
If a user creates a directory (or file) it will get the user's uid & gid
(see above); just adding a gidNumber to a domain user does not make it
the user's primary Unix group, perhaps it should, but it doesn't.
Rowland
>
> I really would appreciate any advice you can offer!
> --GIG
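The "POSIX method" in the quoted mail (chown to the group, chmod 2770, then see which group new subdirectories get) can be checked locally before blaming Samba or winbind. The script below is an added example and is not part of the original thread or of Samba; it assumes a Linux host, that it is run as the account that will create files in the share (not root), and that the account belongs to at least one supplementary group so that inheritance is visible. The directory names test3 and demo are taken from the thread; the gids are whatever the running user has. It reports "inherit" when the child directory takes the setgid parent's group (what the poster expected from cmbg) and "primary" when it takes the creating user's primary gid (what the poster saw with "domain users").

```shell
#!/bin/sh
# Added example: does a setgid (2770) directory hand its group to new
# subdirectories for the current user? Assumes Linux and a non-root user.

# Numeric gid of a path; "ls -n" prints numeric ids, so this works on
# GNU and BSD userlands and is unaffected by the "+" that an ACL adds.
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Pick a supplementary group that differs from the primary gid so that
# inheritance is distinguishable; fall back to the primary gid if the
# user is only in one group.
pick_test_gid() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Recreate the thread's setup in a scratch directory: parent owned by
# the chosen group with mode 2770, then mkdir a child and compare gids.
check_setgid_inheritance() {
    base=$(mktemp -d) || return 2
    parent="$base/test3"
    want=$(pick_test_gid)
    mkdir "$parent"
    # chgrp only succeeds for a group we are a member of; if it fails,
    # test against whatever group the directory actually has.
    chgrp "$want" "$parent" 2>/dev/null || want=$(gid_of "$parent")
    chmod 2770 "$parent"
    mkdir "$parent/demo"
    got=$(gid_of "$parent/demo")
    rm -rf "$base"
    if [ "$got" = "$want" ]; then
        echo inherit
    else
        echo primary
    fi
}

check_setgid_inheritance
```

If this prints "inherit" on the member server's filesystem but files created through the share still get "domain users", the group is being set by the path that Samba takes (the primary gid winbind reports for the user, as Rowland describes), not by the filesystem; if it prints "primary" even locally, the setgid bit or the group membership is the problem and the share configuration is not yet involved.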