I finally got to test it and it works OK. Something really strange is occurring though.

It works well as follows, except for groups, but I'll look at that later as I see others have mentioned some issues with groups. Here is my /etc/samba/smb.conf:

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 900-999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000-99999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

What is strange is when I use the ranges like so:

idmap config * : range = 1000-9999
idmap config DOMAIN:range = 10000-99999

only a small fraction of my users show up when I do a "getent passwd". They all seem to show up when I do a "wbinfo -u", and all my users' uids are over 10000.

When I set it back to

idmap config * : range = 900-999
idmap config DOMAIN:range = 1000-99999

I see all my users.

So going further, I find that when I run "id" as myuser I didn't see all my groups, but if I ran "id myuser" I did see all my users. So I tried

idmap config * : range = 100000-1099999
idmap config DOMAIN:range = 0-99999

and now when I run "id" as myuser I see all my groups.

On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
> On 05/12/15 02:47, Jeff Sadowski wrote:
>> Thank you Rowland for looking at it.
>> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad; that is how I got as far as I did, that and the idmap_ad man page. I could not find how to use the loginShell. Is there a variable I can use for it in the template or an option to set to use it? loginShell and unixHomedir are not mentioned on the wiki that I could find. I'm good with the templated homedir but curious how to use the unixHomedir. It seems that the schema_mode = rfc2307 is the default, as it works fine except for the default shells, which I have the workaround for. I think I will move them out of their home directories and set them elsewhere, where users will need to ask to change the shell. I purposefully set rid as the default backend if one does not exist explicitly for the domain, as it worked better for me. What I did with the default backend should stop the login if the domain isn't explicitly defined.
>>
>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:
>>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>>> We use PowerBroker here at work and were wondering why we need it.
>>>>
>>>> I was able to set up a new linux server using samba and am able to login with my active directory accounts, but I couldn't figure out how to set the login shells.
>>>> I have a workaround but would like feedback. In my /etc/samba/smb.conf I have the following:
>>>>
>>>> security = ads
>>>> realm = DOMAIN.LONG
>>>> workgroup = DOMAIN
>>>> idmap config DOMAIN : backend = ad
>>>> idmap config DOMAIN : range = 1000-999999999
>>>> #should not get here
>>>> idmap config * : range = 999999998-999999999
>>>> idmap config * :backend =rid
>>>> template homedir = /nfs/homes/%U
>>>> template shell = /nfs/homes/%U/.default_shell
>>>> winbind use default domain = yes
>>>> restrict anonymous = 2
>>>
>>> Have you considered reading the Samba wiki?
>>> Your 'idmap config' block should look similar to this:
>>>
>>> # Default idmap config used for BUILTIN and local accounts/groups
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>>
>>> # idmap config for domain SAMDOM
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> idmap config DOMAIN:range = 10000-99999
>>>
>>> # Use template settings for login shell and home directory
>>> winbind nss info = template
>>> template shell = /nfs/homes/%U/.default_shell
>>> template homedir = /nfs/homes/%U
>>>
>>> Though as you seem to be using uidNumber & gidNumber attributes, you could also store the loginShell and unixHomedir in AD as well.
>>>
>>> Rowland
>>>
>>>> allowing users to pick their shell using
>>>> ln -s /bin/bash ~/.default_shell
>>>> or
>>>> ln -s /bin/tcsh ~/.default_shell
>>>> ...
>>>>
>>>> It will be easy to create the .default_shell for each user using a simple script I can run on a machine that has PowerBroker, but I am wondering what others have done to allow users to pick their shell using samba to authenticate?
>>>> What are the downsides of doing it the way I did it?
>>>>
>>>> Is there a way to use the loginShell provided by rfc2307 that I haven't found documented in samba?
>>>>
>>>> I'm using samba version 4.1.6 if that makes a difference. I could probably find a way to upgrade if there is support in newer versions.
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
> Samba AD as standard comes with the ability to add RFC2307 attributes to a user or group (see here for more info: https://www.ietf.org/rfc/rfc2307.txt). What this means is, if you give a user a uidNumber and at least 'Domain Users' a gidNumber, then the user will become visible on a Unix domain member (aka Unix workstation).
> If you study the list of attributes on the link above, you will find that there are more attributes available, amongst them loginShell and homeDirectory. The first is where you can store the user's login shell (obviously), but there is a problem with the second: AD already has an attribute with the same name to store the user's Windows home directory path, so this became unixHomeDirectory and is where you can store the user's Unix home directory.
> If you require more info on the RFC2307 attributes, please ask.
>
> Now, as for the 'idmap config' block and which to use, this is down to the sysadmin (i.e. you) and is based on what you require.
> There are several backends available, but only two are regularly used, the 'ad' and 'rid' backends. Let's deal with the 'rid' backend first: this is used if you don't want (or need) to add RFC2307 attributes to AD. Your users & groups will be mapped to a number inside the range you set, i.e. idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the IDs from the user/group RID and, as long as you use the same 'idmap config' block on every Unix machine, you will get the same Unix ID on every Unix machine. The downside is that you cannot set individual homedirs & shells for users and will have to use the template lines in smb.conf.
>
> The 'ad' backend is different: it uses the RFC2307 attributes for the user/group IDs. This does of course mean that you have to add a uidNumber attribute containing a unique number to any users that you need to be visible to Unix *and* add a gidNumber to Domain Users at least. These numbers must be inside the range you set in smb.conf; any numbers outside the range will be ignored.
> You can go further with the 'ad' backend: you can add the loginShell attribute containing the user's shell (/bin/bash for instance), and you can also add the unixHomeDirectory attribute containing the path to the user's home directory. To use these, you would also need to have the line 'winbind nss info = rfc2307' in smb.conf. If you don't want to add these further attributes, you can add 'winbind nss info = template' instead and also add the template lines.
>
> You need these lines in smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> These lines are where Samba will store the mappings for the builtin users & groups; without these, it is very unlikely Samba will work correctly.
>
> Again, any questions, please ask.
>
> Rowland
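A checker for the 'idmap config' ranges the quoted reply turns on, added here as an example (it is not code from the thread or from the Samba project). It parses 'idmap config <domain>:<key> = <value>' lines in the loose spacing the posted smb.conf fragments use, then flags a missing default '*' backend/range, a domain range that overlaps the default range, and a range that reaches into the 0-999 space most distributions reserve for system accounts. The two sample configs inside it are copied from the posts above and labelled as such; the 999 cut-off is a parameter, since it is a distribution convention rather than a Samba rule.

```python
"""Lint the 'idmap config' block of an smb.conf on a Unix domain member.

Added example; not code from the thread or from the Samba project.
It parses every 'idmap config <domain>:<key> = <value>' line and reports
the problems the thread turns on: no default '*' backend/range, a domain
range that overlaps the default range, and a range that reaches into the
0-999 space most distributions reserve for system accounts.
"""
import re
from typing import Dict, List, Tuple

# 'idmap config DOMAIN : range = 10000-99999'; whitespace around ':' and '=' is optional.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}}; domain names are upper-cased, '*' kept as-is."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in smb_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0]  # strip smb.conf comments
        m = _IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"low end above high end: {text}")
    return lo, hi


def lint_idmap(cfg: Dict[str, Dict[str, str]], system_reserved_max: int = 999) -> List[str]:
    """Return findings as strings; an empty list means the block looks sane."""
    findings: List[str] = []
    default = cfg.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("no 'idmap config * : backend/range'; BUILTIN and local SIDs cannot be mapped")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            findings.append(f"{dom}: no range, every lookup for this domain will fail")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as err:
            findings.append(f"{dom}: unusable range ({err})")
            continue
        if ranges[dom][0] <= system_reserved_max:
            findings.append(
                f"{dom}: range starts at {ranges[dom][0]}, inside the 0-{system_reserved_max} "
                "system account space; local and AD IDs can collide"
            )
    # Every pair of ranges must be disjoint, otherwise one ID can mean two SIDs.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi} share IDs")
    return findings


# Constructed sample: the first smb.conf posted in the thread (idmap lines only).
POSTED_CONF = """\
security = ads
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 1000-999999999
#should not get here
idmap config * : range = 999999998-999999999
idmap config * :backend =rid
"""

# Constructed sample: the block the Samba wiki recommends, as quoted in the thread.
WIKI_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("wiki", WIKI_CONF)):
        print(label, lint_idmap(parse_idmap(text)) or ["ok"])
```

Point it at a real file with lint_idmap(parse_idmap(open("/etc/samba/smb.conf").read())); it only reads the idmap lines, so the rest of the file can be anything testparm accepts.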
Bad testing for groups. Working with many systems, I found I must have been testing on another system than the one I was configuring.

idmap config * : range = 100000-1099999
idmap config DOMAIN:range = 0-99999

worked no differently for me from

idmap config * : range = 900-999
idmap config DOMAIN:range = 1000-99999

so I will set it back.

On Mon, Dec 7, 2015 at 8:42 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> [snip]
On 07/12/15 15:42, Jeff Sadowski wrote:
> [snip]

You posted that you were using Samba version 4.1.6; this usually means Ubuntu, in which case 0-999 is reserved for the system users & groups (root etc.) and 1000 upwards is where you should be putting your local Unix users & groups. This means that you shouldn't really use any number under '1000' for AD users & groups, and you should also leave a small space for local users & groups, hence the advice on the wiki is to use '2000-9999' for your builtin AD users & groups and to use '10000' upwards for your AD users & groups.

This means if you give 'Domain Users' the gidNumber of '10000' and then give your users uidNumbers starting from '10000' and use the 'idmap config' block from the wiki, you will be able to see all your users & groups via getent. Note that 'getent group' will not show anything, but 'getent group Domain\ Users' will.

You can start both your user & group IDs from '10000'; there is no reason to use different ranges.

Using wbinfo to show users works differently to getent: using 'wbinfo -u' to show your users ensures that winbind can connect to AD; you need to use getent to make sure that your OS can connect to AD. If getent doesn't show your user or group, then the OS will not know about it.

Rowland
But that doesn't work for me. As I am saying If I set it like that I only see 7 domain users with getent passwd experimenting I see if I set idmap config * : range = 2000-7999 idmap config DOMAIN:range = 8000-99999 I see all my users. which is really odd because all my users have uids above 10000 What other trouble shooting steps can I take to see why this is acting this way? I edit /etc/samba/smb.conf I run a script with the following service winbind stop service samba stop net cache flush rm -f /var/lib/samba/*.tdb rm -f /var/lib/samba/group_mapping.ldb sleep 1 service samba start service winbind start then I do getent passwd|wc -l ########################3 when idmap config DOMAIN:range = 10000-99999 # getent passwd|wc -l 47 when idmap config DOMAIN:range = 9000-99999 # getent passwd|wc -l 109 when idmap config DOMAIN:range = 8000-99999 # getent passwd|wc -l 801 that seems to be as many as I can get still doesn't add up as # cat /etc/passwd|wc -l 40 # wbinfo -u|wc -l 798 So I should have 838 users. 
But no matter what I set idmap config DOMAIN:range to I don't see any more than 801 users with getent passwd On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny <rpenny at samba.org> wrote:> On 07/12/15 15:42, Jeff Sadowski wrote: > >> I finally got to test it and it works OK >> something really strange is occurring though >> >> It works good as follows except for groups but I'll look at that latter >> as I see others have mentioned some issues with groups >> here is my /etc/samba/smb.conf >> >> security = ads >> realm = DOMAIN.LONG >> workgroup = DOMAIN >> idmap config * : backend = tdb >> idmap config * : range = 900-999 >> idmap config DOMAIN:backend = ad >> idmap config DOMAIN:range = 1000-99999 >> idmap config DOMAIN:schema_mode = rfc2307 winbind nss info >> rfc2307 winbind use default domain = yes >> # so that the users show up in getent >> winbind enum users = Yes >> # doesn't seem to do the same for groups :-/ >> winbind enum groups = Yes >> restrict anonymous = 2 >> >> What is strange is when I use the ranges like so >> >> idmap config * : range = 1000-9999 >> idmap config DOMAIN:range = 10000-99999 >> >> only a small fraction of my users show up when I do a "getent passwd" >> they all seem to show up when I do a "wbinfo -u" >> and all my users uids are over 10000 >> >> when I set it back to >> >> idmap config * : range = 900-999 >> idmap config DOMAIN:range = 1000-99999 >> >> I see all my users >> >> >> So going further I find that when I run "id" as myuser I didn't see all >> my groups but if I ran "id myuser" I did see all my users >> So I tried >> >> idmap config * : range = 100000-1099999 >> idmap config DOMAIN:range = 0-99999 >> >> and now when I run "id" as myuser I see all my group >> > > You posted that you were using Samba version 4.1.6, this usually means > Ubuntu, in which case: 0-999 is reserved for the system users & groups > (root etc), 1000 upwards is where you should be putting your local Unix > users & groups. 
This means that you shouldn't really use any number under a > '1000' for AD users & groups and you should also leave a small space for > local users & groups, hence the advice on the wiki is to use '2000-9999' > for your builtin AD users & groups and to use '10000' upwards for your AD > users & groups. > > This means if you give 'Domain Users' the gidNumber of '10000' and then > give your users uidNumbers starting from '10000' and use the 'idmap config' > block from the wiki, you will be able to see all your users & groups via > getent. Note that 'getent group' will not show anything, but 'getent group > Domain\ Users' will. > > You can start both your user & group IDs from '10000', there is no reason > to use different ranges. > > using wbinfo to show users works differently to getent, using 'wbinfo -u' > to show your users ensures that winbind can connect to AD, you need to use > getent to make sure that your OS can connect to AD, if getent doesn't show > your user or group, then the OS will not know about it. > > Rowland > > >> >> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org <mailto: >> rpenny at samba.org>> wrote: >> >> On 05/12/15 02:47, Jeff Sadowski wrote: >> >> Thank you Rowland for looking at it. >> I did read the wiki here >> https://wiki.samba.org/index.php/Idmap_config_ad that is how I >> got as far as I did; that and the idmap_ad man page. I could >> not find how to use the loginShell is there a variable I can >> use for it in the template or an option to set to use it? >> loginShell and unixHomedir are not mentioned on the wiki that >> I could find. I'm good with the templated homedir but curious >> how to use the unixHomedir. It seems that the schema_mode >> rfc2307 is the default as it works fine except for the default >> shells which I have the workaround for. I think I will move >> them out of their home directories and set them else ware, >> where users will need to ask to change the shell. 
I >> purposefully set rid as the default backend if one does not >> exist explicit for the domain as it worked better for me. What >> I did with the default backend should stop the login if the >> domain isn't explicitly defined. >> >> >> >> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny >> <rpenny at samba.org <mailto:rpenny at samba.org> >> <mailto:rpenny at samba.org <mailto:rpenny at samba.org>>> wrote: >> >> On 04/12/15 22:43, Jeff Sadowski wrote: >> >> We use power broker here at work and where wondering >> why we >> need it. >> >> I was able to setup a new linux server using samba and >> am able >> to login >> with my active directory accounts but I couldn't >> figure out >> how to set the >> login shells. >> I have a work around but would like feedback >> in my /etc/samba/smb.conf I have the following >> >> security = ads >> realm = DOMAIN.LONG >> workgroup = DOMAIN >> idmap config DOMAIN : backend = ad >> idmap config DOMAIN : range = 1000-999999999 >> #should not get here >> idmap config * : range = 999999998-999999999 >> idmap config * :backend =rid >> template homedir = /nfs/homes/%U >> template shell = /nfs/homes/%U/.default_shell >> winbind use default domain = yes >> restrict anonymous = 2 >> >> >> Have you considered reading the Samba wiki ? >> Your 'idmap config' block should look similar to this: >> >> # Default idmap config used for BUILTIN and local >> accounts/groups >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> >> # idmap config for domain SAMDOM >> idmap config DOMAIN:backend = ad >> idmap config DOMAIN:schema_mode = rfc2307 >> idmap config DOMAIN:range = 10000-99999 >> >> # Use template settings for login shell and home >> directory >> winbind nss info = template >> template shell = /nfs/homes/%U/.default_shell >> template homedir = /nfs/homes/%U >> >> Though as you seem to be using uidNumber & gidNumber >> attributes, >> you could also store the loginShell and unixHomedir in AD >> as well. 
>> Rowland
>>
>> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>>
>> It will be easy to create the .default_shell for each user using a simple script I can run on a machine that has power broker, but I am wondering what others have done to allow users to pick their shell using samba to authenticate?
>> What are the downsides of doing it the way I did it?
>>
>> Is there a way to use the loginShell provided by rfc2307 that I haven't found documented in samba?
>>
>> I'm using samba version 4.1.6 if that makes a difference. I could probably find a way to upgrade if there is support in newer versions.
>>
>> -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>> Samba AD as standard comes with the ability to add RFC2307 attributes to a user or group (see here for more info: https://www.ietf.org/rfc/rfc2307.txt)
>> What this means is, if you give a user a uidNumber and at least 'Domain Users' a gidNumber, then the user will become visible on a Unix domain member (aka Unix workstation).
>> If you study the list of attributes on the link above, you will find that there are more attributes available, amongst them are loginShell and homeDirectory. The first is where you can store the user's login shell (obviously), but there is a problem with the second, AD already has an attribute with the same name to store the user's windows home directory path, so this became unixHomeDirectory and is where you can store the user's Unix home directory.
>> If you require more info on the RFC2307 attributes, please ask.
>>
>> Now, as for the 'idmap config' block and which to use, this is down to the sysadmin (i.e. you) and is based on what you require.
>> There are several backends available, but only two are regularly used, the 'ad' and 'rid' backends. Let's deal with the 'rid' backend first, this is used if you don't want (or need) to add RFC2307 attributes to AD. Your users & groups will be mapped to a number inside the range you set, i.e. idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the IDs from the user/group RID and as long as you use the same 'idmap config' block on every Unix machine, you will get the same Unix ID on every Unix machine. The downside is that you cannot set individual homedirs & shells for users and will have to use the template lines in smb.conf.
>>
>> The 'ad' backend is different, it uses the RFC2307 attributes for the user/group IDs, this does of course mean that you have to add a uidNumber attribute containing a unique number to any users that you need to be visible to Unix *and* add a gidNumber to Domain Users at least. These numbers must be inside the range you set in smb.conf, any numbers outside the range will be ignored.
>> You can go further with the 'ad' backend, you can add the loginShell attribute containing the user's shell (/bin/bash for instance), you can also add the unixHomeDirectory attribute containing the path to the user's home directory. To use these, you would also need to have the line 'winbind nss info = rfc2307' in smb.conf. If you don't want to add these further attributes, you can add 'winbind nss info = template' instead and also add the template lines.
>>
>> You need these lines in smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> These lines are where Samba will store the mappings for the builtin users & groups, without these, it is very unlikely Samba will work correctly.
>>
>> Again, any questions, please ask.
>> Rowland
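An added example that is not part of the thread: a small Python check, following the range advice above, that parses the 'idmap config' lines of an smb.conf, flags a missing tdb default and sub-1000 or overlapping ranges, and lists which uidNumber/gidNumber values winbind would ignore because they fall outside the domain range (the failure mode where 'wbinfo -u' lists a user but 'getent passwd' does not). The smb.conf fragment and the ID values are constructed samples, not the poster's.

```python
# Added example (not from the thread): validate an smb.conf idmap layout and
# report the AD uidNumber/gidNumber values winbind would ignore as out of range.
import re

# Constructed sample fragment using the ranges recommended in the thread.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 10000-99999
"""
# Constructed sample uidNumber/gidNumber values as they might be set in AD.
SAMPLE_IDS = [999, 10000, 10042, 99999, 100500]

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M | re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg

def parse_range(text):
    """'10000-99999' -> (10000, 99999)."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_layout(cfg):
    """Return a list of problems with the idmap layout (empty means OK)."""
    problems = []
    if cfg.get("*", {}).get("backend", "").lower() != "tdb":
        problems.append("no 'idmap config * : backend = tdb' for BUILTIN/local IDs")
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    doms = list(ranges)
    for i, a in enumerate(doms):
        if ranges[a][0] < 1000:
            problems.append(f"range for '{a}' starts below 1000")
        for b in doms[i + 1:]:  # overlapping ranges make ID ownership ambiguous
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for '{a}' and '{b}' overlap")
    return problems

def invisible_ids(cfg, domain, ids):
    """IDs winbind will ignore because they fall outside the domain's range."""
    lo, hi = parse_range(cfg[domain]["range"])
    return sorted(n for n in ids if not lo <= n <= hi)
```

Run `check_layout(parse_idmap(open("/etc/samba/smb.conf").read()))` on a real member server, and feed `invisible_ids` the uidNumber/gidNumber values pulled from AD, to spot the mismatch before users report missing accounts.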