I always wondered why one would reserve 8000 IDs for built-in accounts. I see
~40 built-in groups in ADUC and 2 such users (Administrator and Guest)...
Ole
On 07.12.2015 at 17:27, Rowland penny wrote:
> On 07/12/15 16:08, Nico De Ranter wrote:
>>
>> I'm coming from a Debian system so my system accounts are below 1000,
>> regular accounts start at 1000. For some historical reason somebody
>> gave our main group id 500, so therefore I want my usable range to
>> start at 500.
>
> Bad idea, you will probably need at least one local Unix user, where
> are you going to put it. My advice would be to follow the Samba wiki
> and use the numbers you will find there.
>
>>
>> Do I need both idmap config *:range and idmap config SAMDOM:range?
>> I also tried with only 'idmap config *:range' but that didn't seem to
>> help. I'll try again tomorrow.
>
> Yes you do, the first is for the builtin user & group mappings and the
> second is for your AD users & groups.
>
>>
>> I also noticed that my second AD didn't have rfc2307 enabled so that
>> may also have introduced some issues.
>
> Not really, all the info should be in AD, you probably just need to
> add 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
>
> Rowland
>
>>
>> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>>
>> Nico
>>
>>
>> On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny <rpenny at samba.org
>> <mailto:rpenny at samba.org>> wrote:
>>
>> On 07/12/15 12:52, Nico De Ranter wrote:
>>
>> Hello again,
>>
>> I'm getting close to a working setup but still run into
>> glitches here and
>> there.
>>
>> I have 2 Ubuntu servers working as AD server, one Ubuntu
>> desktop with
>> winbind configured. I've set up a number of accounts with Unix
>> properties. I've been primarily testing with my own account
>> which works
>> just fine. I've now assigned Unix properties to another
>> account. When I
>> run 'wbinfo -i' on the AD server I see the correct info:
>>
>> root at dc1:~# wbinfo -i test
>> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>>
>> When I try the same thing on the client I get:
>>
>> root at testpc2:~# wbinfo -i test
>> test:*:4294967295:4294967295::/home/test:/bin/bash
>>
>> I also tried some other accounts and got the same result. The
>> only account
>> that seems to work fine is my own account (and no it is not in
>> /etc/passwd
>> :-)
>>
>> Any idea what might be wrong?
>>
>> smb.conf on the client:
>>
>> [global]
>> security = ADS
>> workgroup = OFFICE
>> realm = WIN.OFFICE
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> winbind refresh tickets = yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = yes
>>
>> client signing = yes
>> client use spnego = yes
>>
>> idmap config = ad
>> winbind nss info = rfc2307
>>
>> # Default idmap config used for BUILTIN and local
>> accounts/groups
>> idmap backend = tdb
>> idmap range = 100-499
>>
>> # idmap config for domain OFFICE
>> idmap config OFFICE : backend = ad
>> idmap config OFFICE : schema_mode = rfc2307
>> idmap config OFFICE : range = 500-29999
>>
>>
>> Your 'idmap config' block really should look like this:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10000-99999
>>
>> Also why are you using such strange ID numbers?
>>
>> Rowland
>>
>> It worked for the user with uid 1048, it doesn't work for uid
>> 1059, 1000, 9999, 10000
>>
>>
>>
>>
>> --
>> Nico De Ranter
>> Operations Engineer
>
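As an added example, not code from the thread or from Samba itself: a small Python checker that reads the 'idmap config ... : range' lines out of an smb.conf and flags the two issues Rowland raises above, a range that reaches into local Unix uids (assumed here to be everything below 1000, as on Nico's Debian-style systems), and a missing or overlapping default range. The smb.conf fragments are constructed to mirror the client config and the recommended block in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment modelled on the failing client config: both
# ranges sit below the first regular uid (1000), so they collide with local users.
CLIENT_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 100-499
   idmap config OFFICE : backend = ad
   idmap config OFFICE : schema_mode = rfc2307
   idmap config OFFICE : range = 500-29999
"""

# Constructed fragment following the recommended layout: separate, non-overlapping ranges.
RECOMMENDED_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config OFFICE : backend = ad
   idmap config OFFICE : schema_mode = rfc2307
   idmap config OFFICE : range = 10000-99999
"""
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_ranges(conf: str, local_boundary: int = 1000) -> List[str]:
    """Flag a missing default range, ranges below local_boundary, and overlaps."""
    problems: List[str] = []
    ranges = parse_idmap_ranges(conf)
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' for BUILTIN/local mappings")
    for dom, (lo, hi) in ranges.items():
        if lo < local_boundary:
            problems.append(f"{dom}: range {lo}-{hi} overlaps local Unix accounts below {local_boundary}")
    names = sorted(ranges)  # pairwise overlap test between every two domains
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for '{a}' and '{b}' overlap")
    return problems
```

Run check_idmap_ranges over the real smb.conf text before restarting winbind; an empty list means the ranges are at least consistent with each other and with local accounts.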