I don't see the difference, I think it's all how you interpret it.
( sorry about the spelling errors.. )

For example

> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone
Which is exactly what I want.

> wbinfo does not show system users..
which is also exactly what I want.

> wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).
Again exactly what I want.

> I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system it
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which access to the share).
> With domains there is also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind
Yeah, that sucks.. well, don't think in Samba system users.

> Samba's system users (users from Samba usable on system side,
> here the system it
> the one hosting Samba, the server system),
> Samba users (Samba internal users) and
> client system users (system users which access to the share).

You have "local" users/groups, per server/client (adduser username)
You have "Domain" users/groups, per domain
You have "mapped users", I call them.
And last, you have "local system users". ( UID lower than 1000 )

Based on this example :

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config DOMAINNAME: backend = ad
idmap config DOMAINNAME: schema_mode = rfc2307
idmap config DOMAINNAME: range = 10000-3999999

A local user, any user UID lower than 2000

A domain user
idmap config DOMAINNAME : range = 10000-3999999

A mapped user is a local user with its UID in the * range.
(idmap config * : range = 2000-9999 )

If you want any local users to be mapped to Samba, change :
(idmap config * : range = 1000-9999 )

And I don't advise "local system users" to be mapped.

Any can access shares, but it all depends on your setup.
I think you make an easy thing a hard one, probably due to the setup
you're having. I'm not saying your setup is bad or wrong, but maybe too complex
or not well thought about. I spent about a year testing and configuring
and testing for a good base setup, and here it all starts, I started at
least 10 times over, because I forgot a "thing/process" running on a server
and which users and/or groups should be able to access it.

It's pretty simple: only use "domain users" when you have a domain.
And only use local users for local needs.
I only have 1 user on my Linux server for administering the server.
And I also gave some domain users access to a local server.
You can add a domain user to a local group if your setup is working
correctly.

System users are just to run processes/services on the server, and/or for
administering the server.

So sorry, but I don't see the problem you're having.

I do the same in Samba 4 as I did in Samba 3 and more.
And this all looks normal to me.

But ...
I do agree, there should be more examples of how things work with these users.
And some examples of when you, for example, use a "mapped" user, or a local
user etc.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Tuesday 8 December 2015 14:56
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba4 ad dc with Centos7
>
> That's what I thought, and why I told there is no enumeration for system
> users.
> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone). But wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).
>
> I insist because after months spent here and years with Samba I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system it
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which access to the share).
> With domains there is also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind
> or sssd or nslcd).
>
> Just my 2 cents, best regards,
>
> mathias
>
> 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> > On the DC, when I run
> > getent passwd I only see my Linux users.
> > getent passwd username shows the AD user.
> > Same for the groups.
> >
> > Greetz,
> > Louis
> >
> > From: Marcio Costa [mailto:marciofoz at gmail.com]
> > Sent: Tuesday 8 December 2015 14:35
> > To: L.P.H. van Belle
> > Subject: Re: [Samba] Samba4 ad dc with Centos7
> >
> > Hi!
> > If you run 'getent passwd', do you see all the users (ad+local) or only
> > local users ?
> >
> > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
> >
> > Well, that's wrong, when I do the following.
> > wbinfo -u I get all my users.
> > wbinfo -g I get all my groups
> > getent passwd username I get my user:UID:GID:NAME:homedir:shell
> > id username gives also the correct info.. (uid= .. gid= ) groups etc..
> >
> > And I use winbind on a DC. ( samba 4.2.5 sernet on debian wheezy )
> >
> > Greetz,
> > Louis
> >
> > From: mathias dufresne [mailto:infractory at gmail.com]
> > Sent: Tuesday 8 December 2015 14:11
> > To: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Samba4 ad dc with Centos7
> >
> > I believe there is no enumeration allowed by default whatever you use to
> > generate system users from AD (winbind, sssd or nslcd).
> >
> > Cheers,
> > mathias
> >
> > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> >
> > Hai,
> > Few things.
> >
> > > idmap gid = 1000-9999999
> > Did you also change the start GID in the AD?
> > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
> >
> > > "getent group" and "getent passwd"
> > On a DC, use : getent group "domain users"
> > shows only the group name + GID.
> >
> > Your setup looks almost good, I'm only missing something like :
> >
> > ## map id's outside to domain to tdb files.
> > ## map ids from the domain and (*) the range may not overlap !
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> >
> > Greetz,
> > Louis
> >
> > > -----Original Message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> > > Sent: Tuesday 8 December 2015 13:28
> > > To: samba at lists.samba.org
> > > Subject: [Samba] Samba4 ad dc with Centos7
> > >
> > > Hello, I may have a problem with winbind setup.
> > >
> > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> > > -with getent group "Domain Users" and getent passwd "remote_user" I can
> > > see the info about the specific group and specific user.
> > > -with getent group and getent passwd I only see my local group/users.
> > >
> > > -I believe that using "getent group" and "getent passwd" I must see all
> > > users, right ?
> > >
> > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> > > -ps auxf shows me:
> > > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> > > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > >
> > > -ls /lib64
> > > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > > -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
> > >
> > > -/etc/nsswitch.conf
> > > passwd: files winbind
> > > shadow: files winbind
> > > group: files winbind
> > >
> > > -smb.conf
> > > [global]
> > > workgroup = INTRANET
> > > realm = INTRANET.UNV
> > > netbios name = ITU
> > > server role = active directory domain controller
> > > dns forwarder = 10.2.3.4
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > idmap config INTRANET:backend = ad
> > > idmap config INTRANET:schema_mode = rfc2307
> > > idmap config INTRANET:range = 10000-9999999
> > >
> > > idmap uid = 10000-9999999
> > > idmap gid = 1000-9999999
> > >
> > > # Use settings from AD for login shell and home directory
> > > winbind nss info = rfc2307
> > >
> > > winbind use default domain = yes
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > >
> > > I appreciate any help about this issue.
> > > Thank you.
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
The "troubleshoot Note" in the Samba Wiki ( https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands ) must be performed only when setting up Samba as an AD member, not when setting it up as an AD DC ??

2015-12-08 12:54 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
AD DC do not need AD users available from system side. Make "getent" able to retrieve AD users is to make AD users available from system side. By "make AD users available from system side" I mean you can use AD users as system users locally declared into /etc/passwd. AD DC can be fully managed using root account. When a Samba command need to authenticate (obviously with some AD user having access to Samba AD resource aimed) these commands should come with authentication switch (--user or -U or --kerberos...) to authenticate these commands with some AD user rather than local root account (which is unknown from AD, it's local). With my little experience of Samba AD I'd say the only bad point not having getent working on AD DC is ACLs in your Sysvol won't be showing user names and group names but UID and GID. 2015-12-08 17:03 GMT+01:00 Marcio Costa <marciofoz at gmail.com>:> The "troubleshoot Note" in Samba Wiki ( > > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands > ) > must be performed only when setup Samba as an AD Member, not when setup as > an AD/DC ?? > > > 2015-12-08 12:54 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>: > > > I dont see the difference, i think its all how you interper it. > > ( sorry about the spelling errors.. ) > > > > For example > > > wbinfo can get a whole list of all Samba users (I believe it can do > that > > > with AD or NT4 or standalone > > Which is exact what i want. > > > > > wbinfo does not show system users.. > > which is also exact what i want. > > > > > wbinfo does not show system users, it > > > shows Samba users which can become system users once they are > transformed > > > (with pam tools as winbind, sssd or nslcd). > > Again exact what i want. 
> > > > > I feel > > > confusion (for me and for some users of that mailing list) between > > Samba's > > > system users (users from Samba usable on system side, here the system > it > > > the one hosting Samba, the server system), Samba users (Samba internal > > > users) and client system users (system users which access to the > share). > > > With domains there is also system users built from the domain (Windows > > > system users SAMDOM\my-user or Linux user from AD/NT4 built with > winbind > > > > Yeah, that sucks.. wel, dont think in samba system users. > > > > > Samba's system users (users from Samba usable on system side, > > >here the system it > > >the one hosting Samba, the server system), > > >Samba users (Samba internal users) and > > >client system users (system users which access to the share). > > > > You have "local" users/groups, per server/client (adduser username) > > You have "Domain" users/groups, per domain > > You have "mapped users" i call them. > > And last, you have "local system users". ( UID lower than 1000 ) > > > > Based on this example : > > > > ## map id's outside to domain to tdb files. > > idmap config * : backend = tdb > > idmap config * : range = 2000-9999 > > ## map ids from the domain and (*) the range may not overlap ! > > idmap config DOMAINNAME: backend = ad > > idmap config DOMAINNAME: schema_mode = rfc2307 > > idmap config DOMAINNAME: range = 10000-3999999 > > > > > > A local user, any user UID lower than 2000 > > > > A domain user > > idmap config DOMAINNAME : range = 10000-3999999 > > > > A mapped user, is a local user with its UID in the * range. > > (idmap config * : range = 2000-9999 ) > > > > if you want any local users to be mapped to samba, change : > > (idmap config * : range = 1000-9999 ) > > > > And i dont advice to map "local system users" to be mapped. > > > > Any can access shares, but all depending on your setup. > > I think you make an easy thing a hard one and probely due to the setup > > your having. 
I'm not saying you setup is bad or wrong, but maybe to > complex > > or not well thought about. I spent about a year testing and configureing > > and testing for a good base setup, and here it all starts, i started at > > least 10 times over, because i forgot a "thing/process" running on a > server > > and which users and/group should be able to access it. > > > > Its pretty simple, only use "domain users" when when you have a domain. > > And only use local users for local needs. > > I only have 1 user on my linux server for administring the server. > > And i gave also some of domain users access to a local server. > > You can add an domain user to a local group if you setup is working > > correct. > > > > System users are just to run processes/services on the server, and/or for > > Administering the server. > > > > So sorry, but i dont see the problem your having. > > > > I do the same in samba 4 as i did in samba 3 and more. > > And this all looks to me normal. > > > > But ... > > i do agree, there should be more examples how things work with these > users. > > And some examples when you for example use a "mapped" user, of a local > > users etc. > > > > > > > > Greetz, > > > > Louis > > > > > > > > > > > > > -----Oorspronkelijk bericht----- > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens mathias > > dufresne > > > Verzonden: dinsdag 8 december 2015 14:56 > > > Aan: samba at lists.samba.org > > > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > That's what I thought, and why I told there is no enumeration for > system > > > users. > > > wbinfo can get a whole list of all Samba users (I believe it can do > that > > > with AD or NT4 or standalone). But wbinfo does not show system users, > it > > > shows Samba users which can become system users once they are > transformed > > > (with pam tools as winbind, sssd or nslcd). 
> > > > > > I insist because after months spent here and years with Samba I feel > > > confusion (for me and for some users of that mailing list) between > > Samba's > > > system users (users from Samba usable on system side, here the system > it > > > the one hosting Samba, the server system), Samba users (Samba internal > > > users) and client system users (system users which access to the > share). > > > With domains there is also system users built from the domain (Windows > > > system users SAMDOM\my-user or Linux user from AD/NT4 built with > winbind > > > or > > > sssd or nslcd). > > > > > > Just my 2 cents, best regards, > > > > > > mathias > > > > > > > > > 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>: > > > > > > > On the DC, when i run > > > > > > > > getent passwd i only see my linux users. > > > > > > > > getent passwd username shows the ad user. > > > > > > > > > > > > > > > > Same for the groups > > > > > > > > > > > > > > > > Greetz, > > > > > > > > > > > > > > > > Louis > > > > > > > > > > > > > > > > > > > > > > > > > > > > Van: Marcio Costa [mailto:marciofoz at gmail.com] > > > > Verzonden: dinsdag 8 december 2015 14:35 > > > > Aan: L.P.H. van Belle > > > > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > > > > > > > > > > > > > > > Hi! > > > > If you run 'getent passwd', do you see all the users (ad+local) or > only > > > > local users ? > > > > > > > > > > > > > > > > > > > > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>: > > > > > > > > Wel, thats wrong, when i to the following. > > > > > > > > > > > > > > > > wbinfo –u i get all my users. > > > > > > > > wbinfo –g i get all my groups > > > > > > > > getent passwd username i get my user:UID:GID:NAME:homedir:shel > > > > > > > > id username gives also the correct info.. (uid= .. gid= ) groups > > > etc.. > > > > > > > > > > > > > > > > And i use winbind on a DC. 
> > > > ( samba 4.2.5 sernet on debian wheezy )
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > > From: mathias dufresne [mailto:infractory at gmail.com]
> > > > Sent: Tuesday, 8 December 2015 14:11
> > > > To: L.P.H. van Belle
> > > > CC: samba at lists.samba.org
> > > > Subject: Re: [Samba] Samba4 ad dc with Centos7
> > > >
> > > > I believe there is no enumeration allowed by default whatever you use to
> > > > generate system users from AD (winbind, sssd or nslcd).
> > > >
> > > > Cheers,
> > > >
> > > > mathias
> > > >
> > > > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> > > > Hai,
> > > >
> > > > Few things.
> > > >
> > > > > idmap gid = 1000-9999999
> > > > did you also change the start GID in the AD?
> > > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
> > > >
> > > > > "getent group" and "getent passwd"
> > > > On a DC, use : getent group "domain users"
> > > > shows only the group name + GID.
> > > >
> > > > You setup looks almost good, im only missing something like :
> > > >
> > > > ## map id's outside to domain to tdb files.
> > > > ## map ids from the domain and (*) the range may not overlap !
> > > > idmap config * : backend = tdb
> > > > idmap config * : range = 2000-9999
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> > > > > Sent: Tuesday, 8 December 2015 13:28
> > > > > To: samba at lists.samba.org
> > > > > Subject: [Samba] Samba4 ad dc with Centos7
> > > > >
> > > > > Hello, I may have a problem with winbind setup.
> > > > >
> > > > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> > > > > -with getent group "Domain Users" and getent passwd "remote_user" I can
> > > > > see the info about the specific group and specific user.
> > > > > -with getent group and getent passwd I only see my local group/users.
> > > > >
> > > > > -I believe that using "getent group" and "getent passwd" I must see all
> > > > > users, right ?
> > > > >
> > > > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> > > > > -ps auxf show me:
> > > > > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> > > > > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > > > > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > > > > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > >
> > > > > -ls /lib64
> > > > > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > > > > -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
> > > > >
> > > > > -/etc/nsswitch.conf
> > > > > passwd: files winbind
> > > > > shadow: files winbind
> > > > > group: files winbind
> > > > >
> > > > > -smb.conf
> > > > > [global]
> > > > > workgroup = INTRANET
> > > > > realm = INTRANET.UNV
> > > > > netbios name = ITU
> > > > > server role = active directory domain controller
> > > > > dns forwarder = 10.2.3.4
> > > > > idmap_ldb:use rfc2307 = yes
> > > > >
> > > > > idmap config INTRANET:backend = ad
> > > > > idmap config INTRANET:schema_mode = rfc2307
> > > > > idmap config INTRANET:range = 10000-9999999
> > > > >
> > > > > idmap uid = 10000-9999999
> > > > > idmap gid = 1000-9999999
> > > > >
> > > > > # Use settings from AD for login shell and home directory
> > > > > winbind nss info = rfc2307
> > > > >
> > > > > winbind use default domain = yes
> > > > > winbind enum users = yes
> > > > > winbind enum groups = yes
> > > > >
> > > > > I appreciate any help about this issue.
> > > > > Thank you.
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions: https://lists.samba.org/mailman/options/samba
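A small checker for the point Louis makes above: the `*` range and the domain range must not overlap, and neither should reach down into local system ids. This is an added example, not code from the thread or from Samba; it parses only the `idmap config ... : range` lines, uses the idmap lines Marcio posted as constructed sample input, and assumes (as Louis does) that ids below 1000 belong to local system accounts.

```python
import re

# "idmap config DOMAIN : range = LOW-HIGH"; spaces around ':' are optional in smb.conf.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)", re.I)
# The old global "idmap uid"/"idmap gid" parameters, superseded by "idmap config * : range".
LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*\d+\s*-\s*\d+", re.I)

# Constructed sample: the idmap lines from the smb.conf Marcio posted.
MARCIO_CONF = """
    idmap config INTRANET:backend = ad
    idmap config INTRANET:range = 10000-9999999
    idmap uid = 10000-9999999
    idmap gid = 1000-9999999
"""
# Constructed: the same config with Louis's '*' backend added and the legacy lines dropped.
FIXED_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config INTRANET : backend = ad
    idmap config INTRANET : range = 10000-9999999
"""
# Constructed: a '*' range that reaches into local system ids and overlaps the domain range.
BAD_CONF = FIXED_CONF.replace("range = 2000-9999", "range = 500-20000")


def parse_idmap_ranges(conf: str) -> dict[str, tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        if m := RANGE_RE.match(line):
            ranges[m.group("dom").upper()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_idmap(conf: str, local_max_id: int = 999) -> list[str]:
    """Return the problems found; an empty list means the ranges look sane."""
    problems = []
    ranges = parse_idmap_ranges(conf)
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' for BUILTIN and unknown domains")
    for dom, (lo, hi) in ranges.items():
        if lo <= local_max_id:
            problems.append(f"{dom}: range starts at {lo}, inside local system ids (<= {local_max_id})")
    items = sorted(ranges.items())
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    problems += [f"legacy parameter: {l.strip()}" for l in conf.splitlines() if LEGACY_RE.match(l)]
    return problems
```

Running `check_idmap` on Marcio's lines reports the missing `*` range and the two legacy parameters; the fixed config reports nothing.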
Hai, Marcio, below pointed a thing ..

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands

This looks wrong to me.

Using domain accounts/groups in OS commands
administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash

We should not use administrator as example...
In this example we now have 2 ! administrators
Administrator UID=0 ( on the DC )
Administrator UID=1000 ( on the Member )

Very confusing.

Can anyone explain why administrator is abused here and meanwhile we are telling not to give Administrator a UID ?

What now happens, people do configure administrator with uid.. what if you now want to login and you have your home dir shared over nfs.
=>> error... inaccessible home dir.

Greetz,

Louis

From: Marcio Costa [mailto:marciofoz at gmail.com]
Sent: Tuesday, 8 December 2015 17:04
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba4 ad dc with Centos7

The "troubleshoot Note" in Samba Wiki (https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands) must be performed only when setup Samba as an AD Member, not when setup as an AD/DC ??
On 09/12/15 10:43, L.P.H. van Belle wrote:
> Hai, Marcio, below pointed a thing ..
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands
>
> This looks wrong to me.
>
> Using domain accounts/groups in OS commands
> administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
>
> We should not use administrator as example...
> In this example we now have 2 ! administrators
> Administrator UID=0 ( on the DC )
> Administrator UID=1000 ( on the Member )
>
> Very confusing.
>
> Can anyone explain why administrator is abused here and meanwhile we are telling not to give Administrator a UID ?
The problem is that there are two ways to use the windows user 'Administrator' on a Unix machine. You can map 'Administrator' to the Unix user 'root' via a line in smb.conf and a mapping file; this is the easiest way. You can also give the 'Administrator' user a uidNumber; this turns it into a normal Unix user and further setup is required to allow this user to work as the root user, something that in essence gives you two 'root' users and is probably not a good idea.

I will think how to edit the page. I do not think giving a uidNumber to 'Administrator' is a good idea and probably the wiki shouldn't show it.

Rowland

> What now happens, people do configure administrator with uid.. what if you now want to login and you have your home dir shared over nfs.
> =>> error... inaccessible home dir.