root@aphrodite:~# getent passwd administrator
root@aphrodite:~# wbinfo -u
administrator
krbtgt
guest
root@aphrodite:~# cat /etc/samba/smb.conf
[global]
netbios name = APHRODITE
security = ADS
workgroup = DOMAIN
realm = AD.DOMAIN.COM.AU
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain DOMAIN
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-99999
# Use template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U
root@aphrodite:~#
root@aphrodite:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
root@aphrodite:~#
On 30/01/16 11:55, Henry McLaughlin wrote:
> root@aphrodite:~# getent passwd administrator

On a domain member this is quite correct, what you are missing from your
smb.conf is something like this line:

username map = /etc/samba/samba_usermapping

with 'samba_usermapping' containing:

!root = SAMDOM\Administrator SAMDOM\administrator

NOTE: replace 'SAMDOM' with your domain name.

Try adding a user with a uidNumber (probably containing 10000 as this
would seem to be your first real user) and ensure Domain Users has a
gidNumber (you can again use 10000)

Rowland
On 30 January 2016 at 23:16, Rowland penny <rpenny at samba.org> wrote:
> On 30/01/16 11:55, Henry McLaughlin wrote:
>
>> root@aphrodite:~# getent passwd administrator
>
> On a domain member this is quite correct, what you are missing from your
> smb.conf is something like this line:
>
> username map = /etc/samba/samba_usermapping
>
> with 'samba_usermapping' containing:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> NOTE: replace 'SAMDOM' with your domain name.
>
> Try adding a user with a uidNumber (probably containing 10000 as this
> would seem to be your first real user) and ensure Domain Users has a
> gidNumber (you can again use 10000)
>
> Rowland

Thanks Rowland (once again)

With the usermapping in the smb.conf file and its associated file there
are still no domain accounts returned from getent (user or group).

Regarding UIDs & GIDs, I understood the advantage of using RID was that
there were no UIDs or GIDs required as they are calculated on the run
based upon SID. Accordingly, do I still need to add them as I am using RID?