On 30 January 2016 at 23:16, Rowland penny <rpenny at samba.org> wrote:

> On 30/01/16 11:55, Henry McLaughlin wrote:
>
>> root@aphrodite:~# getent passwd administrator
>>
>
> On a domain member this is quite correct, what you are missing from your
> smb.conf is something like this line:
>
> username map = /etc/samba/samba_usermapping
>
> with 'samba_usermapping' containing:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> NOTE: replace 'SAMDOM' with your domain name.
>
> Try adding a user with a uidNumber (probably containing 10000 as this
> would seem to be your first real user) and ensure Domain Users has a
> gidNumber (you can again use 10000)
>
> Rowland
>

Thanks Rowland (once again)

With the usermapping in the smb.conf file and its associated file there are still no domain accounts returned from getent (user or group).

Regarding UIDs & GIDs, I understood the advantage of using RID was that there were no UIDs or GIDs required as they are calculated on the run based upon SID. Accordingly, do I still need to add them as I am using RID?

>> root@aphrodite:~# wbinfo -u
>> administrator
>> krbtgt
>> guest
>>
>>
>> root@aphrodite:~# cat /etc/samba/smb.conf
>> [global]
>>
>> netbios name = APHRODITE
>> security = ADS
>> workgroup = DOMAIN
>> realm = AD.DOMAIN.COM.AU
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = yes
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> # Important: The ranges of the default (*) idmap config
>> # and the domain(s) must not overlap!
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain DOMAIN
>> idmap config DOMAIN:backend = rid
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /sbin/bash
>> template homedir = /home/%U
>> root@aphrodite:~#
>>
>>
>> root@aphrodite:~# cat /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed,
>> try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>>
>> hosts: files dns
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>> root@aphrodite:~#
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 30/01/16 21:01, Henry McLaughlin wrote:

> On 30 January 2016 at 23:16, Rowland penny <rpenny at samba.org> wrote:
>
>
> Thanks Rowland (once again)
>
> with the usermapping in the smb.conf file and its associated file there
> are still no domain accounts returned from getent (user or group)

The root usermapping has nothing to do with getent, but you need it on a domain member to change file & directory ACLs from a Windows machine.

> Regarding UIDs & GIDs I understood the advantage of using RID was that
> there were no UIDs or GIDs required as they are calculated on the run based
> upon SID. Accordingly do I still need to add them as I am using RID ?

No, I was in a rush to go somewhere and missed the word 'rid', sorry :-)

But getent still won't show anything for the users you posted, i.e. Administrator, krbtgt and guest; they come under the heading of builtin users and will be mapped to numbers from the range '2000-9999' and as such will not be shown by getent.

Try adding a new domain user. This user should get a RID of 1000 or above; the idmap_rid backend should calculate the user's UID from 'ID = RID - BASE_RID + LOW_RANGE_ID', so if his RID is 1000, this becomes:

ID = 1000 - 0 + 10000
ID = 11000

This is what 'getent passwd domainuser' should return. There is however another gotcha: the later versions (I forget at which version it started from) of Samba do not return any domain users if you just run 'getent passwd'; you must ask for the user by name, i.e. 'getent passwd domainuser'

Rowland

On 31 January 2016 at 08:32, Rowland penny <rpenny at samba.org> wrote:

> On 30/01/16 21:01, Henry McLaughlin wrote:
>
>> On 30 January 2016 at 23:16, Rowland penny <rpenny at samba.org> wrote:
>>
>>
>> Thanks Rowland (once again)
>>
>> with the usermapping in the smb.conf file and its associated file there
>> are still no domain accounts returned from getent (user or group)
>>
>
> The root usermapping has nothing to do with getent, but you need it on a
> domain member to change file & directory ACLs from a Windows machine.
>
>
>> Regarding UIDs & GIDs I understood the advantage of using RID was that
>> there were no UIDs or GIDs required as they are calculated on the run
>> based
>> upon SID. Accordingly do I still need to add them as I am using RID ?
>>
>
> No, I was in a rush to go somewhere and missed the word 'rid', sorry :-)
> But getent still won't show anything for the users you posted, i.e.
> Administrator, krbtgt and guest; they come under the heading of builtin
> users and will be mapped to numbers from the range '2000-9999' and as such
> will not be shown by getent.
>
> Try adding a new domain user. This user should get a RID of 1000 or above;
> the idmap_rid backend should calculate the user's UID from 'ID = RID -
> BASE_RID + LOW_RANGE_ID', so if his RID is 1000, this becomes:
>
> ID = 1000 - 0 + 10000
> ID = 11000
> This is what 'getent passwd domainuser' should return. There is however
> another gotcha: the later versions (I forget at which version it started
> from) of Samba do not return any domain users if you just run 'getent
> passwd'; you must ask for the user by name, i.e. 'getent passwd domainuser'
>
> Rowland
>

Still no success:

root@aphrodite:~# wbinfo -u
henry
administrator
krbtgt
guest
root@aphrodite:~# getent passwd henry
root@aphrodite:~# id henry
id: henry: no such user
root@aphrodite:~#