Lol...
I don't know.. and I did learn most from you :-P

And you have reset the idmap?

Greetz,

.. hihi...

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 16:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> On 29/01/16 15:15, L.P.H. van Belle wrote:
> > Yes, I'm sure..
> >
> > Check :
> >
> > dc1:~# samba-tool testparm -v | grep winbind
> >
> > winbind separator = \
> > winbind cache time = 300
> > winbind reconnect delay = 30
> > winbind request timeout = 60
> > winbind max clients = 200
> > winbind enum users = No
> > winbind enum groups = No
> > winbind use default domain = Yes <===
> > winbind trusted domains only = No
> > winbind nested groups = Yes
> > winbind expand groups = 4
> > winbind nss info = rfc2307
> > winbind refresh tickets = No
> > winbind offline logon = No
> > winbind normalize names = No
> > winbind rpc only = No
> > winbind max domain connections = 1
> > winbindd socket directory = /var/run/samba/winbindd
> > winbindd privileged socket directory
> /var/lib/samba/winbindd_privileged
> > winbind sealed pipes = Yes
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> >
> > If you want a copy of my complete config, let me know.
> >
>
> OK, I believe you, I wonder why it has never worked for me ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 29/01/16 15:29, L.P.H. van Belle wrote:
> Lol...
> I don't know.. and I did learn most from you :-P

I could never get a DC to use any rfc2307 attributes other than the uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'. I even created a bug report about it.

>
> And you have reset the idmap?

If you mean remove rowland's record from idmap.ldb, then no, hang on I will go and try it.

OK, back again, rowland's record never made it into idmap.ldb, so we can rule that out.

Rowland

>
> Greetz,
>
> .. hihi...
>
> Louis
>

Ah..
A misunderstanding.. I don't pull from ldap. I abuse settings.

I use UID/GID from AD, only the UID/GID, don't really care about the others.
But I do obey some rules.. I'll explain.

This on the DC:
getent passwd obell
myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash

It's a bit different on the member.
getent passwd myuser
myuser:*:10002:10000::/home/users/ myuser:/bin/bash

but ! on the member running only
getent passwd | grep myuser ( results same again as the DC )
myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash

How/why, don't really know, but it works perfectly..

And the only thing I make sure of is that the in AD the Unix in is always the same as what I set in the server.
Which means only 1 ! user homedir
And that's why I have:

template shell = /bin/bash
template homedir = /home/users/%U

All my users use homedir /home/users/%U
If you need to separate that, well then the above probably won't work.

And the users' shares/folders are well protected so nobody can walk through userdirs.. not even root, if not kerberos authenticated.

Now I'm really gone...
Beer time..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 16:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> On 29/01/16 15:29, L.P.H. van Belle wrote:
> > Lol...
> > I don't know.. and I did learn most from you :-P
>
> I could never get a DC to use any rfc2307 attributes other than the
> uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'.
> I even created a bug report about it.
> >
> > And you have reset the idmap?
>
> If you mean remove rowland's record from idmap.ldb, then no, hang on I
> will go and try it.
>
> OK, back again, rowland's record never made it into idmap.ldb, so we can
> rule that out.
>
> Rowland
>
> >
> > Greetz,
> >
> > .. hihi...
> >
> > Louis
> >

Hello!

And my DCs now the station Ids equal, in my Fileserver this way:

DC01:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

DC02:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

My Fileserver:
wbinfo -i userteste01
userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false

My smb.conf the Fileserver

[global]
netbios name = FILESERVER
workgroup = SERVERAD
#security = domain
#client schannel = no
security = ADS
realm = INTERNO.MYDOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *: backend = tdb
idmap config *: range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
idmap_ldb: use RFC2307 = Yes
winbind nss info = RFC2307
winbind trusted domains only = on
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store the attributes = Yes

I'm having doubts that way would have problems? and another on the config idmap I'm with means values "suspicious"?

Thanks,

On 29-01-2016 14:07, L.P.H. van Belle wrote:
> Ah..
> A misunderstanding.. I don't pull from ldap. I abuse settings.
>
> I use UID/GID from AD, only the UID/GID, don't really care about the others.
> But I do obey some rules.. I'll explain.
>
> This on the DC:
> getent passwd obell
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> It's a bit different on the member.
> getent passwd myuser
> myuser:*:10002:10000::/home/users/ myuser:/bin/bash
>
> but ! on the member running only
> getent passwd | grep myuser ( results same again as the DC )
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> How/why, don't really know, but it works perfectly..
>
> And the only thing I make sure of is that the in AD the Unix in is always the same as
> what I set in the server.
> Which means only 1 ! user homedir
> And that's why I have:
>
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> All my users use homedir /home/users/%U
> If you need to separate that, well then the above probably won't work.
>
> And the users' shares/folders are well protected so nobody can walk through userdirs.. not even root, if not kerberos authenticated.
>
> Now I'm really gone...
> Beer time..
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Friday 29 January 2016 16:44
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> On 29/01/16 15:29, L.P.H. van Belle wrote:
>>> Lol...
>>> I don't know.. and I did learn most from you :-P
>> I could never get a DC to use any rfc2307 attributes other than the
>> uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'.
>> I even created a bug report about it.
>>> And you have reset the idmap?
>> If you mean remove rowland's record from idmap.ldb, then no, hang on I
>> will go and try it.
>>
>> OK, back again, rowland's record never made it into idmap.ldb, so we can
>> rule that out.
>>
>> Rowland
>>
>>> Greetz,
>>>
>>> .. hihi...
>>>
>>> Louis
>>>