Lol...
I don't know.. and I did learn know most from you :-P

And you have reset the idmap?

Greetz,

.. hihi...

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 16:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> On 29/01/16 15:15, L.P.H. van Belle wrote:
> > Yes, I'm sure..
> >
> > Check :
> >
> > dc1:~# samba-tool testparm -v | grep winbind
> >
> > winbind separator = \
> > winbind cache time = 300
> > winbind reconnect delay = 30
> > winbind request timeout = 60
> > winbind max clients = 200
> > winbind enum users = No
> > winbind enum groups = No
> > winbind use default domain = Yes <===
> > winbind trusted domains only = No
> > winbind nested groups = Yes
> > winbind expand groups = 4
> > winbind nss info = rfc2307
> > winbind refresh tickets = No
> > winbind offline logon = No
> > winbind normalize names = No
> > winbind rpc only = No
> > winbind max domain connections = 1
> > winbindd socket directory = /var/run/samba/winbindd
> > winbindd privileged socket directory
> /var/lib/samba/winbindd_privileged
> > winbind sealed pipes = Yes
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >
> > If you want a copy of my complete config, let me know.
> >
>
> OK, I believe you, I wonder why it has never worked for me ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 29/01/16 15:29, L.P.H. van Belle wrote:
> Lol...
> I don't know.. and I did learn know most from you :-P

I could never get a DC to use any rfc2307 attributes other than the uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'. I even created a bug report about it.

>
> And you have reset the idmap?

If you mean remove rowland's record from idmap.ldb, then no, hang on I will go and try it.

OK, back again, rowland's record never made it into idmap.ldb, so we can rule that out.

Rowland

>
> Greetz,
>
> .. hihi...
>
> Louis

Ah..
A misunderstanding.. I don't pull from ldap. I abuse settings.
I use UID/GID from AD, only the UID/GID, don't really care about the others.
But I do obey some rules.. I'll explain.
This on the DC:
getent passwd obell
myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
It's a bit different on the member.
getent passwd myuser
myuser:*:10002:10000::/home/users/ myuser:/bin/bash
but ! on the member running only
getent passwd | grep myuser ( results same again as the DC )
myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
how/why, don't really know, but it works perfect..
and only thing I make sure is that the in AD the Unix in is always same
what I set in the server.
Which means only 1 ! user homedir
And that's why I have :
template shell = /bin/bash
template homedir = /home/users/%U
All my users user homedir /home/users/%U
If you need to separate that, well then above probably won't work.
And the users share/folders are good protected so nobody can walk through
userdirs.. not even root, if not kerberos authenticated.
Now I'm really gone...
Beer time..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 16:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> On 29/01/16 15:29, L.P.H. van Belle wrote:
> > Lol...
> > I don't know.. and I did learn know most from you :-P
>
> I could never get a DC to use any rfc2307 attributes other than the
> uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'.
> I even created a bug report about it.
> >
> > And you have reset the idmap?
>
> If you mean remove rowland's record from idmap.ldb, then no, hang on I
> will go and try it.
>
> OK, back again, rowland's record never made it into idmap.ldb, so we can
> rule that out.
>
> Rowland
>
> >
> > Greetz,
> >
> > .. hihi...
> >
> > Louis
> >

Hello!

And my DCs now the station Ids equal, in my Fileserver this way:

DC01:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

DC02:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

My Fileserver:
wbinfo -i userteste01
userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false

My smb.conf the Fileserver

[global]
netbios name = FILESERVER
workgroup = SERVERAD
#security = domain
#client schannel = no
security = ADS
realm = INTERNO.MYDOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 5000-16777216
idmap config SERVERAD : backend = rid
idmap config SERVERAD : range = 5000-33554431
idmap_ldb:use RFC2307 = Yes
winbind nss info = RFC2307
winbind trusted domains only = on
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

I'm having doubts that way would have problems? and another on the config idmap I'm with means values "suspicious"?

Thanks,

On 29-01-2016 14:07, L.P.H. van Belle wrote:
> Ah..
> A misunderstanding.. I don't pull from ldap. I abuse settings.
>
> I use UID/GID from AD, only the UID/GID, don't really care about the others.
> But I do obey some rules.. I'll explain.
>
> This on the DC:
> getent passwd obell
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> It's a bit different on the member.
> getent passwd myuser
> myuser:*:10002:10000::/home/users/ myuser:/bin/bash
>
> but ! on the member running only
> getent passwd | grep myuser ( results same again as the DC )
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> how/why, don't really know, but it works perfect..
>
> and only thing I make sure is that the in AD the Unix in is always same
> what I set in the server.
> Which means only 1 ! user homedir
> And that's why I have :
>
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> All my users user homedir /home/users/%U
> If you need to separate that, well then above probably won't work.
>
> And the users share/folders are good protected so nobody can walk through userdirs.. not even root, if not kerberos authenticated.
>
> Now I'm really gone...
> Beer time..
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Friday 29 January 2016 16:44
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> On 29/01/16 15:29, L.P.H. van Belle wrote:
>>> Lol...
>>> I don't know.. and I did learn know most from you :-P
>> I could never get a DC to use any rfc2307 attributes other than the
>> uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'.
>> I even created a bug report about it.
>>> And you have reset the idmap?
>> If you mean remove rowland's record from idmap.ldb, then no, hang on I
>> will go and try it.
>>
>> OK, back again, rowland's record never made it into idmap.ldb, so we can
>> rule that out.
>>
>> Rowland
>>
>>> Greetz,
>>>
>>> .. hihi...
>>>
>>> Louis
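
Added example, not part of any message in this thread: a small Python check that runs over the file server's posted idmap lines and the three posted `wbinfo -i` results, flagging idmap domains whose ranges intersect (Samba's documentation requires that they do not overlap) and grouping hosts by the uid/gid they report for the same account. The function names are hypothetical and the sample inputs are copied from the last message with the extraction spacing removed.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines of the file server's smb.conf posted above.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 5000-16777216
idmap config SERVERAD : backend = rid
idmap config SERVERAD : range = 5000-33554431
"""

# Constructed sample: "wbinfo -i userteste01" output per host, as posted above.
WBINFO = {
    "DC01": r"SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false",
    "DC02": r"SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false",
    "FILESERVER": "userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false",
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} from 'idmap config DOM : range = L-H' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # skip commented-out settings
            continue
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping(ranges):
    """Return sorted domain pairs whose ID ranges intersect."""
    return sorted((a, b) for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2)
                  if ra[0] <= rb[1] and rb[0] <= ra[1])

def id_mismatches(entries):
    """Group hosts by the (uid, gid) they report; empty dict when all hosts agree."""
    groups = {}
    for host, line in entries.items():
        fields = line.split(":")                   # passwd format: name:pw:uid:gid:...
        groups.setdefault((int(fields[2]), int(fields[3])), []).append(host)
    return groups if len(groups) > 1 else {}

if __name__ == "__main__":
    print("overlapping idmap ranges:", overlapping(idmap_ranges(SMB_CONF)))
    print("uid/gid per host group:", id_mismatches(WBINFO))
```

On the posted values this reports the `*` and `SERVERAD` ranges as overlapping, and shows the two DCs agreeing on 3000367:100 while the file server maps the same account to 13121:5513.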