Hello!
And my DCs now the station Ids equal, in my Fileserver this way:

DC01:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

DC02:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

My Fileserver:
wbinfo -i userteste01
userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false

My smb.conf the Fileserver

[global]

netbios name = FILESERVER
workgroup = SERVERAD
#security = domain
#client schannel = no
security = ADS

realm = INTERNO.MYDOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *: backend = tdb
idmap config *: range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
idmap_ldb: use RFC2307 = Yes

winbind nss info = RFC2307
winbind trusted domains only = on
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

vfs objects = acl_xattr
map acl inherit = Yes
store the attributes = Yes

I'm having doubts that way would have problems? and another on the config idmap I'm with means values "suspicious"?

Thanks,

On 29-01-2016 14:07, L.P.H. van Belle wrote:
> Ah..
> A misunderstanding.. I don't pull from ldap. I abuse settings.
>
> I use UID/GID from AD, only the UID/GID, don't really care about the others.
> But I do obey some rules.. I'll explain.
>
> This on the DC:
> getent passwd obell
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> It's a bit different on the member.
> getent passwd myuser
> myuser:*:10002:10000::/home/users/ myuser:/bin/bash
>
> but ! on the member running only
> getent passwd | grep myuser ( results same again as the DC )
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> how/why, don't really know, but it works perfect..
>
> and only thing I make sure is that the in AD the Unix in is always same
> what I set in the server.
> Which means only 1 ! user homedir
> And that's why I have :
>
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> All my users user homedir /home/users/%U
> If you need to separate that, well then above probably won't work.
>
> And the users share/folders are good protected so nobody can walk through userdirs.. not even root, if not kerberos authenticated.
>
> Now I'm really gone...
> Beer time..
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Friday 29 January 2016 16:44
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> On 29/01/16 15:29, L.P.H. van Belle wrote:
>>> Lol...
>>> I don't know.. and I did learn know most from you :-P
>> I could never get a DC to use any rfc2307 attributes other than the
>> uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'.
>> I even created a bug report about it.
>>> And you have reset the idmap?
>> If you mean remove rowland's record from idmap.ldb, then no, hang on I
>> will go and try it.
>>
>> OK, back again, rowland's record never made it into idmap.ldb, so we can
>> rule that out.
>>
>> Rowland
>>
>>> Greetz,
>>>
>>> .. hihi...
>>>
>>> Louis
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

On 01/02/16 17:41, Carlos A. P. Cunha wrote:
> Hello!
> And my DCs now the station Ids equal, in my Fileserver this way:
>
> DC01:
> wbinfo -i userteste01
> SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false
>
> DC02:
> wbinfo -i userteste01
> SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false
>
> My Fileserver:
> wbinfo -i userteste01
> userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false
>
> My smb.conf the Fileserver
>
> [global]
>
> netbios name = FILESERVER
> workgroup = SERVERAD
> #security = domain
> #client schannel = no
> security = ADS
>
> realm = INTERNO.MYDOMAIN.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *: backend = tdb
> idmap config *: range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
> idmap_ldb: use RFC2307 = Yes
>

Sorry, but that will not work, the idmap ranges *must not* overlap.

Why don't you try the settings on the Samba wiki domain member page, you will need to alter your uidNumber & gidNumber attributes in AD to start from 10000, but the smb.conf on the wiki page is known to work, I know because it's mine and is running on the laptop I am typing this on.

Rowland

> winbind nss info = RFC2307
> winbind trusted domains only = on
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store the attributes = Yes
>
> I'm having doubts that way would have problems? and another on the
> config idmap I'm with means values "suspicious"?
>
> Thanks,

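Added example (not part of the thread and not Samba project code): a small checker for the rule in the reply above, that idmap ranges must not overlap, run against the `idmap config` lines posted in this thread. The function names and the `FIXED_CONF` values are assumptions made for illustration; the fixed ranges are constructed and are not the ones from the Samba wiki.

```python
import re

# smb.conf idmap lines as posted in this thread.
PAGE_CONF = """
idmap config *: backend = tdb
idmap config *: range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
"""

# Constructed non-overlapping ranges (illustrative values, not the wiki's).
FIXED_CONF = """
idmap config *: range = 3000-7999
idmap config SERVERAD: range = 10000-999999
"""

RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)

def idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every active 'idmap config ... range' line."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # skip blank lines and comments
            continue
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"inverted range for {m['dom']}: {lo}-{hi}")
            ranges[m["dom"].upper()] = (lo, hi)
    return ranges

def overlapping(ranges):
    """Return [(dom_a, dom_b, (first_shared_id, last_shared_id)), ...]."""
    found = []
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    for i, (dom_a, (lo_a, hi_a)) in enumerate(items):
        for dom_b, (lo_b, hi_b) in items[i + 1:]:
            if lo_b > hi_a:                    # sorted by low bound: no later overlap
                break
            found.append((dom_a, dom_b, (lo_b, min(hi_a, hi_b))))
    return found

if __name__ == "__main__":
    for dom_a, dom_b, (lo, hi) in overlapping(idmap_ranges(PAGE_CONF)):
        print(f"OVERLAP {dom_a} / {dom_b}: IDs {lo}-{hi} claimed by both")
```
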
Okay, but my great doubt, the problems that have different Ids?

thank you

On 01-02-2016 16:35, Rowland penny wrote:
> On 01/02/16 17:41, Carlos A. P. Cunha wrote:
>> Hello!
>> And my DCs now the station Ids equal, in my Fileserver this way:
>>
>> DC01:
>> wbinfo -i userteste01
>> SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false
>>
>> DC02:
>> wbinfo -i userteste01
>> SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false
>>
>> My Fileserver:
>> wbinfo -i userteste01
>> userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false
>>
>> My smb.conf the Fileserver
>>
>> [global]
>>
>> netbios name = FILESERVER
>> workgroup = SERVERAD
>> #security = domain
>> #client schannel = no
>> security = ADS
>>
>> realm = INTERNO.MYDOMAIN.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *: backend = tdb
>> idmap config *: range = 5000-16777216
>> idmap config SERVERAD: backend = rid
>> idmap config SERVERAD: range = 5000-33554431
>> idmap_ldb: use RFC2307 = Yes
>>
>
> Sorry, but that will not work, the idmap ranges *must not* overlap.
>
> Why don't you try the settings on the Samba wiki domain member page,
> you will need to alter your uidNumber & gidNumber attributes in AD to
> start from 10000, but the smb.conf on the wiki page is known to work,
> I know because it's mine and is running on the laptop I am typing this
> on.
>
> Rowland
>
>> winbind nss info = RFC2307
>> winbind trusted domains only = on
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store the attributes = Yes
>>
>> I'm having doubts that way would have problems? and another on the
>> config idmap I'm with means values "suspicious"?
>>
>> Thanks,