samba - Jun 2016 - Samba4 Domain Member Server "Getent show diferents UID"

On 15/06/16 14:49, Juan Ignacio wrote:
> Are there any test I can do to see if need to configure something in 
> the member server?
>
If you have set up a domain member as show here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

If you have given your users a uidNumber attribute and 'Domain Users' a 
gidNumber attribute, 'getent passwd username' should display info for 
each user. If you do not info for any users, check that libnss-winbind 
is setup correctly.

Rowland

The UID of the users in the command output: "getent passwd" remain
different in the member server.
I give to the user uanaco a gid and a uid throw RSAT.

root at memberserver:/usr/local/samba/etc# getent passwd | less
uanaco:*:100642:100008:uanaco:/home/ADSERVER/uanaco:/bin/false

There is a service besides winbindd need to be running on the member server?

I'm currently running all manually, "nmbd, smbd, samba, winbindd"
The startup script here I did not work properly on Debian.

https://wiki.samba.org/index.php/Samba4/InitScript

How can we verify that the AD Domain Controller is using the RFC2307
attribute correctly?

How can we verify that the Member server is using the RFC2307 attribute and
receiving data?

I remember seeing configured correctly and from windows UIDs can be added
without problem, so I think the ADDC is doing its job well.

Thanks

2016-06-15 12:54 GMT-03:00 Rowland penny <rpenny at samba.org>:
> On 15/06/16 14:49, Juan Ignacio wrote:
>
>> Are there any test I can do to see if need to configure something in
the
>> member server?
>>
>>
> If you have set up a domain member as show here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> If you have given your users a uidNumber attribute and 'Domain
Users' a
> gidNumber attribute, 'getent passwd username' should display info
for each
> user. If you do not info for any users, check that libnss-winbind is setup
> correctly.
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 15/06/16 18:55, Juan Ignacio wrote:
> The UID of the users in the command output: "getent passwd"
remain
> different in the member server.
> I give to the user uanaco a gid and a uid throw RSAT.
OK, this is me on a DC:

root at dc2:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

and this is me an a domain member:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I have added the required RFC2307 attributes to my AD object and 
libnss_winbind is setup correctly.
>
> root at memberserver:/usr/local/samba/etc# getent passwd | less
> uanaco:*:100642:100008:uanaco:/home/ADSERVER/uanaco:/bin/false
>
> There is a service besides winbindd need to be running on the member 
> server?
>
> I'm currently running all manually, "nmbd, smbd, samba,
winbindd"
> The startup script here I did not work properly on Debian.
You should not be running all of them on a domain member, turn off 
'samba', this should only be run on a DC and this will start any other 
required binaries.
>
> https://wiki.samba.org/index.php/Samba4/InitScript
Download the debian samba packages and extract the 'smbd',
'nmbd' and
'winbindd' init scripts, now alter the paths in them to match where your
Samba binaries are.
>
> How can we verify that the AD Domain Controller is using the RFC2307 
> attribute correctly?
>
> How can we verify that the Member server is using the RFC2307 
> attribute and receiving data?
If every thing is set up correctly, you should get the same IDs 
everywhere on Linux, see above, if you are not getting the same UIDs on 
DCs & domain members, then it sounds like something is incorrectly set up.

You say that you gave your user a uidNumber, is this number inside the 
domain range in the domain member smb.conf, the relevant line in my 
smb.conf is:

  idmap config SAMDOM : range = 10000-999999

if it isn't, it will be ignored.

Have you given the 'Domain Users' group a gidNumber attribute, if not, 
all Unix users will be ignored, again, this number needs to be inside 
the range.

Can you run 'pam-auth-update' on the domain member and post the result.

Rowland