I have created a Samba AD-DC on a FreeBSD-10.3 host. The setup checks out and I am able to join the domain from a Win7 workstation and run the ADUC management console in RSAT. I have opened the UNIX Attributes properties tab for "Domain Admins" in the ADUC and set the unix properties.

However, I get this notice "UNIX Attributes Unwilling To Perform" and after making the changes I cannot get this test to pass:

  getent group "Domain Admins"

returns nothing.

From what I have found from searching it appears that the issue is related to settings in /etc/nsswitch.conf. However, I cannot find an authoritative reference as to what these settings should be for Samba43. Can anyone provide me with such a reference or authoritatively state what the settings should be?

The default settings for FreeBSD-10.3 in /etc/nsswitch.conf are:

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Any help with this is gratefully appreciated.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3

On 15/07/16 14:31, James B. Byrne wrote:
> I have created a Samba AD-DC on a FreeBSD-10.3 host. The setup checks out and I am able to join the domain from a Win7 workstation and run the ADUC management console in RSAT. I have opened the UNIX Attributes properties tab for "Domain Admins" in the ADUC and set the unix properties.
>
> However, I get this notice "UNIX Attributes Unwilling To Perform" and after making the changes I cannot get this test to pass:
>
>   getent group "Domain Admins"
>
> returns nothing.
>
> From what I have found from searching it appears that the issue is related to settings in /etc/nsswitch.conf. However, I cannot find an authoritative reference as to what these settings should be for Samba43. Can anyone provide me with such a reference or authoritatively state what the settings should be?
>
> The default settings for FreeBSD-10.3 in /etc/nsswitch.conf are:
>
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
> #
> group: compat
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: compat
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Any help with this is gratefully appreciated.

Well, if it was Linux, you would change:

passwd: compat
group: compat

To

passwd: compat winbind
group: compat winbind

You would also need to set up the libnss_winbind links, see here for Linux info:

https://wiki.samba.org/index.php/Libnss_winbind_links

I suspect you will require something very similar

Rowland

On 07/15/16 15:31, James B. Byrne wrote:
> getent group "Domain Admins"
>
> returns nothing.

Are you trying this on the DC itself?
I've never been able to get this working; I even think I read somewhere that it's not possible.

> From what I have found from searching it appears that the issue is related to settings in /etc/nsswitch.conf. However, I cannot find an authoritative reference as to what these settings should be for Samba43. Can anyone provide me with such a reference or authoritatively state what the settings should be?

On every other box except the DC I have it working with:

group: files winbind
passwd: files winbind

bye
av.

Reply cross-posted to FreeBSD list.

On Fri, July 15, 2016 09:31, James B. Byrne wrote:
> I have created a Samba AD-DC on a FreeBSD-10.3 host. The setup checks out and I am able to join the domain from a Win7 workstation and run the ADUC management console in RSAT. I have opened the UNIX Attributes properties tab for "Domain Admins" in the ADUC and set the unix properties.
>
> However, I get this notice "UNIX Attributes Unwilling To Perform" and after making the changes I cannot get this test to pass:
>
>   getent group "Domain Admins"
>
> returns nothing.
>
> From what I have found from searching it appears that the issue is related to settings in /etc/nsswitch.conf. However, I cannot find an authoritative reference as to what these settings should be for Samba43. Can anyone provide me with such a reference or authoritatively state what the settings should be?
>
> The default settings for FreeBSD-10.3 in /etc/nsswitch.conf are:
>
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
> #
> group: compat
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: compat
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Any help with this is gratefully appreciated.

Rowland penny rpenny at samba.org
Fri Jul 15 14:23:10 UTC 2016
>
>> Well, if it was Linux, you would change:
>>
>> passwd: compat
>> group: compat
>>
>> To
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> You would also need to set up the libnss_winbind links, see here for Linux info:
>>
>> https://wiki.samba.org/index.php/Libnss_winbind_links
>>
>> I suspect you will require something very similar
>>
>> Rowland

The FreeBSD manpage says this about nsswitch WRT compat:

  compat    support `+/-' in the ``passwd'' and ``group'' databases.
            If this is present, it must be the only source for that entry.

Likewise there are no libnss_winbind.so files of any description on the FreeBSD system. The nearest to this I could find is:

  find / -name \*libnss\*
  /usr/local/lib/samba/libnss-info-samba4.so

I think that this is a configuration issue but I cannot tell where or what I am to change to get this to work on FreeBSD. There is nothing in the FreeBSD handbook that covers setting up an AD-DC in any detail beyond the bare acknowledgement that it is possible.

I am cross-posting this to the BSD in case anyone on the BSD list reads this and has an answer specific to BSD. I would appreciate receiving the information from any source.

Thanks,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3

On 15/07/16 15:42, Andrea Venturoli wrote:
> On 07/15/16 15:31, James B. Byrne wrote:
>
>> getent group "Domain Admins"
>>
>> returns nothing.
>
> Are you trying this on the DC itself?
> I've never been able to get this working; I even think I read somewhere that it's not possible.

It works on Linux:

root at dc1:~# getent group "Domain Admins"
SAMDOM\domain admins:x:10001:

>> From what I have found from searching it appears that the issue is related to settings in /etc/nsswitch.conf. However, I cannot find an authoritative reference as to what these settings should be for Samba43. Can anyone provide me with such a reference or authoritatively state what the settings should be?
>
> On every other box except the DC I have it working with:
>
> group: files winbind
> passwd: files winbind
>
> bye
> av.

On Fri, July 15, 2016 10:56, James B. Byrne wrote:
> Reply cross-posted to FreeBSD list.
>
> On Fri, July 15, 2016 09:31, James B. Byrne wrote:
>> I have created a Samba AD-DC on a FreeBSD-10.3 host. The setup checks out and I am able to join the domain from a Win7 workstation and run the ADUC management console in RSAT. I have opened the UNIX Attributes properties tab for "Domain Admins" in the ADUC and set the unix properties.
>>
>> However, I get this notice "UNIX Attributes Unwilling To Perform" and after making the changes I cannot get this test to pass:
>>
>>   getent group "Domain Admins"
>>
>> returns nothing.
>>
>> From what I have found from searching it appears that the issue is related to settings in /etc/nsswitch.conf. However, I cannot find an authoritative reference as to what these settings should be for Samba43. Can anyone provide me with such a reference or authoritatively state what the settings should be?
>>
>> The default settings for FreeBSD-10.3 in /etc/nsswitch.conf are:
>>
>> #
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
>> #
>> group: compat
>> group_compat: nis
>> hosts: files dns
>> networks: files
>> passwd: compat
>> passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> Any help with this is gratefully appreciated.
>
> Rowland penny rpenny at samba.org
> Fri Jul 15 14:23:10 UTC 2016
>>
>>> Well, if it was Linux, you would change:
>>>
>>> passwd: compat
>>> group: compat
>>>
>>> To
>>>
>>> passwd: compat winbind
>>> group: compat winbind
>>>
>>> You would also need to set up the libnss_winbind links, see here for Linux info:
>>>
>>> https://wiki.samba.org/index.php/Libnss_winbind_links
>>>
>>> I suspect you will require something very similar
>>>
>>> Rowland
>
> The FreeBSD manpage says this about nsswitch WRT compat:
>
>   compat    support `+/-' in the ``passwd'' and ``group'' databases.
>             If this is present, it must be the only source for that entry.
>
> Likewise there are no libnss_winbind.so files of any description on the FreeBSD system. The nearest to this I could find is:
>
>   find / -name \*libnss\*
>   /usr/local/lib/samba/libnss-info-samba4.so
>
> I think that this is a configuration issue but I cannot tell where or what I am to change to get this to work on FreeBSD. There is nothing in the FreeBSD handbook that covers setting up an AD-DC in any detail beyond the bare acknowledgement that it is possible.
>
> I am cross-posting this to the BSD in case anyone on the BSD list reads this and has an answer specific to BSD. I would appreciate receiving the information from any source.
>
> Thanks,

I experimented and changed the entries in nsswitch.conf to

passwd: files winbind
group: files winbind

and things seemed to work thereafter. The combination 'group: compat winbind' definitely does not work.

If someone has a reference where this information is provided then I would be most appreciative if you could send it to me.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
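
[Added example, not part of the thread and not code from Samba or FreeBSD: a small lint for the passwd and group lines of an nsswitch.conf-style file, flagging the "compat plus another source" combination that the quoted manpage text rules out and the absence of winbind. The function names, verdict strings and sample files are constructed for illustration.]

```sh
#!/bin/sh
# Added example (not from the thread): lint the passwd/group lines of an
# nsswitch.conf-style file. check_db and check_nsswitch are hypothetical names.
# Verdicts per database:
#   ok           - winbind is listed and compat is absent
#   compat-mixed - compat listed with other sources; FreeBSD nsswitch.conf(5)
#                  says compat must be the only source for the entry
#   no-winbind   - winbind is not listed, so getent has no winbind source
#   missing      - the database has no line in the file

check_db() {  # usage: check_db FILE DATABASE
    awk -v db="$2" '
        { sub(/#.*/, "") }                     # drop comments
        $1 == (db ":") {                       # "group:" never matches "group_compat:"
            seen = 1; compat = 0; winbind = 0; n = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue       # skip criteria such as [notfound=return]
                n++
                if ($i == "compat")  compat = 1
                if ($i == "winbind") winbind = 1
            }
        }
        END {
            if (!seen)                print "missing"
            else if (compat && n > 1) print "compat-mixed"
            else if (!winbind)        print "no-winbind"
            else                      print "ok"
        }' "$1"
}

check_nsswitch() {  # usage: check_nsswitch FILE
    printf 'passwd=%s group=%s\n' \
        "$(check_db "$1" passwd)" "$(check_db "$1" group)"
}

# Constructed samples: the FreeBSD 10.3 default quoted in the thread, the
# Linux-style line that was tried, and the setting reported to work.
tmp=$(mktemp -d)
printf 'group: compat\ngroup_compat: nis\npasswd: compat\npasswd_compat: nis\n' > "$tmp/default"
printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$tmp/mixed"
printf 'passwd: files winbind\ngroup: files winbind\n' > "$tmp/working"
for f in default mixed working; do
    printf '%-8s %s\n' "$f" "$(check_nsswitch "$tmp/$f")"
done
rm -rf "$tmp"
```

[On a live host, run check_nsswitch /etc/nsswitch.conf before testing with getent.]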