> Hmm, the numbers seem extremely large, did you set this number in the
> users 'uidnumber' attribute in AD ?

How do I do this uidNumber configuration?
I'm running all services: smbd, nmbd and winbind

It's hard to run the file server as a domain member. When the file server was on the DC it was much easier.
On Thu, 11 Aug 2016 20:22:32 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> > Hmm, the numbers seem extremely large, did you set this number in
> > the users 'uidnumber' attribute in AD ?
>
> How do I do this uidNumber configuration?
> I'm running all services: smbd, nmbd and winbind
>
> It's hard to run the file server as a domain member. When the file
> server was on the DC it was much easier.
>

No, it is easy, once you understand it.

I take it you have windows clients, what version ? Hopefully win7, if so, see here on how to install RSAT:

https://wiki.samba.org/index.php/Installing_RSAT

You can then use the 'UNIX Attributes' tab in ADUC to add the required attributes.

Basically, if you join a Unix computer to an AD domain, it becomes a Unix domain member. If you then set up libnss_winbind and PAM it can connect to AD and obtain the RFC2307 attributes for a user or group. However, you have to add these, they are not created for you.

You can do this another way, which is similar to the way a Samba DC works. This is the winbind 'rid' backend and does not entail adding anything to AD. To use this backend, replace 'idmap config DOMAIN: backend = ad' with 'idmap config DOMAIN: backend = rid' and remove this line 'idmap config DOMAIN: schema_mode = RFC2307'

Clear out the cache with 'net flush cache' and then restart the Samba binaries.

Rowland
> > > Yes wbinfo shows the user but does 'getent passwd iuser' show
> > > anything ?
> >
> > # wbinfo -i iuser
> > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> >
> > # getent passwd iuser
> > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> >
> > # id iuser
> > id: iuser: no such user
>
> concentrating on the number, I missed
> '/home/DOMAIN/iuser:/bin/false'
>
> Is this on the DC ?
> and if so, what do you get if you run the same command on the fileserver ?
>
> Just to double check, are you running sssd on any of the machines ?

Rowland, the commands above were run on the file server.

I will show the output of the commands, running directly on the DC:

# wbinfo -i iuser
DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false

# getent passwd iuser

# id iuser
id: iuser: no such user

I need to configure winbind in the main DC?

The sssd service is disabled in the main DC. But in the nsswitch.conf file it is set:
passwd: files sss
shadow: files sss
group: files sss

The client stations are all Windows 10. The RSAT I have already installed on my PC.

On the file server, when I compiled the Samba package, I did not use the option: "--without-ad-dc"

When changing the backend to rid it seems to be working, as the following command does not return an error. Through Windows, by giving permission to share, I see the "Domain Admins" group:

# setfacl -R -m g:"Domain Admins":rwx /mnt/dados/

# getfacl /mnt/dados
getfacl: Removing leading '/' from absolute path names
# file: mnt/dados
# owner: root
# group: root
user::rwx
user:root:rwx
user:domain\040admins:rwx
user:ti-infra:rwx
group::r-x
group:root:r-x
group:domain\040admins:rwx
group:ti-infra:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:domain\040admins:rwx
default:user:ti-infra:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:group:ti-infra:rwx
default:mask::rwx
default:other::r-x

About RSAT on Windows 10, I cannot see the UNIX attributes options.

The smb.conf of the fileserver looked like this:

# Global parameters
[global]
netbios name = SRV16
server string = Samba4 Server
security = ADS
encrypt passwords = yes
realm = domain.local
workgroup = DOMAIN
log file = /var/log/samba/%m.log
log level = 1
#
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nss info = RFC2307
#idmap_ldb: Use
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Idmap config for domain DOMAIN
#idmap config DOMAIN: backend = ad
idmap config DOMAIN: backend = rid
#idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: range = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 2000-9999
#
guest account = guest
# guest ok=yes

[data]
comment = Folder data
path = /mnt/dados
read only = No
browseable = yes
inherit acls = Yes
inherit permissions = Yes
guest account = guest
guest ok=yes
writeable = Yes

In smb.conf of the primary DC, can I take out this line?

idmap_ldb:use rfc2307 = yes
On Fri, 12 Aug 2016 13:06:00 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> > > > Yes wbinfo shows the user but does 'getent passwd iuser' show
> > > > anything ?
> > >
> > > # wbinfo -i iuser
> > > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> > >
> > > # getent passwd iuser
> > > iuser:*:4294967295:4294967295:iuser:/home/DOMAIN/iuser:/bin/false
> > >
> > > # id iuser
> > > id: iuser: no such user
> >
> > concentrating on the number, I missed
> > '/home/DOMAIN/iuser:/bin/false'
> >
> > Is this on the DC ?
> > and if so, what do you get if you run the same command on the
> > fileserver ?
> >
> > Just to double check, are you running sssd on any of the
> > machines ?
>
> Rowland, the commands above were run on the file server.
>
> I will show the output of the commands, running directly on the DC:
>
> # wbinfo -i iuser
> DOMAIN\iuser:*:3000166:100:iuser:/home/DOMAIN/iuser:/bin/false
>
> # getent passwd iuser
>
> # id iuser
> id: iuser: no such user
>
> I need to configure winbind in the main DC?

Only if you want to use the DC as a fileserver.

> The sssd service is disabled in the main DC. But in the nsswitch.conf
> file it is set:
> passwd: files sss
> shadow: files sss
> group: files sss

If sssd isn't being used, then you might as well remove all instances of 'sss' from /etc/nsswitch.conf, if you do setup winbind, then replace 'sss' with winbind except for the 'shadow' line, this line should only have 'files'

> The client stations are all Windows 10. The RSAT I have already
> installed on my PC.
>

That is not good, you don't get the 'UNIX Attributes' tab with RSAT on windows 10, microsoft removed it.
You will have to add the Unix Attributes with a script using ldbtools, have you had any experience writing scripts ?

> On the file server, when I compiled the Samba package, I did not use
> the option: "--without-ad-dc"

I don't bother, I always compile Samba the same way, it is how you set Samba up that counts.

> When changing the backend to rid it seems to be working, as the
> following command does not return an error. Through Windows, by giving
> permission to share, I see the "Domain Admins" group:
>
> # setfacl -R -m g:"Domain Admins":rwx /mnt/dados/
>
> # getfacl /mnt/dados
> getfacl: Removing leading '/' from absolute path names
> # file: mnt/dados
> # owner: root
> # group: root
> user::rwx
> user:root:rwx
> user:domain\040admins:rwx
> user:ti-infra:rwx
> group::r-x
> group:root:r-x
> group:domain\040admins:rwx
> group:ti-infra:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:user:domain\040admins:rwx
> default:user:ti-infra:rwx
> default:group::r-x
> default:group:root:r-x
> default:group:domain\040admins:rwx
> default:group:ti-infra:rwx
> default:mask::rwx
> default:other::r-x
>
> About RSAT on Windows 10, I cannot see the UNIX attributes options.

I already mentioned the reason.

> The smb.conf of the fileserver looked like this:
>
> # Global parameters
> [global]
> netbios name = SRV16
> server string = Samba4 Server
> security = ADS
> encrypt passwords = yes
> realm = domain.local
> workgroup = DOMAIN
> log file = /var/log/samba/%m.log
> log level = 1
> #
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = Yes
> winbind nss info = RFC2307
> #idmap_ldb: Use
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> # Idmap config for domain DOMAIN
> #idmap config DOMAIN: backend = ad
> idmap config DOMAIN: backend = rid
> #idmap config DOMAIN: schema_mode = RFC2307
> idmap config DOMAIN: range = 10000-99999
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> #
> guest account = guest
> # guest ok=yes
>
> [data]
> comment = Folder data
> path = /mnt/dados
> read only = No
> browseable = yes
> inherit acls = Yes
> inherit permissions = Yes
> guest account = guest
> guest ok=yes
> writeable = Yes
>

That's better, but can I suggest you read here:

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

You will do a better job if you set the ACLs from windows.

> In smb.conf of the primary DC, can I take out this line?
>
> idmap_ldb:use rfc2307 = yes
>

No, you still need it

Rowland
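An added example, not from the thread or from Samba itself, that checks a domain member's idmap settings the way Rowland's advice implies: it reads the active 'idmap config' lines from smb.conf (ignoring the commented-out ones), flags a 'schema_mode' left over with the rid backend and overlapping ranges, and classifies a getent passwd line so that the 4294967295 ids seen above are reported as unmapped. The sample smb.conf lines are constructed from the posted config; the function names are mine.

```python
import re

# Constructed sample: the idmap lines of the file server's smb.conf posted in the thread, after the switch to rid.
SMB_CONF = """#idmap config DOMAIN: backend = ad
idmap config DOMAIN: backend = rid
#idmap config DOMAIN: schema_mode = RFC2307
idmap config DOMAIN: range = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 2000-9999
"""
UNMAPPED_ID = 4294967295  # (uint32)-1: winbind found no uid/gid for the SID
IDMAP_RE = re.compile(r'^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$')

def parse_idmap(conf):
    """Collect active 'idmap config <dom>: <key> = <val>' lines into {dom: {key: val}}."""
    cfg = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(('#', ';')):
            continue  # a commented-out setting is not active, whatever it says
        if m := IDMAP_RE.match(line):
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == 'range':
                val = tuple(int(x) for x in val.split('-'))
            cfg.setdefault(dom, {})[key] = val
    return cfg

def check_idmap(cfg):
    """List config problems: schema_mode left over with rid, and overlapping ranges."""
    problems = []
    for dom, c in cfg.items():
        if c.get('backend') == 'rid' and 'schema_mode' in c:
            problems.append(f'{dom}: schema_mode belongs to the ad backend, not rid')
    doms = [d for d in cfg if 'range' in cfg[d]]
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = cfg[a]['range'], cfg[b]['range']
            if alo <= bhi and blo <= ahi:  # the two ranges share at least one id
                problems.append(f'ranges for {a} and {b} overlap')
    return problems

def check_passwd_entry(entry, cfg, domain):
    """Judge one 'getent passwd' line: 'unmapped', 'outside-range' or 'ok'."""
    uid, gid = (int(x) for x in entry.split(':')[2:4])
    if UNMAPPED_ID in (uid, gid):
        return 'unmapped'  # e.g. ad backend but no uidNumber/gidNumber in AD
    lo, hi = cfg[domain]['range']
    if not (lo <= uid <= hi and lo <= gid <= hi):
        return 'outside-range'
    return 'ok'
```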