On Wed, 2 Nov 2016 22:00:57 +0000
niya levi via samba <samba at lists.samba.org> wrote:
> hi Roland
>
> > On Tue, 1 Nov 2016 11:00:15 +0000
> > niya levi via samba <samba at lists.samba.org> wrote:
> >
> >> hi everyone
> >>
> >> i have configured 2 domain controllers and a domain member
> >>
> >> the domain member is joined to the domain and
> >>
> >> ad and rfc2307 is configured for idmap backend,
> >>
> >> wbinfo returns domain builtins for groups and users on both the
> >> member servers an the dc's
> >>
> >> nsswitch.conf is configured with winbind,
> >>
> >> getent only returns local users and groups, is getent also suppose
> >> to return the builtins without me setting any unix attributes in
> >> the ad ?
> >>
> >> shadrock
> >>
> >>
> >>
> >>
> > No, getent only returns users and groups that it can find and, on a
> > unix machine, this means using either the 'rid' backend ( and
you
> > still don't get all the BUILTIN's) or the 'ad'
backend. If you use
> > the 'ad' backend, you will only get users & groups with
> > uid/gidNumbers.
> >
> > Rowland
> >
> >
> i don't think i'm explaining myself properly
>
> from my reading of setup samba as a domain member on the wiki
>
> under the section using domain accounts/groups in OS commands
>
> it shows getent groups displaying 'domain users' and 'domain
admin' in
> the list
>
> which you can then use with the chown command,
>
> neither the domain controllers or the member displays these groups
> with getent
>
> these are the idmap and winbind lines in the smb.conf on the member
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config TISSISAT:backend = ad
> idmap config TISSISAT:schema_mode = rfc2307
> idmap config TISSISAT:range = 3000000-4000000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind refresh tickets = yes
> winbind expand groups = 4
> winbind offline logon = yes
> winbind cache time = 300
> and nsswitch.conf on the domain conrollers and the member has
>
> passwd: files winbind
> group: files winbind
>
> and smb.conf on the domain controllers has
>
> idmap_ldb:use rfc2307 = yes
>
> do i need to include the winbind lines on the domain controllers ?
>
> shadrock
>
>
>
OK, lets start with a DC, if you run getent straight after the
provision of the DC, you will only get the local Unix users. To
get anything in AD, you will need to ensure that the libnss_winbind
links exist, see here:
https://wiki.samba.org/index.php/Libnss_winbind_Links
Once the links exist and 'winbind' is added to 'passwd' &
'group'
lines in /etc/nsswitch.conf , if you then run 'getent passwd
Administrator', you should get something like this:
EXAMPLE\administrator:*:0:100::/home/EXAMPLE/administrator:/bin/false
NOTE: you should only get an output like the above on a DC, never on a
domain member.
The relevant part to look at is the numbers ':0:100:' , the first
ensures that Administrator is mapped to 'root' and '100' is the
local
Unix group 'users' and 'Domain Users' is mapped to this. Both of
these
mappings are done via 'idmap.ldb'
If you then add a user and run 'getent passwd <username>' , you
will
find that the user will have an UID in the '3000000' range and their
GID will be '100'
If you then go to a domain member and setup smb.conf to use the winbind
'ad' backend, it will not matter what range you set at this point, you
will not get any output from getent for AD users. If you use the 'rid'
backend you should.
If you want to use the 'ad' backend, you will need to give any users,
that you want to be visible to Unix, a uidNumber and you must then give
Domain Users a gidNumber. You must then set the 'idmap config DOMAIN'
range in smb.conf based on these numbers i.e. if the lowest number is
10000 and the highest possible will be 20000, the range would be
'10000-20000'. The uidNumber & gidNumber attributes are not added
automatically.
If you go back to the DC and run 'getent passwd Administrator', you
should find that the group ID is now '10000' (provided you gave
Domain Users the gidNumber 10000). At this point, if run 'getent
passwd <username>' you should get back the uidNumber you set in AD
and the gidNumber should be what you set for Domain Users, you
should also get the same result on the DC.
You do not have to use the '3000000' numbers, you can use any range
you like.
If, after adding the uid/gidNumber attributes, you still get the old
numbers, try running 'net cache flush'.
If you have followed the above, you should be able to work out how to
make 'Domain Admins' visible to Unix.
See here for more info on setting up a domain member:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Finally, you should never add the 'idmap config' lines to a DC smb.conf.
Rowland