> On 9 Dec 2016, at 15:55, Rowland Penny via samba <samba at lists.samba.org> wrote: > > On Fri, 9 Dec 2016 15:23:24 +0000 > Kevin Davidson via samba <samba at lists.samba.org> wrote: > >> >>> On 9 Dec 2016, at 14:26, lingpanda101 via samba >>> <samba at lists.samba.org> wrote: >>> >>> Still no luck getting getent to retrieve user information. I have >>> uid's and gid's setup for all users I am attempting to query. >> >> >> But did you give Domain Users a gid? If you don’t do that, winbind >> and getent will not find any UNIX users (doesn’t matter if the users >> have a uid and gid within the range you’ve specified in smb.conf). >> It’s been a while since I had this problem - my memory is it’s not >> clearly mentioned in the wiki at all. >> > > It is mentioned on the wiki, to be precise here: > > https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites > > Do you think it needs more emphasis ?I think I’d move it further up the list to be the first thing listed. As all the other requirements seem obvious to a UNIX admin (UNIX users must have a shell, homedir, uid and gid) it’s easy to miss this one non-obvious requirement that a group that is meaningless to UNIX admins also needs to be changed. There’s also no warning there that the primary group of users should be left as “Domain Users” and not changed to match what the UNIX admin regards as that user’s primary group. I think I’d expect UNIX admins to be reading that section and they may have little, no or wrong knowledge of AD and AD builtin groups. Kevin Davidson Apple Certified System Administrator Technical Director t 01506 668674 m 07813 149620 w www.indigospring.co.uk indigospring (Scotland) Ltd Registered in Scotland No. SC398572 Registered office: 103 Oldwood Place, Livingston EH54 6US Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT> Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk> http://www.indigospring.co.uk/terms-and-conditions
On Fri, 9 Dec 2016 17:54:29 +0000 Kevin Davidson via samba <samba at lists.samba.org> wrote:> > > On 9 Dec 2016, at 15:55, Rowland Penny via samba > > <samba at lists.samba.org> wrote: > > > > On Fri, 9 Dec 2016 15:23:24 +0000 > > Kevin Davidson via samba <samba at lists.samba.org> wrote: > > > >> > >>> On 9 Dec 2016, at 14:26, lingpanda101 via samba > >>> <samba at lists.samba.org> wrote: > >>> > >>> Still no luck getting getent to retrieve user information. I have > >>> uid's and gid's setup for all users I am attempting to query. > >> > >> > >> But did you give Domain Users a gid? If you don’t do that, winbind > >> and getent will not find any UNIX users (doesn’t matter if the > >> users have a uid and gid within the range you’ve specified in > >> smb.conf). It’s been a while since I had this problem - my memory > >> is it’s not clearly mentioned in the wiki at all. > >> > > > > It is mentioned on the wiki, to be precise here: > > > > https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites > > > > Do you think it needs more emphasis ? > > I think I’d move it further up the list to be the first thing listed. > As all the other requirements seem obvious to a UNIX admin (UNIX > users must have a shell, homedir, uid and gid) it’s easy to miss this > one non-obvious requirement that a group that is meaningless to UNIX > admins also needs to be changed. There’s also no warning there that > the primary group of users should be left as “Domain Users” and not > changed to match what the UNIX admin regards as that user’s primary > group. I think I’d expect UNIX admins to be reading that section and > they may have little, no or wrong knowledge of AD and AD builtin > groups. > >I have altered the wiki page: https://wiki.samba.org/index.php/Idmap_config_ad Hopefully it is a bit more obvious now ;-) Rowland
> On 9 Dec 2016, at 19:07, Rowland Penny via samba <samba at lists.samba.org> wrote: > > On Fri, 9 Dec 2016 17:54:29 +0000 > Kevin Davidson via samba <samba at lists.samba.org> wrote: > >> >>> On 9 Dec 2016, at 15:55, Rowland Penny via samba >>> <samba at lists.samba.org> wrote: >>> >>> On Fri, 9 Dec 2016 15:23:24 +0000 >>> Kevin Davidson via samba <samba at lists.samba.org> wrote: >>> >>>> >>>>> On 9 Dec 2016, at 14:26, lingpanda101 via samba >>>>> <samba at lists.samba.org> wrote: >>>>> >>>>> Still no luck getting getent to retrieve user information. I have >>>>> uid's and gid's setup for all users I am attempting to query. >>>> >>>> >>>> But did you give Domain Users a gid? If you don’t do that, winbind >>>> and getent will not find any UNIX users (doesn’t matter if the >>>> users have a uid and gid within the range you’ve specified in >>>> smb.conf). It’s been a while since I had this problem - my memory >>>> is it’s not clearly mentioned in the wiki at all. >>>> >>> >>> It is mentioned on the wiki, to be precise here: >>> >>> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites >>> >>> Do you think it needs more emphasis ? >> >> I think I’d move it further up the list to be the first thing listed. >> As all the other requirements seem obvious to a UNIX admin (UNIX >> users must have a shell, homedir, uid and gid) it’s easy to miss this >> one non-obvious requirement that a group that is meaningless to UNIX >> admins also needs to be changed. There’s also no warning there that >> the primary group of users should be left as “Domain Users” and not >> changed to match what the UNIX admin regards as that user’s primary >> group. I think I’d expect UNIX admins to be reading that section and >> they may have little, no or wrong knowledge of AD and AD builtin >> groups. >> >> > > I have altered the wiki page: > > https://wiki.samba.org/index.php/Idmap_config_ad > > Hopefully it is a bit more obvious now ;-) > > Rowland!!!!! Yes, that's a little harder to miss now !!!!! Sent from my iPhone -- Kevin Davidson Apple Certified System Administrator Technical Director t 01506 668674 m 07813 149620 w www.indigospring.co.uk indigospring (Scotland) Ltd Registered in Scotland No. SC398572 Registered office: 103 Oldwood Place, Livingston EH54 6US Follow us on Twitter - twitter.com/indigospringIT Members of the Apple Consultants Network - consultants.apple.com/uk http://www.indigospring.co.uk/terms-and-conditions