On 09/12/2016 15:55, Rowland Penny wrote:
>> But did you give Domain Users a gid? If you don't do that, winbind
>> and getent will not find any UNIX users (doesn't matter if the users
>> have a uid and gid within the range you've specified in smb.conf).
>> It's been a while since I had this problem - my memory is it's not
>> clearly mentioned in the wiki at all.
>>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?

I think there's plenty of emphasis now, but I think there is a part which is misleading:

> To enable Samba to retrieve user and group information from Active Directory (AD):
>
> * Users must have at least the uidNumber and groups the gidNumber attribute set.

As far as I can tell there is no need at all to set the gidNumber on the user entry, at least not when using the winbind component of Samba. By saying it has to be set, the implication is that it does something useful. So the admin sets e.g.

uidNumber: 1000
gidNumber: 1000

and is surprised when the user's primary group is the gidNumber from Domain Users (or that the user doesn't appear at all, if Domain Users has no gidNumber).

I think it would be clearer like this:

"To enable Samba to retrieve user and group information from Active Directory (AD):

* Users must have the uidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell and unixHomeDirectory set.
* The group which the user's PrimaryGroupID refers to (normally "Domain Users") must have the gidNumber attribute set.
* It is recommended that you do not change any user's primaryGroupID. Windows expects all the users' primary group to be "Domain Users". This implies that all Unix logins will use the same primary gid.
* The user and group IDs must be within the range configured in the smb.conf for this domain.
...etc"

Regards,

Brian.
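The prerequisites Brian lists above, modelled as a check an admin can run before wondering why `getent` shows nothing. This is an added example, not part of the thread or of Samba itself; the smb.conf fragment, the domain name EXAMPLE and the user and group entries are all constructed, and the user's own gidNumber is deliberately ignored, as the thread explains winbind does.

```python
import re
# Constructed smb.conf fragment (not from the thread): the per-domain range is
# what "IDs must be within the range configured in smb.conf" refers to.
SMB_CONF = """[global]
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
"""
# Constructed AD objects. Users carry primaryGroupID (the RID of their primary
# group); groups are keyed by RID, 513 being the well-known RID of Domain Users.
USERS = {
    "alice": {"uidNumber": 10001, "primaryGroupID": 513},
    # bob's own gidNumber is ignored by winbind; the primary group's gid wins.
    "bob":   {"uidNumber": 10002, "gidNumber": 10002, "primaryGroupID": 513},
    "carol": {"primaryGroupID": 513},                      # no uidNumber
    "dave":  {"uidNumber": 2000, "primaryGroupID": 513},   # outside the range
    "erin":  {"uidNumber": 10005, "primaryGroupID": 514},  # group has no gidNumber
}
GROUPS = {
    513: {"name": "Domain Users", "gidNumber": 10000},
    514: {"name": "Domain Guests"},
}

def idmap_range(conf, domain):
    """Return (low, high) parsed from 'idmap config DOMAIN : range = low-high'."""
    pat = r"idmap config %s\s*:\s*range\s*=\s*(\d+)-(\d+)" % re.escape(domain)
    m = re.search(pat, conf)
    if not m:
        raise ValueError("no idmap range configured for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))

def resolve_user(name, conf=SMB_CONF, domain="EXAMPLE", users=USERS, groups=GROUPS):
    """Return (uid, gid, problems); an empty problems list means winbind can map the user."""
    low, high = idmap_range(conf, domain)
    user, problems = users[name], []
    uid = user.get("uidNumber")
    if uid is None:
        problems.append("user has no uidNumber")
    elif not low <= uid <= high:
        problems.append("uidNumber %d outside idmap range %d-%d" % (uid, low, high))
    group = groups.get(user.get("primaryGroupID"), {})
    gid = group.get("gidNumber")          # the user's own gidNumber is never consulted
    if gid is None:
        problems.append("primary group %r has no gidNumber" % group.get("name"))
    elif not low <= gid <= high:
        problems.append("gidNumber %d outside idmap range %d-%d" % (gid, low, high))
    return uid, gid, problems
```

Run `resolve_user` over each entry in `USERS` to see which of the constructed accounts would resolve and why the others would not.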
On 10/12/2016 16:25, Brian Candler wrote:
> I think there's plenty of emphasis now, but I think there is a part
> which is misleading:
>
> > To enable Samba to retrieve user and group information from Active
> Directory (AD):
> >
> > * Users must have at least the uidNumber and groups the gidNumber
> attribute set.

I'm so sorry: I misread this as "Users must have at least the uidNumber and gidNumber attribute set", which is of course *not* what it says. Hence the text is accurate (if you read it correctly); it's my brain which is at fault.

I do still think that the alternative text I gave is clearer - for my brain anyway :-)

Regards,

Brian.
On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> On 10/12/2016 16:25, Brian Candler wrote:
>> I think there's plenty of emphasis now, but I think there is a part
>> which is misleading:
>>
>> > To enable Samba to retrieve user and group information from Active
>> Directory (AD):
>> >
>> > * Users must have at least the uidNumber and groups the gidNumber
>> attribute set.
>
> I'm so sorry: I misread this as "Users must have at least the
> uidNumber and gidNumber attribute set", which is of course *not* what
> it says. Hence the text is accurate (if you read it correctly); it's
> my brain which is at fault.
>
> I do still think that the alternative text I gave is clearer - for my
> brain anyway :-)
>
> Regards,
>
> Brian.
>

OK I have progress.... I needed to disable avahi. Totally forgot about this. Probably should be added to the wiki for folks who are stuck with .local domains at the moment.

vi /etc/nsswitch.conf
#hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
hosts: files dns

I heard changing the avahi suffix might work as well but didn't confirm. I couldn't ping my DC's FQDN until I disabled it either.

The strange thing is 'getent passwd user' returns nothing still. However if I use 'getent passwd user@DOMAIN.LOCAL' it works and returns expected results. Any reason why?

--
- James
On 12/11/2016 8:59 AM, Brian Candler via samba wrote:
> On 10/12/2016 16:25, Brian Candler wrote:
>> I think there's plenty of emphasis now, but I think there is a part
>> which is misleading:
>>
>> > To enable Samba to retrieve user and group information from Active
>> Directory (AD):
>> >
>> > * Users must have at least the uidNumber and groups the gidNumber
>> attribute set.
>
> I'm so sorry: I misread this as "Users must have at least the
> uidNumber and gidNumber attribute set", which is of course *not* what
> it says. Hence the text is accurate (if you read it correctly); it's
> my brain which is at fault.
>
> I do still think that the alternative text I gave is clearer - for my
> brain anyway :-)
>
> Regards,
>
> Brian.
>

OK finally solved. Added to my smb.conf 'winbind use default domain = yes'

Disabling Avahi and using the above was the issue. Next to attempt actually signing in from the login screen and not via SSH.

--
- James