Stefan G. Weichinger
2017-Jan-01 16:05 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
ok, edited etc

all uidNumber now > 10000

except that "root", I was unsure now (?)

gidNumber:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=Domain\ Users | grep 'gidNumber'
gidNumber: 10001

-

smb.conf on member:

idmap config * : backend = tdb
idmap config * : range = 2000-2999

idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-99999
idmap config ARBEITSGRUPPE:schema_mode = rfc2307

username map = /etc/samba/user.map

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

-

restarted all samba daemons on DC and member server, flushed cache

On DC:

# wbinfo -i sgw
sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false

# getent passwd sgw
sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false

(good, afaik)

On member server:

# wbinfo -i sgw
sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

main samba # getent passwd sgw
sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

- nice, correct??

I even did an additional change and set the gidNumber to 10513 to match the former gid (in the shared directory the group-id was 10513, now it is displayed as "domain users" as well).

so now I have:

# getent passwd sgw
sgw:*:10000:10513:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false

*phew*

Any idea what else might be missing? ;-)

thanks!
On Sun, 1 Jan 2017 17:05:44 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> ok, edited etc
>
> all uidNumber now > 10000
>
> except that "root", I was unsure now (?)

If you have a user called 'root', then it is easy, remove it, 'root' shouldn't exist in AD, it is a Unix only user and you need to map Administrator to 'root' in the user.map

> gidNumber:
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=Domain\ Users | grep 'gidNumber'
> gidNumber: 10001
>
> -
>
> smb.conf on member:
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
>
> idmap config ARBEITSGRUPPE:backend = ad
> idmap config ARBEITSGRUPPE:range = 10000-99999
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
> username map = /etc/samba/user.map
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
>
> -
>
> restarted all samba daemons on DC and member server, flushed cache
>
> On DC:
>
> # wbinfo -i sgw
> sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false
>
> # getent passwd sgw
> sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false
>
> (good, afaik)
>
> On member server:
>
> # wbinfo -i sgw
> sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
>
> main samba # getent passwd sgw
> sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
>
> - nice, correct??

Looking good

> I even did an additional change and set the gidNumber to 10513 to
> match the former gid (in the shared directory the group-id was 10513,
> now it is displayed as "domain users" as well).
>
> so now I have:
>
> # getent passwd sgw
> sgw:*:10000:10513:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
>
> *phew*
>
> Any idea what else might be missing? ;-)
>
> thanks!

The only thing is, do any of your users need to actually login into the domain member? If so, this is where using the 'ad' backend comes into its own, you just need to add 'loginshell' and 'unixHomeDirectory' attributes to the required users i.e.

loginshell: /bin/bash
unixHomeDirectory: /home/sgw

Rowland
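Editor's note: the two things the idmap_ad setup above depends on are that the `idmap config * : range` and the `idmap config DOMAIN:range` never overlap, and that every uidNumber/gidNumber stored in AD falls inside the domain's range (idmap_ad ignores IDs outside it, which is exactly what produces a "winbind fails"/unknown-user symptom). The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf fragment, checks the two ranges against each other, and checks a `getent passwd` line for IDs inside the domain range. The smb.conf and passwd samples are constructed to mirror the member server's configuration quoted above; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): sanity-check winbind idmap ranges.

# Constructed sample, copied from the member server's smb.conf quoted in the thread.
SMB_CONF_SAMPLE='
idmap config * : backend = tdb
idmap config * : range = 2000-2999

idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-99999
idmap config ARBEITSGRUPPE:schema_mode = rfc2307
'

# Constructed counter-example: the "*" range bleeds into the domain range.
BAD_CONF='
idmap config * : backend = tdb
idmap config * : range = 2000-20000
idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-99999
'

# Constructed sample of what "getent passwd sgw" returned on the member.
GETENT_SAMPLE='sgw:*:10000:10513:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false'

# range_for DOMAIN CONF  -> prints "LOW HIGH" for "idmap config DOMAIN:range = LOW-HIGH"
# (tolerates the "* : range" and "DOM:range" spacing variants seen in the thread).
range_for() {
    printf '%s\n' "$2" | awk -v dom="$1" -F'=' '
        $1 ~ /^[ \t]*idmap config/ {
            split($1, a, ":")
            key = a[1]; sub(/^[ \t]*idmap config[ \t]*/, "", key); sub(/[ \t]*$/, "", key)
            opt = a[2]; gsub(/[ \t]/, "", opt)
            if (key == dom && opt == "range") {
                val = $2; gsub(/[ \t]/, "", val)
                split(val, r, "-")
                print r[1], r[2]
            }
        }'
}

# in_range ID LOW HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2  -> success (0) when the intervals intersect
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# check_conf CONF DOMAIN -> 0 when both ranges exist and do not overlap
check_conf() {
    conf=$1
    dom=$2
    star=$(range_for '*' "$conf")
    domr=$(range_for "$dom" "$conf")
    if [ -z "$star" ] || [ -z "$domr" ]; then
        echo "missing idmap range for '*' or '$dom'" >&2
        return 1
    fi
    slow=${star% *};  shigh=${star#* }
    dlow=${domr% *};  dhigh=${domr#* }
    if ranges_overlap "$slow" "$shigh" "$dlow" "$dhigh"; then
        echo "idmap ranges overlap: '*' $slow-$shigh vs '$dom' $dlow-$dhigh" >&2
        return 1
    fi
    return 0
}

# check_passwd_line LINE LOW HIGH -> 0 when both uid and gid of the passwd line are in range
check_passwd_line() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    gid=$(printf '%s\n' "$1" | cut -d: -f4)
    in_range "$uid" "$2" "$3" && in_range "$gid" "$2" "$3"
}

# Stand-alone run against the constructed samples.
if check_conf "$SMB_CONF_SAMPLE" ARBEITSGRUPPE; then
    echo "idmap ranges OK"
fi
if check_passwd_line "$GETENT_SAMPLE" 10000 99999; then
    echo "uid/gid of sgw lie inside the ARBEITSGRUPPE range"
fi
```

On a real member server you would feed it `testparm -s` output rather than the constructed fragment, and loop `check_passwd_line` over `getent passwd` to find any AD account whose uidNumber or gidNumber falls outside the range (such an account will simply not resolve through winbind).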
Stefan G. Weichinger
2017-Jan-01 16:50 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2017-01-01 at 17:32, Rowland Penny via samba wrote:

> If you have a user called 'root', then it is easy, remove it, 'root'
> shouldn't exist in AD, it is a Unix only user and you need to map
> Administrator to 'root' in the user.map

removed from AD now. the user.map was there already, as mentioned.

> The only thing is, do any of your users need to actually login into the
> domain member ?

not really

> If so, this is where using the 'ad' backend comes into its own, you
> just need to add 'loginshell' and 'unixHomeDirectory' attributes
> to the required users i.e.
>
> loginshell: /bin/bash
> unixHomeDirectory: /home/sgw

both attributes are there already, but in getent I get /bin/false

# getent passwd sgw
sgw:*:10000:10513::/home/ARBEITSGRUPPE/sgw:/bin/false

that is optional, but nice to know, sure!