Hello,
I have installed Samba AD.
On the AD DC the config looks like
# Global parameters
[global]
netbios name = DC1
realm = SAMDOM.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = SAMDOM
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes

# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the KES domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 1001-999999

[netlogon]
path = /var/lib/samba/sysvol/kes.carlmarie.de/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
When I use "getent passwd someuser" it returns a valid entry
SAMDOM\someuser:*:7072:513:someuser:/home/SAMDOM/someuser:/bin/false
On a domain member the smb.conf looks like
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 3
# idmap config for the KES domain
idmap config KES:backend = ad
idmap config KES:schema_mode = rfc2307
idmap config KES:range = 4000-999999
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
and "getent passwd someuser" returns different entries
someuser:*:7072:4294967295:someuser:/home/SAMDOM/someuser:/bin/bash
after "net cache flush" I get
someuser:*:4294967295:4294967295:someuser:/home/SAMDOM/someuser:/bin/bash
I have read the Samba config again and again but I do not understand the
problem above. I have imported the users from the NT4 domain and all my users
start at uid 3000 and have a gid of 513 (Domain Users).
How can I map the gid 513 to AD? I can't chown all the files on all
fileservers in my domain.
What's wrong there?
Hai,

Your ADDC and member setup is incorrect.

ADDC =>
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
( hint: remove all : idmap config lines )

Member =>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
(hint: add the lines removed from the AD. )

And this is always wrong so correct them.
> idmap config SAMDOM:range = 1001-999999
> idmap config * : range = 3000-7999
These overlap, which is not allowed.

After the changes, run :
net cache flush
Restart samba and winbind

File server settings: https://wiki.samba.org/index.php/Samba_File_Serving
and also very helpful https://wiki.samba.org/index.php/User_Documentation

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Monday 20 February 2017 13:07
> To: samba at lists.samba.org
> Subject: [Samba] id maping
On Mon, 20 Feb 2017 13:07:29 +0100
basti via samba <samba at lists.samba.org> wrote:

> Hello,
> I have installed Samba AD.
> On the AD DC the config looks like
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> # idmap config for the KES domain
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 1001-999999
>

Remove the above lines, they shouldn't be in a DC smb.conf

> When I use "getent passwd someuser" it returns a valid entry
> SAMDOM\someuser:*:7072:513:someuser:/home/SAMDOM/someuser:/bin/false
>
> On a domain member the smb.conf looks like
>
> # idmap config for the KES domain
> idmap config KES:backend = ad
> idmap config KES:schema_mode = rfc2307
> idmap config KES:range = 4000-999999
>

You are missing the '*' settings

> and "getent passwd someuser" returns different entries
>
> someuser:*:7072:4294967295:someuser:/home/SAMDOM/someuser:/bin/bash

Well it would, Domain Users seems to have the gidNumber '513' and this
is lower than your lower domain setting '4000'

Rowland
On Mon, 20 Feb 2017 12:40:00 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> Well it would, Domain Users seems to have the gidNumber '513' and this
> is lower than your lower domain setting '4000'
>

I am beginning to wonder if upgrading an NT4-style PDC to a DC is a good
idea.

Linux starts its normal user base at '1000' (and yes, Red Hat used to
start at 500) and it has been like this for a long time. Samba allowed
Domain user & group RIDs to be used for u/gidNumbers, this was a stupid
idea in my opinion.

'Domain Users' is 513
'Domain Admins' is 512

So we now have the problem that a user is trying to set up an 'idmap
config' line in smb.conf on a domain member, he is going to have to use
something like this:

idmap config DOMAIN: range = 500-999999

Which means that he cannot have any local Unix users at all, so what
happens if something goes wrong with Samba on that domain member and
root login is disabled except at the console and the console isn't
easily accessible?

Should we be recommending setting up a new domain instead of upgrading
the old PDC, or changing any low u/gidNumbers??? or what???

Rowland
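As an added illustration of the two points raised in this thread (not code from the thread or from Samba itself), the small Python script below parses the "idmap config" lines from the posted smb.conf fragments, flags ranges that overlap (Louis's point about the DC config) and applies a simplified version of the ad backend's rule that an rfc2307 uidNumber/gidNumber outside the configured range is not mapped (Rowland's point): gid 513 checked against range 4000-999999 comes back as 4294967295, exactly what basti's getent output shows, while the 500-999999 range from Rowland's follow-up lets it through. The mapping rule is a simplification of winbind's behaviour, and the sample config strings are constructed from the lines quoted above.

```python
import re

ID_UNMAPPED = 4294967295  # (uid_t)-1 as unsigned 32-bit: what getent shows when winbind cannot map an ID

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect 'idmap config DOMAIN : option = value' lines as {DOMAIN: {option: value}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def id_range(cfg, domain):
    """(low, high) of a domain's configured idmap range, or None if it has no range."""
    text = cfg.get(domain.upper(), {}).get("range")
    if text is None:
        return None
    low, high = (int(x) for x in text.split("-", 1))
    return low, high

def overlapping_ranges(cfg):
    """Pairs of domains whose ranges overlap; winbind refuses such a configuration."""
    doms = sorted(d for d in cfg if "range" in cfg[d])
    found = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (la, ha), (lb, hb) = id_range(cfg, a), id_range(cfg, b)
            if la <= hb and lb <= ha:
                found.append((a, b))
    return found

def map_rfc2307_id(cfg, domain, id_number):
    """Simplified 'ad' backend rule (schema_mode = rfc2307): the uidNumber/gidNumber stored
    in AD is honoured only when it lies inside the domain's range; otherwise getent shows ID_UNMAPPED."""
    rng = id_range(cfg, domain)
    if rng is None or not rng[0] <= id_number <= rng[1]:
        return ID_UNMAPPED
    return id_number

# Constructed samples: the range lines from the DC and the domain member smb.conf in the thread.
DC_CONF = """
idmap config * : range = 3000-7999
idmap config SAMDOM:range = 1001-999999
"""
MEMBER_CONF = """
idmap config KES:range = 4000-999999
"""
```

Run with the member config, map_rfc2307_id(parse_idmap(MEMBER_CONF), "KES", 513) returns 4294967295 while 7072 maps to itself, and overlapping_ranges(parse_idmap(DC_CONF)) reports the '*' and SAMDOM ranges as overlapping.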