Rowland Penny
2017-Aug-24 12:48 UTC
[Samba] Windows pre-requisites for login with winbind?
On Thu, 24 Aug 2017 12:26:11 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Well, network connectivity to the other DC would probably also be
> required... and I don't have that currently... so there's the first
> hurdle... but thanks for confirming that there's no other
> configuration required.
>
> I'm slightly surprised that the smb.conf does not require the full
> realm name like "DOMAIN2.LOCAL" somewhere in there.
>

No, you only need it for the realm the Unix domain member is joined to.

Rowland
Mgr. Peter Tuharsky
2017-Aug-25 14:03 UTC
[Samba] Windows pre-requisites for login with winbind?
Rowland,

I'm following this thread because I'm trying to use a Linux member server (Debian 9) and use Windows AD users in Linux (filesystem etc.).

It seems I have working Kerberos and, to a degree, Winbind too, because both

    wbinfo -u
    wbinfo -g

give me valid and complete results.

However, I'm stuck with NIS.

First I attempted to use the AD idmap with these settings (smb.conf):

    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : range = 10000-9999999
    idmap_ldb:use rfc2307 = yes

    winbind nss info = rfc2307
    winbind use default domain = true
    winbind enum users = yes
    winbind enum groups = yes

When I issue

    #getent group

I get only a few groups, those with a non-empty gidNumber attribute. This I can understand, but

    #getent passwd

doesn't bring me any AD user, although they all have a valid uidNumber attribute that is well inside the idmap range.

Now, I also tried to use RID, as it seems better to go this way; however, it doesn't work for me either, and it still displays only those groups as before, and they still have the gidNumber from AD, not the computed one from RID.

It seems I'm missing something.

On 24.08.2017 at 14:48 Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:26:11 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> Well, network connectivity to the other DC would probably also be
>> required... and I don't have that currently... so there's the first
>> hurdle... but thanks for confirming that there's no other
>> configuration required.
>>
>> I'm slightly surprised that the smb.conf does not require the full
>> realm name like "DOMAIN2.LOCAL" somewhere in there.
>>
> No, you only need it for the realm the Unix domain member is joined to.
>
> Rowland
>
Rowland Penny
2017-Aug-25 14:28 UTC
[Samba] Windows pre-requisites for login with winbind?
On Fri, 25 Aug 2017 16:03:08 +0200
"Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:

> Rowland,
>
> I'm following this thread because I'm trying to use a Linux member
> server (Debian 9) and use Windows AD users in Linux (filesystem etc.).
>
> It seems I have working Kerberos and, to a degree, Winbind too,
> because both
>
>     wbinfo -u
>     wbinfo -g
>
> give me valid and complete results.

This just shows that winbind can contact and connect to AD.

> However, I'm stuck with NIS.
>
> First I attempted to use the AD idmap with these settings (smb.conf):
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-9999
>     idmap config DOMAIN : backend = ad
>     idmap config DOMAIN : schema_mode = rfc2307
>     idmap config DOMAIN : range = 10000-9999999

The above looks okay.

>     idmap_ldb:use rfc2307 = yes

You should only use the above line on a DC.

>     winbind nss info = rfc2307
>     winbind use default domain = true

The above two lines are okay.

>     winbind enum users = yes
>     winbind enum groups = yes

You should only add the above two lines for testing purposes.

> When I issue
>
>     #getent group
>
> I get only a few groups, those with a non-empty gidNumber attribute.
> This I can understand, but
>
>     #getent passwd
>
> doesn't bring me any AD user, although they all have a valid uidNumber
> attribute that is well inside the idmap range.

Does 'Domain Users' have a gidNumber inside '10000-9999999'?
If it doesn't, then ALL your users will be ignored.

> Now, I also tried to use RID, as it seems better to go this way;
> however, it doesn't work for me either, and it still displays only
> those groups as before, and they still have the gidNumber from AD,
> not the computed one from RID.
>
> It seems I'm missing something.

Try running 'net cache flush'.

The 'rid' backend should work without any changes to AD, as long as the
user is in AD and isn't in /etc/passwd.

Rowland
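The rule Rowland gives above (with the 'ad' backend a user only appears in getent passwd when its own uidNumber and the gidNumber of its primary group, normally 'Domain Users', both lie inside the domain's idmap range) is easy to check offline before restarting winbind. The script below is an added example, not code from the thread or from Samba: it parses the smb.conf fragment posted above, parses LDIF in the shape ldbsearch/ldapsearch print, and reports per user why winbind would skip it. It also flags the two settings Rowland points out (the DC-only idmap_ldb line and the testing-only enum lines). The smb.conf text and the LDIF entries are constructed sample data; the domain name DOMAIN and the user/group names are placeholders.

```python
"""Offline pre-check for the winbind 'ad' (rfc2307) idmap backend.

Models the rule from the reply above: a user is mapped only when its
uidNumber AND its primary group's gidNumber are inside the domain range.
All input below is constructed for this example.
"""
import re

# Constructed smb.conf fragment reproducing the member-server settings posted in the thread.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-9999999
   idmap_ldb:use rfc2307 = yes
   winbind nss info = rfc2307
   winbind use default domain = true
   winbind enum users = yes
   winbind enum groups = yes
"""

# Constructed LDIF (attributes trimmed) in the shape ldbsearch/ldapsearch print.
# 'Domain Users' (RID 513) deliberately has no gidNumber; objectSid values are placeholders.
LDIF = """
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

objectClass: group
sAMAccountName: linuxusers
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10100

objectClass: user
sAMAccountName: alice
uidNumber: 10001
primaryGroupID: 513

objectClass: user
sAMAccountName: bob
uidNumber: 10002
primaryGroupID: 1105

objectClass: user
sAMAccountName: carol
uidNumber: 5000
primaryGroupID: 1105
"""

_IDMAP_RE = re.compile(r'^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$')


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg


def parse_range(text):
    """'10000-9999999' -> (10000, 9999999)."""
    lo, hi = (int(x) for x in text.split('-'))
    return lo, hi


def parse_ldif(text):
    """Split LDIF into entries; every attribute becomes a list of values."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(': ')
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def lint_member_config(conf_text):
    """Warnings for settings the reply says do not belong on a domain member."""
    warnings = []
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith('idmap_ldb:use rfc2307'):
            warnings.append(f'{s!r}: DC-only parameter, remove it on a domain member')
        elif re.match(r'winbind enum (users|groups)\s*=\s*yes', s):
            warnings.append(f'{s!r}: enumeration is for testing only')
    # Overlapping idmap ranges are a configuration error in their own right.
    ranges = {d: parse_range(o['range']) for d, o in parse_idmap(conf_text).items() if 'range' in o}
    for a in ranges:
        for b in ranges:
            if a < b and ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                warnings.append(f'idmap ranges for {a!r} and {b!r} overlap')
    return warnings


def check_users(conf_text, ldif_text, domain):
    """For each AD user, report 'ok' or the reason the 'ad' backend would skip it."""
    lo, hi = parse_range(parse_idmap(conf_text)[domain]['range'])
    entries = parse_ldif(ldif_text)
    gid_by_rid = {}  # primary group RID -> gidNumber, None when the attribute is missing
    for e in entries:
        if 'group' in e.get('objectClass', []):
            rid = int(e['objectSid'][0].rsplit('-', 1)[1])
            gid_by_rid[rid] = int(e['gidNumber'][0]) if 'gidNumber' in e else None
    report = {}
    for e in entries:
        if 'user' not in e.get('objectClass', []):
            continue
        name = e['sAMAccountName'][0]
        if 'uidNumber' not in e:
            report[name] = 'no uidNumber'
            continue
        uid = int(e['uidNumber'][0])
        if not lo <= uid <= hi:
            report[name] = f'uidNumber {uid} outside {lo}-{hi}'
            continue
        gid = gid_by_rid.get(int(e['primaryGroupID'][0]))
        if gid is None:
            report[name] = 'primary group has no gidNumber'
        elif not lo <= gid <= hi:
            report[name] = f'primary group gidNumber {gid} outside {lo}-{hi}'
        else:
            report[name] = 'ok'
    return report


if __name__ == '__main__':
    for w in lint_member_config(SMB_CONF):
        print('WARNING:', w)
    for user, status in check_users(SMB_CONF, LDIF, 'DOMAIN').items():
        print(f'{user}: {status}')
```

With the constructed data, alice is skipped because 'Domain Users' has no gidNumber, carol because her uidNumber is below the range, and only bob (whose primary group is linuxusers with gidNumber 10100) would show up in getent passwd. To run it against a real domain, replace LDIF with the output of ldbsearch or ldapsearch for the users and groups, requesting sAMAccountName, objectSid, uidNumber, gidNumber, primaryGroupID and objectClass.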