To have users accessible from the UNIX side (i.e. your member server) with any tool (winbind, sssd...) you must (i.e. that's mandatory) have all the information needed to build a UNIX user in the LDAP tree. What I mean here is you must have uidNumber and gidNumber but also something to fill the login shell, home directory and perhaps gecos too (but I expect that last one is not mandatory).

This is because a UNIX user is always something like this:

username:password or hash or x:uidNumber:gidNumber:Gecos:homedir:loginShell

which gives for example:

root:x:0:0:root:/root:/bin/bash

So the tool you will use must find extractable information in the LDAP tree to fill these fields. There are LDAP attributes in the AD LDAP tree to store them, the default attributes used by SSSD or winbind or others:

loginShell for the shell
unixHomeDirectory for the home dir (there's also a homeDirectory attribute but I expect that one is rather meant for the Windows homeDir)
gecos should exist too.

Winbind is not configurable regarding which attributes it will use, you have to fill the right ones in the AD LDAP tree. I'm not sure but I think it uses displayName for filling the Gecos field.

So configure for one user all of that:
uidNumber
gidNumber
loginShell
unixHomeDirectory
displayName should already be set

Plus, to avoid issues, you can set up fallbacks in the member's smb.conf, as Rowland showed in his last mail:

template shell = /bin/bash
template homedir = /home/%U

With these two lines, a user without loginShell will get the value of "template shell" for his shell. Same for homeDir.

That's for the concepts and LDAP attributes, now you will have to configure NSS and PAM too, in addition to smb.conf (again, I didn't read carefully what Rowland gave but he's a good source of information, so you should try his smb.conf ;)

2017-08-30 12:26 GMT+02:00 Gaetan SLONGO <gslongo at it-optics.com>:
> Thank you for your answer Mathias.
>
> Unix attributes are OK in the Samba 4 DB ("Unix Attributes" tab also OK in ADUC).
> What I cannot do is to ask winbind to use uidNumber and gidNumber on a member server setup (in DC mode it is OK) instead of "mapped ids" (idmap range)
>
> Regards,
>

2017-08-30 12:47 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 30 Aug 2017 12:20:04 +0200 (CEST)
> Gaetan SLONGO <gslongo at it-optics.com> wrote:
>
> > Hi Rowland, my test SMB has several test lines and is dirty, for sure not correct :-) Could you share your setup to achieve this?
>
> This is my working smb.conf (note: I use Samba 4.6.x)
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
>
> # Uncomment the next two lines if you require a keytab for dovecot etc
> #dedicated keytab file = /etc/krb5.keytab
> #kerberos method = secrets and keytab
> server string = Samba 4 Client %h
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind refresh tickets = Yes
> winbind offline logon = yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain, the ranges may not overlap !
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : unix_nss_info = yes
> idmap config SAMDOM : range = 10000-999999
> # uncomment next two lines if not storing shell & unixhomedir in AD
> #template shell = /bin/bash
> #template homedir = /home/%U
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> host msdfs = no
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> # Share Setting Globally
> unix extensions = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # logging
> log level = 0
>
> If you are using a version of Samba before 4.6.0, you should remove:
>
> idmap config SAMDOM : unix_nss_info = yes
>
> and replace it with:
>
> winbind nss info = rfc2307
>
> For this to work, all my users have a uidNumber attribute containing a unique number inside the 'SAMDOM' range set in smb.conf (10000-999999) and 'Domain Users' has a gidNumber inside the same range (note: you can start the uidNumbers & gidNumbers at the same number, there is no need to use different start numbers)
>
> I also have a user.map, which contains this:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> NOTE 'SAMDOM' is my workgroup name and 'SAMDOM.EXAMPLE.COM' is my realm name, you should replace them with yours.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Wed, 30 Aug 2017 14:32:40 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:

> To have users accessible from the UNIX side (i.e. your member server) with any tool (winbind, sssd...) you must (i.e. that's mandatory) have all the information needed to build a UNIX user in the LDAP tree. What I mean here is you must have uidNumber and gidNumber but also something to fill the login shell, home directory and perhaps gecos too (but I expect that last one is not mandatory).

Sorry but that is wrong, the only rfc2307 attribute you must have in a user's AD object is uidNumber. You can set the shell and unix homedir via template lines in smb.conf. The 'Domain Users' group must have a gidNumber attribute.

Rowland
2017-08-30 14:49 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 30 Aug 2017 14:32:40 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > To have users accessible from the UNIX side (i.e. your member server) with any tool (winbind, sssd...) you must (i.e. that's mandatory) have all the information needed to build a UNIX user in the LDAP tree. What I mean here is you must have uidNumber and gidNumber but also something to fill the login shell, home directory and perhaps gecos too (but I expect that last one is not mandatory).
>
> Sorry but that is wrong, the only rfc2307 attribute you must have in a user's AD object is uidNumber. You can set the shell and unix homedir via template lines in smb.conf. The 'Domain Users' group must have a gidNumber attribute.

That's not wrong, as the templates are there to replace the missing information in AD. In any case the tool (winbind or anything) must have this information available to build the UNIX user.

But we're playing with words and we are drifting away from the subject.

> Rowland
Small addition.

> have in a user's AD object is uidNumber. You can set the shell and unix homedir via template lines in smb.conf.
> The 'Domain Users' group must have a gidNumber attribute.

No, the primary group, which is set for the user, must have a gidNumber. But preferably "Domain Users".

Then, a user with ONLY a uid and templates as fallback works. At least I have a few with this setup and that works fine. Even with homedirs over NFS (v4 and kerberized).

Greetz,

Louis
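The rules argued over in the messages above (Mathias: which attributes a tool needs to build a UNIX user; Rowland: uidNumber plus template fallbacks, with gidNumber on Domain Users, all inside the idmap range; Louis: the gidNumber must be on the user's primary group) can be checked mechanically before a member server is joined. The following Python script is an added example, not code from the thread or from Samba: it parses a constructed smb.conf fragment modelled on Rowland's, applies those rules to constructed sample AD attribute sets, and shows the passwd line the member server would end up with or why the user would not map. Using displayName for gecos is an assumption taken from Mathias's message; all names and numbers are constructed.

```python
import re

# Constructed smb.conf fragment modelled on the one quoted in the thread (not Rowland's file verbatim).
SMB_CONF = """[global]
workgroup = SAMDOM
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
"""
# Constructed sample AD objects (attribute subsets only, not from any real directory); no primaryGroup means Domain Users.
GROUPS = {"Domain Users": {"gidNumber": 10000}, "Domain Computers": {}}
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10001, "loginShell": "/bin/zsh", "displayName": "Alice A"},
    {"sAMAccountName": "bob", "uidNumber": 10002},                                       # templates fill shell and home
    {"sAMAccountName": "carol"},                                                         # no uidNumber at all
    {"sAMAccountName": "dave", "uidNumber": 5000},                                       # outside the SAMDOM range
    {"sAMAccountName": "pc1$", "uidNumber": 10003, "primaryGroup": "Domain Computers"},  # primary group has no gidNumber
]

def parse_smb_conf(text):
    """Map lowercase parameter names to values; 'idmap config X : y' keys become 'idmap config x:y'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, val = line.partition("=")
        conf[re.sub(r"\s*:\s*", ":", key.strip().lower())] = val.strip()
    return conf

def build_passwd_entry(user, groups, conf):
    """Return the passwd(5) line winbind could expose for user, or 'unmappable: <reason>'."""
    lo, hi = (int(x) for x in conf["idmap config %s:range" % conf["workgroup"].lower()].split("-"))
    uid = user.get("uidNumber")
    if uid is None:
        return "unmappable: no uidNumber (the one attribute every user must have)"
    if not lo <= uid <= hi:
        return "unmappable: uidNumber %d outside idmap range %d-%d" % (uid, lo, hi)
    gid = groups.get(user.get("primaryGroup", "Domain Users"), {}).get("gidNumber")
    if gid is None or not lo <= gid <= hi:
        return "unmappable: primary group has no gidNumber inside the idmap range"
    name = user["sAMAccountName"]
    shell = user.get("loginShell") or conf.get("template shell", "")                    # smb.conf fallback
    home = user.get("unixHomeDirectory") or conf.get("template homedir", "").replace("%U", name)
    gecos = user.get("displayName", "")  # assumption from the thread: displayName feeds the gecos field
    return "%s:x:%d:%d:%s:%s:%s" % (name, uid, gid, gecos, home, shell)

def audit(users=USERS, groups=GROUPS, text=SMB_CONF):
    # {sAMAccountName: passwd line, or the reason the account would be missing from 'getent passwd'}
    conf = parse_smb_conf(text)
    return {u["sAMAccountName"]: build_passwd_entry(u, groups, conf) for u in users}
```

Run it against an export of your own users and groups (for example from ldbsearch output) to find accounts that will silently not appear on the member server.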
Ok, on the subject, shares not accessible when using FQDN.

The server must have an A and PTR record for the real hostname within the REALM, then any CNAME should work. But if the primary domain or the search domain is incorrect (on the client) then \\FQDN(CNAME)\share won't work, since it cannot find the "real" hostname which resolves to A/PTR.

I did ask for an IPCONFIG /all from a working and a not working PC. But... I can't check it, I've not seen anything.

The cluster part, that's not yet my thing, so I can't tell anything about that.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne via samba
> Sent: Wednesday 30 August 2017 14:57
> To: Rowland Penny
> CC: samba
> Subject: Re: [Samba] Shares not accessible when using FQDN
>
> 2017-08-30 14:49 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> > On Wed, 30 Aug 2017 14:32:40 +0200
> > mathias dufresne via samba <samba at lists.samba.org> wrote:
> >
> > > To have users accessible from the UNIX side (i.e. your member server) with any tool (winbind, sssd...) you must (i.e. that's mandatory) have all the information needed to build a UNIX user in the LDAP tree. What I mean here is you must have uidNumber and gidNumber but also something to fill the login shell, home directory and perhaps gecos too (but I expect that last one is not mandatory).
> >
> > Sorry but that is wrong, the only rfc2307 attribute you must have in a user's AD object is uidNumber. You can set the shell and unix homedir via template lines in smb.conf. The 'Domain Users' group must have a gidNumber attribute.
>
> That's not wrong, as the templates are there to replace the missing information in AD. In any case the tool (winbind or anything) must have this information available to build the UNIX user.
>
> But we're playing with words and we are drifting away from the subject.
>
> > Rowland
On Wed, 30 Aug 2017 15:01:05 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Small addition.
>
> > have in a user's AD object is uidNumber. You can set the shell and unix homedir via template lines in smb.conf.
> > The 'Domain Users' group must have a gidNumber attribute.
>
> No, the primary group, which is set for the user, must have a gidNumber. But preferably "Domain Users".

Well yes, but unless you are running Samba 4.6.x and have set up smb.conf to use other groups, then the primary group will be Domain Users, unless you are a computer and then it is Domain Computers ;-)

Rowland