k.wirski
2017-Sep-19 07:56 UTC
[Samba] ODP: Re: samba 4 ad member - idmap = ad for machine accounts
Basically that was my initial question: should adding GID and UID to the domain computers group (gid) and machine accounts (uid) be enough, and if it should, and it doesn't work, what else should be done to make it work, or what am I missing?

I'm not sure what you mean about invalidating cache?

-------- Original message --------
From: Marco Gaiarin via samba <samba at lists.samba.org>
Date: 09.19.2017 9:11 (GMT+01:00)
To: samba at lists.samba.org
Subject: Re: [Samba] samba 4 ad member - idmap = ad for machine accounts

> Mandi! Kacper Wirski via samba wrote:
>
> > getent passwd gives same, OK result, still unable to authenticate
>
> I'm still curious to know how rfc2307 does not work, and RID instead works.
> Seems to me that assigning a GID to 'Domain Computers' is the same as using RID.
>
> Kacper: I don't want to offend you but... have you invalidated the cache possibly in use, e.g. by restarting nscd?
>
> Louis, Rowland: can you explain why?
>
> Thanks.
>
> --
> dott. Marco Gaiarin GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2017-Sep-19 08:00 UTC
[Samba] ODP: Re: samba 4 ad member - idmap = ad for machine accounts
Depending on your setup, and this makes it hard.

domain computers group: Yes, possible, but often not needed.
machine accounts: No, never.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of k.wirski via samba
> Sent: Tuesday 19 September 2017 9:56
> To: samba at lists.samba.org
> Subject: [Samba] ODP: Re: samba 4 ad member - idmap = ad for machine accounts
>
> Basically that was my initial question: should adding GID and
> UID to the domain computers group (gid) and machine accounts
> (uid) be enough, and if it should, and it doesn't work, what
> else should be done to make it work, or what am I missing?
>
> I'm not sure what you mean about invalidating cache?
Marco Gaiarin
2017-Sep-19 10:29 UTC
[Samba] ODP: Re: samba 4 ad member - idmap = ad for machine accounts
Mandi! k.wirski via samba wrote:

> I'm not sure what you mean about invalidating cache?

'nscd' is a generic Name Services Caching Daemon normally installed automatically alongside winbind.

In the past, when playing with winbind, I got confused by the cache, and the confusion grew considering that:

    getent passwd user

does not query the cache, so all seems to work, but winbind continues to get data from the cache until it expires (or you invalidate/restart nscd).

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Rowland Penny
2017-Sep-19 10:42 UTC
[Samba] ODP: Re: samba 4 ad member - idmap = ad for machine accounts
On Tue, 19 Sep 2017 12:29:37 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! k.wirski via samba wrote:
>
> > I'm not sure what you mean about invalidating cache?
>
> 'nscd' is a generic Name Services Caching Daemon normally installed
> automatically alongside winbind.
>
> In the past, when playing with winbind, I got confused by the cache,
> and the confusion grew considering that:
>
>     getent passwd user
>
> does not query the cache, so all seems to work, but winbind continues to
> get data from the cache until it expires (or you invalidate/restart
> nscd).

There is only one problem with that: the nscd cache isn't really used by winbind; in fact, you shouldn't use nscd with winbind. Winbind has its own cache.

Rowland
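
The advice at the end of the thread (do not run nscd together with winbind) as a host check. This is an added example, not part of the original thread: it reports name-service databases that nsswitch resolves through winbind while nscd is also configured to cache them. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list name-service databases that are
# resolved through winbind AND cached by nscd. Paths are arguments so the
# check can run on sample files; all function names are hypothetical.

# Databases (passwd, group) whose nsswitch.conf line lists winbind.
winbind_dbs() {
    awk '{ sub(/#.*/, "") }                      # strip comments
         $1 == "passwd:" || $1 == "group:" {
             for (i = 2; i <= NF; i++)
                 if ($i == "winbind") { print substr($1, 1, length($1) - 1); break }
         }' "$1"
}

# Databases for which nscd.conf says "enable-cache <db> yes".
nscd_cached_dbs() {
    awk '{ sub(/#.*/, "") }
         $1 == "enable-cache" && $3 == "yes" { print $2 }' "$1"
}

# Print each winbind-backed database that nscd also caches.
# Exit status: 1 if any overlap was found, 0 if the two are kept apart.
nscd_winbind_overlap() {
    found=0
    for db in $(winbind_dbs "$1"); do
        if nscd_cached_dbs "$2" | grep -qx "$db"; then
            echo "$db"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample files written into directory $1.
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: files winbind
group:  files winbind   # AD groups via winbind
shadow: files
hosts:  files dns
EOF
    cat > "$1/nscd.conf" <<'EOF'
# constructed sample
enable-cache passwd yes
enable-cache group  no
enable-cache hosts  yes
EOF
}
```

On a domain member the two arguments would normally be `/etc/nsswitch.conf` and `/etc/nscd.conf`; a non-empty result means nscd is caching identities that winbind already caches itself.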