I found what I needed to do
DOMAIN=MIND.UNM.EDU
SHORT=MIND
authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
  --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
  --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
  --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
  --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
  --enablemkhomedir --enablewinbindusedefaultdomain --update

this worked

On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 30 Oct 2017 09:49:24 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> OS:fedora-26
>> SAMBA:4.6.8
>> [root@squints ~]# cat /etc/samba/smb.conf
>> [global]
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the defaults
>> #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>>
>> [root@squints ~]# getent passwd jsadowski
>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>
>> however from an ubuntu machine with the same smb.conf it looks like so
>> OS:ubuntu-16.04
>> SAMBA:4.3.11
>> root@daddles:~# getent passwd jsadowski
>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>
>> which is how AD shows it as well.
>>
>> Did something change in newer versions of samba that I need to add
>> more config options?
>>
>
> Yes, there have been changes and no, you don't have to use them and
> they wouldn't cause your problem.
>
> Your smb.conf shows you are using the 'ad' backend and you say you are
> using the same smb.conf on both machines.
>
> So, why are there these different:
>
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> Which RFC2307 attributes have you added to AD ?
> The above user seems to have the same uidNumber, but Domain Users
> seems to have two different gidNumbers (8513 and 8000), the
> unixHomeDirectory also has two identities, as does loginShell
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

fedora's authconfig must edit a bunch of files

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> I found what I needed to do
> DOMAIN=MIND.UNM.EDU
> SHORT=MIND
> authconfig --enablekrb5 --krb5kdc=${DOMAIN}
> --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind
> --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN}
> --smbservers=${DOMAIN} --smbworkgroup=${SHORT}
> --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash
> --enablemkhomedir --enablewinbindusedefaultdomain --update
>
> this worked

My smb.conf file now looks like so

[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/10/30 10:47:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
   workgroup = MIND
   password server = MIND.UNM.EDU
   realm = MIND.UNM.EDU
   security = ads
   idmap config * : range = 2000-7999
   template homedir = /na/homes/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false
#--authconfig--end-line--
;  security = ads
;  realm = MIND.UNM.EDU
;  workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   winbind nss info = rfc2307
;  winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
;  template homedir=/na/homes/%U
;  template shell=/bin/bash

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> fedora's authconfig must edit a bunch of files
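
An added example, not part of the thread and not Samba project code: a small Python audit for an smb.conf [global] section like the final one posted above, flagging the two LDAP settings that were relaxed for the Badlock updates and any parameter assigned more than once (as happens once authconfig writes its own block). The sample config is constructed (abridged from the post), the function names are hypothetical, and include files and backslash line continuations are not handled.

```python
import re

# Constructed sample, abridged from the final smb.conf posted in this thread.
SAMPLE = """\
[global]
#--authconfig--start-line--
idmap config * : range = 2000-7999
#--authconfig--end-line--
;  security = ads
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
ldap server require strong auth = no
client ldap sasl wrapping = plain
"""

# Values that turn off LDAP signing / strong-auth enforcement (relaxed in the thread).
WEAK = {"clientldapsaslwrapping": {"plain"},
        "ldapserverrequirestrongauth": {"no", "off", "false", "0"}}

def norm(name):
    # smb.conf(5): case and whitespace in parameter names are irrelevant.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return [(lineno, key, value)] for the active [global] parameters."""
    params, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params.append((no, norm(key), value.strip()))
    return params

def audit(text):
    """Flag relaxed LDAP settings and parameters assigned more than once."""
    findings, first_seen = [], {}
    for no, key, value in parse_global(text):
        if value.lower() in WEAK.get(key, ()):
            findings.append((no, "weak", key, value))
        if key in first_seen:   # the later assignment overrides the earlier one
            findings.append((no, "duplicate", key, first_seen[key]))
        first_seen.setdefault(key, no)
    return findings
```

On a real host, pass the contents of /etc/samba/smb.conf to `audit()`; `testparm -s` shows the effective values as Samba itself parsed them.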