See inline Comments:
On Thu, 9 Nov 2017 16:11:49 -0000
Roy Eastwood via samba <samba at lists.samba.org> wrote:
> Hi,
> I have a Debian Stretch machine with Louis' samba 4.7.1 package
> installed. I have configured it as a member server and joined it to
> my test domain. I tried the idmap rid back end and all worked ok,
> but am now trying the idmap ad back end. I have users' home folders
> saved to a users share on the member server, configured to allow
> auto-creation of home folders when the windows user logs in for the
> first time. That's working OK after some adjustments to the ntfs
> and share permissions which vary from the samba WiKi page
> (https://wiki.samba.org/index.php/User_Home_Folders) after reading
> this https://support.microsoft.com/en-gb/help/555046. Also if users
> are allowed to log in locally as a unix user to the member server, I
> found that the unix permissions had to include rwx for the domain
> users group otherwise they are unable to access their home
> folder. Does the WiKi need updating?
Probably not.
>
> Am I right in assuming from the WiKI that all users in the domain
> have to have at least the UID and GID set in AD (when using the idmap
> ad back end)?
It depends on what version of Samba you are using and how you set up
smb.conf, more on this later ;-)
>
> My problem is that if I want to log on as administrator,
Log on where?
If you mean to a Unix machine, then no you don't, you might think you
do, but really you don't.
> I either
> allocate a UID/GID in AD - in which case I can log in OK. However, if
> I use the username map parameter in smb.conf along with the
> appropriate file user.map to map administrator to root, the WiKi says
> do not allocate a UID and GID in AD. So I took these off but I
> cannot log in now to the member server as administrator. Neither does
> administrator show up in the output of getent passwd.
Ah, but you are using a user.map, which maps 'Administrator' to
'root', so guess who you should log onto the Unix machine as?
>
> However, wbinfo -u produces:
> root@debian-m1:/home/linuxadmin# wbinfo -u
> test1
> test2
> test3
> administrator
> roy
> krbtgt
> guest
>
> But wbinfo -i administrator produces:
> root@debian-m1:/home/linuxadmin# wbinfo -i administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user administrator
Yes, that is correct for a Unix Domain member. All that wbinfo shows
is that winbind can connect to AD; you need to have 'getent passwd
username' produce output to prove that the OS knows your AD users as
Unix users (note that 'getent passwd Administrator' won't work either).
>
> I have tried also with wbinfo -i MICROLYNX\administrator but the same
> result as above.
>
> My smb.conf from the member server:
> ============================
> [global]
> netbios name = debian-m1
> security = ADS
> workgroup = MICROLYNX
> realm = MICROLYNX.CO.UK
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain MICROLYNX
> idmap config MICROLYNX:backend = ad
> idmap config MICROLYNX:schema_mode = rfc2307
> idmap config MICROLYNX:range = 10000-99999
>
> # Use settings from AD for login shell and home directory and primary group
> idmap config MICROLYNX:unix_nss_info=yes
> idmap config MICROLYNX:unix_primary_group=yes
Remember when I said 'more on this later'? Well, it is later ;-)
With the above 'idmap config' lines, your users will need a uidNumber
attribute containing a unique number from the '10000-99999' range. They
will also need a gidNumber attribute that contains the gidNumber of a
group; this means that the group MUST have a gidNumber attribute
containing the same number, and this must also be in the '10000-99999'
range.
If you do not want this, give Domain Users a gidNumber, remove the
'unix_primary_group' line and restart Samba.
>
> # enable getent passwd & getent group to display domain users & groups
> winbind enum users = yes
> winbind enum groups = yes
You should remove the two 'winbind enum' lines, you do not need them
and they only slow things down.
Rowland
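An added example, not part of the thread above: a small checker that reads the 'idmap config' lines from an smb.conf fragment and applies the rules Rowland describes (uidNumber in the domain range; with unix_primary_group = yes, a gidNumber that belongs to a group whose gidNumber is in range; otherwise Domain Users needs a gidNumber in range). The smb.conf fragment, users and groups are constructed sample data, and the attribute dictionaries stand in for what you would read out of AD.

```python
# Added example, not from the thread: check constructed AD account data against
# the rules Rowland gives for 'idmap config DOMAIN : backend = ad' (rfc2307).
import re
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} from the idmap config lines."""
    out = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, opt, val = m.groups()
        out.setdefault(dom.upper(), {})[opt.lower()] = val
    return out

def check_users(conf, domain, users, groups):
    """Return {name: [problems]} for accounts winbind could not map to Unix IDs."""
    cfg = parse_idmap(conf)[domain.upper()]
    lo, hi = (int(x) for x in cfg["range"].split("-"))
    pgroup = cfg.get("unix_primary_group", "no").lower() == "yes"
    gids = {g["gidNumber"] for g in groups.values() if g["gidNumber"] is not None}
    problems = {}
    # Without unix_primary_group every user gets Domain Users as primary group,
    # so that group needs a gidNumber in the domain range (Rowland's fallback).
    du = groups.get("Domain Users", {}).get("gidNumber")
    if not pgroup and (du is None or not lo <= du <= hi):
        problems["Domain Users"] = [f"gidNumber missing or outside {lo}-{hi}"]
    for name, a in users.items():
        errs = []
        uid, gid = a.get("uidNumber"), a.get("gidNumber")
        if uid is None:
            errs.append("no uidNumber")  # 'getent passwd name' prints nothing
        elif not lo <= uid <= hi:
            errs.append(f"uidNumber {uid} outside {lo}-{hi}")
        if pgroup and (gid is None or gid not in gids):
            errs.append(f"gidNumber {gid} matches no group's gidNumber")
        elif pgroup and not lo <= gid <= hi:
            errs.append(f"gidNumber {gid} outside {lo}-{hi}")
        if errs:
            problems[name] = errs
    return problems

# Constructed sample: an smb.conf fragment like the one in the thread.
SMB_CONF = """idmap config MICROLYNX:backend = ad
idmap config MICROLYNX:schema_mode = rfc2307
idmap config MICROLYNX:range = 10000-99999
idmap config MICROLYNX:unix_primary_group=yes
"""
USERS = {"test1": {"uidNumber": 10001, "gidNumber": 10000},
         "administrator": {"uidNumber": None, "gidNumber": None},  # mapped to root via user.map, no IDs
         "roy": {"uidNumber": 500, "gidNumber": 10000}}
GROUPS = {"Domain Users": {"gidNumber": 10000}}
```

Run `check_users(SMB_CONF, "MICROLYNX", USERS, GROUPS)` to see which accounts 'getent passwd' would not resolve and why.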