samba - Feb 2018 - idmap config ad: can't resolve domain users' uids

Il 16/02/18 12:58, Rowland Penny via samba ha scritto:
> On Fri, 16 Feb 2018 12:39:37 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> 
[...]
>>
>> should I remove tout-court this part?
> 
> Not sure I understand that, but it sounds like you are asking if you
> should remove the lines, if so, the answer is yes.
You understood correctly.

[...]
>>
>> self compiled
> 
> Why ? You could use the packages from Louis
I'll give it a try. I've got the habit to place software in /opt and
I'm
pretty happy and updating when a newer release comes out is easy thanks
to ansible,
> 
>>
>>> Have you set up libnss_winbind ?
> 
> That is why it doesn't work ;-)
fine, thank you for your time.

So just to recap: there were two problems:

1) the syntax mistake in smb.conf pointed up before;
2) a logical mistake because wbinfo can't possibily work without the
full setup that includes the nss part.

Thank you,

Francesco

On Fri, 16 Feb 2018 13:10:16 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> 
> So just to recap: there were two problems:
> 
> 1) the syntax mistake in smb.conf pointed up before;
This wouldn't have helped.
> 2) a logical mistake because wbinfo can't possibily work without the
> full setup that includes the nss part.
No, wbinfo will work without the libnss_winbind links, but the OS will
not know who the AD users & groups are without the links.

Rowland

Il 16/02/18 13:43, Rowland Penny via samba ha scritto:
> On Fri, 16 Feb 2018 13:10:16 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> 
>>
>> So just to recap: there were two problems:
>>
>> 1) the syntax mistake in smb.conf pointed up before;
> 
> This wouldn't have helped.
> 
>> 2) a logical mistake because wbinfo can't possibily work without
the
>> full setup that includes the nss part.
> 
> No, wbinfo will work without the libnss_winbind links, but the OS will
> not know who the AD users & groups are without the links.
Rowland, you are helping me a lot.

Let me make a step backwards.

The problem is bugging me is to allow Domain Users to access samba
shares (on a linux os) and to create file with the same uidNumber I have
put in the AD directory.

Domanin Users have been exported from a samba3-ldap domain.

In a samba3-ldap domain the trick to have files with the same ownership
[1] was to record the uidNumber data in the OpenLDAP.

How does it work in samba4? I started with
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I
have been populating the users' uidNumber ad attribute and the groups'
gidNumber.

So I was wrong starting talking about sssd, nss and so on. Those tools
are required to allow Domain Users to access linux server (ssh for
instance). I am more interested to deploy windows share on a samba4
server (a AD DC, actually) and to see users create file with the
familiar uidNumber and not the exotic number taken from the idmap.ldb

thank you,

Francesco


[1] means the same user, both as a linux user or as a Domain User,
create files with same uidNumber.