Francesco Malvezzi
2018-Feb-16 12:10 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On 16/02/18 12:58, Rowland Penny via samba wrote:
> On Fri, 16 Feb 2018 12:39:37 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>
[...]
>>
>> should I remove tout-court this part?
>
> Not sure I understand that, but it sounds like you are asking if you
> should remove the lines, if so, the answer is yes.

You understood correctly.

[...]
>>
>> self compiled
>
> Why ? You could use the packages from Louis

I'll give it a try. I've got the habit to place software in /opt and I'm pretty happy and updating when a newer release comes out is easy thanks to ansible,

>
>>
>>> Have you set up libnss_winbind ?
>
> That is why it doesn't work ;-)

fine, thank you for your time.

So just to recap: there were two problems:

1) the syntax mistake in smb.conf pointed up before;

2) a logical mistake because wbinfo can't possibly work without the full setup that includes the nss part.

Thank you,

Francesco
Rowland Penny
2018-Feb-16 12:43 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On Fri, 16 Feb 2018 13:10:16 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

>
> So just to recap: there were two problems:
>
> 1) the syntax mistake in smb.conf pointed up before;

This wouldn't have helped.

> 2) a logical mistake because wbinfo can't possibly work without the
> full setup that includes the nss part.

No, wbinfo will work without the libnss_winbind links, but the OS will not know who the AD users & groups are without the links.

Rowland
Francesco Malvezzi
2018-Feb-16 13:26 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On 16/02/18 13:43, Rowland Penny via samba wrote:
> On Fri, 16 Feb 2018 13:10:16 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>
>>
>> So just to recap: there were two problems:
>>
>> 1) the syntax mistake in smb.conf pointed up before;
>
> This wouldn't have helped.
>
>> 2) a logical mistake because wbinfo can't possibly work without the
>> full setup that includes the nss part.
>
> No, wbinfo will work without the libnss_winbind links, but the OS will
> not know who the AD users & groups are without the links.

Rowland, you are helping me a lot.

Let me make a step backwards. The problem that is bugging me is to allow Domain Users to access samba shares (on a linux os) and to create files with the same uidNumber I have put in the AD directory.

Domain Users have been exported from a samba3-ldap domain. In a samba3-ldap domain the trick to have files with the same ownership [1] was to record the uidNumber data in the OpenLDAP.

How does it work in samba4? I started with https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I have been populating the users' uidNumber AD attribute and the groups' gidNumber.

So I was wrong starting talking about sssd, nss and so on. Those tools are required to allow Domain Users to access a linux server (ssh for instance). I am more interested to deploy windows shares on a samba4 server (an AD DC, actually) and to see users create files with the familiar uidNumber and not the exotic number taken from the idmap.ldb

thank you,

Francesco

[1] means the same user, both as a linux user or as a Domain User, creates files with the same uidNumber.