On Thu, 3 May 2018 18:08:20 +0100
Zdravko Zdravkov via samba <samba at lists.samba.org> wrote:

> Hi Rowland.
>
> As suggested I switched to winbind with rid backend, since I had free
> time for tests today. This is what I've done for a few min.
>
> smb.conf from the testing pc
>
> [global]
> workgroup = XXXX
> security = ads
> realm = XXXX.X.XX
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> winbind use default domain = yes
> template shell = /usr/bin/bash
> template homedir = /home/%U
>
> idmap config XXXX : backend = rid
> idmap config XXXX : range = 10000-999999
>

The above should work

> with the current config I successfully join the domain, can list
> users and groups with both the wbinfo command and getent
> passwd/group, but if I want to *su testdomainuser* it goes to
> bash-4.2$, no home dir is created which obviously means that I can't
> login with domain account.

You need to use pam_mkhomedir, you can do this on debian by adding this
to /etc/pam.d/common-account:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

This will create the user's homedir the first time the user logs in.

I believe it is called something else on red hat, pam_oddjob ??

> My AD server config is untouched (yet)

Good, you don't really want your users to log into the DC, but if you
do, you just set it up in the same way as a Unix domain member.

Rowland
True that.

oddjob wasn't running, now it's fine, but apparently everything is the
same. In CentOS I see a folder created by my new "testuser" in
Windows. The folder's owner is 1000024 while getent passwd testuser
responds with 11184 which is nowhere near the same.
I guess I'm not making something right during the whole configuration.

On Thu, May 3, 2018 at 6:24 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 3 May 2018 18:08:20 +0100
> Zdravko Zdravkov via samba <samba at lists.samba.org> wrote:
>
> > Hi Rowland.
> >
> > As suggested I switched to winbind with rid backend, since I had free
> > time for tests today. This is what I've done for a few min.
> >
> > smb.conf from the testing pc
> >
> > [global]
> > workgroup = XXXX
> > security = ads
> > realm = XXXX.X.XX
> >
> > log file = /var/log/samba/%m.log
> > log level = 1
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > winbind use default domain = yes
> > template shell = /usr/bin/bash
> > template homedir = /home/%U
> >
> > idmap config XXXX : backend = rid
> > idmap config XXXX : range = 10000-999999
> >
>
> The above should work
>
> > with the current config I successfully join the domain, can list
> > users and groups with both the wbinfo command and getent
> > passwd/group, but if I want to *su testdomainuser* it goes to
> > bash-4.2$, no home dir is created which obviously means that I can't
> > login with domain account.
>
> You need to use pam_mkhomedir, you can do this on debian by adding this
> to /etc/pam.d/common-account:
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> This will create the user's homedir the first time the user logs in.
>
> I believe it is called something else on red hat, pam_oddjob ??
>
> > My AD server config is untouched (yet)
>
> Good, you don't really want your users to log into the DC, but if you
> do, you just set it up in the same way as a Unix domain member.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Fri, 4 May 2018 11:53:08 +0100
Zdravko Zdravkov <nirayah at gmail.com> wrote:

> True that.
>
> oddjob wasn't running, now it's fine, but apparently everything is the
> same. In CentOS I see a folder created by my new "testuser" in
> Windows. The folder's owner is 1000024 while getent passwd testuser
> responds with 11184 which is nowhere near the same.
> I guess I'm not making something right during the whole configuration.
>

Windows uses the RID to identify users & groups.

A samba DC uses xidNumbers to identify users & groups, unless uidNumber
& gidNumber attributes are added to AD. If they are added, these are
used.

On a Unix domain member, it depends on which winbind backend you use.
If you use the 'rid' backend, then the IDs are calculated from the RID.
If you use the 'ad' backend, then you need to add 'uidNumber' &
'gidNumber' attributes to AD.

If you use the 'rid' backend on a Unix domain member, you will never
get the same ID as on a Samba DC. The only way to get the same numeric
ID on all Unix machines is to use the 'ad' backend.

Does it matter if you get different numeric IDs on Unix machines? No,
just as long as the individual Unix machine can map the numeric ID to
the correct user or group name.

Rowland
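As an added illustration, not code from the thread or from Samba itself, of how the 'rid' backend Rowland describes derives a Unix ID from the RID of a Windows SID: it assumes the arithmetic `low end of the idmap range + RID`, reuses the two ranges from the smb.conf quoted above, and the domain SID prefix is a constructed placeholder.

```python
# Added example: idmap_rid-style mapping between a SID's RID and the Unix ID
# a domain member hands out. Assumption: xid = range_low + RID, which is the
# arithmetic idmap_rid uses; the S-1-5-21-... prefix below is constructed.
import re

# domain name -> (low, high), taken from the smb.conf quoted in the thread
IDMAP_RANGES = {
    "XXXX": (10000, 999999),   # idmap config XXXX : backend = rid
    "*":    (3000, 7999),      # idmap config * : backend = tdb (default domain)
}

# Domain SID followed by the RID, e.g. S-1-5-21-1-2-3-1184
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_xid(sid: str, domain: str, ranges=IDMAP_RANGES):
    """Unix ID the rid backend would allocate for `sid` in `domain`,
    or None when low + RID falls outside the configured range."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid = int(m.group(2))
    low, high = ranges[domain]
    xid = low + rid
    return xid if low <= xid <= high else None


def xid_to_rid(xid: int, domain: str, ranges=IDMAP_RANGES):
    """Inverse: which RID produced this Unix ID under the rid backend,
    or None when the ID does not belong to that domain's range at all."""
    low, high = ranges[domain]
    if not low <= xid <= high:
        return None
    return xid - low


if __name__ == "__main__":
    # The 11184 returned by getent in the thread corresponds to RID 1184.
    print(rid_to_xid("S-1-5-21-1-2-3-1184", "XXXX"))   # 11184
    print(xid_to_rid(11184, "XXXX"))                    # 1184
    # The folder owner 1000024 lies outside the member's rid range, so it
    # cannot have been produced by this mapping.
    print(xid_to_rid(1000024, "XXXX"))                  # None
```

With the quoted range, getent's 11184 decodes to RID 1184, while the 1000024 owner seen on the folder lies above the range's upper bound and so cannot be a rid-backend ID from this member, which matches Rowland's point that the DC's IDs and the member's rid-derived IDs differ.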