On Mon, 02 Jul 2018 12:04:10 +0200
Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:

> Do you agree that this is a valid smb.conf that should work:
>
> [global]
> security = ADS
> encrypt passwords = yes
> workgroup = MD-DZNE
> realm = MAGDEBURG.DZNE.DS
>
> log file = /opt/samba4/var/log/%m.log
> log level = 1
>
> idmap config *:backend = tdb
> idmap config *:range = 3000-7999
> idmap config MD-DZNE:backend = ad
> idmap config MD-DZNE:schema_mode = rfc2307
> idmap config MD-DZNE:range = 10000-999999
>
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = Yes
> winbind enum groups = Yes
> kerberos method = system keytab
>

Provided that your users have a uidNumber attribute containing a unique
number inside the '10000-999999' range AND Domain Users has a gidNumber
attribute containing a number inside the same range, then, yes, it is a
valid smb.conf. These attributes are not added automatically; you must
add them manually.

There are lines I would remove though:

encrypt passwords = yes # This is a default setting

winbind enum users = Yes
winbind enum groups = Yes # These are not required and can slow things down.

kerberos method = system keytab # you shouldn't really have this.

Rowland
On Mon, 2018-07-02 at 11:30 +0100, Rowland Penny via samba wrote:

> Provided that your users have a uidNumber attribute containing a
> unique number inside the '10000-999999' range AND Domain Users has a
> gidNumber attribute containing a number inside the same range, then,
> yes, it is a valid smb.conf. These attributes are not added
> automatically; you must add them manually.

Yes, all UID/GID numbers stored in the AD user objects are unique and
start at 10000. Both attributes are set for all users.

> There are lines I would remove though:
>
> encrypt passwords = yes # This is a default setting
>
> winbind enum users = Yes
> winbind enum groups = Yes # These are not required and can slow
> things down.

Thanks, I removed them now.

> kerberos method = system keytab # you shouldn't really have this.

Removed too. What's wrong with that line? My understanding was that it
tells samba to use the system's global keytab. I don't see much harm in
that?

So now that I have a valid smb.conf, the initial problem persists.
How do I proceed to resolve this issue?

Bernd
On Mon, 02 Jul 2018 12:38:54 +0200
Bernd Markgraf <bernd.markgraf at med.ovgu.de> wrote:

> On Mon, 2018-07-02 at 11:30 +0100, Rowland Penny via samba wrote:
>
> > Provided that your users have a uidNumber attribute containing a
> > unique number inside the '10000-999999' range AND Domain Users has a
> > gidNumber attribute containing a number inside the same range, then,
> > yes, it is a valid smb.conf. These attributes are not added
> > automatically; you must add them manually.
>
> Yes, all UID/GID numbers stored in the AD user objects are unique and
> start at 10000. Both attributes are set for all users.
>
> > There are lines I would remove though:
> >
> > encrypt passwords = yes # This is a default setting
> >
> > winbind enum users = Yes
> > winbind enum groups = Yes # These are not required and can slow
> > things down.
>
> Thanks, I removed them now.
>
> > kerberos method = system keytab # you shouldn't really have this.
>
> Removed too. What's wrong with that line? My understanding was that it
> tells samba to use the system's global keytab. I don't see much harm
> in that?

Because you should be using the default 'secrets.tdb'; your setting had
turned this off. You only need a separate keytab if there is something
that needs it and, if so, you should use 'kerberos method = secrets and
keytab'.

> So now that I have a valid smb.conf, the initial problem persists.
> How do I proceed to resolve this issue?

Is there a firewall or similar getting in the way?

Is the output of 'net ads testjoin' 'Join is OK'?

Rowland
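The two conditions Rowland states for this smb.conf to be valid (every user has a unique uidNumber inside the domain's idmap range, and Domain Users has a gidNumber inside the same range) and his list of settings to drop are easy to check mechanically before chasing a join or firewall problem. The script below is an added example and is not code from this thread or from the Samba project. It embeds the posted [global] section, parses it the way Samba does (parameter names are case-insensitive and internal whitespace is ignored; only lines starting with '#' or ';' are comments), and runs three checks: that the '*' and domain idmap ranges do not overlap (a broader check than the thread itself makes, but a common cause of broken mappings), that a set of AD objects meets the rfc2307 conditions, and that the removable settings are flagged. The AD objects are constructed here with deliberate faults (a duplicate uidNumber, a uidNumber outside the range, a Domain Users group without gidNumber) to show what each check reports; on a real member server you would feed it the attributes returned by the directory.

```python
import re

# The [global] section Bernd posted, embedded so the checks run offline.
# In practice, feed this function the output of 'testparm -s'.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
encrypt passwords = yes
workgroup = MD-DZNE
realm = MAGDEBURG.DZNE.DS

idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config MD-DZNE:backend = ad
idmap config MD-DZNE:schema_mode = rfc2307
idmap config MD-DZNE:range = 10000-999999

winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = Yes
kerberos method = system keytab
"""

# Constructed AD objects (not real directory data). The duplicate uidNumber,
# the out-of-range uidNumber and the missing gidNumber are deliberate.
SAMPLE_OBJECTS = [
    {"name": "bernd",        "kind": "user",  "uidNumber": 10001},
    {"name": "alice",        "kind": "user",  "uidNumber": 10002},
    {"name": "bob",          "kind": "user",  "uidNumber": 10002},
    {"name": "svc-backup",   "kind": "user",  "uidNumber": 5000},
    {"name": "Domain Users", "kind": "group"},
]

# Settings Rowland advised removing, with his reason.
REMOVABLE = {
    "encrypt passwords": "default setting, not needed",
    "winbind enum users": "not required, can slow winbind down",
    "winbind enum groups": "not required, can slow winbind down",
    "kerberos method": "turns off secrets.tdb; use default or 'secrets and keytab'",
}


def parse_smb_conf(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and internal whitespace in parameter names.
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def idmap_ranges(params):
    """Map each idmap domain ('*' or a workgroup, lowercased) to (low, high)."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*range", key)
        if not m:
            continue
        lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
        if lo > hi:
            raise ValueError(f"inverted idmap range for {m.group(1)}: {value}")
        ranges[m.group(1)] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect; winbind needs them disjoint."""
    names, clashes = sorted(ranges), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


def check_rfc2307(objects, lo, hi):
    """Problems that would stop idmap_ad from mapping the given objects.

    Each user needs a unique uidNumber in [lo, hi]; each group passed in
    (Domain Users at minimum) needs a gidNumber in the same range.
    """
    problems, seen = [], {}
    for obj in objects:
        attr = "uidNumber" if obj["kind"] == "user" else "gidNumber"
        n = obj.get(attr)
        if n is None:
            problems.append(f"{obj['name']}: no {attr}")
            continue
        if not lo <= n <= hi:
            problems.append(f"{obj['name']}: {attr} {n} outside {lo}-{hi}")
        if obj["kind"] == "user":
            if n in seen:
                problems.append(f"{obj['name']}: uidNumber {n} duplicates {seen[n]}")
            else:
                seen[n] = obj["name"]
    return problems


def removable_settings(params):
    """Settings present in the config that the thread says to drop."""
    found = []
    for key, why in REMOVABLE.items():
        if key not in params:
            continue
        # 'kerberos method' is only a problem when it disables secrets.tdb.
        if key == "kerberos method" and params[key].lower() != "system keytab":
            continue
        found.append(f"{key} = {params[key]}  # {why}")
    return found


def audit(conf_text, objects, domain):
    """Run all checks; returns a dict of finding lists (empty lists mean ok)."""
    params = parse_smb_conf(conf_text)
    ranges = idmap_ranges(params)
    lo, hi = ranges[domain.lower()]
    return {
        "overlaps": overlapping_ranges(ranges),
        "rfc2307": check_rfc2307(objects, lo, hi),
        "removable": removable_settings(params),
    }


if __name__ == "__main__":
    for section, items in audit(SAMPLE_SMB_CONF, SAMPLE_OBJECTS, "MD-DZNE").items():
        print(f"{section}:")
        for item in items or ["ok"]:
            print(f"  {item}")
```

Run it and the rfc2307 section lists bob's duplicate uid, svc-backup's out-of-range uid and the missing gidNumber on Domain Users, while the posted ranges 3000-7999 and 10000-999999 are reported as disjoint. Once the config and attributes pass, the same sanity sequence on the member server is 'testparm -s' to see what Samba actually loaded, 'net ads testjoin' for the 'Join is OK' answer Rowland asks about, and then 'wbinfo -i <user>' and 'getent passwd <user>' to confirm winbind resolves the rfc2307 ids.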