Barry D. Adkins
2018-Nov-19 03:23 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
>What is wrong with the Samba wiki, what didn't go exactly like the wiki ?

https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

Well take this wiki that I'm trying to follow to add the AD uid/gid to the objects. It's helpful and confusing, but maybe because I'm just not informed enough.

I got the property pages to show in AD Users & Computers, but there is no NIS Domain offered to select. No guidance on that, unless I've done something out of sequence that would have populated that.

It then Gives this guidance to perform before you use AD U & C... after it has just led you down the path of using AD U & C.

# Defining the next UID/GID number to use
# Every time a UID/GID number is assigned using Active Directory Users and Computers (ADUC), the next UID/GID number is stored inside the Active Directory. By default, ADUC starts assigning UID and
# GID numbers at 10000.

# If you setup a new Samba AD and want to use a different start value, you will need to add the counting attributes before using ADUC for the first time:

# ldbedit -H /usr/local/samba/private/sam.ldb -b \
  CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

# msSFU30MaxUidNumber: 10000
# msSFU30MaxGidNumber: 10000

# With the same command you can change the values. E. g. if you require to start UID numbers at 20000 and GIDs at 50000, adapt the values to your requirements:

# msSFU30MaxUidNumber: 20000
# msSFU30MaxGidNumber: 50000

I don't seem to find an "ldb" file anywhere and since we are using an AD Domain, perhaps there shouldn't be one.

I wouldn't have gone looking for an "ldb" file except for this wiki.

I'll continue to rummage around trying to figure out how to get an entry to choose for the NIS Domain, although I'm not sure what it should be. I would guess it would be the same name as the AD Domain Name. Looking over the above ldbedit command it seems like it will create an entry of samdom.example.com or in my case would be samdom.domain.com but is that what we really want/need to do?

Barry
Barry D. Adkins
2018-Nov-19 07:05 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
See below AD schema appended, uid's, gid's assigned, STILL getent will not identify any AD users or groups.

I created the AD schema file and imported the NIS schema to the AD Schema Master.

Set these 2 values using ADSI Edit

# msSFU30MaxUidNumber: 50000
# msSFU30MaxGidNumber: 50000

Assigned uid's to all users
Assign all users Primary Group to "Domain Users" as the AD User tool forces you to set that value to something.
Assigned gid's to all groups

There are 59 users uid's 50000 thru 50059
There are 34 groups gid's 50000 thru 50034

[global]
    dns proxy = No
    log file = /var/log/samba/log.%m
    logging = syslog at 1 /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    realm = DOMAIN.COM
    security = ADS
    server role = member server
    server string = %h server (Samba, Ubuntu)
    template shell = /bin/bash
    username map = /etc/samba/user.map
    usershare allow guests = Yes
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind use default domain = Yes
    workgroup = DOMAIN
    idmap config domain : unix_nss_info = yes
    idmap config domain : range = 50000-1000000
    idmap config domain : backend = ad
    idmap config * : range = 3000-7999
    idmap config * : backend = tbd
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

Barry
Barry D. Adkins
2018-Nov-19 07:09 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
Nsswitch.conf

passwd: files winbind compat systemd
group: files winbind compat systemd
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Barry
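
[Added example, not part of the original thread and not Samba project code.] A small Python check over the "idmap config" lines of the smb.conf posted above: it compares each backend name with the idmap backends Samba ships, validates each range, reports overlapping ranges, and counts uidNumber/gidNumber values stored in AD that fall outside the range of an "ad" backend. The function names and the ad_ids parameter are hypothetical; the sample IDs are the 50000 thru 50059 values reported in the post.

```python
import re

# Backend names shipped with Samba's winbindd (idmap_* manual pages).
KNOWN_BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rfc2307",
                  "rid", "script", "tdb", "tdb2"}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)

# The idmap lines exactly as posted in the message above.
POSTED = """\
idmap config domain : unix_nss_info = yes
idmap config domain : range = 50000-1000000
idmap config domain : backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tbd
"""

def parse_idmap(smb_conf):
    """Group 'idmap config DOMAIN : option = value' lines by domain."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(smb_conf, ad_ids=()):
    """Return findings; ad_ids are uidNumber/gidNumber values stored in AD."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(smb_conf).items():
        if opts.get("backend") not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown backend {opts.get('backend')!r}")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m[1]) > int(m[2]):
            findings.append(f"{dom}: missing or invalid range")
            continue
        lo, hi = ranges[dom] = int(m[1]), int(m[2])
        # The 'ad' backend ignores IDs stored in AD that fall outside its range.
        outside = [i for i in ad_ids if not lo <= i <= hi]
        if opts.get("backend") == "ad" and outside:
            findings.append(f"{dom}: {len(outside)} AD ID(s) outside {lo}-{hi}")
    names = sorted(ranges)
    for n, a in enumerate(names):
        for b in names[n + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: overlapping ranges")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(POSTED, ad_ids=range(50000, 50060)):
        print(finding)
```
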
Rowland Penny
2018-Nov-19 09:19 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
On Mon, 19 Nov 2018 03:23:29 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

> >What is wrong with the Samba wiki, what didn't go exactly like the
> >wiki ?
>
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
>
> Well take this wiki that I'm trying to follow to add the AD uid/gid
> to the objects. It's helpful and confusing, but maybe because I'm
> just not informed enough.
>
> I got the property pages to show in AD Users & Computers, but there
> is no NIS Domain offered to select. No guidance on that, unless I've
> done something out of sequence that would have populated that.
>
> It then Gives this guidance to perform before you use AD U & C...
> after it has just led you down the path of using AD U & C.
>
> # Defining the next UID/GID number to use
> # Every time a UID/GID number is assigned using Active Directory
> Users and Computers (ADUC), the next UID/GID number is stored inside
> the Active Directory. By default, ADUC starts assigning UID and # GID
> numbers at 10000.
>
> # If you setup a new Samba AD and want to use a different start
> value, you will need to add the counting attributes before using ADUC
> for the first time:
>
> # ldbedit -H /usr/local/samba/private/sam.ldb -b \
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>
> # msSFU30MaxUidNumber: 10000
> # msSFU30MaxGidNumber: 10000
>
> # With the same command you can change the values. E. g. if you
> require to start UID numbers at 20000 and GIDs at 50000, adapt the
> values to your requirements:
>
> # msSFU30MaxUidNumber: 20000
> # msSFU30MaxGidNumber: 50000
>
> I don't seem to find an "ldb" file anywhere and since we are using an
> AD Domain, perhaps there shouldn't be one.
>
> I wouldn't have gone looking for an "ldb" file except for this wiki.
>
> I'll continue to rummage around trying to figure out how to get an
> entry to choose for the NIS Domain, although I'm not sure what it
> should be. I would guess it would be the same name as the AD Domain
> Name. Looking over the above ldbedit command it seems like it will
> create an entry of samdom.example.com or in my case would be
> samdom.domain.com but is that what we really want/need to do?
>
> Barry

Reading all of the above a few questions spring to mind:

What is the AD DC ?

If it is a Windows DC, is 'IDMU' installed (also known as 'services for Unix) ?

If it is a Samba DC, did you provision with '--use-rfc2307' ?

Rowland
Barry D. Adkins
2018-Nov-19 14:29 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
>What is the AD DC ?

Windows 2012 Server DC's

>If it is a Windows DC, is 'IDMU' installed (also known as 'services for
>Unix) ?

No, Services for Unix are not installed, but I did install the NIS for Unix for the AD Users & Computers app and that all works fine. I did however find the Samba LDIF file for preparing a Directory Schema import file, and I did that. That is how I was able to enter the uid's & gid's as I mentioned on my 2nd post last night.

I considered installing Windows Services for Unix, but there was no guidance for this requirement in the wiki that seemed clear to me. Furthermore, when I searched for where to obtain the installation for Windows Services for Unix I found it was a CD/DVD with a Key on it, etc. and thus perhaps incorrectly assumed it must be purchased. I'm not opposed to purchasing it but of course would prefer not to, but I'm going to have to find out where to purchase it.

>If it is a Samba DC, did you provision with '--use-rfc2307' ?

It's not a Samba DC. I first want to prove up just a standalone file server, spending time on that, and then implement with Gluster or some other file system that I can setup a replicated folder, share, or volume. I determined to conquer that Samba DC later.

If I must install Unix Services for Windows, I will get it somewhere and do that.

Barry