Barry D. Adkins
2018-Nov-19 15:29 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
>>> What is the AD DC ?
>>
>> Windows 2012 Server DC's
>
>>> If it is a Windows DC, is 'IDMU' installed (also known as 'services for Unix) ?
>
>> No, Services for Unix are not installed, but I did install the NIS for Unix for the AD Users & Computers app and that all works fine.
>
>> You can stop looking for 'ldb' files.
>
>> I did however find the Samba LDIF file for preparing a Directory Schema

> Where did you find this and where have you imported this to and how.

Here: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

You have to have the schema in the Active Directory Schema. So you either have to add it to a Samba AD Schema or the Windows AD Schema. I used the windows tool LDIFDE to import the schema to the Windows AD Schema. Otherwise there is no schema for the Unix Attributes. From my reading about Unix Services for Windows it would have added to the schema, and I assume it would have at least been the ypServ30 stuff. It's 55 entries.

I found and deduced that Samba wasn't adding the needed Schema, and the wiki clearly addressed how to add it for a Samba AD, further indicating that Samba was not somehow otherwise going to add the needed schema entries.

>> import file, and I did that. That is how I was able to enter the uid's & gid's as I mentioned on my 2nd post last night. I considered installing Windows Services for Unix, but there was no guidance for this requirement in the wiki that seemed clear to me.

> There wouldn't be, everything on the Samba wiki refers to Samba and there is very little about Windows directly. You need to do an internet search to find out what you need to install on your Windows 2012 DC and how to do it.

Well I understand it's Samba, but it's integrating I suspect quite a lot with Windows companion servers. It provides substantial detail where Windows tools must be used, AD Users & Computers, Access List permissions, etc. I'm not trying to be critical, but if there are assumptions about the Windows Environment it would help if they are stated. Clearly I did miss things that were in the wikis, so your patience with me has been appreciated.

>> Furthermore, when I searched for where to obtain the installation for Windows Services for Unix I found it was a CD/DVD with a Key on it, etc. and thus perhaps incorrectly assumed it must be purchased. I'm not opposed to purchasing it but of course would prefer not to, but I'm going to have to find out where to purchase it.

> The big point behind using a Samba AD DC is that you don't need to pay for Server licences and CAL's for the clients.
> You could try joining a Samba DC to the domain and then add the yp30server.ldif, replication will then do the rest.

But I already have all the Windows Servers, clients, and licenses. I began this journey to migrate away from it. Yes, I could join a Samba DC but I was trying to take one step at a time thinking that would be perhaps a more complicated task, AND my first migration step was based on the need to setup a file server with replicated storage.

Nevertheless, I got the schema into the Windows AD. The uid's and gid's are there for all users and groups. It really was not difficult getting the schema into the Windows AD once I knew I needed to do it.

>>> If it is a Samba DC, did you provision with '--use-rfc2307' ?
>
>> It's not a Samba DC. I first want to prove up just a standalone file server, spending time on that, and then implement with Gluster or some other file system that I can setup a replicated folder, share, or volume. I determined to conquer that Samba DC later.

> The Samba DC is the easiest part of that and will be the easiest way to install the required IDMU framework.

So, there is more to the IDMU framework than the AD Schema? Should I remove the added schema before doing the Samba DC or just leave it? I don't see a problem leaving it as it will be needed anyway. It would be added to the Samba Schema and then replicated to the Windows DCs, so I wouldn't need to add it to the Samba DC as it would get it from the replica it receives when it joins the Domain.

If I do the Samba DC, I'll either have to leave the Windows Servers doing DHCP and DNS or deal with doing all that in Linux/Samba now.... I'd rather do that later. I was thinking for a Samba DC to let it be on its own as my other Windows DCs, without providing other services other than DNS, DHCP, etc.

> Rowland
Rowland Penny
2018-Nov-19 16:23 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
On Mon, 19 Nov 2018 15:29:44 +0000 "Barry D. Adkins via samba" <samba at lists.samba.org> wrote:

>> Where did you find this and where have you imported this to and how.
> Here: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

That is Samba's version of IDMU, didn't know it worked with a Windows DC, good to know though.

> You have to have the schema in the Active Directory Schema. So you either have to add it to a Samba AD Schema or the Windows AD Schema.

You have to have it for the Unix attributes tab in ADUC. The actual RFC2307 attributes are part of the standard Windows AD schema.

> I used the windows tool LDIFDE to import the schema to the Windows AD Schema. Otherwise there is no schema for the Unix Attributes.

Yes there is.

> From my reading about Unix Services for Windows it would have added to the schema, and I assume it would have at least been the ypServ30 stuff. It's 55 entries.

It just adds the required framework for ADUC to work.

> I found and deduced that Samba wasn't adding the needed Schema, and the wiki clearly addressed how to add it for a Samba AD, further indicating that Samba was not somehow otherwise going to add the needed schema entries.

Samba, when running as a Unix domain member, doesn't add anything to AD.

>> There wouldn't be, everything on the Samba wiki refers to Samba and there is very little about Windows directly. You need to do an internet search to find out what you need to install on your Windows 2012 DC and how to do it.
>
> Well I understand it's Samba, but it's integrating I suspect quite a lot with Windows companion servers. It provides substantial detail where Windows tools must be used, AD Users & Computers, Access List permissions, etc. I'm not trying to be critical, but if there are assumptions about the Windows Environment it would help if they are stated. Clearly I did miss things that were in the wikis, so your patience with me has been appreciated.

The Samba wiki is just that, it is a wiki about using Samba. Whilst it touches on using Samba with a Windows AD DC, it is not a Windows wiki. If you are going to continue using a Windows DC, then you really should use Windows documentation for this, for whilst Samba is trying to become compatible with Windows, it isn't quite there yet.

>> The big point behind using a Samba AD DC is that you don't need to pay for Server licences and CAL's for the clients. You could try joining a Samba DC to the domain and then add the yp30server.ldif, replication will then do the rest.
>
> But I already have all the Windows Servers, clients, and licenses. I began this journey to migrate away from it. Yes, I could join a Samba DC but I was trying to take one step at a time thinking that would be perhaps a more complicated task, AND my first migration step was based on the need to setup a file server with replicated storage.

As I said, joining a Samba DC to an existing Windows AD domain is the easiest thing you will have to do.

> Nevertheless, I got the schema into the Windows AD. The uid's and gid's are there for all users and groups. It really was not difficult getting the schema into the Windows AD once I knew I needed to do it.

I personally wouldn't have thought of trying what you did, but it seems to have worked.

>> The Samba DC is the easiest part of that and will be the easiest way to install the required IDMU framework.

Which you have now proved isn't really the case.

> So, there is more to the IDMU framework than the AD Schema? Should I remove the added schema before doing the Samba DC or just leave it?

Leave it, you need it.

> I don't see a problem leaving it as it will be needed anyway. It would be added to the Samba Schema and then replicated to the Windows DCs, so I wouldn't need to add it to the Samba DC as it would get it from the replica it receives when it joins the Domain.

Not sure just what Samba packages you have installed on the Debian computer, but you may have the schema text files installed, they are in /usr/share/samba/setup/ad-schema on my Debian computer. These will show you what objectclasses and attributes are available to you, including the RFC2307 attributes that are standard in AD. You also already have the yp30server.ldif, an examination of this will show you what you added to AD, most of which is never used, the important bit is this:

CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com

Which is where 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' live, these are required by the Unix attributes tab in AD.

> If I do the Samba DC, I'll either have to leave the Windows Servers doing DHCP and DNS or deal with doing all that in Linux/Samba now.... I'd rather do that later.

Again this is easy, we have a wiki page for this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland
Barry D. Adkins
2018-Nov-20 05:29 UTC
[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
While I have all the uid's and gid's entered on every user and group, the server can't find or recognize them. Not in getent, not in commands referencing AD users or groups. I'm going to go ahead and install another Ubuntu server with Samba and create a Samba DC. I'll keep this stand alone server and see if it starts working after I get the Samba DC properly joined to the domain.

The below answers some of your queries and documents how I got the AD Schema into the Windows Schema Master. I don't need help with HOW to do in Windows, just WHAT to do in Windows. I hope to contribute at least a helping hand with linux, samba, and all the other Open systems. I greatly appreciate your assistance and patience with our endeavour with Samba!!

>>> Where did you find this and where have you imported this to and how.
>> Here: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> That is Samba's version of IDMU, didn't know it worked with a Windows DC, good to know though.

>> I used the windows tool LDIFDE to import the schema to the Windows AD Schema. Otherwise there is no schema for the Unix Attributes.

This is what I did. I had also found an internet article for using Samba tools to get the ldif to the Windows Schema master. I didn't try it because I wasn't certain of the samba tool and knew the MS LDIFDE tool would work.

DC1 = Schema Master

Find FSMO's on a Windows DC (schema master is one of them):

    C:\> NetDOM /query FSMO

    # sed -i -e 's/${DOMAINDN}/DC=example,DC=com/g' \
             -e 's/${NETBIOSNAME}/DC1/g' \
             -e 's/${NISDOMAIN}/samdom/g' \
             /tmp/ypServ30.ldif

Move the ypServ30.ldif file you've created here to the Windows DC where you will run ldifde

    C:\utils\> ldifde -i -f ypServ30.ldif -s SchemaMasterDC

> Not sure just what Samba packages you have installed on the Debian computer

From the wiki: https://wiki.samba.org/index.php/Distribution-specific_Package_Installation

I ran the following:

    apt-get install samba winbind libnss-winbind libpam-winbind

One of your comments mentioned: libpam-krb5
So I installed it.

-->> and as well I had previously installed and configured Kerberos:

    apt-get install krb5-user krb5-config
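
Added example (not part of the thread and not Samba's own tooling): a pre-flight check for the rendered ypServ30.ldif before it is passed to ldifde -i. It repeats the three substitutions from the sed command above, reports any ${...} placeholder that was left unreplaced, and lists the DNs the import would add. The function names, the template contents and the 10000 values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. sample_template writes a constructed
# stand-in for the template; it is not the real ypServ30.ldif.

# Escape the characters that are special in a sed replacement: \ / &
esc() { printf '%s' "$1" | sed 's/[\/&]/\\&/g'; }

# render_ldif TEMPLATE DOMAINDN NETBIOSNAME NISDOMAIN -> rendered LDIF on stdout
render_ldif() {
    sed -e "s/\${DOMAINDN}/$(esc "$2")/g" \
        -e "s/\${NETBIOSNAME}/$(esc "$3")/g" \
        -e "s/\${NISDOMAIN}/$(esc "$4")/g" "$1"
}

# Join LDIF continuation lines (a leading space continues the previous line).
unfold() {
    awk 'NR>1 && /^ / { printf "%s", substr($0, 2); next }
         NR>1 { print "" }
         { printf "%s", $0 }
         END { if (NR) print "" }' "$1"
}

# leftover_placeholders FILE -> each distinct ${NAME} that was not replaced
leftover_placeholders() { unfold "$1" | grep -o '\${[A-Za-z0-9_]*}' | sort -u; }

# list_dns FILE -> every DN the import would touch, one per line
list_dns() { unfold "$1" | sed -n 's/^dn: *//p'; }

# ldif_ready FILE -> status 0 only when no placeholder is left
ldif_ready() { [ -z "$(leftover_placeholders "$1")" ]; }

sample_template() {   # constructed input, with one folded dn line
    cat > "$1" <<'EOF'
dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,
 ${DOMAINDN}
changetype: add
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000
description: constructed sample, master ${NETBIOSNAME}
EOF
}

tmp=$(mktemp -d)
sample_template "$tmp/tpl.ldif"
render_ldif "$tmp/tpl.ldif" 'DC=example,DC=com' DC1 samdom > "$tmp/ypServ30.ldif"
if ldif_ready "$tmp/ypServ30.ldif"; then list_dns "$tmp/ypServ30.ldif"
else echo "unreplaced:"; leftover_placeholders "$tmp/ypServ30.ldif"; fi
```
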