On 22.03.19 at 11:01, Rowland Penny via samba wrote:
>> Would the users themselves need some editing as well (inside LDAP/AD)?
>
> This is really up to you, you could, if you so wish, remove all the
> rfc2307 attributes from AD, or you could just ignore them.

nice. sounds like my weekend project ;-) *sigh*

thanks a lot ... will check my backups asap

On 22.03.19 at 11:43, Stefan G. Weichinger via samba wrote:
> On 22.03.19 at 11:01, Rowland Penny via samba wrote:
>
>>> Would the users themselves need some editing as well (inside LDAP/AD)?
>>
>> This is really up to you, you could, if you so wish, remove all the
>> rfc2307 attributes from AD, or you could just ignore them.
>
> nice. sounds like my weekend project ;-) *sigh*
>
> thanks a lot ... will check my backups asap

change is through, my tests look good to me

I now run on the DM server:

# samba-tool testparm

[global]
dedicated keytab file = /etc/krb5.keytab
interfaces = bond0
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
log level = 2
printcap name = /dev/null
realm = ARBEITSGRUPPE.MY-TLD.AT
security = ADS
template homedir = /mnt/samba/Daten/%U
template shell = /bin/bash
username map = /etc/samba/user.map
winbind nss info = template
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = ARBEITSGRUPPE
idmap config arbeitsgruppe:schema_mode = rfc2307
idmap config arbeitsgruppe:unix_nss_info = yes
idmap config arbeitsgruppe:range = 10000-999999
idmap config arbeitsgruppe:backend = rid
idmap config * : range = 2000-3999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

I maybe even will reduce the range down to "10000-11000" or so ... only
<100 users there for the next years.

On Fri, 22 Mar 2019 16:11:58 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 22.03.19 at 11:43, Stefan G. Weichinger via samba wrote:
> > On 22.03.19 at 11:01, Rowland Penny via samba wrote:
> >
> >>> Would the users themselves need some editing as well (inside
> >>> LDAP/AD)?
> >>
> >> This is really up to you, you could, if you so wish, remove all the
> >> rfc2307 attributes from AD, or you could just ignore them.
> >
> > nice. sounds like my weekend project ;-) *sigh*
> >
> > thanks a lot ... will check my backups asap
>
> change is through, my tests look good to me
>
> I now run on the DM server:
>
>
> # samba-tool testparm
>
> [global]
> dedicated keytab file = /etc/krb5.keytab
> interfaces = bond0
> kerberos method = secrets and keytab
> log file = /var/log/samba/%m.log
> log level = 2
> printcap name = /dev/null
> realm = ARBEITSGRUPPE.MY-TLD.AT
> security = ADS
> template homedir = /mnt/samba/Daten/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
> winbind nss info = template
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = ARBEITSGRUPPE
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:unix_nss_info = yes

You can remove the two lines above, they are not used with the 'rid'
backend.

Rowland
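
An added example, not part of the thread and not Samba code: a Python check over the idmap lines of the testparm output posted above. It flags the two options the reply names as unused with the 'rid' backend, checks that idmap ranges do not overlap, and applies the mapping formula from idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to test whether a given highest RID still fits the range; `highest_rid` and the function names are assumptions of this example.

```python
import re

# Constructed sample: the idmap lines from the testparm output in the thread.
SAMPLE = """\
idmap config arbeitsgruppe:schema_mode = rfc2307
idmap config arbeitsgruppe:unix_nss_info = yes
idmap config arbeitsgruppe:range = 10000-999999
idmap config arbeitsgruppe:backend = rid
idmap config * : range = 2000-3999
idmap config * : backend = tdb
"""

# Options the reply in the thread names as not used with the 'rid' backend.
UNUSED_WITH_RID = {"schema_mode", "unix_nss_info"}
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from smb.conf or testparm text."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def audit(text, highest_rid=None):
    """Return findings; highest_rid is the largest RID in use (hypothetical input)."""
    findings, ranges = [], []
    for dom, opts in parse_idmap(text).items():
        span = None
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            span = high - low
            ranges.append((low, high, dom))
        if opts.get("backend", "").lower() != "rid":
            continue
        for opt in sorted(opts.keys() & UNUSED_WITH_RID):
            findings.append(f"{dom}: '{opt}' is not used with backend rid")
        # idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, so the largest
        # mappable RID is HIGH - LOW + BASE_RID (base_rid defaults to 0).
        if span is not None and highest_rid is not None:
            max_rid = span + int(opts.get("base_rid", 0))
            if highest_rid > max_rid:
                findings.append(f"{dom}: RID {highest_rid} exceeds max mappable RID {max_rid}")
    ranges.sort()
    for (l1, h1, d1), (l2, h2, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"{d1} and {d2}: idmap ranges overlap")
    return findings
```

The rid backend maps by RID, not by user count, so with the default base_rid of 0 a range of 10000-11000 only covers RIDs up to 1000.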