hi,

My user must be able to connect under windows and under linux. The home is common. Their home is on the server.

Like there are students - they are identified by their formation (group) and by their login

for example /home/specifique/testlundi
            /home/l1info/testmardi

For me the etudiant belong to a group and I have create each group on OU and I take the last number for sid group for gidnumber - it was to find out which group he belonged to - It's not a good idea ?

on my smb.conf on the server I put

[homes]
   path=/home/%G/%U
   read only = no

Actually - I can't put my client linux in my ad.
net ads join -S nameofsever -U administrator --> doesn't give my response -- It wait ...

my client linux smb.conf is

[global]
   security =ADS
   realm = LENZSPITZE2.CALAIS.FR
   workgroup =LENZSPITZE2
   netbios name = testbugsterl
   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   idmap config LENZSPITZE2 : backend = ad
   idmap config LENZSPITZE2 : schema_mode =rfc2307
   idmap config LENZSPITZE2 : range = 10000-399999999
   idmap config LENZSPITZE2 : unix_nss_info = yes
   template homedir =/etudiants/%U
   template shell =/bin/bash
   winbind nss info = rfc2307
   kerberos method = secrets and keytab
   dedicated keytab file =/etc/krb5.keytab
   winbind refresh tickets =yes
   username map = /etc/samba/samba_usermapping
   winbind use default domain = yes
   log file =/var/log/samba/log.%m
   log level = 3
# for acl support on members servers with shares
   vfs object = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   winbind nss info = rfc2307

On 14/05/2019 at 10:51, Rowland penny via samba wrote:
> On 14/05/2019 09:27, nathalie ramat via samba wrote:
>> hi,
>>
>> I modified my file named.conf.options .
>> When I use dig lenzspitze2.calais.fr I get an answer which contains
>> answer section, authority section and additional section.
>>
>> I haven't map "Domain users" into "user"
>>
>> I recover the last number of sid for the uidnumber and the last
>> number for sid group for gidnumber
>
> It isn't recommended to do that any more, RID's start at '1000' and so
> do local Unix ID's, try starting at the same number that ADUC uses
> '10000'
>
>> But getent passwd testlundi give me this response :
>>
>> LENZSPITZE2\testlundi:*:1108:100:testlundi:/home/LENZSPITZE2/testlundi:/bin/bash
>>
>> The uidnumber is good but not the gidnumber.
>
> I personally don't think the uidNumber is good (see above), but unless
> you give 'Domain Users' a gidNumber, the users GID will always be
> '100', but only on the DC, on any Unix domain members (using the
> winbind 'ad' backend) you will get no AD users.
>
> You also do not need to do any of this if you are either only
> going to use the DC for authentication or as the only Unix fileserver
> (no other Unix computers).
>
>> getent group specifique
>>
>> LENZSPITZE2\specifique:x:1105:
>>
> This will never be used as the users primary group on a Samba AD DC.
>
>> I have always this response when I run smbclient -L localhost -U
>> administrator on my server
>>
>> Enter LENZSPITZE2\administrator's password:
>>
>>     Sharename      Type     Comment
>>     ---------      ----     -------
>>     netlogon       Disk
>>     sysvol         Disk
>>     IPC$           IPC      IPC Service (Samba 4.9.5-Debian)
>> Reconnecting with SMB1 for workgroup listing.
>>
>>     Server              Comment
>>     ---------           -------
>>
>>     Workgroup           Master
>>     ---------           -------
>>
>> I don't have any information for my server.
>
> Neither do I, this is because there is no network browsing on a DC.
>
>> when I run the command smbclient -L debiantest -U administrator on my
>> client linux I have no response .
>>
>> but I can ping debiantest and dig debiantest.lenzspitze2.calais.fr
>> give me a response
>>
>> I am a little confused. I don't know how to search
>>
> Try the command like this:
>
> smbclient -L localhost -N
>
> Rowland
>

--
Nathalie RAMAT-LECLERCQ
Service Informatique
Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux
Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX
On 14/05/2019 10:58, nathalie ramat wrote:
> hi,
>
> My user must be able to connect under windows and under linux. The
> home is common. Their home is on the server.

This is easy

> Like there are students - they are identified by their formation
> (group) and by their login
>
> for example /home/specifique/testlundi
>             /home/l1info/testmardi
>
> For me the etudiant belong to a group and I have create each group on OU

Then you MUST use the winbind 'ad' backend and set smb.conf to use the info stored in AD.

> and I take the last number for sid group for gidnumber - it was to
> find out which group he belonged to - It's not a good idea ?

Definitely not, SID's start at '1000' and so do the Unix ID's, this means that you cannot have any local Unix users. There is also the problem of Domain Users, its RID is '513' and all your users and groups must have Unix ID's (set by uidNumber & gidNumber attributes in AD) inside the range you set in smb.conf

> on my smb.conf on the server I put
>
> [homes]
>    path=/home/%G/%U
>    read only = no
>
> Actually - I can't put my client linux in my ad.
> net ads join -S nameofsever -U administrator --> doesn't give my
> response -- It wait ...
>

You shouldn't need the '-S' option, so is your DNS set up correctly ?

> my client linux smb.conf is
>
> [global]
>    security =ADS
>    realm = LENZSPITZE2.CALAIS.FR
>    workgroup =LENZSPITZE2
>    netbios name = testbugsterl
>    winbind separator = /
>    winbind enum users = yes
>    winbind enum groups = yes

Once you get everything working, remove the two lines above, you only need them for testing purposes.

>    idmap config LENZSPITZE2 : backend = ad
>    idmap config LENZSPITZE2 : schema_mode =rfc2307
>    idmap config LENZSPITZE2 : range = 10000-399999999

Hmm, your lowest ID is probably the one from Domain Users '513', which is less than '10000', this isn't going to work. I would change the uidNumber & gidNumber attributes in AD to match the above range.

>    idmap config LENZSPITZE2 : unix_nss_info = yes
>    template homedir =/etudiants/%U
>    template shell =/bin/bash

Remove the two lines above, for what you want to do, you must obtain this information from AD

>    winbind nss info = rfc2307

You do not require the line above

>    kerberos method = secrets and keytab
>    dedicated keytab file =/etc/krb5.keytab
>    winbind refresh tickets =yes
>    username map = /etc/samba/samba_usermapping
>    winbind use default domain = yes
>    log file =/var/log/samba/log.%m
>    log level = 3
> # for acl support on members servers with shares
>    vfs object = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>    winbind nss info = rfc2307

You still don't need the line above ;-)

Rowland
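The range problem Rowland describes can be checked before joining a member server. The script below is an added example, not code from the thread or from Samba: it reads the `idmap config DOMAIN : range` line out of a constructed smb.conf fragment and tests a constructed set of AD users and groups (their SIDs and uidNumber/gidNumber values are made up) against that range, against IDs already used by local accounts, and against the "last number of the SID" scheme.

```python
import re
# Constructed smb.conf fragment; the idmap line mirrors the one in the thread.
SMB_CONF = """[global]
   idmap config LENZSPITZE2 : backend = ad
   idmap config LENZSPITZE2 : range = 10000-399999999
"""

# Constructed AD objects (SIDs made up): name -> (objectSid, uidNumber/gidNumber or None).
AD_OBJECTS = {
    "Domain Users": ("S-1-5-21-111-222-333-513", None),    # no gidNumber set
    "testlundi":    ("S-1-5-21-111-222-333-1108", 1108),   # uidNumber copied from the RID
    "specifique":   ("S-1-5-21-111-222-333-1105", 1105),   # gidNumber copied from the RID
    "testmardi":    ("S-1-5-21-111-222-333-1109", 10005),  # uidNumber chosen inside the range
}
# Constructed IDs already used by local accounts/groups on the member server.
LOCAL_IDS = {0, 100, 1000, 1105, 1108}

def parse_idmap_range(conf, domain):
    """Return (low, high) from the 'idmap config DOMAIN : range = low-high' line."""
    pat = r"idmap config\s+" + re.escape(domain) + r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.I)
    if not m:
        raise ValueError("no idmap range configured for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))

def rid_of(sid):
    """Last component of a SID: the RID that was being reused as a Unix ID."""
    return int(sid.rsplit("-", 1)[1])

def check_objects(objects, low, high, local_ids=frozenset()):
    """Map each AD object to its problems (an empty list means it maps cleanly)."""
    report = {}
    for name, (sid, unix_id) in objects.items():
        problems = []
        if unix_id is None:
            problems.append("unset")             # winbind 'ad' backend will not map it
        else:
            if not low <= unix_id <= high:
                problems.append("out-of-range")  # outside the idmap range in smb.conf
            if unix_id in local_ids:
                problems.append("collides-local")  # clashes with a local Unix account
            if unix_id == rid_of(sid):
                problems.append("rid-copied")    # the "last number of the SID" scheme
        report[name] = problems
    return report

def ad_backend_usable(report):
    """Domain Users (RID 513) is every user's primary group; it must map cleanly."""
    return report.get("Domain Users") == []
```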
hi

I have successfully integrated my linux client in my domain.
my problem was that for Linux client was in a virtual machine under proxmox - and some ports seem to block
A test with a machine under Virtual box I managed to integrate my client into my ad

But I still have questions.

I put to unixHomeDirectory the directory of my user .
How can I mount it on my client linux ?
Is it possible to use the information with pam_mount module?

I configured my smb.conf on my client

[global]
   security = ads
   realm= lenzspitze2.calais.fr
   workgroup = LENZSPITZE2
   netbios name = clientlinux
   winbind separator = /
   # idmap uid = 0-50000
   # idmap gid = 0-50000
   idmap config * : backend= tdb
   idmap config * : range =0-1000
   winbind enum users = yes
   winbind enum groups = yes
   # idmap config LENZSPITZE :backend=rid
   # idmap config LENZSPITZE :base_rid=0
   idmap config LENZSPITZE2 : backend = ad
   idmap config LENZSPITZE2 : schema_mode =rfc2307
   idmap config LENZSPITZE2 : range = 10000-399999999
   idmap config LENZSPITZE2 : unix_nss_info = yes
   #template homedir = /etudiants/%U
   #template shell = /bin/bash
   encrypt passwords = yes
   winbind nss info = rfc2307
   kerberos method = secrets and keytab
   winbind use default domain = yes
   log file =/var/log/samba/log.%m
   log level = 3
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

When I use mount -t cifs //namserver/test /etudiants/test -o username=test,rw,file_mode=0700,dir_mode=0700,cifsacl - the directory mount - I don't see acl for the directory while I see them on the server.

Thanks for your help.

On 14/05/2019 at 12:40, Rowland penny via samba wrote:
> On 14/05/2019 10:58, nathalie ramat wrote:
>> hi,
>>
>> My user must be able to connect under windows and under linux. The
>> home is common. Their home is on the server.
>
> This is easy
>
>> Like there are students - they are identified by their formation
>> (group) and by their login
>>
>> for example /home/specifique/testlundi
>>             /home/l1info/testmardi
>>
>> For me the etudiant belong to a group and I have create each group
>> on OU
> Then you MUST use the winbind 'ad' backend and set smb.conf to use the
> info stored in AD.
>> and I take the last number for sid group for gidnumber - it was to
>> find out which group he belonged to - It's not a good idea ?
>
> Definitely not, SID's start at '1000' and so do the Unix ID's, this
> means that you cannot have any local Unix users. There is also the
> problem of Domain Users, its RID is '513' and all your users and
> groups must have Unix ID's (set by uidNumber & gidNumber attributes in
> AD) inside the range you set in smb.conf
>
>> on my smb.conf on the server I put
>>
>> [homes]
>>    path=/home/%G/%U
>>    read only = no
>>
>> Actually - I can't put my client linux in my ad.
>> net ads join -S nameofsever -U administrator --> doesn't give my
>> response -- It wait ...
>>
> You shouldn't need the '-S' option, so is your DNS set up correctly ?
>> my client linux smb.conf is
>>
>>  [global]
>>    security =ADS
>>    realm = LENZSPITZE2.CALAIS.FR
>>    workgroup =LENZSPITZE2
>>    netbios name = testbugsterl
>>    winbind separator = /
>>    winbind enum users = yes
>>    winbind enum groups = yes
> Once you get everything working, remove the two lines above, you only
> need them for testing purposes.
>>    idmap config LENZSPITZE2 : backend = ad
>>    idmap config LENZSPITZE2 : schema_mode =rfc2307
>>    idmap config LENZSPITZE2 : range = 10000-399999999
>
> Hmm, your lowest ID is probably the one from Domain Users '513', which
> is less than '10000', this isn't going to work. I would change the
> uidNumber & gidNumber attributes in AD to match the above range.
>
>>    idmap config LENZSPITZE2 : unix_nss_info = yes
>>    template homedir =/etudiants/%U
>>    template shell =/bin/bash
> Remove the two lines above, for what you want to do, you must obtain
> this information from AD
>>    winbind nss info = rfc2307
> You do not require the line above
>>    kerberos method = secrets and keytab
>>    dedicated keytab file =/etc/krb5.keytab
>>    winbind refresh tickets =yes
>>    username map = /etc/samba/samba_usermapping
>>    winbind use default domain = yes
>>    log file =/var/log/samba/log.%m
>>    log level = 3
>> # for acl support on members servers with shares
>>    vfs object = acl_xattr
>>    map acl inherit = yes
>>    store dos attributes = yes
>>    winbind nss info = rfc2307
>
> You still don't need the line above ;-)
>
> Rowland
>