Hello,

I'm setting up Samba as a Domain Member and there is one thing that doesn't work.

This is the configuration:

Server 1: Samba AD DC 4.10.4 and CentOS
Server 2: File Sharing with Samba 4.8.3 (CentOS package) + winbind

I followed this wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Server 2 is correctly joined to the domain, and wbinfo returns good information. But the 'getent passwd DOMAIN\\user01' command doesn't return anything. However, libnss_winbind is enabled.

This is my smb.conf:

----------------------------------------------------------
[global]

workgroup = DOMAIN
realm = DOMAIN.COM
netbios name = SERVER2
server role = member
security = ADS

bind interfaces only = yes
interfaces = lo em1

log level = 3
log file = /var/log/samba/samba.log
max log size = 50

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-999999
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:unix_primary_group = yes

acl allow execute always = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

encrypt passwords = yes
------------------------------------------------------------

Is there anything I missed?

Thanks!
On 17/06/2019 10:53, Tom via samba wrote:
> Hello,
>
> I'm setting up Samba as a Domain Member and there is one thing that
> doesn't work.
>
> This is the configuration:
>
> Server 1: Samba AD DC 4.10.4 and CentOS
> Server 2: File Sharing with Samba 4.8.3 (CentOS package) + winbind
>
> I followed this wiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Server 2 is correctly joined to the domain, and wbinfo returns good
> information. But the 'getent passwd DOMAIN\\user01' command doesn't
> return anything. However, libnss_winbind is enabled.
>
> This is my smb.conf:
>
> ----------------------------------------------------------
> [global]
>
> workgroup = DOMAIN
> realm = DOMAIN.COM
>
> security = ADS
>
> bind interfaces only = yes
> interfaces = lo em1
>
> log level = 3
> log file = /var/log/samba/samba.log
> max log size = 50
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-999999
> idmap config DOMAIN:unix_nss_info = yes
> idmap config DOMAIN:unix_primary_group = yes
>
> acl allow execute always = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> ------------------------------------------------------------
>
> Is there anything I missed?
>
> Thanks!
>

OK, I 'pruned' your smb.conf; the lines I removed are not actually required, not that they have any connection with your problem ;-)

I think what you are missing is any rfc2307 attributes in AD, have you added any?

Rowland
On 17/06/2019 13:16, Tom wrote:
> Hi Rowland,
>
> Thanks for the pruned SMB ;-)
>
> Regarding the rfc2307 attributes, AD was provisioned with RFC2307
> options. NIS extensions are installed. But I did not add rfc2307
> attributes on users. I thought it was automatic. Should I set this
> manually?

I have updated the wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

An info box, to be precise; it now says:

The RFC2307 attributes (uidNumber, gidNumber, etc) are not added automatically when users or groups are created, you must add them manually.

Does that answer your question? ;-)

I should also add, you must give Domain Users a gidNumber and all numbers used must be inside the DOMAIN range you set in smb.conf.

Rowland
On 17/06/2019 15:17, Tom wrote:
> I succeeded in creating a new user with attributes. Also, I succeeded in
> adding attributes to an existing account. Now the getent command works, so
> thanks for the help ;-)
>
> I've another question. "Domain Users" group already has a gidNumber
> (513). So I modified the DOMAIN range in my smb.conf: 'idmap config
> DOMAIN:range = 500-999999'. But the 'getent group' command still doesn't
> work. Another change to make?
>

I wouldn't use '513'. Use the first available gidNumber in the 10000 range.

Try commenting this line in smb.conf:

idmap config MYDOMAIN : unix_primary_group = yes

restart smbd etc and try again.

Rowland
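The two failure modes in this thread (users with no uidNumber/gidNumber, and Domain Users' default gidNumber 513 sitting below the DOMAIN range) can be checked before touching AD. The script below is an added example, not code from the thread or from Samba; it parses the 'idmap config' lines of an smb.conf fragment and validates a constructed set of AD objects against the domain's range. The smb.conf fragment, the object list and the attribute values are constructed for the example.

```python
import re

# Constructed smb.conf fragment with the thread's idmap settings (not the poster's full file).
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 10000-999999
"""

# Constructed AD objects: (kind, name, RFC2307 attributes); None means the attribute is absent.
AD_OBJECTS = [
    ("user", "user01", {"uidNumber": 10001, "gidNumber": 10000}),
    ("user", "user02", {"uidNumber": None, "gidNumber": None}),  # never given attributes
    ("group", "Domain Users", {"gidNumber": 513}),                # default value, below the range
    ("group", "fileshare", {"gidNumber": 10000}),
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line, whatever the spacing."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg

def check_rfc2307(conf, domain, objects):
    """List why 'getent passwd/group' would return nothing for each object:
    with 'backend = ad', winbind maps an object only when its uidNumber/gidNumber
    exists in AD and lies inside the domain's idmap range."""
    dom = parse_idmap(conf).get(domain, {})
    lo, hi = (int(x) for x in dom["range"].split("-"))
    problems = []
    for kind, name, attrs in objects:
        needed = ("uidNumber", "gidNumber") if kind == "user" else ("gidNumber",)
        for attr in needed:
            v = attrs.get(attr)
            if v is None:
                problems.append(f"{kind} {name}: missing {attr}")
            elif not lo <= v <= hi:
                problems.append(f"{kind} {name}: {attr}={v} outside {domain} range {lo}-{hi}")
    return problems
```

Calling check_rfc2307(SMB_CONF, "DOMAIN", AD_OBJECTS) reports user02's two missing attributes and Domain Users' out-of-range gidNumber, and nothing for the two correctly numbered objects.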