Hello everyone. I thought I had everything configured correctly but it seems not. I've got two servers. One is the AD DC and another that has been joined to the domain. This is the output I get first from the AD DC when I do a getent:

root@dc1:/etc# getent group 'Domain Admins'
AD\domain admins:x:3000004:
root@dc1:/etc# getent passwd 'stephen'
AD\stephen:*:10000:4:Stephen T. Atkins:/home/AD/stephen:/bin/bash

And then from my fileserver (joined to the domain):

root@fileserver:/etc# getent group 'Domain Admins'
domain admins:x:10017:
root@fileserver:/etc# getent passwd 'stephen'
stephen:*:10000:10004:Stephen Atkins:/home/AD/stephen:/bin/bash

The UID is the same on both but the DC returns a GID of 4 but on the fileserver it returns 10004.

Also concerning is that the DC returns 3000004 for Domain Admins and the fileserver returns 10017.

I know I'm probably missing something but I'm just not sure where to look next.

My nsswitch.conf for the DC is:

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

and for the fileserver:

passwd: compat winbind systemd
group: compat winbind systemd
shadow: compat winbind
gshadow: files

Let me know if you would like to see any other config files.

-- 
Stephen Atkins
On 22/10/2019 15:32, Stephen Atkins via samba wrote:
> Hello everyone. I thought I had everything configured correctly but
> it seems not. I've got two servers. One is the AD DC and another
> that has been joined to the domain. This is the output I get first
> from the AD DC when I do a getent:
>
> root@dc1:/etc# getent group 'Domain Admins'
> AD\domain admins:x:3000004:
> root@dc1:/etc# getent passwd 'stephen'
> AD\stephen:*:10000:4:Stephen T. Atkins:/home/AD/stephen:/bin/bash
>
> And then from my fileserver (joined to the domain):
>
> root@fileserver:/etc# getent group 'Domain Admins'
> domain admins:x:10017:
> root@fileserver:/etc# getent passwd 'stephen'
> stephen:*:10000:10004:Stephen Atkins:/home/AD/stephen:/bin/bash
>
> The UID is the same on both but the DC returns a GID of 4 but on the
> fileserver it returns 10004.
>
> Also concerning is that the DC returns 3000004 for Domain Admins and
> the fileserver returns 10017.

Have you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

>
> Let me know if you would like to see any other config files.
>

Yes, can we see your smb.conf files.

It looks like you have given your user a uidNumber attribute, but haven't given 'Domain Users' a gidNumber attribute. What OS is this? '4' isn't an ID for the 'users' group that I have come across. Though thinking about it, perhaps the question is, just where have you set that '4'?

Rowland
On 22/10/2019 8:32 a.m., Stephen Atkins via samba wrote:
> Hello everyone. I thought I had everything configured correctly but it
> seems not. I've got two servers. One is the AD DC and another that has
> been joined to the domain. This is the output I get first from the AD
> DC when I do a getent:

I think I got it figured out. It does seem that I had a couple of issues with my smb.conf files but also I had logged in to the DC before I had set the UID/GID on my user. I ran the net cache flush and now it's returning the proper IDs.

-- 
Stephen Atkins
On 22/10/2019 16:01, Stephen Atkins wrote:
> On 22/10/2019 8:48 a.m., Rowland penny via samba wrote:
>
>> Have you read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
> I have and I thought I set it up correctly. I followed the
> idmap_config_ad link to setup my domain member. But I'm going over it
> again as I'm sure I missed something.
>
>>>
>>> Let me know if you would like to see any other config files.
>>>
>> Yes, can we see your smb.conf files.
>>
>> It looks like you have given your user a uidNumber attribute, but
>> haven't given 'Domain Users' a gidNumber attribute. What OS is this
>> ? '4' isn't an ID for the 'users' group that I have come across.
>> Though thinking about it, perhaps the question is, just where have
>> you set that '4' ?
>
> I had set the Primary GID in the Unix Attributes section for that user
> to 4 (which I can't remember why I did) but have since changed it to
> "Domain Admins". For the Domain Admins group I have set the GID to
> 10004.

Try setting the gidNumber for 'Domain Users' to '10000'

>
> My smb.conf for the AD DC is:
>
> # Global parameters
> [global]
>         netbios name = DC1
>         realm = AD.MDWAINWRIGHT.CA
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbi$
>         workgroup = AD
>
>         idmap_ldb:use rfc2307 = yes
>
>         template homedir = /home/%D/%U

You do not need the above line, it is the default

>         template shell = /bin/bash

This is okay, but only required if your users will log into the DC

>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes

Remove the three lines above, they should not be in a DC smb.conf

>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.mdwainwright.ca/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> My smb.conf for the fileserver is:
> [global]
>         workgroup = AD
>         realm = AD.MDWAINWRIGHT.CA
>         netbios name = FILESERVER
>         security = ADS
>         dns forwarder = 192.168.1.3

No, you do not have a dns forwarder on a Unix domain member

>
> #       idmap config * : backend = tdb
> #       idmap config *:range = 10000-50000

Interesting, you have commented out something you need (with an incorrect range) but you haven't added the required replacements, are you using sssd? If so, then stop, it isn't supported. Try adding these lines:

    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config AD : backend = ad
    idmap config AD : schema_mode = rfc2307
    idmap config AD : unix_nss_info = yes
    idmap config AD : range = 10000-999999

>         idmap_ldb:use rfc2307 = yes

Remove the line above, it is only used on a DC

>
>         winbind use default domain = true

OK

>         winbind offline logon = false
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes

Remove the four lines above, they are not required.

>
>
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
> [shared]
>         path = /mnt/usershares
>         read only = no
>
> [users]
>         path = /home/AD
>         read only = no
>

Rowland
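The reply above boils down to a handful of checks on the [global] section: DC-only keys must not appear on a member, the member needs both an `idmap config *` backend/range and an `idmap config AD` backend/range, and the two ranges must not overlap (on a DC, IDs with no uidNumber/gidNumber in AD are allocated from idmap.ldb, which is why the DC shows 3000004 for Domain Admins while the member, reading the gidNumber through the ad backend, shows the value set in AD). The following script is an added example, not code from the thread or from the Samba project: it parses an smb.conf the way smbd reads it (comments dropped, key spacing normalised) and reports those findings. The key lists encode only the advice in Rowland's reply, not Samba's own validation; the sample configs are constructed from the files quoted above, trimmed to the relevant keys.

```python
import re

# Settings Rowland's reply flags; these tuples summarise the thread's advice,
# not Samba's own checks (assumption).
DC_ONLY_KEYS = ("idmap_ldb:use rfc2307",)
NOT_ON_MEMBER_KEYS = ("dns forwarder", "winbind offline logon", "winbind nss info",
                      "winbind enum users", "winbind enum groups")
NOT_ON_DC_KEYS = ("vfs objects", "map acl inherit", "store dos attributes")


def _norm_key(key):
    # 'idmap config AD : backend' -> 'idmap config ad:backend', so the spacing
    # variants seen in the thread compare equal
    key = re.sub(r"\s+", " ", key.strip().lower())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text):
    """Return {section: {key: value}}; comment lines are dropped, so a
    commented-out idmap line counts as absent, exactly as smbd treats it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm_key(key)] = value.strip()
    return sections


def parse_range(value):
    """'3000-7999' -> (3000, 7999); ValueError on malformed or inverted input."""
    lo, hi = (int(part) for part in value.split("-", 1))
    if lo >= hi:
        raise ValueError(f"empty or inverted range {value!r}")
    return lo, hi


def lint_smb_conf(text, domain="AD"):
    """Return a list of findings for the [global] section; empty means clean."""
    g = parse_smb_conf(text).get("global", {})
    problems = []
    if "domain controller" in g.get("server role", "").lower():
        for k in NOT_ON_DC_KEYS:
            if k in g:
                problems.append(f"DC: '{k}' should not be in a DC smb.conf")
        return problems
    for k in DC_ONLY_KEYS:
        if k in g:
            problems.append(f"member: '{k}' is only used on a DC")
    for k in NOT_ON_MEMBER_KEYS:
        if k in g:
            problems.append(f"member: '{k}' is not required")
    dom, ranges = domain.lower(), {}
    for name in ("*", dom):
        if f"idmap config {name}:backend" not in g:
            problems.append(f"member: missing 'idmap config {name} : backend'")
        rng = g.get(f"idmap config {name}:range")
        if rng is None:
            problems.append(f"member: missing 'idmap config {name} : range'")
        else:
            try:
                ranges[name] = parse_range(rng)
            except ValueError:
                problems.append(f"member: bad range '{rng}' for '{name}'")
    if "*" in ranges and dom in ranges:
        (a, b), (c, d) = ranges["*"], ranges[dom]
        if a <= d and c <= b:  # the '*' and domain ranges must not overlap
            problems.append("member: default '*' range overlaps the domain range")
    return problems


# Constructed from the fileserver smb.conf quoted in the thread (trimmed to the
# relevant keys), as posted and after applying the advice in the reply.
POSTED_MEMBER_CONF = """\
[global]
        dns forwarder = 192.168.1.3
#       idmap config * : backend = tdb
#       idmap config *:range = 10000-50000
        idmap_ldb:use rfc2307 = yes
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
"""

CORRECTED_MEMBER_CONF = """\
[global]
        idmap config *:backend = tdb
        idmap config *:range = 3000-7999
        idmap config AD : backend = ad
        idmap config AD : schema_mode = rfc2307
        idmap config AD : unix_nss_info = yes
        idmap config AD : range = 10000-999999
        winbind use default domain = true
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_MEMBER_CONF), ("corrected", CORRECTED_MEMBER_CONF)):
        print(label, lint_smb_conf(conf) or ["no findings"])
```

Run it against a real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; the posted config yields ten findings (the DC-only idmap_ldb line, the five unneeded keys, and the four missing idmap lines), the corrected one none. Because comments are skipped before lookup, the two commented-out idmap lines in the posted config are reported as missing rather than as present, which is what smbd would see too.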
On 22/10/2019 16:19, Stephen Atkins via samba wrote:
> On 22/10/2019 8:32 a.m., Stephen Atkins via samba wrote:
>> Hello everyone. I thought I had everything configured correctly but
>> it seems not. I've got two servers. One is the AD DC and another
>> that has been joined to the domain. This is the output I get first
>> from the AD DC when I do a getent:
>
> I think I got it figured out. It does seem that I had a couple of
> issues with my smb.conf files but also I had logged in to the DC
> before I had set the UID/GID on my user. I ran the net cache flush
> and now it's returning the proper IDs.
>

If you haven't changed that '4', I very much doubt it is ;-)

Rowland