Hai Rowland,

Maybe I didn't understand your reply that well, but why would you change it?

All (linux) users have minimum_uid=1000 and start at 1000.
All (windows) users (samba) are above minimum_uid=1000

So in my opinion, you should not need to change this.
Unless your users start below 1000.

Also cat /etc/adduser.conf shows ( For Debian/Buster )

# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
# allocated user accounts/groups.
FIRST_UID=1000
LAST_UID=29999

FIRST_GID=1000
LAST_GID=29999

If you can give me an example when it's not working, I'll have a look at it..

The new member setup its progress is going as expected so far.
I hope to have it so online. ( but the complete )

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Thursday 9 July 2020 10:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Users on Linux Laptop
>
> On 09/07/2020 09:29, L.P.H. van Belle via samba wrote:
> >> - How can I cache logins infos, for offline login
> >> (e.g. when only wlan is available or to start vpn after login to get
> >> access to shares)
> > cat /etc/pam.d/common-auth
> > Verify if you see.
> >
> > # here are the per-package modules (the "Primary" block)
> > auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
>
> I change the '1000' to the DOMAIN low range number I set in smb.conf,
> otherwise you cannot change the password for any local users.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 09/07/2020 09:50, L.P.H. van Belle via samba wrote:
> Hai Rowland,
>
> Maybe I didn't understand your reply that well, but why would you change it?
>
> All (linux) users have minimum_uid=1000 and start at 1000.
> All (windows) users (samba) are above minimum_uid=1000
>
> So in my opinion, you should not need to change this.
> Unless your users start below 1000.
>
> Also cat /etc/adduser.conf shows ( For Debian/Buster )
>
> # FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
> # allocated user accounts/groups.
> FIRST_UID=1000
> LAST_UID=29999
>
> FIRST_GID=1000
> LAST_GID=29999
>
> If you can give me an example when it's not working, I'll have a look at it..

OK, if you use 1000 and try to change the password for a local Unix user
(not to be confused with a domain Unix user), you get this:

pi@raspberrypi:~ $ sudo passwd adminuser
Current Kerberos password:

But if you use the low range number instead of '1000', you get:

pi@raspberrypi:~ $ sudo passwd adminuser
Enter new password:

Rowland

Ahha, perfect, nice.

So per example. ( from my setup )
idmap config *:range = 2000-9999
idmap config SAMDOM : range = 10000-3999999

And if I understood it right we should use 10000

Can you try this :

sed -i "s/pam_krb5.so minimum_uid=1000/pam_krb5.so minimum_uid=$(grep range /etc/samba/smb.conf|grep -v \* |cut -d"=" -f2 | cut -d"-" -f1|cut -c2-10000000000)/g" /usr/share/pam-configs/krb5
pam-auth-update

Looks good to me.
Or we could try to change required to sufficient in /usr/share/pam-configs/krb5
Still reading a bit on this part.

:-)

Greetz,

Louis
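
The check discussed in the messages above, as an added example that is not part of the original thread: a read-only audit that compares the minimum_uid given to pam_krb5 with the domain idmap low range and lists the local accounts that fall in between. The function names, the sample files and the common-password style PAM line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pam_krb5 minimum_uid against the Samba domain idmap range.
# File paths are arguments, so the check can be run on copies of the real files.

# Low end of the first non-default idmap range (skips "idmap config * : range").
domain_low_range() {
    awk -F= 'tolower($1) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^*:]+:[ \t]*range[ \t]*$/ {
        split($2, r, "-"); gsub(/[ \t]/, "", r[1]); print r[1]; exit }' "$1"
}

# Lowest minimum_uid= value on an uncommented pam_krb5.so line.
pam_krb5_min_uid() {
    sed -n '/^[[:space:]]*#/d; /pam_krb5\.so/s/.*minimum_uid=\([0-9][0-9]*\).*/\1/p' "$1" |
        sort -n | head -n 1
}

# Local accounts with minimum_uid <= UID < domain low range: pam_krb5 handles
# these although they are not domain users.
local_users_seen_by_krb5() {    # $1=passwd file  $2=minimum_uid  $3=domain low
    awk -F: -v min="$2" -v low="$3" '$3 >= min && $3 < low { print $1 }' "$1" |
        paste -s -d, -
}

audit() {    # $1=smb.conf  $2=PAM file  $3=passwd file
    low=$(domain_low_range "$1"); min=$(pam_krb5_min_uid "$2")
    if [ -z "$low" ] || [ -z "$min" ]; then echo "UNKNOWN"; return 2; fi
    if [ "$min" -lt "$low" ]; then
        echo "MISMATCH minimum_uid=$min domain_low=$low local_users=$(local_users_seen_by_krb5 "$3" "$min" "$low")"
        return 1
    fi
    echo "OK minimum_uid=$min domain_low=$low"
}

# Constructed sample files (not taken from a real host).
write_samples() {    # $1=directory
    printf '%s\n' '[global]' 'idmap config *:range = 2000-9999' \
        'idmap config SAMDOM : range = 10000-3999999' > "$1/smb.conf"
    printf '%s\n' '#password sufficient pam_krb5.so minimum_uid=500' \
        'password [success=2 default=ignore] pam_krb5.so minimum_uid=1000' > "$1/pam"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'pi:x:1000:1000::/home/pi:/bin/sh' \
        'adminuser:x:1001:1001::/home/adminuser:/bin/sh' > "$1/passwd"
}

demo=$(mktemp -d) && write_samples "$demo"
audit "$demo/smb.conf" "$demo/pam" "$demo/passwd" || true
rm -rf "$demo"
```

On a real host the passwd argument should be the local /etc/passwd file, not getent output, so that only local accounts are listed.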

Just in case this is relevant in a larger scope. Linux containers use 10000 as container root uid. I assume this may cause 'interplay' in some setups.

- - Joris

That's great info I didn't know.
I'll keep that in mind for the new howto.

Thank you.

@Rowland, this is something we need to add to the wiki.

Greetz,

Louis