Luis Peromarta
2023-Apr-27 09:15 UTC
[Samba] Unix Attributes not working as expected in a member server
Hi there,

I have a working SAMBA environment mainly for Windows Users. 3xDCs, 1 file server, 1 print server as member servers. File sharing / printing works perfectly. AD backend with RFC2307.

I am trying to get AD users to work in the file server (login to the server).

I have populated in ADUC

LoginShell /bin/bash

and

unixHomeDirectory /data/users/otros/luis

However when I try

# getent passwd luis
luis:*:10005:10000:Luis Peromarta:/home/MAD/luis:/bin/false

None of the parameters are read correctly from AD - maybe they are not read at all?

Relevant portion of the server's smb.conf:

[global]
security = ADS
workgroup = MAD
realm = MAD.MATER.INT
netbios name = SERVER
server role = member server
log file = /var/log/samba/%m.log
# interfaces = lo enp1s0
# bind interfaces only = yes

# To enable Group Policy application in winbind,
apply group policies = yes

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the MAD domain
idmap config MAD:backend = ad
idmap config MAD:schema_mode = rfc2307
idmap config MAD:range = 10000-999999

# winbind config:
winbind nss info = rfc2307
winbind use default domain = yes
# winbind enum users = yes
# winbind enum groups = yes

# renew the kerberos ticket
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map

# To configure shares using extended access control lists (ACL)
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes

What am I doing wrong?

Thanks in advance, all the best,
Rowland Penny
2023-Apr-27 09:28 UTC
[Samba] Unix Attributes not working as expected in a member server
On 27/04/2023 10:15, Luis Peromarta via samba wrote:
> Hi there,
>
> I have a working SAMBA environment mainly for Windows Users. 3xDCs, 1 file server, 1 print server as member servers. File sharing / printing works perfectly. AD backend with RFC2307.
>
> I am trying to get AD users to work in the file server (login to the server).
>
> I have populated in ADUC
>
> LoginShell /bin/bash
>
> and
>
> unixHomeDirectory /data/users/otros/luis
>
> However when I try
>
> # getent passwd luis
> luis:*:10005:10000:Luis Peromarta:/home/MAD/luis:/bin/false
>
> None of the parameters are read correctly from AD - maybe they are not read at all?
>
> Relevant portion of the server's smb.conf:
>
> [global]
> security = ADS
> workgroup = MAD
> realm = MAD.MATER.INT
> netbios name = SERVER
> server role = member server
> log file = /var/log/samba/%m.log
> # interfaces = lo enp1s0
> # bind interfaces only = yes
>
> # To enable Group Policy application in winbind,
> apply group policies = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> # idmap config for the MAD domain
> idmap config MAD:backend = ad
> idmap config MAD:schema_mode = rfc2307
> idmap config MAD:range = 10000-999999
>
> # winbind config:
> winbind nss info = rfc2307
>
> What am I doing wrong?

Probably not reading 'man idmap_ad', where you will find:

unix_nss_info = yes/no

If set to yes winbind will retrieve the login shell and home directory from the LDAP attributes. If set to no or the AD LDAP entry lacks the SFU attributes the options template shell and template homedir are used.

Default: no

Which means, replace 'winbind nss info = rfc2307' with 'idmap config MAD : unix_nss_info = yes'

Rowland
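As an added example (not code from the thread or from the Samba project), a small POSIX shell check that reads an smb.conf and reports, for every domain configured with the ad idmap backend, whether that domain also has unix_nss_info = yes; the embedded sample smb.conf is constructed to mirror the poster's configuration, including the missing setting.

```shell
#!/bin/sh
# Added check, not from the thread: verify that each 'idmap config <DOM>:backend = ad'
# domain also sets 'idmap config <DOM>:unix_nss_info = yes'. Without it winbind
# ignores loginShell/unixHomeDirectory and falls back to 'template shell' and
# 'template homedir' (see 'man idmap_ad'), which is what the poster observed.

# Constructed sample that mirrors the poster's smb.conf (unix_nss_info absent).
SAMPLE_CONF='[global]
security = ADS
workgroup = MAD
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MAD:backend = ad
idmap config MAD:schema_mode = rfc2307
idmap config MAD:range = 10000-999999
winbind nss info = rfc2307
'

# check_unix_nss_info <smb.conf>
# Prints "OK <DOM>" or "MISSING <DOM>" for each ad-backend domain.
# Returns 1 if any ad-backend domain lacks unix_nss_info = yes, else 0.
check_unix_nss_info() {
    conf="$1"
    rc=0
    # Normalise whitespace around ':' and '=' so "MAD : backend = ad"
    # and "MAD:backend=ad" are treated the same way (Samba accepts both).
    norm=$(sed -e 's/[[:space:]]*:[[:space:]]*/:/g' \
               -e 's/[[:space:]]*=[[:space:]]*/=/g' "$conf")
    # Domains using the ad backend (the '*' default domain is excluded).
    for dom in $(printf '%s\n' "$norm" | sed -n 's/^idmap config \([^:*]*\):backend=ad$/\1/p'); do
        if printf '%s\n' "$norm" | grep -q "^idmap config $dom:unix_nss_info=yes$"; then
            echo "OK $dom"
        else
            echo "MISSING $dom"
            rc=1
        fi
    done
    # The global 'winbind nss info' line does not enable per-domain lookup;
    # the thread's advice is to replace it with the unix_nss_info setting.
    if printf '%s\n' "$norm" | grep -q '^winbind nss info=rfc2307$'; then
        echo "NOTE: 'winbind nss info = rfc2307' present; use per-domain unix_nss_info instead" >&2
    fi
    return $rc
}

# Usage against the constructed sample (run with /etc/samba/smb.conf on a real host).
tmpf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmpf"
check_unix_nss_info "$tmpf" || echo "fix: add 'idmap config <DOM> : unix_nss_info = yes'"
rm -f "$tmpf"
```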