search for: unix_nss_info

Hi, In winbind, are there any plans to add the idmap_ad options "unix_primary_group" and "unix_nss_info" to the idmap_rfc2307 backend? I am using an ldap proxy to preserve the UNIX uids and gids between two domains, and it would be nice to also share the shell setting and the UNIX primary group as well.

On Thu, Dec 19, 2019 at 10:19:28PM +0000, Rowland penny via samba wrote: > On 19/12/2019 21:46, Sebastian Lisic wrote: > >Thanks for the quick reply, Rowland! > > > >The problem I have is that the clients of each domain do not have access to the other domain's DC. Only the DCs of each domain can talk to one another. With Microsoft no longer allowing POSIX attributes to be

...er i can't see id for usernames and groups. This is my smb.conf on dc [global]         netbios name = DC1         realm = LXCERRUTI.COM         server role = active directory domain controller         workgroup = LXCERRUTI         idmap_ldb:use rfc2307 = yes         idmap config DOMAIN : unix_nss_info = yes         ntlm auth = yes         winbind use default domain = yes [netlogon]         path = /usr/local/samba/var/locks/sysvol/lxcerruti.com/scripts         read only = No and this is same file on member: [global]        security = ADS        workgroup = LXCERRUTI        realm = LXCE...

...he member server. Then on the member server add something >> like the following to the smb.conf: idmap config * : backend = tdb >> idmap config * : range = 3000-7999 >> idmap config SAMDOM:backend = ad >> idmap config SAMDOM:schema_mode = rfc2307 >> idmap config SAMDOM:unix_nss_info = yes >> idmap config SAMDOM:range = 10000-999999 >> >> This will also necessitate adding unix attributes to the user >> accounts. > > Not exactly, if the Samba AD DC is only going to be used for > authentication, then you could use the winbind 'rid' backend...

...ow the user, even if the smb.conf appears to be correct. >>> >>> You originally posted this: >>> >>> idmap config FOO:backend = ad >>> idmap config FOO:schema_mode = rfc2307 >>> idmap config FOO:range = 10000-999999 >>> idmap config FOO:unix_nss_info = yes >>> idmap config FOO:unix_primary_group = yes >>> >>> So, does 'vincent' have a uidNumber attribute containing a number >>> inside the range '10000-99999999' AND either a gidnumber attribute >>> containing the gidNumber of an AD gro...

On Thu, 28 Mar 2024 17:00:48 +0100 (CET) Arnaud Bougeard via samba <samba at lists.samba.org> wrote: > Thanks Rowland for you answer. > > I passed the idmap config UR parameter: unix_nss_info to yes and it > works > > I work in university with a large number of users. > The RIDs which I understand like the last digits of the SID are from > 1000 to 300000 and uid from the LDAP are from 500 to 29009894. > > So I don't really know what to do with it ? > &gt...

...rkgroup = MIND idmap config * : backend = tdb idmap config * : range = 2000-7999 idmap config MIND:backend = ad idmap config MIND:schema_mode = rfc2307 idmap config MIND:range = 8000-9999999 # added because 4.6+ no longer understands winbind nss info = rfc2307 idmap config MIND:unix_nss_info = yes # left because 4.5- don’t understand idmap config MIND:unix_nss_info = yes winbind nss info = rfc2307 winbind use default domain = yes # so that the users show up in getent winbind enum users = yes # so that the groups show up in getent winbind enum groups = yes restri...

...onfig * : range = 2000-7999 >> idmap config MIND:backend = ad >> idmap config MIND:schema_mode = rfc2307 >> idmap config MIND:range = 8000-9999999 >> # added because 4.6+ no longer understands >> # winbind nss info = rfc2307 >> idmap config MIND:unix_nss_info = yes >> # left because 4.5- don’t understand >> # idmap config MIND:unix_nss_info = yes >> winbind nss info = rfc2307 > > OK, what version Samba are using on the Unix domain member ? > If you are using 4.6 (or later), remove the 'winbind nss info' line....

...gt; Just because 'wbinfo' shows a user, doesn't mean that a Unix OS will know the user, even if the smb.conf appears to be correct. You originally posted this: idmap config FOO:backend = ad idmap config FOO:schema_mode = rfc2307 idmap config FOO:range = 10000-999999 idmap config FOO:unix_nss_info = yes idmap config FOO:unix_primary_group = yes So, does 'vincent' have a uidNumber attribute containing a number inside the range '10000-99999999' AND either a gidnumber attribute containing the gidNumber of an AD group, or does Domain Users have gidNumber attribute ? The gidNumbe...

...ult domain = yes > > idmap config * : backend = tdb > idmap config * : range = 1000000-1999999 > > idmap config REPO : backend = ad > idmap config REPO : schema_mode = rfc2307 > idmap config REPO : range = 10000-999999 > idmap config REPO : unix_nss_info = yes You need to use the workgroup name, not the netbios name. There will be three domains on your Unix domain member: BUILTIN : Mostly used for the Well Known SIDs SAMDOM : Your AD domain REPO : a local domain and not really relevant > vfs objects = acl_xattr > map acl inher...

Thanks Rowland for you answer. I passed the idmap config UR parameter: unix_nss_info to yes and it works I work in university with a large number of users. The RIDs which I understand like the last digits of the SID are from 1000 to 300000 and uid from the LDAP are from 500 to 29009894. So I don't really know what to do with it ? I modify idmap to: idmap config * : bac...

...config MIND:backend = ad >> >> idmap config MIND:schema_mode = rfc2307 >> >> idmap config MIND:range = 8000-9999999 >> >> # added because 4.6+ no longer understands >> >> # winbind nss info = rfc2307 >> >> idmap config MIND:unix_nss_info = yes >> >> # left because 4.5- don’t understand >> >> # idmap config MIND:unix_nss_info = yes >> >> winbind nss info = rfc2307 >> > >> > OK, what version Samba are using on the Unix domain member ? >> > If you are using 4.6 (o...

...d, this is because from 4.8.0 you must run winbind if using > 'security = ADS' and the two interfere with one another. > > Just remove sssd and everything should work after you replace 'backend = > sss' with 'backend = ad' and add 'idmap config <domain>:unix_nss_info = > yes' > > Rowland > -- E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

...???? idmap config * : backend = tdb >> ??????? idmap config * : range = 1000-2000 >> >> ??????? idmap config SAMDOM:backend = ad >> ??????? idmap config SAMDOM:schema_mode = rfc2307 >> ??????? idmap config SAMDOM:range = 2001-999999 >> ??????? idmap config SAMDOM:unix_nss_info = yes >> >> ??????? template homedir = /home/%U >> ??????? template shell = /bin/bash >> >> ??????? client use spnego = yes >> ??????? client ntlmv2 auth = yes >> ??????? encrypt passwords = yes >> ??????? winbind use default domain = yes >> ???...

...ows a user, doesn't mean that a Unix OS will > know the user, even if the smb.conf appears to be correct. > > You originally posted this: > > idmap config FOO:backend = ad > idmap config FOO:schema_mode = rfc2307 > idmap config FOO:range = 10000-999999 > idmap config FOO:unix_nss_info = yes > idmap config FOO:unix_primary_group = yes > > So, does 'vincent' have a uidNumber attribute containing a number > inside the range '10000-99999999' AND either a gidnumber attribute > containing the gidNumber of an AD group, or does Domain > Users have gidNu...

...>>>>> >>>>> You originally posted this: >>>>> >>>>> idmap config FOO:backend = ad >>>>> idmap config FOO:schema_mode = rfc2307 >>>>> idmap config FOO:range = 10000-999999 >>>>> idmap config FOO:unix_nss_info = yes >>>>> idmap config FOO:unix_primary_group = yes >>>>> >>>>> So, does 'vincent' have a uidNumber attribute containing a number >>>>> inside the range '10000-99999999' AND either a gidnumber attribute >>>>&g...

...gt;> idmap config MIND:schema_mode = rfc2307 >> >> >> idmap config MIND:range = 8000-9999999 >> >> >> # added because 4.6+ no longer understands >> >> >> # winbind nss info = rfc2307 >> >> >> idmap config MIND:unix_nss_info = yes >> >> >> # left because 4.5- don’t understand >> >> >> # idmap config MIND:unix_nss_info = yes >> >> >> winbind nss info = rfc2307 >> >> > >> >> > OK, what version Samba are using on the Unix domain m...

...oups = Yes winbind enum users = Yes idmap config * : backend = tdb idmap config * : range = 3000-7999 idmap config SAMDOM:backend = ad idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM : range = 10000-999999 idmap config SAMDOM : unix_nss_info = yes idmap config SAMDOM:unix_primary_group = yes template shell = /bin/bash template homedir = /share/%U username map = /usr/local/samba/etc/user.map [netlogon] path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts read only = No [s...

...default domain = yes     winbind enum users  = yes     winbind enum groups = yes     idmap config * : backend = tdb     idmap config * : range = 500-599     idmap config A1 :backend = ad     idmap config A1 :schema_mode = rfc2307     idmap config A1 :range = 601-65300     idmap config A1 :unix_nss_info = yes     idmap config A1 :unix_primary_group = yes [netlogon]     path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts     read only = No [sysvol]     path = /var/lib/samba/sysvol     read only = No I dont want to set a winbind template, I do have rfc2307 information for our users and would...

...uch as tdb. idmap config * : backend = tdb idmap config * : range = 1000-2000 # idmap config for the SAMDOM domain idmap config SAMDOM:backend = ad idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM:range = 2001-999999 idmap config SAMDOM:unix_nss_info = yes template homedir = /home/users/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes restrict anonymous = 2 # fix dfs error's in log ? host m...