similar to: Reported group membership is different between domain member and Samba ADC

On Fri, 14 Feb 2025 10:03:33 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > On my Linux domain members, group membership for my domain login is > reported as: > > ??? terra #? id SAMDOM\\jgraham > ??? uid=11105(SAMDOM\jgraham) gid=10513(SAMDOM\domain users) > groups=10513(SAMDOM\domain >

On 2/14/25 11:22, Rowland Penny via samba wrote: > Well yes, you can do it that way, but there is an easier way. > There is a group in AD called 'Domain Admins' > Add any AD users that you want to be domain administrators to that > group, then, using visudo add this line to the sudo config: > > %SAMDOM\\domain\ admins ALL=(ALL:ALL) ALL > > Where 'SAMDOM' is

I was experimenting with centralized administration of Linux administrative privileges, so I created the group. (I have to assume that there's nothing fundamentally wrong with creating a domain group for some special purpose.) I then added to /etc/sudoers: ??? %SAMDOM\\wheel ALL=(ALL:ALL) ALL and to /etc/pam.d/su ??? auth??????? required??? pam_wheel.so use_uid group=SAMDOM\wheel With

On Fri, 14 Feb 2025 12:14:18 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > On 2/14/25 11:22, Rowland Penny via samba wrote: > > Well yes, you can do it that way, but there is an easier way. > > There is a group in AD called 'Domain Admins' > > Add any AD users that you want to be domain administrators to that > > group,

On Fri, 14 Feb 2025 10:51:57 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > I was experimenting with centralized administration of Linux > administrative privileges, so I created the group. (I have to assume > that there's nothing fundamentally wrong with creating a domain group > for some special purpose.) I then added to /etc/sudoers:

On 2/14/25 15:01, Rowland Penny via samba wrote: > On Fri, 14 Feb 2025 12:14:18 -0500 > "John R. Graham via samba"<samba at lists.samba.org> wrote: > On 2/14/25 11:22, Rowland Penny via samba wrote: >> So, for an undiagnosed reason, the effective domain membership does >> not include "domain admins" either. >> >> - John > OK, I will

When I put winbindd in offline mode, ??? terra ~ # smbcontrol winbindd offline ??? terra ~ # smbcontrol winbindd onlinestatus ??? PID 20664: global:Offline BUILTIN:Online TERRA:Online HOME:Offline I can successfully log in (with the test shown in the PAM Offline Authentication Wiki article): ??? terra ~ # ssh SAMDOM\\jgraham at localhost ??? (SAMDOM\jgraham at localhost) Password: ???

On 11/25/24 11:26, Rowland Penny via samba wrote: > D, I must go to specsavers, I appear to be going blind ;-) > > you wrote 'smbcontrol winbind offline' and I missed it, the extra 'd' > that is, it should have been: > > smbcontrol winbindd offline > > Rowland Okay, thanks, but I'm going to start over as I appear to have related some incorrect

On 11/27/24 13:20, John R. Graham via samba wrote: > On 11/27/24 12:38, Rowland Penny via samba wrote: >>> Hmm, PAM on Gentoo appears to be very different to Debian. For >>> instance on Debian, to include lines from another file you use >>> '@include' and it includes the entire contents of the file, Gentoo >>> appears to just include the lines

On 11/16/24 11:59, Rowland Penny via samba wrote: > Samba doesn't start any daemons on a Unix domain member, you have to do > it yourself. I did. My Gentoo samba service scripts starts smbd and nmbd. Oh. Ugh. Sorry. Found an untweaked option in the samba service script configuration file--that I had apparently known about while setting up the AD DC--which was necessary to start

...the tests for initial online login to my newly joined Linux domain member the machine through ssh are failing. I ran: ??? terra ~ # ssh HOME\\jgraham at localhost ??? (HOME\jgraham at localhost) Password: ??? (HOME\jgraham at localhost) Password: ??? (HOME\jgraham at localhost) Password: ??? HOME\jgraham at localhost's password: ??? Permission denied, please try again. ???

On Wed, 27 Nov 2024 10:19:48 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > When I put winbindd in offline mode, > > ??? terra ~ # smbcontrol winbindd offline > ??? terra ~ # smbcontrol winbindd onlinestatus > ??? PID 20664: global:Offline BUILTIN:Online TERRA:Online > HOME:Offline > > I can successfully log in (with the test

On Sat, 16 Nov 2024 10:38:06 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > I apparently haven't created the correct formula to get Samba to > start winbindd on my workstation in the process of joining my domain. > Testing winbindd connectivity fails: Samba doesn't start any daemons on a Unix domain member, you have to do it yourself. >

On Sat, 16 Nov 2024 15:44:12 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > On 11/16/24 11:59, Rowland Penny via samba wrote: > > Samba doesn't start any daemons on a Unix domain member, you have > > to do it yourself. > > I did. My Gentoo samba service scripts starts smbd and nmbd. Oh. Ugh. It isn't really required to run nmbd

On 11/13/24 15:54, Rowland Penny via samba wrote: >> ??? log level = 1 >> >> ??? # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool >> >> ??? # Winbindd setup for shares: >> ??? # template shell = /bin/bash >> ??? # template homedir = /home/%U >> >> ??? # idmap_nss plugin setup: >> ??? idmap config * : backend

On Thu, 14 Nov 2024 11:17:11 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > On 11/14/24 10:48, Rowland Penny via samba wrote: > > The only things that a Samba AD DC pulls from AD is the uidNumber > > and gidNumber attributes (if they are set) and only then if > > 'idmap_ldb:use rfc2307 = yes' is set in the DCs smb.conf. > >

On 11/14/24 10:48, Rowland Penny via samba wrote: > The only things that a Samba AD DC pulls from AD is the uidNumber and > gidNumber attributes (if they are set) and only then if 'idmap_ldb:use > rfc2307 = yes' is set in the DCs smb.conf. > > What are you expecting ? > > Rowland Oh. Well, I was expecting that the home directory and the shell attributes would be

On 11/27/24 12:38, Rowland Penny via samba wrote: >> Hmm, PAM on Gentoo appears to be very different to Debian. For >> instance on Debian, to include lines from another file you use >> '@include' and it includes the entire contents of the file, Gentoo >> appears to just include the lines referred to in the first column, >> which, if correct, means that your

Trying out 4.2.0 rc2 and winbindd. Below is the AD DC's smb.conf. Samba on the AD DC is updated from 4.1.3. I'm having trouble getting uid-/gidNumbers. Just xidNumbers are displayed. All domain account and groups have got it assigned. What did I miss? Is it possible that the outcome from the commands run on the AD DC is a product from the fact that the domains NetBIOS-name is EXAMPLE and

On Wed, 13 Nov 2024 15:19:22 -0500 "John R. Graham via samba" <samba at lists.samba.org> wrote: > > On 11/12/24 09:35, Rowland Penny via samba wrote: > > > If you are using Debian, just install the libpam-winbind and > > libnss-winbind packages, open /etc/nsswitch.conf in your favourite > > editor and ensure that the passwd & group lines contain