[Samba] security = ads parameter not working in samba 4.9.5
Sérgio Basto
sergio at serjux.com
Wed Nov 27 15:30:27 UTC 2019
On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > Sorry I meant man idmap_ad. But checking again man is equal of
> > https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> > page [1]
> >
> > Examples don't mention netbios name ... I did [2] which instead use
> > workgroup I used netbios name and it is working but still don't
> > know
> > why or even if it correct .
> You do not need to set 'netbios name', it will be set for you from
> the
> hostname
> >
> >
> > [2]
> > [global]
> > netbios name = REPO
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.EXAMPLE.COM
> >
> > winbind use default domain = yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config REPO : backend = ad
> > idmap config REPO : schema_mode = rfc2307
> > idmap config REPO : range = 10000-999999
> > idmap config REPO : unix_nss_info = yes
>
> You need to use the workgroup name, not the netbios name. There will
> be
> three domains on your Unix domain member:
>
> BUILTIN : Mostly used for the Well Known SIDs
>
> SAMDOM : Your AD domain
>
> REPO : a local domain and not really relevant
Hi, many thanks for the reply and it started to work but I had to use
realm
security = ADS
workgroup = SAMDOM
realm = SAMDOM.LOCAL
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config SAMDOM.LOCAL : backend = ad
idmap config SAMDOM.LOCAL : schema_mode = rfc2307
idmap config SAMDOM.LOCAL : range = 10000-999999
idmap config SAMDOM.LOCAL : unix_nss_info = yes
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > template shell = /bin/false
> > template homedir = /srv/samba/users/%U
> > username map = /var/lib/samba/user.map
> >
> >
> >
> > [1]
> > EXAMPLES
> > The following example shows how to retrieve idmappings from
> > our
> > principal and trusted AD domains. If trusted domains are present id
> > conflicts must be resolved beforehand, there is no
> > guarantee on
> > the order conflicting mappings would be resolved at this point.
> > This example also shows how to leave a small non
> > conflicting
> > range for local id allocation that may be used in internal backends
> > like BUILTIN.
> >
> > [global]
> > workgroup = CORP
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config CORP : backend = ad
> > idmap config CORP : range = 1000-999999
>
> Rowland
>
>
>
--
Sérgio M. B.
More information about the samba
mailing list