[Samba] Samba4 member of an another « Samba4 » domain
François Lafont
flafdivers at free.fr
Wed Apr 10 17:14:56 MDT 2013
On 10/04/2013 06:59, Gémes Géza wrote:
> You should check rfc2307 on the samba AD, if your users do not have
> uidNumber gidNumber attributes they are going to be ignored by the
> winbind daemon if you specify rfc2307 schema mode on the domain member.
If I have understood correctly, when I don't use rfc2307 on the dc server
(this is the default) and I don't use rfc2307 on the member server with
this config:
-------------------------------------------------------------------
# No refer to "rfc2307".
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
It seems to work well, but the uid and gid of the domain accounts
are different between the dc and the member. And if I use rfc2307,
then it's possible to have the same uid and gid on the dc and the
member. Is that correct?
For the moment, I don't succeed in using "rfc2307" with a dc and a
member. Without "rfc2307", I think it works well with:
1. For the dc:
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
realm = CHEZMOI.PRIV
netbios name = WHEEZY-SERVER
server role = active directory domain controller
dns forwarder = 212.27.40.241
[netlogon]
path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-------------------------------------------------------------------
2. And for the member:
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
It works well (imho), but, for each account, the uid/gid are different
between the dc and the member, and I don't like it.
When I try to use "rfc2307", it doesn't work for me (but I must be making
mistakes). For example, I have tried this:
1. On the dc server:
# samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
    --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
    --use-rfc2307
that creates this smb.conf:
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
realm = CHEZMOI.PRIV
netbios name = WHEEZY-SERVER
server role = active directory domain controller
dns forwarder = 212.27.40.241
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-------------------------------------------------------------------
Next, I use winbind in nsswitch.conf in order to resolve the uid/gid -->
names.
2. On the member, I edit this smb.conf file (found here
https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config CHEZMOI:backend = ad
idmap config CHEZMOI:schema_mode = rfc2307
idmap config CHEZMOI:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
and I join the server with "net ads join" (then I use winbind in
nsswitch.conf too).
Next, I create an account on the dc (samba-tool user add test1
--random-password) and, from a Windows workstation, I edit this account
with dsa.msc and I set:
- the UID attribute in the "Unix attributes" tab
- the GID attribute in the "Unix attributes" tab
But the dc and the member seem to ignore these values and, for example,
with "getent passwd" the uid/gid are different for each user between the
dc and the member.
If you have advice or links on installing a dc and a member so that the
uid/gid are the same between the dc and the member, it would interest me
very much. :-)
Thanks in advance.
PS: and very sorry for my poor English.
--
François Lafont
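An added example, not part of François Lafont's message or of the Samba project: a small Python checker for the two points this thread turns on. First, the idmap settings in the member's smb.conf (a default "*" domain exists, every idmap domain has a range, the ranges do not overlap, and an "ad" backend in rfc2307 schema mode is paired with "winbind nss info = rfc2307"). Second, whether each user in an LDIF export of the domain actually carries uidNumber and gidNumber values inside the range configured for that domain, since Géza's point is that winbind ignores users without them (and idmap_ad also ignores IDs outside its range). The smb.conf text is the member config from the post; the LDIF entries are constructed sample data; all function names are my own.

```python
import re
from typing import Dict, List, Tuple

Params = Dict[str, str]
Entry = Dict[str, List[str]]

# Domain-member smb.conf taken from the post (constructed sample input).
SMB_CONF = """
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config CHEZMOI:backend = ad
idmap config CHEZMOI:schema_mode = rfc2307
idmap config CHEZMOI:range = 500-40000
winbind nss info = rfc2307
winbind use default domain = yes
"""

# Constructed LDIF sample: test1 is fine, test2 has a uidNumber outside the
# CHEZMOI range, test3 never got Unix attributes at all.
SAMPLE_LDIF = """
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test1
uidNumber: 10001
gidNumber: 10000

dn: CN=test2,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test2
uidNumber: 50000
gidNumber: 10000

dn: CN=test3,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test3
"""

IDMAP_RE = re.compile(r"^idmap config (?P<domain>[^:]+):(?P<option>\S+)$")


def parse_global(text: str) -> Params:
    """Return the [global] parameters of an smb.conf, keys lower-cased and
    whitespace-normalised so 'idmap config CHEZMOI:range' is found reliably."""
    params: Params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_config(params: Params) -> Dict[str, Params]:
    """Group 'idmap config DOMAIN:option' parameters by domain name."""
    domains: Dict[str, Params] = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m["domain"].strip(), {})[m["option"]] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' (Samba also accepts spaces around the dash)."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", value.strip()))
    if lo > hi:
        raise ValueError(f"inverted range {value!r}")
    return lo, hi


def check_idmap(params: Params) -> List[str]:
    """Return a list of configuration problems; empty means the idmap part looks sane."""
    problems: List[str] = []
    domains = idmap_config(params)
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain (winbind requires one)")
    ranges: Dict[str, Tuple[int, int]] = {}
    for name, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{name}: no backend configured")
        if "range" not in opts:
            problems.append(f"{name}: no range configured")
            continue
        try:
            ranges[name] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):  # idmap ranges must never overlap
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a!r} and {b!r} overlap")
    uses_rfc2307 = any(o.get("backend") == "ad" and o.get("schema_mode") == "rfc2307"
                       for o in domains.values())
    if uses_rfc2307 and params.get("winbind nss info") != "rfc2307":
        problems.append("ad/rfc2307 backend without 'winbind nss info = rfc2307'")
    return problems


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: plain 'attr: value' lines, entries separated by
    blank lines (no base64 '::' values or folded lines, which a real export may contain)."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if ":" in line:
            attr, value = line.split(":", 1)
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def users_ignored_by_winbind(entries: List[Entry], id_range: Tuple[int, int]) -> List[Tuple[str, str]]:
    """List (account, reason) pairs for users the ad backend cannot map:
    missing uidNumber/gidNumber, or an ID outside the configured range."""
    lo, hi = id_range
    ignored: List[Tuple[str, str]] = []
    for entry in entries:
        name = entry.get("sAMAccountName", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                ignored.append((name, f"missing {attr}"))
            elif not lo <= int(entry[attr][0]) <= hi:
                ignored.append((name, f"{attr}={entry[attr][0]} outside {lo}-{hi}"))
    return ignored


if __name__ == "__main__":
    conf = parse_global(SMB_CONF)
    print("idmap problems:", check_idmap(conf) or "none")
    domain_range = parse_range(idmap_config(conf)["chezmoi"]["range"])
    for account, reason in users_ignored_by_winbind(parse_ldif(SAMPLE_LDIF), domain_range):
        print(f"{account}: {reason}")
```

On a real system the LDIF would come from an export of the Users container (for instance with ldbsearch or ldapsearch against the DC), and the range passed to users_ignored_by_winbind is the one from "idmap config CHEZMOI:range" on the member; the two reports together tell you whether a mismatch seen in getent passwd comes from the configuration or from accounts that simply never received Unix attributes.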