[Samba] New ADC configuration
Rowland Penny
rowlandpenny at googlemail.com
Tue Jul 16 09:42:48 MDT 2013
Hi,

Have you given your users & groups a uidNumber and/or gidNumber on the
server?

Rowland
On 16 July 2013 16:03, Matthew Daubenspeck <matt at oddprocess.org> wrote:
> On Mon, Jul 15, 2013 at 09:19:48PM +0200, Marc Muehlfeld wrote:
> > If you have multiple DCs, then the domain group/user/etc. stuff is
> > automatically on each DC (directory replication). Member servers are
> > getting the xID information from the DCs. And for that you need an Idmap
> > configuration.
> >
> > For your member servers, I recommend using backend AD and retrieving the
> > xIDs from AD. Then you can edit the unix user/group information directly from
> > ADUC, with all other account data. An example is in the HowTo:
> > https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf
> > Also then your user/groups have the same xIDs on all members.
>
> It looks like I am close. I followed the wiki, replacing the necessary
> items and started smbd, nmbd, and winbindd. The net ads join initially
> failed with some DNS issues, I fixed those, and the join succeeded. Here
> is what works:
>
> # wbinfo -p
> Ping to winbindd succeeded
>
> # wbinfo -u
> administrator
> testuser1
> testuser
> krbtgt
> guest
>
> Newly added users appear as well, after the winbind cache time is up.
>
> # wbinfo -g
> allowed rodc password replication group
> enterprise read-only domain controllers
> denied rodc password replication group
> read-only domain controllers
> group policy creator owners
> ...
>
> However, I can't seem to get getent or id working.
>
> # id administrator
> id: administrator: no such user
>
> # id testuser1
> id: testuser1: no such user
>
> However, if I create a temporary local user, then it seems to work
>
> # id testuser1
> uid=1002(testuser1) gid=1002(testuser1)
> groups=1002(testuser1),4294967295,70002(BUILTIN\users)
>
> Here is nsswitch.conf
>
> # Begin /etc/nsswitch.conf
>
> passwd: files winbind
> group: files winbind
>
> What could I be missing? Here is smb.conf on the member server:
>
> [global]
>
> workgroup = NWLTECH
> security = ADS
> realm = NWLTECH.ORG
> encrypt passwords = yes
> log level = 3
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config NWLTECH:backend = ad
> idmap config NWLTECH:schema_mode = rfc2307
> idmap config NWLTECH:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> [share1]
> path = /home/samba/share1
> read only = no
>
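Rowland's question points at the usual cause of this symptom: with `idmap config NWLTECH:backend = ad`, winbind only resolves an account whose `uidNumber`/`gidNumber` attribute exists in AD and falls inside that domain's configured range, whereas `wbinfo -u` enumerates accounts regardless of mapping. The script below is an added example (not from the thread and not Samba's own code) that parses the member-server smb.conf posted above, checks the idmap ranges for gaps and overlap (an overlap between the `*` default range and the domain range lets two different SIDs land on the same uid/gid), classifies an account by a uidNumber value, and counts unmapped groups in `id` output, where it assumes `4294967295` (all-ones gid) is what `id` prints for a group SID that winbind could not map. The uidNumber values passed in are constructed, not taken from the poster's AD.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the [global] idmap settings posted for the member server.
SMB_CONF = """
[global]
workgroup = NWLTECH
security = ADS
realm = NWLTECH.ORG
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 500-40000
winbind nss info = rfc2307
winbind use default domain = yes
"""

# Constructed copy of the posted nsswitch.conf lines.
NSSWITCH = """
passwd: files winbind
group: files winbind
"""

# Assumption: gid 2^32-1 is what `id` shows for a group SID with no gid mapping.
UNMAPPED_GID = 2**32 - 1

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain>:<key> = <value>' lines from [global], keyed by domain."""
    domains: Dict[str, Dict[str, str]] = {}
    in_global = False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_global = stripped.lower() == "[global]"
            continue
        m = IDMAP_RE.match(line) if in_global else None
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout is consistent."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    if "*" not in domains:
        problems.append("no 'idmap config *' default backend/range")
    for dom, cfg in domains.items():
        if "backend" not in cfg or "range" not in cfg:
            problems.append(f"{dom}: backend and range are both required")
            continue
        try:
            lo, hi = parse_range(cfg["range"])
        except ValueError:
            problems.append(f"{dom}: malformed range {cfg['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{dom}: range low >= high")
            continue
        ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):          # every pair of ranges must be disjoint
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return problems


def check_ad_account(domains: Dict[str, Dict[str, str]], domain: str,
                     uid_number: Optional[int]) -> str:
    """With the ad backend, only a uidNumber inside the domain range is mapped;
    a missing attribute (Rowland's question) or an out-of-range value gives 'no such user'."""
    cfg = domains.get(domain.upper())
    if cfg is None or cfg.get("backend", "").lower() != "ad":
        return "not an ad backend"
    if uid_number is None:
        return "unmapped: attribute missing"
    lo, hi = parse_range(cfg["range"])
    return "mapped" if lo <= uid_number <= hi else "unmapped: outside range"


def count_unmapped_groups(id_output: str) -> int:
    """Count gids in `id` output that carry the unmapped-group sentinel."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return 0
    nums = (entry.split("(", 1)[0] for entry in m.group(1).split(","))
    return sum(1 for n in nums if n.isdigit() and int(n) == UNMAPPED_GID)


def nss_has_winbind(nss: str) -> Dict[str, bool]:
    """True per database when nsswitch.conf consults winbind for passwd and group."""
    result = {"passwd": False, "group": False}
    for line in nss.splitlines():
        m = re.match(r"^\s*(passwd|group)\s*:\s*(.*)$", line)
        if m:
            result[m.group(1)] = "winbind" in m.group(2).split()
    return result


if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("idmap problems:", check_idmap(doms) or "none")
    for uid in (None, 10000, 50000):     # constructed uidNumber values
        print(f"uidNumber={uid}:", check_ad_account(doms, "NWLTECH", uid))
    print("nsswitch:", nss_has_winbind(NSSWITCH))
```

Run against the posted configuration it reports no range problems, so the remaining suspect is the account data itself: an account with no `uidNumber` (or one outside 500-40000) is enumerated by `wbinfo -u` but rejected by `id`, which matches the thread. The `4294967295` entry in the local-user output is the same failure on the group side.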