[Samba] The problem with setting up AD domain to Samba 4
Vladimir A Fomkin
vaf at vaf.net.ru
Wed Jun 26 05:06:51 MDT 2013
I configured my Samba AD PDC and BDC to take the uid from the uidNumber line
in AD LDAP.
But I have a problem: "uidNumber" is not created automatically. I must
create it for each user by hand. How do I solve this problem?
root at pdc:/usr/local/samba/etc# cat smb.conf
# Global parameters
# (the [section] headers were lost in the archived copy and are restored here;
#  the share names are inferred from the paths)
[global]
	workgroup = TEST
	realm = TEST.LOCAL
	netbios name = PDC
	server role = active directory domain controller
	dns forwarder = 192.168.1.102
	idmap_ldb:use rfc2307 = yes
	idmap config *:backend = tdb
	idmap config *:range = 70001-80000
	idmap config TEST:backend = ad
	idmap config TEST:schema_mode = rfc2307
	idmap config TEST:range = 500-40000
	winbind nss info = rfc2307
	winbind trusted domains only = no
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/test.local/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[profiles]
	path = /usr/local/samba/var/profiles
	read only = No
root at pdc:/usr/local/samba/etc#
2013/6/19 Rowland Penny <rowlandpenny at googlemail.com>
> Hi Steve, yes I agree with you, the problem is that people still try to
> set up an S4 AD server as if it was S3, this will never work.
> What people need to realise is that an S4 AD server is for all intents and
> purposes a windows AD server clone and to set it up the same
> It might be easier for the OP to reprovision again and start with a blank
> slate and this time do some searching on 'how do I connect a linux client
> to a windows server'
> On 19 June 2013 10:54, steve <steve at steve-ss.com> wrote:
>> On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
>> > The problem is that you are mixing up how samba 4 works with how samba
>> > 3 works, samba 4 winbind does not work the same as the samba 3
>> > winbind.
>> > What you need to do is give your linux users a uidNumber and groups
>> > like Domain Users a gidNumber, how you do this is up to you, it can be
>> > done from windows (ADUC?) or by using an ldif on linux, try a web
>> > search.
>> > You then need to extract this information on the linux clients, you
>> > can use winbind, but do not use the rid backend. If you do use the rid
>> > backend, whilst you will get the same UID for a user on any linux
>> > client that uses the exact same winbind settings, you will never get
>> > the same UID on the server. Using the ad backend will get you the
>> > same UID wherever you ask for it, but in my opinion is not the way
>> > to go, try using sssd, it is a lot easier to set up.
>> > Rowland
>> Hi Rowland
>> From what I can work out from the posts, the OP is trying to do this on
>> a DC. What I find difficult to get across is the idea of storing stuff
>> in AD. In cases such as these I really can't see any other way to go.
>> The OP's idmap is really screwed up. I've had a go via the DC winbind
>> and the only way I could go with this was to delete the idmap entries
>> and start again. This is in the other post about an hour or so ago, if
>> you have any easier way. . .
Фомкин Владимир Андреевич
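One way to do what Rowland suggests (give the users a uidNumber with an ldif instead of by hand), added here as an example that is not from the thread or from the Samba project: a small Python helper that parses ldbsearch output, allocates the next unused uidNumber above the highest one already in the poster's 500-40000 range, and emits a modify LDIF for ldbmodify. The ldbsearch sample, the user names and the sam.ldb path are constructed assumptions.

```python
# Assign rfc2307 uidNumber values to AD users that have none (constructed example). Review
# the LDIF, then apply on the DC: ldbmodify -H /usr/local/samba/private/sam.ldb (path assumed).
from typing import Dict, List
UID_MIN, UID_MAX = 500, 40000   # from the poster's "idmap config TEST:range"
# Constructed ldbsearch '(objectClass=user)' sAMAccountName uidNumber output: only alice is mapped.
SAMPLE_LDB_OUTPUT = """\
dn: CN=alice,CN=Users,DC=test,DC=local
sAMAccountName: alice
uidNumber: 10000

dn: CN=bob,CN=Users,DC=test,DC=local
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=test,DC=local
sAMAccountName: carol
"""
def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split LDIF-style output into one {attribute: value} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):            # skip ldbsearch's "# record N" comments
            continue
        if not line.strip():                # blank line closes an entry
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries

def allocate_missing(entries, uid_min=UID_MIN, uid_max=UID_MAX) -> Dict[str, int]:
    """Map each DN lacking uidNumber to the next value above the highest in use; going
    upward rather than into gaps stops a new user inheriting a deleted user's uid/files."""
    used = [int(e["uidNumber"]) for e in entries if "uidNumber" in e]
    next_uid = max(used, default=uid_min - 1) + 1
    assignments = {}
    for e in entries:
        if "uidNumber" in e:
            continue
        if next_uid > uid_max:
            raise RuntimeError(f"idmap range {uid_min}-{uid_max} exhausted")
        assignments[e["dn"]] = next_uid
        next_uid += 1
    return assignments

def to_ldif(assignments: Dict[str, int]) -> str:
    """Render the assignments as a changetype: modify LDIF for ldbmodify."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: uidNumber\nuidNumber: {uid}\n"
                     for dn, uid in assignments.items())
```

Domain Users still needs a gidNumber set the same way (add: gidNumber), otherwise winbind on the DC will not map the group.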