[Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
Rowland Penny
rowlandpenny at googlemail.com
Mon Dec 1 02:11:34 MST 2014
On 01/12/14 00:08, 江志 wrote:
> Hello Rowland Penny,
> I tested id Administrator as in the wiki.
> I ran
> chown Administrator (or other DomainUser) file and I got
> invalid User :Administrator
>
> ------------------
> 江志
> 2014-12-01
>
> -------------------------------------------------------------
> From: Rowland Penny
> Sent: 2014-11-28 17:59:18
> To: 江志
> Cc: samba
> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>
> On 28/11/14 01:33, 江志 wrote:
>> Hello Rowland Penny,
>> I tested setting
>> username map = /etc/samba/smbmap
>> and I got the same error
>>
>> winbindd -V
>> Version 4.1.11-Ubuntu
>>
>>
>> ------------------
>> 江志
>> 2014-11-28
>>
>> -------------------------------------------------------------
>> From: Rowland Penny
>> Sent: 2014-11-25 17:51:13
>> To: samba
>> Cc:
>> Subject: Re: [Samba] Setup_a_Samba_AD_Member_Server can get the id of user.
>>
>> On 25/11/14 03:47, 江志 wrote:
>>> Hello samba,
>>> I followed the wiki (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server) to set up a member server, then I had some problems:
>>> net ads join -U administrator is OK except for the DNS update.
>>> When I run the command:
>>> wbinfo -u
>>> it shows the user list as follows:
>>> SWAP10\jz
>>> SWAP10\root
>>> TEST\administrator
>>> TEST\krbtgt
>>> TEST\guest
>>> TEST\root
>>> TEST\jz
>>>
>>> When I run the command:
>>> id administrator
>>> it shows
>>> id: administrator: no such user
>>> When I run the command:
>>> id 'TEST\administrator'
>>> it shows
>>> id: TEST\administrator: no such user
>>>
>>> Running chown and chgrp also gives an error.
>>>
>>> Here is my smb.conf
>>>
>>> [global]
>>> netbios name = swap10
>>> workgroup = TEST
>>> security = ADS
>>> realm = TEST.TESTDOMAIN.COM
>>> encrypt passwords = yes
>>>
>>> kerberos method = secrets only
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 70001-80000
>>> idmap config TEST:backend = ad
>>> idmap config TEST:schema_mode = rfc2307
>>> idmap config TEST:range = 500-40000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = false
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind offline logon = false
>>> template shell = /sbin/nologin
>>>
>>> vfs objects = acl_xattr
>>> map acl inherit = yes
>>> store dos attributes = yes
>>> auth methods = winbind
>>> log level = 3
>>> [demo]
>>> path = /home/samba/demo
>>> read only = no
>>> [install$]
>>> path = /home/samba/install
>>> read only = no
>>> guest ok = no
>>>
>>> Any suggestions?
>>> Sorry for my poor English.
>>>
>>> Regards
>>> Jiangzhi
>>> --------------
>>> 2014-11-25
>> OK, you are using the winbind 'ad' backend, this will only pull users
>> from AD that have a uidNumber that is between (in your case) 500-40000.
>> Administrator does not have a uidNumber and before you rush off to give
>> Administrator a uidNumber, don't, this is not recommended, it just
>> turns Administrator into a normal user on Unix.
>>
>> I take it that you have only one Samba4 AD DC, it is recommended that
>> you use this for authentication only and use a separate file or member
>> server, if you do this, you can then map Administrator to root by adding
>> a line to smb.conf:
>>
>> username map = /etc/samba/smbmap
>>
>> And then creating the smbmap file
>>
>> !root = EXAMPLE\Administrator Administrator administrator
>>
>> Where EXAMPLE is your netbios/workgroup name.
>>
>> I would suggest you have a read through the samba wiki:
>>
>> https://wiki.samba.org/index.php/Main_Page
>>
>> Rowland
>>
> Why do you want Administrator to log in? Administrator is the **WINDOWS**
> admin user, you use 'root' on Unix.
>
> Rowland
>
OK, Administrator is a 'SPECIAL' Windows user and as such, does not and
should not exist on Unix. You can map Administrator to the Unix root
user, this will allow Administrator to do the things that need doing
from Windows, change ACLs etc.
It actually says 'chown DomainUser:DomainGroup file' on the wiki and if
this is not working, then there is something wrong with your setup!
This is providing that it doesn't work with a normal user that should be able to log into either a Windows machine or a Unix machine.
Let's start with the obvious, do any of your users in AD have at least a 'uidNumber' and does 'Domain Users' have a 'gidNumber'?
Rowland
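
As an added example (not part of the original thread or the Samba project's code): a shell check for the question in the last message, reporting which AD entries the 'ad' idmap backend can resolve for the configured range. The idmap lines come from the smb.conf posted above; the LDIF entries, the `svc` account and all uidNumber/gidNumber values are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.
# smb.conf lines taken from the configuration posted in the thread.
SAMPLE_CONF='idmap config *:range = 70001-80000
idmap config TEST:backend = ad
idmap config TEST:range = 500-40000'

# Constructed LDIF (assumed values): only jz has a uidNumber in the range.
SAMPLE_LDIF='sAMAccountName: Administrator

sAMAccountName: jz
uidNumber: 10001
gidNumber: 10000

sAMAccountName: svc
uidNumber: 45000

sAMAccountName: Domain Users
objectClass: group'

# Print "LOW HIGH" for one domain. smb.conf parameter names ignore case and
# internal whitespace, so normalise the key before comparing.
idmap_range() {  # $1 = domain, stdin = smb.conf text
    awk -F'=' -v want="idmapconfig$1:range" '
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == tolower(want) { split($2, r, "-"); print r[1] + 0, r[2] + 0 }'
}

# Print "name: status" per entry; users need uidNumber, groups gidNumber.
classify() {  # $1 = low, $2 = high, stdin = LDIF
    awk -v lo="$1" -v hi="$2" '
        function emit(   id) {
            if (name == "") return
            id = (kind == "group") ? gid : uid
            if (id == "") print name ": unmapped"
            else if (id + 0 < lo + 0 || id + 0 > hi + 0) print name ": out of range"
            else print name ": resolvable"
            name = kind = uid = gid = ""
        }
        /^sAMAccountName: /     { name = $0; sub(/^[^:]*: /, "", name) }
        /^objectClass: group$/  { kind = "group" }
        /^uidNumber: /          { uid = $2 }
        /^gidNumber: /          { gid = $2 }
        /^$/                    { emit() }
        END                     { emit() }'
}

# Run the check on the embedded samples.
set -- $(printf '%s\n' "$SAMPLE_CONF" | idmap_range TEST)
printf '%s\n' "$SAMPLE_LDIF" | classify "$1" "$2"
```

Administrator showing as unmapped matches the advice in the thread: it is mapped to root through the username map file, not given a uidNumber.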