[Samba] How does one "look at AD" in Samba4.1?
Stuart Longland
stuartl at vrt.com.au
Mon Mar 17 06:11:02 MDT 2014
On 17/03/14 18:54, steve wrote:
> On Mon, 2014-03-17 at 15:42 +1000, Stuart Longland wrote:
>> On 16/03/14 11:14, steve wrote:
>>> e.g. for Domain Users:
>>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
>>
>> This has been a *big* help. I knew the information I needed was in LDAP
>> somewhere, just didn't know how to get at it to edit it.
>>
>>> Now add something like RID+20000:
>>> gidNumber: 20513
>>
>> You mention "RID", where do I find this? What's the significance of the
>> 20000?
>
> Using Domain Users again as an example, you'll have seen something like:
> S-1-5-21-1085031214-1563985344-725345543 513
> This nails Domain Users in your domain. No one else has that combination
> of characters.
>
> S-1-5-21-1085031214-1563985344-725345543
> is called the SID. Security ID. It's unique for your domain.
>
> 513
> is called the RID. Relative ID.
>
> We add 20000 to it simply to move it away from local Linux groups which
> are often in the same sort of 500-ish region. This avoids a clash with
> local groups. Windows ignores it anyway so it doesn't matter what you
> use. Having 513 in it somewhere makes it more readable for others.
Ahh okay. Makes sense.
>>> now:
>>> getent group Domain\ Users
>>> will return.
>>
>> Well, this half-works now: I can do a `getent group 'MYDOMAIN\Domain
>> Users'`, and get a result.
>>
> Can you tell us the result? Do you get 20513?
I do:
> admin at bnedevfs0:~$ getent group 'MYREALM\Domain Users'
> MYREALM\domain users:x:20513:
>
>> It doesn't know about 'Domain Users' however: it seems to go looking for
>> this in a domain called BNEDEVFS0 (the hostname of the machine).
>>
> That comes from:
> workgroup =
> in smb.conf
Interesting, I have:
> workgroup = MYREALM
> server role = MEMBER SERVER
> security = ADS
> realm = MYREALM.MYDOMAIN
> log level = 10
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config MYREALM:backend = ad
> idmap config MYREALM:schema_mode = rfc2307
> idmap config MYREALM:range = 0-40000
> template shell = /bin/bash
If I do a getent on the two domain controllers, it works without the
MYREALM\ prefix, but on the file server, it expects the MYREALM\ prefix.
> If it's working as you expect, just add:
> winbind use default domain = Yes
> to smb.conf. This will remove the BNEDEVFS0\ bit.
Adding that and restarting winbind, I now get:
> admin at bnedevfs0:~$ getent passwd 'Administrator'
> administrator:*:20500:20513::/home/MYREALM/administrator:/bin/bash
> admin at bnedevfs0:~$ getent group 'Domain Users'
> domain users:x:20513:
That looks like it nails it. Thanks.
> How many domains do you have? Is there a subdomain for example?
No, just the one. It's a small organisation and so I see little benefit
in subdividing it further.
> With a lot of this stuff, if it's working and you're in production,
> leave it.
Indeed, that's how I intend to work it, once I get it running. I've
gotten this far with the test network, so now the fun is layering on
LDAP-driven email.
Your help has been much appreciated. I shall take it from here and see
where I wind up.
Regards,
--
Stuart Longland
Contractor
VRT SYSTEMS
38b Douglas Street, Milton QLD 4064
T: +61 7 3535 9619
F: +61 7 3535 9699
http://www.vrt.com.au
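The RID+20000 convention Steve describes above (take the last component of the group's SID, add 20000, store it as gidNumber so it stays clear of local Linux groups in the 500-ish range) can be scripted and checked before anything is written to sam.ldb. The following is an added example, not code from the thread or from the Samba project. It assumes ldbsearch prints objectSid as an S-1-5-... string (the form shown in the thread), uses the thread's offset of 20000, and works entirely on constructed sample data (a fake ldbsearch record and a fake /etc/group) so it runs offline; the function names are hypothetical. Its output is an LDIF modify record of the kind ldbmodify consumes, which is the scripted equivalent of the ldbedit step in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): derive a POSIX gidNumber for an AD
# group from its SID using the RID+20000 convention, check it against local
# groups, and emit the LDIF that would add gidNumber to the entry.
# All sample data below is constructed.

OFFSET=20000   # the thread's "RID+20000" offset

# Constructed ldbsearch-style record for Domain Users (SID as in the thread).
SAMPLE_LDB='dn: CN=Domain Users,CN=Users,DC=myrealm,DC=mydomain
objectSid: S-1-5-21-1085031214-1563985344-725345543-513
sAMAccountName: Domain Users'

# Constructed /etc/group content: note the local group sitting on gid 513,
# exactly the clash the offset is meant to avoid.
SAMPLE_GROUPS='root:x:0:
users:x:100:
staff:x:513:alice'

# Extract the dn line from an ldbsearch-style record.
dn_from_ldb() {
    printf '%s\n' "$1" | awk '/^dn: /{ sub(/^dn: /, ""); print; exit }'
}

# Extract the objectSid string from an ldbsearch-style record.
sid_from_ldb() {
    printf '%s\n' "$1" | awk '/^objectSid: /{ print $2; exit }'
}

# The RID is the last dash-separated component of the SID.
rid_from_sid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Proposed gidNumber: RID + OFFSET (20513 for Domain Users).
gid_from_sid() {
    _rid=$(rid_from_sid "$1")
    echo $((_rid + OFFSET))
}

# Return 0 (and print the group name) if gid is already used in the supplied
# /etc/group-style text, 1 otherwise.
local_gid_clash() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; found = 1 } END { exit !found }'
}

# Emit an LDIF modify record adding gidNumber to the group's entry; a caller
# would pipe this into ldbmodify --url=/usr/local/samba/private/sam.ldb.
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# Demonstration on the constructed data.
demo() {
    dn=$(dn_from_ldb "$SAMPLE_LDB")
    sid=$(sid_from_ldb "$SAMPLE_LDB")
    rid=$(rid_from_sid "$sid")
    gid=$(gid_from_sid "$sid")
    echo "SID: $sid  RID: $rid  proposed gidNumber: $gid"
    if clash=$(local_gid_clash "$rid" "$SAMPLE_GROUPS"); then
        echo "raw RID $rid would clash with local group '$clash'"
    fi
    if clash=$(local_gid_clash "$gid" "$SAMPLE_GROUPS"); then
        echo "gid $gid clashes with local group '$clash'; pick another offset" >&2
        return 1
    fi
    gid_ldif "$dn" "$gid"
}

demo
```

Run the script and it prints the proposed mapping, notes that the bare RID 513 would collide with the constructed local "staff" group, and then prints the LDIF for gidNumber 20513. On a real system you would replace SAMPLE_LDB with the output of `ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users objectSid` and SAMPLE_GROUPS with `getent group` before piping the LDIF into ldbmodify.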