[Samba] How does one "look at AD" in Samba4.1?
steve at steve-ss.com
Mon Mar 17 06:35:43 MDT 2014
On Mon, 2014-03-17 at 22:11 +1000, Stuart Longland wrote:
> On 17/03/14 18:54, steve wrote:
> > On Mon, 2014-03-17 at 15:42 +1000, Stuart Longland wrote:
> >> On 16/03/14 11:14, steve wrote:
> >>> e.g. for Domain Users:
> >>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
> >> This has been a *big* help. I knew the information I needed was in LDAP
> >> somewhere, just didn't know how to get at it to edit it.
> >>> Now add something like RID+20000:
> >>> gidNumber: 20513
> >> You mention "RID", where do I find this? What's the significance of the
> >> 20000?
> > Using Domain Users again as an example, you'll have seen something like:
> > S-1-5-21-1085031214-1563985344-725345543 513
> > This nails Domain Users in your domain. No one else has that combination
> > of characters.
> > S-1-5-21-1085031214-1563985344-725345543
> > is called the SID. Security ID. It's unique for your domain.
> > 513
> > is called the RID. Relative ID
> > We add 20000 to it simply to move it away from local Linux groups which
> > are often in the same sort of 500-ish region. This avoids a clash with
> > local groups. Windows ignores it anyway so it doesn't matter what you
> > use. Having 513 in it somewhere makes it more readable for others.
> Ahh okay. Makes sense.
> >>> now:
> >>> getent group Domain\ Users
> >>> will return.
> >> Well, this half-works now: I can do a `getent group 'MYDOMAIN\Domain
> >> Users', and get a result.
> > Can you tell us the result? Do you get 20513?
> I do;
> > admin at bnedevfs0:~$ getent group 'MYREALM\Domain Users'
> > MYREALM\domain users:x:20513:
> >> It doesn't know about 'Domain Users' however: it seems to go looking for
> >> this in a domain called BNEDEVFS0 (the hostname of the machine).
> > That comes from:
> > workgroup =
> > in smb.conf
> Interesting, I have:
> > workgroup = MYREALM
> > server role = MEMBER SERVER
> > security = ADS
> > winbind use default domain = Yes
> > to smb.conf. This will remove the BNEDEVFSO\ bit.
> Adding that and restarting winbind, I now get:
> > admin at bnedevfs0:~$ getent passwd 'Administrator'
> > administrator:*:20500:20513::/home/MYREALM/administrator:/bin/bash
> > admin at bnedevfs0:~$ getent group 'Domain Users'
> > domain users:x:20513:
> That looks like it nails it. Thanks.
That's one of the holy grails in these parts;)
> > With a lot of this stuff, if it's working and you're in production,
> > leave it.
> Indeed, that's how I intend to work it, once I get it running. I've
> gotten this far with the test network, so now the fun is layering on
> LDAP-driven email.
Ah, well in that case and you're still in the lab the I'd recommend you
get the DOMAIN\ bit sorted. I'm sure someone here will be able to give
you a simple solution as to how to do that if my suggestion didn't work.
> Your help has been much appreciated. I shall take it from here and see
> where I wind up.
No problem and good luck.
More information about the samba