[Samba] idmap weirdness - wildcard values being used instead of rfc2307 AD values
Doug Meredith
doug.meredith at skyridge.com
Thu Oct 30 06:36:30 MDT 2014
Hi Peter,
Thanks for the quick reply.
On Thu, Oct 30, 2014 at 8:54 AM, Peter Serbe <peter at serbe.ch> wrote:
> Doug Meredith wrote on 30.10.2014 12:29:
>
> > "getent passwd doug" returns:
> >
> > doug:*:70003:70005:Doug Meredith:/home/DSTRC/doug:/bin/false
>
> I presume this is "getent passwd" on the member server...
> Does "getent passwd" on the DC work in the right manner?
>
>
Yes, the "getent" output was from the member server. No, "getent passwd"
doesn't work on the DC, but I've never bothered to do the nsswitch config
there. My understanding is that the winbind implementation on a DC is
completely different code than the winbindd implementation that runs on a
member server, so I figured there wasn't much point in experimenting on the
DC. Is my thinking flawed?
> > Platform is FreeBSD 10 and I'm using Samba 4.1.13. Full smb.conf is
> > below.
>
> This configuration looks OK.
> Is the nsswitch.conf also OK?
>
nsswitch.conf on the member server:
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
> Does wbinfo -p/u/g work?
>
wbinfo -p/u/g all work fine on the member server.
> Kerberos kinit/klist OK?
>
I am not able to authenticate using kinit on the member server, probably
because I've never done any Kerberos configuration on the host. Given that
the file server is able to look up data in AD, and is able to authenticate
users over SMB, I had assumed that I didn't need to do any explicit
Kerberos setup.
> Furthermore the smb.conf on the DC: is rfc2307 working?
>
The DCs are Debian running Sernet Samba 4.1.12. Here is the DC smb.conf:
[global]
workgroup = DSTRC
realm = dstrc.org
netbios name = DC1
server role = active directory domain controller
#dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
server services = -dns
[netlogon]
path = /var/lib/samba/sysvol/dstrc.org/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[admin]
path = /admin
read only = No
> Do you see the rfc2307 fake yp_server in ldb (as described in the wiki)?
>
>
The only thing I could find on the wiki about this was in the "AD DC HOWTO"
and it was in the output from provisioning.
Doug
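Added example, not part of the thread and not Samba's own code: a small POSIX shell check for the question the thread is circling around. On a member server winbindd only reads the rfc2307 uidNumber/gidNumber from AD when the joined domain has its own `idmap config DOMAIN : backend = ad` block (with `schema_mode = rfc2307`); if that block is missing, winbindd falls back to the `idmap config * : backend` (tdb) and allocates IDs out of the `*` range, which is exactly what "wildcard values instead of AD values" looks like. Doug's member-server smb.conf is not on this page, so the two smb.conf fragments below are constructed: WEAK_CONF is an assumed configuration with only the wildcard backend, FIXED_CONF the same host with a domain block added. The parameter names are real Samba options; the functions and the 70000-79999 range are illustrative.

```shell
#!/bin/sh
# Constructed smb.conf fragments (assumption: NOT the member server's real config,
# which is not on this page). The first has only the wildcard backend; the second
# adds a domain-specific idmap_ad block that reads rfc2307 attributes from AD.
WEAK_CONF='[global]
   workgroup = DSTRC
   realm = DSTRC.ORG
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 70000-79999
'
FIXED_CONF='[global]
   workgroup = DSTRC
   realm = DSTRC.ORG
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DSTRC : backend = ad
   idmap config DSTRC : schema_mode = rfc2307
   idmap config DSTRC : range = 10000-999999
   winbind nss info = rfc2307
'

# idmap_param CONF DOMAIN PARAM: print the value of "idmap config DOMAIN : PARAM"
# (lowercased, whitespace-insensitive); prints nothing if the line is absent.
idmap_param() {
    printf '%s\n' "$1" | awk -v dom="$2" -v key="$3" '
        {
            line = tolower($0); sub(/^[ \t]+/, "", line)
            if (line !~ /^idmap config/) next
            eq = index(line, "="); if (eq == 0) next
            lhs = substr(line, 1, eq - 1); rhs = substr(line, eq + 1)
            gsub(/[ \t]/, "", lhs); gsub(/^[ \t]+|[ \t]+$/, "", rhs)
            want = "idmapconfig" tolower(dom) ":" tolower(key)
            if (lhs == want) { print rhs; exit }
        }'
}

# idmap_verdict CONF DOMAIN: which backend winbindd will use for DOMAIN.
#   WILDCARD      no domain block -> IDs allocated from the "*" backend, AD ignored
#   AD            idmap_ad with schema_mode = rfc2307 -> uidNumber/gidNumber from AD
#   AD-NO-RFC2307 idmap_ad without rfc2307 schema mode
#   OTHER:<name>  some other backend (rid, autorid, ...)
idmap_verdict() {
    backend=$(idmap_param "$1" "$2" backend)
    case $backend in
        '') printf 'WILDCARD\n' ;;
        ad) if [ "$(idmap_param "$1" "$2" schema_mode)" = rfc2307 ]; then
                printf 'AD\n'
            else
                printf 'AD-NO-RFC2307\n'
            fi ;;
        *)  printf 'OTHER:%s\n' "$backend" ;;
    esac
}

# uid_in_range UID LO-HI: succeed if UID lies inside the range string.
uid_in_range() {
    lo=${2%-*}; hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# uid_source CONF DOMAIN UID: say where a UID seen in "getent passwd" came from.
uid_source() {
    c=$1; d=$2; u=$3
    v=$(idmap_verdict "$c" "$d")
    case $v in
        AD|AD-NO-RFC2307)
            if uid_in_range "$u" "$(idmap_param "$c" "$d" range)"; then
                if [ "$v" = AD ]; then printf 'ad-rfc2307\n'; else printf 'ad-no-rfc2307\n'; fi
                return 0
            fi ;;
    esac
    wr=$(idmap_param "$c" '*' range)
    if [ -n "$wr" ] && uid_in_range "$u" "$wr"; then
        printf 'wildcard-allocated\n'   # tdb handed out this ID; AD uidNumber was never consulted
    else
        printf 'out-of-range\n'
    fi
}

# Demo: the uid 70003 from the thread's getent output, against both configs.
printf 'weak  : %s / uid 70003 is %s\n' "$(idmap_verdict "$WEAK_CONF" DSTRC)"  "$(uid_source "$WEAK_CONF" DSTRC 70003)"
printf 'fixed : %s / uid 70003 is %s\n' "$(idmap_verdict "$FIXED_CONF" DSTRC)" "$(uid_source "$FIXED_CONF" DSTRC 70003)"
```

To run it against a real host, replace the constructed strings with `$(testparm -s 2>/dev/null)` so that defaults and includes are already expanded, and compare the verdict with `wbinfo -i doug` / `wbinfo --uid-info 70003`: with the wildcard backend the mapping lives only in the local winbindd_idmap.tdb, so it differs from one member server to the next, and a UID that sits in the `*` range is the giveaway rather than anything in AD.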