[Samba] Samba as AD member can not validate domain user
jd at ionica.lv
Tue Apr 7 00:14:17 MDT 2015
Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>> after assigning UNIX attributes to users and domain groups all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>> is not enough, you must give their primarygroup (Domain Users) a
>>> 'gidNumber' attribute.
>> all of the AD users are members of the Domain Users group now.
> what do you mean 'all of the AD users are members of the Domain
> Users group now.' ??
> I hope you haven't changed the users primaryGroupID attribute.
I assigned primary group to each domain user through UNIX
attributes(?) in Windows (8.1) domain management tool, choosing
INTERNAL as NIS realm.
> This is what I get when I run getent on one of my DCs:
> root@dc01:~# getent passwd rowland
> EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash
yes, I am getting similar:
Some questions related to this -
- can I have domain user's home directory kind of \\FS\home\username?
As far as I understand, home directory /home/INTERNAL/username is not
created automatically. I tried to create it by hand (and chown to
10000.10000) in order to see what's changing, but it remained empty.
- does the shell parameter play any role if all domain users are pure
- if the shell is set to /bin/bash, for example, is the domain user
able to log in to the shell of any Linux server which is a domain member?
> Hmm, if I run (on a member server):
> getent passwd EXAMPLE\\rowland
> I get:
Yes, finally, I am getting similar now. I'll check later what effect
it has overall.
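
The requirement quoted above (with the 'ad' backend a user needs a uidNumber and the user's primary group needs a gidNumber) can be checked against saved ldbsearch output. This is an added example, not part of the original thread: the function names, the accounts alice, bob and carol and the Staff group are constructed, and only the Domain Users record is taken from the message.

```python
import re
# Constructed ldbsearch-style output; only the Domain Users record is from the thread.
SAMPLE = """\
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-513
gidNumber: 10000

dn: CN=Staff,CN=Users,DC=internal,DC=domain,DC=lv
objectSid: S-1-5-21-216404829-505555237-127066545-1105

dn: CN=alice,CN=Users,DC=internal,DC=domain,DC=lv
sAMAccountName: alice
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=internal,DC=domain,DC=lv
sAMAccountName: bob
primaryGroupID: 513

dn: CN=carol,CN=Users,DC=internal,DC=domain,DC=lv
sAMAccountName: carol
primaryGroupID: 1105
uidNumber: 10003
"""

def parse_ldif(text):
    """Split LDIF into one dict per record (single-valued attributes only)."""
    records = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        rec = dict(l.split(": ", 1) for l in block.splitlines()
                   if ": " in l and not l.startswith("#"))
        if rec:
            records.append(rec)
    return records

def unmappable_users(records):
    """Return {account: reason} for users the 'ad' backend cannot map."""
    users = [r for r in records if "primaryGroupID" in r]
    # Group RID (last component of objectSid) -> gidNumber, or None if unset
    gid_by_rid = {r["objectSid"].rsplit("-", 1)[1]: r.get("gidNumber")
                  for r in records if "objectSid" in r and r not in users}
    problems = {}
    for u in users:
        if "uidNumber" not in u:
            problems[u["sAMAccountName"]] = "no uidNumber"
        elif not gid_by_rid.get(u["primaryGroupID"]):
            problems[u["sAMAccountName"]] = f"primary group RID {u['primaryGroupID']} has no gidNumber"
    return problems
print(unmappable_users(parse_ldif(SAMPLE)))
```

An empty result means every user record in the dump has a uidNumber and a primary group with a gidNumber; it says nothing about the idmap range configured in smb.conf.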