[Samba] Samba as AD member can not validate domain user

[jd at ionica.lv]

Citēju Rowland Penny <rowlandpenny at googlemail.com>:

>> after assigning UNIX attributes to users and domain groups all of them have
>> uidNUmbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'  
>>> is not enough, you must give their primarygroup (Domain Users) a  
>>> 'gidNumber' attribute.
>
>> all of the AD users are members of the Domain Users group now.
>
> what do you mean 'all of the AD users are members of the Domain  
> Users group now.' ??
>
> I hope you haven't changed the users primaryGroupID attribute.

I assigned primary group to each domain user through UNIX  
attributes(?) in Windows (8.1) domain management tool, choosing  
INTERNAL as NIS realm.

> This is what I get when I run getent on one of my DCs:
>
> root at dc01:~# getent passwd rowland
> EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash

yes, I am getting similar:
username:*:10000:10000::/home/INTERNAL/username:/bin/false

Some questions related to this -

- can I have domain user's home directory kind of \\FS\home\username?  
As far as I understand, home directory /home/INTERNAL/username is not  
created automatically. I tried to create it by hand (and chown to  
10000.10000) in order to see what's changing, but is remained empty.

- does the shell parameter play any role if all domain users are pure  
windows users?

- if the shell is set to /bin/bash, for example, is the domain user  
able to login to any Linux server's, which is domain member, shell?

> Hmm, if I run (on a member server):
>
> getent passwd EXAMPLE\\rowland
>
> I get:
>
> rowland:*:10000:10000::/home/rowland:/bin/bash

Yes, finally, I am getting similar now. I'll check later what effect  
it has overall.

Janis