[Samba] Samba as AD member can not validate domain user
rowlandpenny at googlemail.com
Tue Apr 7 02:10:40 MDT 2015
On 07/04/15 07:14, jd at ionica.lv wrote:
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>>> after assigning UNIX attributes to users and domain groups all of
>>> them have
>>> uidNumbers and gidNumbers starting from 10000,
>>> ldbsearch gives:
>>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>>> gidNumber: 10000
>>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>>> is not enough, you must give their primarygroup (Domain Users) a
>>>> 'gidNumber' attribute.
>>> all of the AD users are members of the Domain Users group now.
>> what do you mean 'all of the AD users are members of the Domain Users
>> group now.' ??
>> I hope you haven't changed the users primaryGroupID attribute.
> I assigned primary group to each domain user through UNIX
> attributes(?) in Windows (8.1) domain management tool, choosing
> INTERNAL as NIS realm.
>> This is what I get when I run getent on one of my DCs:
>> root at dc01:~# getent passwd rowland
> yes, I am getting similar:
> Some questions related to this -
> - can I have domain user's home directory kind of \\FS\home\username?
> As far as I understand, home directory /home/INTERNAL/username is not
> created automatically. I tried to create it by hand (and chown to
> 10000.10000) in order to see what's changing, but it remained empty.
> - does the shell parameter play any role if all domain users are pure
> windows users?
> - if the shell is set to /bin/bash, for example, is the domain user
> able to login to any Linux server's, which is domain member, shell?
You only need the 'template' line if you intend to log into the DC
>> Hmm, if I run (on a member server):
>> getent passwd EXAMPLE\\rowland
>> I get:
> Yes, finally, I am getting similar now. I'll check later what effect
> it has overall.
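
The point made in the thread about the 'ad' backend (a user's 'uidNumber' is not enough, the primary group also needs a 'gidNumber') can be checked against ldbsearch output. The Python below is an added example, not part of the original thread; the example.com domain, the SIDs, the sample records and the function names are constructed for illustration.

```python
# Constructed sample in ldbsearch output format (not from the poster's domain).
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=Staff,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1201
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1202
primaryGroupID: 1105
uidNumber: 10002
"""


def parse_ldif(text):
    """One dict per blank-line-separated record; '#' comment lines are skipped."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = [l.split(": ", 1) for l in block.splitlines()
                 if ": " in l and not l.startswith("#")]
        if pairs:
            records.append(dict(pairs))
    return records


def unmapped_primary_groups(records):
    """Map each user that has a uidNumber to its primary group SID when that
    group has no gidNumber (or is missing from the search output)."""
    gid_by_sid = {r["objectSid"]: r.get("gidNumber") for r in records if "objectSid" in r}
    problems = {}
    for r in records:
        if "uidNumber" not in r or "primaryGroupID" not in r:
            continue
        # Primary group SID = the user's domain SID + the RID in primaryGroupID.
        domain_sid = r["objectSid"].rsplit("-", 1)[0]
        group_sid = f"{domain_sid}-{r['primaryGroupID']}"
        if not gid_by_sid.get(group_sid):
            problems[r["sAMAccountName"]] = group_sid
    return problems
```

With the sample data, bob is reported because his primary group (RID 1105) has no 'gidNumber', while alice is fine because Domain Users has one.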