[Samba] Samba as AD member can not validate domain user
Rowland Penny
rowlandpenny at googlemail.com
Tue Apr 7 02:10:40 MDT 2015
On 07/04/15 07:14, jd at ionica.lv wrote:
>
> Citēju Rowland Penny <rowlandpenny at googlemail.com>:
>
>>> after assigning UNIX attributes to users and domain groups all of
>>> them have
>>> uidNUmbers and gidNumbers starting from 10000,
>>> ldbsearch gives:
>>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>>> gidNumber: 10000
>>>
>>>> If you use the 'ad' backend, then giving your users a 'uidNumber'
>>>> is not enough, you must give their primarygroup (Domain Users) a
>>>> 'gidNumber' attribute.
>>
>>> all of the AD users are members of the Domain Users group now.
>>
>> what do you mean 'all of the AD users are members of the Domain Users
>> group now.' ??
>>
>> I hope you haven't changed the users primaryGroupID attribute.
>
> I assigned primary group to each domain user through UNIX
> attributes(?) in Windows (8.1) domain management tool, choosing
> INTERNAL as NIS realm.
>
>> This is what I get when I run getent on one of my DCs:
>>
>> root at dc01:~# getent passwd rowland
>> EXAMPLE\rowland:*:10000:10000:Rowland
>> Penny:/home/EXAMPLE/rowland:/bin/bash
>
> yes, I am getting similar:
> username:*:10000:10000::/home/INTERNAL/username:/bin/false
>
> Some questions related to this -
>
> - can I have domain user's home directory kind of \\FS\home\username?
> As far as I understand, home directory /home/INTERNAL/username is not
> created automatically. I tried to create it by hand (and chown to
> 10000.10000) in order to see what's changing, but is remained empty.
>
> - does the shell parameter play any role if all domain users are pure
> windows users?
>
> - if the shell is set to /bin/bash, for example, is the domain user
> able to login to any Linux server's, which is domain member, shell?
You only need the 'template' line if you intend to log into the DC
Rowland
>
>> Hmm, if I run (on a member server):
>>
>> getent passwd EXAMPLE\\rowland
>>
>> I get:
>>
>> rowland:*:10000:10000::/home/rowland:/bin/bash
>
> Yes, finally, I am getting similar now. I'll check later what effect
> it has overall.
>
> Janis
>
More information about the samba
mailing list