[Samba] Samba4 ad dc with Centos7

L.P.H. van Belle belle at bazuin.nl
Tue Dec 8 13:37:26 UTC 2015


On the DC, when I run

getent passwd                         I only see my Linux users.

getent passwd username          shows the AD user.

Same for the groups.

Greetz,

Louis


From: Marcio Costa [mailto:marciofoz at gmail.com]
Sent: Tuesday 8 December 2015 14:35
To: L.P.H. van Belle
Subject: Re: [Samba] Samba4 ad dc with Centos7

Hi!
If you run 'getent passwd', do you see all the users (AD + local) or only local users?

2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:

Well, that's wrong, when I do the following.

wbinfo -u  I get all my users.

wbinfo -g  I get all my groups.

getent passwd username   I get my user:UID:GID:NAME:homedir:shell

id username  gives also the correct info.. (uid= .. gid= ) groups =  etc..

And I use winbind on a DC. (Samba 4.2.5 SerNet on Debian wheezy)

Greetz,

Louis


From: mathias dufresne [mailto:infractory at gmail.com]
Sent: Tuesday 8 December 2015 14:11
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba4 ad dc with Centos7



 

I believe there is no enumeration allowed by default whatever you use to generate system users from AD (winbind, sssd or nslcd).

Cheers,

mathias


2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:

Hai,

Few things.

> idmap gid = 1000-9999999
did you also change the start GID in the AD?
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use

> "getent group" and "getent passwd"
On a DC, use  : getent group "domain users"
shows only the group name + GID.

Your setup looks almost good, I'm only missing something like:

      ## map id's outside to domain to tdb files.
        ## map ids from the domain and (*) the range may not overlap !
      idmap config * : backend = tdb
      idmap config * : range = 2000-9999


Greetz,

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> Sent: Tuesday 8 December 2015 13:28
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 ad dc with Centos7

>
> Hello, I may have a problem with winbind setup.
>
> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> -with getent group "Domain Users" and getent passwd "remote_user" I can see
> the info about the specific group and specific user.
> -with getent group and getent passwd I only see my local group/users.
>
> -I believe that using "getent group" and "getent passwd" I must see all
> users, right ?
>
>
> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> -ps auxf show me:
> root     24519  0.0  4.5 578196 45700 ?        Ss   09:59   0:00 /usr/sbin/samba -D
> root     24527  0.0  3.2 578196 32812 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> root     24529  0.0  4.7 617856 48016 ?        Ss   09:59   0:00  |   \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root     24546  0.0  3.2 617856 32936 ?        S    09:59   0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> root     24536  0.0  3.2 578196 32788 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> root     24541  0.0  4.5 587664 46480 ?        Ss   09:59   0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root     24545  0.0  3.5 605676 36492 ?        S    09:59   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root     24555  0.0  3.6 605992 36680 ?        S    10:00   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> -ls /lib64
> lrwxrwxrwx. 1 root root  19 Dez  3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>
> -/etc/nsswitch.conf
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
> -smb.conf
> [global]
>         workgroup = INTRANET
>         realm = INTRANET.UNV
>         netbios name = ITU
>         server role = active directory domain controller
>         dns forwarder = 10.2.3.4
>         idmap_ldb:use rfc2307 = yes
>
>         idmap config INTRANET:backend = ad
>         idmap config INTRANET:schema_mode = rfc2307
>         idmap config INTRANET:range = 10000-9999999
>
>         idmap uid = 10000-9999999
>         idmap gid = 1000-9999999
>
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>
> I appreciate any help about this issue.
> Thank you.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


