[Samba] Samba4 ad dc with Centos7

mathias dufresne infractory at gmail.com
Tue Dec 8 13:55:31 UTC 2015


That's what I thought, and why I said there is no enumeration for system
users.
wbinfo can get a whole list of all Samba users (I believe it can do that
with AD or NT4 or standalone). But wbinfo does not show system users; it
shows Samba users, which can become system users once they are transformed
(with PAM tools such as winbind, sssd or nslcd).

I insist because after months spent here and years with Samba I feel
confusion (for me and for some users of that mailing list) between Samba's
system users (users from Samba usable on the system side; here the system is
the one hosting Samba, the server system), Samba users (Samba internal
users) and client system users (system users which access the share).
With domains there are also system users built from the domain (Windows
system users SAMDOM\my-user or Linux users from AD/NT4 built with winbind or
sssd or nslcd).

Just my 2 cents, best regards,

mathias


2015-12-08 14:37 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:

> On the DC, when I run
>
> getent passwd             I only see my Linux users.
>
> getent passwd username    shows the AD user.
>
> Same for the groups
>
> Greetz,
>
> Louis
>
> From: Marcio Costa [mailto:marciofoz at gmail.com]
> Sent: Tuesday 8 December 2015 14:35
> To: L.P.H. van Belle
> Subject: Re: [Samba] Samba4 ad dc with Centos7
>
> Hi!
> If you run 'getent passwd', do you see all the users (ad+local) or only
> local users?
>
> 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> Well, that's wrong, when I do the following.
>
> wbinfo -u  I get all my users.
>
> wbinfo -g  I get all my groups.
>
> getent passwd username   I get my user:UID:GID:NAME:homedir:shell
>
> id username  also gives the correct info.. (uid= .. gid= ) groups =  etc..
>
> And I use winbind on a DC. (Samba 4.2.5 SerNet on Debian wheezy)
>
> Greetz,
>
> Louis
>
> From: mathias dufresne [mailto:infractory at gmail.com]
> Sent: Tuesday 8 December 2015 14:11
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba4 ad dc with Centos7
>
> I believe there is no enumeration allowed by default whatever you use to
> generate system users from AD (winbind, sssd or nslcd).
>
> Cheers,
>
> mathias
>
> 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> Hai,
>
> Few things.
>
> > idmap gid = 1000-9999999
> did you also change the start GID in the AD?
>
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
>
> > "getent group" and "getent passwd"
> On a DC, use  : getent group "domain users"
> shows only the group name + GID.
>
> Your setup looks almost good, I'm only missing something like:
>
>       ## map id's outside to domain to tdb files.
>         ## map ids from the domain and (*) the range may not overlap !
>       idmap config * : backend = tdb
>       idmap config * : range = 2000-9999
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> > Sent: Tuesday 8 December 2015 13:28
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba4 ad dc with Centos7
>
> >
> > Hello, I may have a problem with winbind setup.
> >
> > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> > -with getent group "Domain Users" and getent passwd "remote_user" I can
> > see the info about the specific group and specific user.
> > -with getent group and getent passwd I only see my local group/users.
> >
> > -I believe that using "getent group" and "getent passwd" I must see all
> > users, right?
> >
> >
> > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> > -ps auxf show me:
> > root     24519  0.0  4.5 578196 45700 ?        Ss   09:59   0:00 /usr/sbin/samba -D
> > root     24527  0.0  3.2 578196 32812 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> > root     24529  0.0  4.7 617856 48016 ?        Ss   09:59   0:00  |   \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > root     24546  0.0  3.2 617856 32936 ?        S    09:59   0:00  |       \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > root     24536  0.0  3.2 578196 32788 ?        S    09:59   0:00  \_ /usr/sbin/samba -D
> > root     24541  0.0  4.5 587664 46480 ?        Ss   09:59   0:00  |   \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > root     24545  0.0  3.5 605676 36492 ?        S    09:59   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > root     24555  0.0  3.6 605992 36680 ?        S    10:00   0:00  |       \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> >
> > -ls /lib64
> > lrwxrwxrwx. 1 root root  19 Dez  3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
> >
> > -/etc/nsswitch.conf
> > passwd:     files winbind
> > shadow:     files winbind
> > group:      files winbind
> >
> > -smb.conf
> > [global]
> >         workgroup = INTRANET
> >         realm = INTRANET.UNV
> >         netbios name = ITU
> >         server role = active directory domain controller
> >         dns forwarder = 10.2.3.4
> >         idmap_ldb:use rfc2307 = yes
> >
> >         idmap config INTRANET:backend = ad
> >         idmap config INTRANET:schema_mode = rfc2307
> >         idmap config INTRANET:range = 10000-9999999
> >
> >         idmap uid = 10000-9999999
> >         idmap gid = 1000-9999999
> >
> >         # Use settings from AD for login shell and home directory
> >         winbind nss info = rfc2307
> >
> >         winbind use default domain = yes
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >
> > I appreciate any help about this issue.
> > Thank you.
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>

