[Samba] Samba4 ad dc with Centos7
L.P.H. van Belle
belle at bazuin.nl
Tue Dec 8 14:54:14 UTC 2015
I don't see the difference, I think it's all in how you interpret it.
(Sorry about the spelling errors..)
For example:
> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone
Which is exactly what I want.
> wbinfo does not show system users..
Which is also exactly what I want.
> wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).
Again, exactly what I want.
> I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system is
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which have access to the share).
> With domains there are also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind
Yeah, that sucks.. Well, don't think in terms of Samba system users.
> Samba's system users (users from Samba usable on system side,
> here the system is
> the one hosting Samba, the server system),
> Samba users (Samba internal users) and
> client system users (system users which have access to the share).
You have "local" users/groups, per server/client (adduser username).
You have "Domain" users/groups, per domain.
You have "mapped users", as I call them.
And last, you have "local system users" (UID lower than 1000).
Based on this example:
## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config DOMAINNAME: backend = ad
idmap config DOMAINNAME: schema_mode = rfc2307
idmap config DOMAINNAME: range = 10000-3999999
A local user: any user UID lower than 2000.
A domain user:
idmap config DOMAINNAME : range = 10000-3999999
A mapped user is a local user with its UID in the * range.
(idmap config * : range = 2000-9999 )
If you want any local users to be mapped to Samba, change to:
(idmap config * : range = 1000-9999 )
And I don't advise mapping "local system users".
Any of them can access shares, but it all depends on your setup.
I think you make an easy thing a hard one, probably due to the setup you're having. I'm not saying your setup is bad or wrong, but maybe too complex or not well thought out. I spent about a year testing and configuring and testing for a good base setup, and that is where it all starts; I started over at least 10 times, because I forgot a "thing/process" running on a server and which users and/or groups should be able to access it.
It's pretty simple: only use "domain users" when you have a domain.
And only use local users for local needs.
I only have 1 user on my Linux server for administering the server.
And I also gave some domain users access to a local server.
You can add a domain user to a local group if your setup is working correctly.
System users are just there to run processes/services on the server, and/or for administering the server.
So sorry, but I don't see the problem you're having.
I do the same in Samba 4 as I did in Samba 3, and more.
And this all looks normal to me.
But ...
I do agree, there should be more examples of how things work with these users.
And some examples of when you, for example, use a "mapped" user, or a local user, etc.
Greetz,
Louis
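The idmap range rules laid out above (local UIDs below the * range, mapped users inside it, domain users inside the domain range, and ranges that must not overlap) as an added example that is not part of the original thread: a small Python script that reads the idmap config lines from an smb.conf fragment, flags a missing * range or overlapping ranges, and says which bucket a given UID falls in. The two config fragments are constructed from the settings quoted in this thread, not copied from a live server.

```python
import re
from itertools import combinations
# Constructed samples (not from a live server): Louis's idmap lines, and one like Marcio's with no '*' range.
GOOD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAINNAME: backend = ad
idmap config DOMAINNAME: schema_mode = rfc2307
idmap config DOMAINNAME: range = 10000-3999999
"""
NO_STAR_CONF = """
idmap config INTRANET:backend = ad
idmap config INTRANET:range = 10000-9999999
"""
# Matches 'idmap config <domain> : <option> = <value>' with or without spaces around ':'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            lo, hi = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1).upper()] = (lo, hi)
    return ranges

def check_ranges(conf):
    """Return a list of problems; an empty list means the ranges look sane."""
    ranges = parse_ranges(conf)
    problems = []
    if "*" not in ranges:
        problems.append("no default 'idmap config * : range' for SIDs outside the configured domains")
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(sorted(ranges.items()), 2):
        if lo1 <= hi2 and lo2 <= hi1:  # the two ranges share at least one id
            problems.append(f"range of {d1} ({lo1}-{hi1}) overlaps range of {d2} ({lo2}-{hi2})")
    return problems

def classify_uid(uid, conf):
    """Name the bucket from the reply: local system, local, mapped, domain:X, or unmapped."""
    ranges = parse_ranges(conf)
    for dom, (lo, hi) in ranges.items():
        if lo <= uid <= hi:
            return "mapped" if dom == "*" else f"domain:{dom}"
    if uid < 1000:
        return "local system"
    if ranges and uid < min(lo for lo, _ in ranges.values()):
        return "local"
    return "unmapped"
```

Run check_ranges() on your own [global] section before joining or restarting winbind; a non-empty list is the "ranges may not overlap" mistake mentioned above.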
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Tuesday 8 December 2015 14:56
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba4 ad dc with Centos7
>
> That's what I thought, and why I said there is no enumeration for system
> users.
> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone). But wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).
>
> I insist because after months spent here and years with Samba I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system is
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which have access to the share).
> With domains there are also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind
> or sssd or nslcd).
>
> Just my 2 cents, best regards,
>
> mathias
>
>
> 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
>
> > On the DC, when I run
> >
> > getent passwd I only see my Linux users.
> >
> > getent passwd username shows the AD user.
> >
> > Same for the groups.
> >
> > Greetz,
> >
> > Louis
> >
> > From: Marcio Costa [mailto:marciofoz at gmail.com]
> > Sent: Tuesday 8 December 2015 14:35
> > To: L.P.H. van Belle
> > Subject: Re: [Samba] Samba4 ad dc with Centos7
> >
> > Hi!
> > If you run 'getent passwd', do you see all the users (ad+local) or only
> > local users ?
> >
> > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle <belle at bazuin.nl>:
> >
> > Well, that's wrong, when I do the following:
> >
> > wbinfo -u I get all my users.
> >
> > wbinfo -g I get all my groups.
> >
> > getent passwd username I get my user:UID:GID:NAME:homedir:shell
> >
> > id username also gives the correct info.. (uid= .. gid= ) groups = etc..
> >
> > And I use winbind on a DC. (Samba 4.2.5 SerNet on Debian wheezy)
> >
> > Greetz,
> >
> > Louis
> >
> > From: mathias dufresne [mailto:infractory at gmail.com]
> > Sent: Tuesday 8 December 2015 14:11
> > To: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Samba4 ad dc with Centos7
> >
> > I believe there is no enumeration allowed by default whatever you use to
> > generate system users from AD (winbind, sssd or nslcd).
> >
> > Cheers,
> >
> > mathias
> >
> > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle <belle at bazuin.nl>:
> >
> > Hai,
> >
> > A few things.
> >
> > > idmap gid = 1000-9999999
> > Did you also change the start GID in the AD?
> > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
> >
> > > "getent group" and "getent passwd"
> > On a DC, use: getent group "domain users"
> > shows only the group name + GID.
> >
> > Your setup looks almost good, I'm only missing something like:
> >
> > ## map id's outside to domain to tdb files.
> > ## map ids from the domain and (*) the range may not overlap !
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> > > Sent: Tuesday 8 December 2015 13:28
> > > To: samba at lists.samba.org
> > > Subject: [Samba] Samba4 ad dc with Centos7
> > >
> > > Hello, I may have a problem with my winbind setup.
> > >
> > > -with wbinfo -g and wbinfo -u I get all groups/users from the AD DC.
> > > -with getent group "Domain Users" and getent passwd "remote_user" I can see
> > > the info about the specific group and specific user.
> > > -with getent group and getent passwd I only see my local groups/users.
> > >
> > > -I believe that using "getent group" and "getent passwd" I must see all
> > > users, right ?
> > >
> > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> > > -ps auxf shows me:
> > > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> > > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > >
> > > -ls /lib64
> > > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > > -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
> > >
> > > -/etc/nsswitch.conf
> > > passwd: files winbind
> > > shadow: files winbind
> > > group: files winbind
> > >
> > > -smb.conf
> > > [global]
> > > workgroup = INTRANET
> > > realm = INTRANET.UNV
> > > netbios name = ITU
> > > server role = active directory domain controller
> > > dns forwarder = 10.2.3.4
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > idmap config INTRANET:backend = ad
> > > idmap config INTRANET:schema_mode = rfc2307
> > > idmap config INTRANET:range = 10000-9999999
> > >
> > > idmap uid = 10000-9999999
> > > idmap gid = 1000-9999999
> > >
> > > # Use settings from AD for login shell and home directory
> > > winbind nss info = rfc2307
> > >
> > > winbind use default domain = yes
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > >
> > > I appreciate any help about this issue.
> > > Thank you.
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba