[Samba] samba4 as ADS member: some users visible, others not
Rowland penny
rpenny at samba.org
Tue Dec 29 17:05:53 UTC 2015
On 29/12/15 16:32, Stefan G. Weichinger wrote:
> I have to add a brand new fedora 23 server with samba 4.3.3 to an
> existing Windows ADS domain.
>
> The join is OK:
>
> # net ads testjoin
> Join is OK
>
> I use winbind as I still have to learn about sssd (and I am unsure which
> one to prefer).
>
> config (workgroup and realm edited):
>
> [global]
> workgroup = customer
> realm = my.customer
> server string =
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config customer:range = 10000-999999
> idmap config customer:schema_mode = rfc2307
> idmap config customer:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> force create mode = 0664
> force directory mode = 0775
> printing = bsd
> level2 oplocks = No
>
> ---
>
> issues:
>
> wbinfo -u
> wbinfo -g list all users and groups from ADS
>
> getent passwd only gives me around 20 users from ADS ...
>
> -> some users get access to shares, some not!
>
> I assume this has to do with "idmap config customer:range" ?
>
> How to determine the values of the max ids?
>
> Do I have to "reset" some mappings after changing this parameter?
>
> What else to check for?
>
> thanks for any help on this, Stefan
>
The only mappings you should have are the ones for the 'builtin' users
& groups; all the others should have a uidNumber or gidNumber attribute
in AD, and these should be between '10000-999999'.
I would also recommend you remove these lines:
force create mode = 0664
force directory mode = 0775
They really only belong in a share, but you should be using Posix ACLs
anyway.
If a user isn't shown by getent, then they are unknown to the OS and
will not be able to access shares unless the share also allows guest access.
Rowland
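As an added illustration of the diagnosis above (example code, not from the thread or from Samba), the script below reads the idmap ranges out of an smb.conf fragment and checks a set of AD user records for the uidNumber condition the 'ad' backend imposes; the smb.conf text is copied from the thread, while the user records are constructed for this example.

```python
"""Predict which AD users winbind's 'ad' idmap backend can resolve."""
import re

# smb.conf fragment taken from the thread's configuration.
SMB_CONF = """
[global]
workgroup = customer
idmap config customer:range = 10000-999999
idmap config customer:schema_mode = rfc2307
idmap config customer:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
"""

# Constructed sample of AD users (sAMAccountName -> uidNumber or None).
# In practice these values come from an LDAP query against the domain.
AD_USERS = {
    "alice": 10001,    # inside the domain range: resolvable
    "bob": None,       # no uidNumber: the 'ad' backend cannot map it
    "carol": 5000,     # below the domain range: rejected
    "dave": 999999,    # upper bound is inclusive
    "erin": 1000000,   # above the domain range: rejected
}

RANGE_RE = re.compile(
    r"^\s*idmap config\s*(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def classify_users(users, ranges, domain="customer"):
    """Split users into those getent will show and those it will not."""
    low, high = ranges[domain.lower()]
    ok, missing = {}, {}
    for name, uid in users.items():
        if uid is None:
            missing[name] = "no uidNumber attribute in AD"
        elif not low <= uid <= high:
            missing[name] = f"uidNumber {uid} outside idmap range {low}-{high}"
        else:
            ok[name] = uid
    return ok, missing


if __name__ == "__main__":
    ok, missing = classify_users(AD_USERS, parse_idmap_ranges(SMB_CONF))
    for name, reason in missing.items():
        print(f"{name}: will not appear in getent passwd ({reason})")
```

Users listed as missing are exactly the ones that are unknown to the OS and therefore denied on non-guest shares; fixing the attribute in AD is the remedy, not widening the '*' tdb range.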