[Samba] samba4 as ADS member: some users visible, others not

Stefan G. Weichinger lists at xunil.at
Tue Dec 29 17:30:02 UTC 2015


Am 2015-12-29 um 18:05 schrieb Rowland penny:
> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>> existing Windows ADS domain.
>>
>> The join is OK:
>>
>> # net ads testjoin
>> Join is OK
>>
>> I use winbind as I still have to learn about sssd (and I am unsure which
>> one to prefer).
>>
>> config (workgroup and realm edited):
>>
>> [global]
>>     workgroup = customer
>>     realm = my.customer
>>     server string =
>>     security = ADS
>>     map to guest = Bad User
>>     username map = /etc/samba/smbusers
>>     map untrusted to domain = Yes
>>     load printers = No
>>     printcap name = /dev/null
>>     disable spoolss = Yes
>>     template shell = /bin/bash
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind nss info = rfc2307
>>     idmap config customer:range = 10000-999999
>>     idmap config customer:schema_mode = rfc2307
>>     idmap config customer:backend = ad
>>     idmap config *:range = 2000-9999
>>     idmap config * : backend = tdb
>>     force create mode = 0664
>>     force directory mode = 0775
>>     printing = bsd
>>     level2 oplocks = No
>>
>> ---
>>
>> issues:
>>
>> wbinfo -u
>> wbinfo -g list all users and groups from ADS
>>
>> getent passwd only gives me around 20 users from ADS ...
>>
>> -> some users get access to shares, some not!
>>
>> I assume this has to do with "idmap config customer:range" ?
>>
>> How to determine the values of the max ids?
>>
>> Do I have to "reset" some mappings after changing this parameter?
>>
>> What else to check for?
>>
>> thanks for any help on this, Stefan
>>
> 
> The only mappings you should have, are the ones for the 'builtin' users
> & groups, all the others should have a uidNumber or gidNumber attribute
> in AD, these should be between '10000-999999'
> I would also recommend you remove these lines:
> 
> force create mode = 0664
> force directory mode = 0775

I agree, sure.

> They really only belong in a share, but you should be using Posix ACLs
> anyway.
> 
> If a user isn't shown by getent, then they are unknown to the OS and
> will not be able to access shares unless the share also allows guest
> access.

So I understand you suggest to use this instead ?

->

[global]
	workgroup = CUSTOMER
	realm = MY.CUSTOMER
	server string =
	security = ADS
	map to guest = Bad User
	username map = /etc/samba/smbusers
	map untrusted to domain = Yes
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nss info = rfc2307
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	printing = bsd
	level2 oplocks = No

I will test later as there are some users working (early evening here) ...

thanks! Stefan
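A worked check of the rule Rowland gives (domain users need uidNumber/gidNumber inside the `idmap config customer:range`, the tdb range is only for BUILTIN/well-known SIDs). This is an added illustration, not code from the thread or from the Samba project: it parses the `idmap config` lines from a constructed smb.conf fragment, runs a constructed AD export (sAMAccountName, uidNumber, gidNumber) through the mapping rules of the `ad` backend, and reports which accounts `getent passwd` would never show. Treating a missing or out-of-range gidNumber as fatal under `winbind nss info = rfc2307` is this script's conservative assumption; exact winbind behaviour for that case is not stated on the page.

```python
"""Which AD users can winbind's idmap_ad backend actually map?

Added example (not Samba code). Models the rule from the thread: with
'idmap config DOMAIN:backend = ad' every domain user needs a uidNumber
(and, with 'winbind nss info = rfc2307', a gidNumber) inside the
configured range; anything else never reaches 'getent passwd' and so
cannot be authorised on a share unless guest access is allowed.
All input below is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment mirroring the thread's idmap settings.
SMB_CONF = """
[global]
    workgroup = CUSTOMER
    realm = MY.CUSTOMER
    security = ADS
    winbind nss info = rfc2307
    idmap config customer:range = 10000-999999
    idmap config customer:schema_mode = rfc2307
    idmap config customer:backend = ad
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
"""

# Constructed AD export, e.g. what ldapsearch returns for the three
# attributes; None means the attribute is unset on the object.
AD_USERS: List[Dict[str, Optional[object]]] = [
    {"sAMAccountName": "alice", "uidNumber": 10001,   "gidNumber": 10000},
    {"sAMAccountName": "bob",   "uidNumber": None,    "gidNumber": None},   # never given POSIX attrs
    {"sAMAccountName": "carol", "uidNumber": 5000,    "gidNumber": 10000},  # uid below domain range
    {"sAMAccountName": "dave",  "uidNumber": 10002,   "gidNumber": None},   # no primary gid
    {"sAMAccountName": "erin",  "uidNumber": 1000000, "gidNumber": 10000},  # uid above domain range
]

# Accepts both 'customer:range' and the testparm spelling '* : backend'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN:key = value' lines keyed by lower-cased domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    return cfg


def domain_range(cfg: Dict[str, Dict[str, str]], domain: str) -> Tuple[int, int]:
    lo, hi = cfg[domain.lower()]["range"].split("-")
    return int(lo), int(hi)


def ranges_overlap(cfg: Dict[str, Dict[str, str]]) -> bool:
    """Overlapping idmap ranges are a misconfiguration; flag them."""
    spans = sorted(domain_range(cfg, d) for d in cfg if "range" in cfg[d])
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))


def classify(user: Dict[str, Optional[object]], rng: Tuple[int, int],
             nss_info: str = "rfc2307") -> Tuple[bool, str]:
    """Return (mappable, reason) for one user under the idmap_ad rules."""
    lo, hi = rng
    uid, gid = user["uidNumber"], user["gidNumber"]
    if uid is None:
        return False, "no uidNumber attribute: idmap_ad cannot map the user"
    if not lo <= uid <= hi:
        return False, f"uidNumber {uid} outside idmap range {lo}-{hi}"
    if nss_info == "rfc2307":  # assumption: primary gid must also resolve
        if gid is None:
            return False, "no gidNumber attribute: no primary group for rfc2307 nss info"
        if not lo <= gid <= hi:
            return False, f"gidNumber {gid} outside idmap range {lo}-{hi}"
    return True, "ok"


def report(conf: str = SMB_CONF, users=AD_USERS,
           domain: str = "customer") -> Tuple[List[str], Dict[str, str]]:
    """Split users into those getent would list and those it would not, with reasons."""
    cfg = parse_idmap(conf)
    rng = domain_range(cfg, domain)
    visible: List[str] = []
    hidden: Dict[str, str] = {}
    for u in users:
        ok, why = classify(u, rng, cfg[domain].get("schema_mode", "rfc2307"))
        (visible.append(u["sAMAccountName"]) if ok
         else hidden.__setitem__(u["sAMAccountName"], why))
    return visible, hidden


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("domain range:", domain_range(cfg, "customer"),
          "| ranges overlap:", ranges_overlap(cfg))
    seen, missing = report()
    print("visible to getent:", seen)
    for name, why in missing.items():
        print(f"  {name:6s} hidden: {why}")
```

On the real server the two input lists come from `wbinfo -u` (every account winbind can enumerate) versus `getent passwd` (only accounts with a valid mapping); any name in the first list but not the second is a candidate for a missing or out-of-range uidNumber, which is exactly the "some users get access to shares, some not" symptom above.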