[Samba] Member Server SeDiskOperatorPrivilege

Tim rintimtim at gmx.net
Fri Jan 9 10:19:15 MST 2015


It's definitely a problem with backend ad. I don't know what, but with ad backend I also cannot list rpc rights on the server because it cannot find the user. With rid: no problem.

Bug?


On 9 January 2015 17:56:59 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 09/01/15 16:48, Tim wrote:
>> Definitely.
>>
>> With backend=ad only two users can be seen by getent passwd. Then
>> changing backend=rid, all users are resolved by getent passwd.
>>
>> On 9 January 2015 17:09:19 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>     On 09/01/15 15:45, Tim wrote:
>>
>>         That's what I tried to say. I set the gid/uid attribs in Unix
>>         tab.
>>
>>         On 9 January 2015 16:44:28 CET, Rowland Penny
>>         <rowlandpenny at googlemail.com> wrote:
>>
>>         On 09/01/15 15:40, Tim wrote:
>>
>>             When I switch back to backend ad, getent passwd returns
>>             nothing - getent group only returns by adding a dedicated
>>             group name. There is at least one user and one group with
>>             Id set in ad.
>>
>>         Yes, but do *any* of your AD users have a uidNumber attribute?
>>         Rowland
>>
>>             On 9 January 2015 16:29:39 CET, Rowland Penny
>>             <rowlandpenny at googlemail.com> wrote:
>>
>>             On 09/01/15 15:19, Tim wrote:
>>
>>                 I switched to rid module of idmapping and now
>>                 winbind offers all groups and I can set
>>                 SeDiskOperatorPrivilege. getent group and getent
>>                 passwd are now working!
>>
>>                 On 9 January 2015 15:21:32 CET, Rowland Penny
>>                 <rowlandpenny at googlemail.com> wrote:
>>
>>                 On 09/01/15 13:47, Tim wrote:
>>
>>                     Hello all,
>>
>>                     I have an AD DC based on CentOS7 with sernet samba
>>                     4.1.14 with rfc2307 and function level 2008_R2.
>>                     This one works so far and I can manage the AD from
>>                     a windows client.
>>
>>                     Now I set up a member server based on CentOS7 with
>>                     sernet samba 4.1.14 just like the wiki advises with
>>                     the same smb.conf (realm etc is configured to my
>>                     needs). I joined the AD and configured nsswitch.
>>                     wbinfo works so far but getent passwd or getent
>>                     group doesn't list domain objects. getent group
>>                     testgroup1 works, but getent passwd testuser1 does
>>                     not.
>>
>>                     I created a share in smb.conf. Now I want to set
>>                     the SeDiskOperatorPrivilege like the wiki advises.
>>                     But it doesn't work. It says that it can't connect
>>                     to server 127.0.0.1. I tried it with
>>
>>                     net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>
>>                     Now I can not access the server from windows to
>>                     set share permissions. What to do? The wiki told
>>                     nothing about kerberos so I did not do anything to
>>                     it.
>>
>>                     Thanks in advance
>>
>>                 Hi, you appear to be the second person in two days
>>                 having a similar, if not the same problem with the
>>                 sernet packages. I don't think it is a kerberos
>>                 problem, can you check if you have
>>                 'libnss_winbind.so.2' anywhere.
>>
>>                 Rowland
>>
>>             I take it from this, that you do not have any uidNumber or
>>             gidNumber attributes in AD.
>>
>>             Rowland
>>
>>
>>     OK, then were they inside the range set in smb.conf i.e.
>>     idmap config DOMAIN : range = 10000-999999
>>
>>     Rowland
>>
>
>That is strange, if you use the winbind 'ad' backend and have AD users
>with a uidNumber, then all the users with uidNumbers should be shown by
>getent passwd, but any users without a uidNumber will not be shown.
>
>The 'rid' backend works differently, it allocates id numbers to each
>and every user.
>
>Rowland
>

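The difference between the two winbind backends discussed in this thread, as an added Python model that is not part of the original messages or of Samba's code. The range is the one quoted in the thread; the sample accounts and RIDs are constructed, and the 'rid' formula (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid 0) is taken from the idmap_rid documentation as an assumption about the configuration in use.

```python
# Added illustration; the accounts and RIDs below are constructed sample data.
from typing import Optional

RANGE_LOW, RANGE_HIGH = 10000, 999999  # "idmap config DOMAIN : range" from the thread

# (name, RID, uidNumber or None when the attribute is not set in AD)
SAMPLE_USERS = [
    ("administrator", 500, None),
    ("testuser1", 1105, 10001),
    ("testuser2", 1106, 5000),   # uidNumber set, but below the configured range
    ("testuser3", 1107, None),
]


def map_ad(uid_number: Optional[int]) -> Optional[int]:
    """'ad' backend: take uidNumber from AD; missing or out-of-range means unmapped."""
    if uid_number is None or not RANGE_LOW <= uid_number <= RANGE_HIGH:
        return None
    return uid_number


def map_rid(rid: int, base_rid: int = 0) -> Optional[int]:
    """'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID, computed for every account."""
    uid = rid - base_rid + RANGE_LOW
    return uid if RANGE_LOW <= uid <= RANGE_HIGH else None


def visible_users(backend: str) -> dict:
    """Names and Unix IDs that the given backend can map for the sample accounts."""
    mapped = {}
    for name, rid, uid_number in SAMPLE_USERS:
        uid = map_ad(uid_number) if backend == "ad" else map_rid(rid)
        if uid is not None:
            mapped[name] = uid
    return mapped


if __name__ == "__main__":
    for backend in ("ad", "rid"):
        print(backend, visible_users(backend))
```

In this model the same account receives a different Unix ID under each backend (testuser1 is 10001 under 'ad' and 11105 under 'rid'), so ownership and ACLs on files created before a backend switch should be reviewed.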
