[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
"Andreas Braml (BürgerEnergie Berlin)"
a.braml at buerger-energie-berlin.de
Wed Jan 28 12:56:22 MST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
After a night of sleeping it over, I just started from scratch today.
So I re-did all the client setups, starting with Ubuntu, this time
14.04, not 12.04 as when I first tried. Again I did what it says in
the Wiki and - bingo! It works as advertised, Unix uid/gid, home
directory and login shell information come from the directory now.
Even PAM login works, although I don't need that for now.
I wonder where I screwed up the first time. The steps aren't that
complicated after all. Well...
So the problem is not in the AD setup.
But when I take the "known good" smb.conf to a fresh FreeBSD client
installed from scratch, adjusting the netbios name and then doing the
join, the behavior stays the same: backend rid works, ad does not.
There seems to be a problem with FreeBSD as a member server after all.
And I will check with Ubuntu 12.04 again.
On 27.01.2015 16:48, Rowland Penny wrote:
> OK, you posted 'I followed the instructions for RFC 2307 and
> decided to use RID+100000 for the default users/groups and 102XXX
> for my additional groups/users' What do you mean by 'default
> users/groups'
The ones you get after the provisioning step is done.
> and 'additional groups/users' ?
The ones that I add later.
> You really only need to give Domain Users and Domain Admins a
> 'gidNumber' attribute, you then give your users a 'uidNumber'
> attribute.
At one point I thought that this might be the problem - so long as
there's only even one single group/user that doesn't have a [gu]idNumber
set, it wouldn't work. That assumption was wrong, obviously. But it
didn't hurt either with the hunt for the problem at hand.
I won't do that in the production environment. So only groups/users that
are relevant for what's shared on the member server (ACLs) will get the
[gu]idNumber.
> Why did you choose the numbers that you have ? you can start both
> 'uidNumber' & 'gidNumber' from 10000, this is what windows
> expects, there doesn't need to be any link between RID and
> uidNumber/gidNumber.
The highest uid in use on the BSD is for the 'nobody' user (65534). It
might be a while before the AD user/group count gets to that, but I
wanted to play it safe here and started beyond that. msSFU30MaxUidNumber
and msSFU30MaxGidNumber are set accordingly.
> I think your problem is that you have given your users/groups
> numbers that are outside the ranges you have set in AD.
No, it's not. (Since it works on Ubuntu now.)
Sorry for the interruption - move along!
Cheers,
Andreas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJUyT7lAAoJEMs6lqj1bb0REyQH/2+M8/DexlLWiO6miBL0cO7U
yRZLjxagy7EG//av3vwv9+4xPqG0RwUdbDwjuKsAvPTiEmft+a5nPfoW2U/988HO
zwwuOV3jqQ48wgvyYvdlR9tWLsR6u1cwL9wqrUmsLn8ZvC+XGBJ80UKlvws2GH7m
mxGaZay1Blua2wfiwJDyvN/ScdwXvU178XbHIipC1nhVwY/9+oNzXVLeINQtwTPD
Qs4i0hVkryqJl8evuOQcMWUrXWVqHhOutKXWwSpwVCBTEdfHW5CfjcKnBIJAU5BQ
T84M40wKHeGl/wGZPIABopOP/prefXS1bfAD35QbtYNProbdHH2ghIXTONBYVUc=
=371f
-----END PGP SIGNATURE-----
More information about the samba
mailing list