[Samba] Cannot chown file to active directory user/group on member server

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 18 11:00:36 UTC 2015


On 18/11/15 10:27, Jeff Dickens wrote:
>
>
> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
> >
> > On 17/11/15 23:09, Jeff Dickens wrote:
> >>
> >> So I am still stuck.  For reference here is the smb.conf on the
> >> member server:
> >>
> >> root at florence:~# more /etc/samba/smb.conf
> >> [global]
> >>
> >>        netbios name = FLORENCE
> >>        security = ADS
> >>        workgroup = IOL
> >>        realm = IOL.SEAMANPAPER.COM
> >>
> >>
> >>        log file = /var/log/samba/%m.log
> >>        log level = 1
> >>
> >>        dedicated keytab file = /etc/krb5.keytab
> >>        kerberos method = secrets and keytab
> >>        winbind refresh tickets = yes
> >>
> >>        winbind trusted domains only = no
> >>        winbind use default domain = yes
> >>        winbind enum users  = yes
> >>        winbind enum groups = yes
> >>
> >>        # idmap config used for your domain.
> >>        # Choose one of the following backends fitting to your
> >>        # requirements and add the corresponding configuration.
> >>        # idmap config ad
> >>        #  - idmap config rid
> >>        #  - idmap config autorid
> >>         idmap config *:backend = tdb
> >>         idmap config *:range = 2000-9999
> >>         idmap config IOL:backend = ad
> >>         idmap config IOL:schema_mode = rfc2307
> >>         idmap config IOL:range = 1000000-9999999
> >>
> >>         winbind nss info = rfc2307
> >>
> >>
> >> [home]
> >>         path=/home/
> >>         read only = No
> >>
> >>
> >> I increased the range because it seems like the DC is using IDs
> >> above 1,000,000.  This is on the DC:
> >
> >
> > Ah, I think I see your problem: you think that because a user on the
> > DC gets a uid, it should get one on a domain member without any
> > intervention on your part.
> >
> > Did you miss this:
> >
> >
> >    Prerequisites
> >
> >  * NIS extensions
> >    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
> >    installed in AD and RFC2307 enabled
> >    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
> >    in each DC's smb.conf
> >  * Users and groups have RFC2307 attributes set in AD
> >
> >
> > on this wiki page:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
> >
> > This means that any users that must be known to a Unix domain member
> > *must* have a unique uidNumber; also, Domain Users (at least) *must*
> > have a unique gidNumber. These numbers must be inside the range you
> > set in smb.conf, in your case '1000000-9999999'.
> >
> > The numbers used on the DC are 'xidNumbers'; they are only used on a
> > DC and could be different on other DCs.
> >
> > If you do not want to add rfc2307 attributes, you could use the
> > winbind 'rid' backend instead; see the wiki.
> >
> > Rowland
>
> I did use the --use-rfc2307 option when I originally provisioned the 
> domain.
>

All '--use-rfc2307' does is make it possible to use rfc2307
attributes; it does not add any rfc2307 attributes.
You need to add these attributes to your users & groups, either by using
the UNIX Attributes tab in ADUC after creating a user, or by creating a
user/group with samba-tool, where you can add the rfc2307 attributes at
the same time.


> I do want to use that because eventually I will want to have some 
> Linux client machines.
>
>

Then you need to either add uid/gidNumbers and use the winbind 'ad'
backend, or use the winbind 'rid' backend. All the info is on the wiki;
if you are struggling to understand the wiki, just say and we will try
to make it clearer.

Rowland
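As an added example (not from this thread and not Samba's own tooling), here is a small POSIX shell check for the situation described above: it reads the domain's `idmap config DOMAIN:range` from a member server's smb.conf and reports which AD accounts have no uidNumber, or one outside that range, since those are exactly the accounts the winbind 'ad' backend will not map. The smb.conf and the account list are constructed for the example; on a real domain the list would come from an LDAP search of a DC for sAMAccountName and uidNumber.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: find AD accounts that the
# winbind 'ad' backend cannot map on this member server because they have no
# uidNumber, or one outside "idmap config DOMAIN:range".

# Print "LOW HIGH" for the given domain's idmap range in an smb.conf.
# usage: idmap_range <smb.conf> <DOMAIN>
idmap_range() {
    awk -v dom="$2" -F'=' '
        $1 ~ ("idmap config " dom ":range") {
            gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]
        }' "$1"
}

# Report each account as OK, MISSING or OUT_OF_RANGE; exit 1 if any is not OK.
# usage: check_users <smb.conf> <DOMAIN> <accounts-file>
# accounts-file lines: "<sAMAccountName> <uidNumber>", with "-" for no uidNumber
check_users() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "no idmap config $2:range in $1" >&2; return 2; }
    low=${range% *}; high=${range#* }
    awk -v low="$low" -v high="$high" '
        $2 == "-" || $2 == ""         { bad = 1; print $1, "MISSING uidNumber"; next }
        $2+0 < low+0 || $2+0 > high+0 { bad = 1; print $1, "OUT_OF_RANGE uidNumber=" $2; next }
                                      { print $1, "OK uidNumber=" $2 }
        END { exit bad }' "$3"
}

# Constructed inputs: the member server smb.conf from the thread (trimmed) and a
# made-up account list, as an LDAP search of the DC for sAMAccountName and
# uidNumber would give you.
WORK=$(mktemp -d)
SMBCONF="$WORK/smb.conf"; ACCOUNTS="$WORK/accounts.txt"
cat > "$SMBCONF" <<'EOF'
[global]
        workgroup = IOL
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config IOL:backend = ad
        idmap config IOL:range = 1000000-9999999
EOF
cat > "$ACCOUNTS" <<'EOF'
jdickens 1000001
svc_backup -
olduser 5000
EOF

check_users "$SMBCONF" IOL "$ACCOUNTS" || echo "some accounts need their rfc2307 attributes fixed"
```

An account reported as MISSING is the case discussed in this thread: the DC has an xidNumber for it, but without a uidNumber inside the member's range the member server has nothing to map it to.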
