[Samba] Cannot chown file to active directory user/group on member server
Krutskikh Ivan
stein.hak at gmail.com
Wed Nov 18 16:37:50 UTC 2015
BTW, my issue was resolved by correct configuration of smb.conf
2015-11-18 14:00 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 18/11/15 10:27, Jeff Dickens wrote:
>
>>
>>
>> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> >
>> > On 17/11/15 23:09, Jeff Dickens wrote:
>> >>
>> >> So I am still stuck. For reference here is the smb.conf on the member server:
>> >>
>> >> root at florence:~# more /etc/samba/smb.conf
>> >> [global]
>> >>
>> >> netbios name = FLORENCE
>> >> security = ADS
>> >> workgroup = IOL
>> >> realm = IOL.SEAMANPAPER.COM
>> >>
>> >> log file = /var/log/samba/%m.log
>> >> log level = 1
>> >>
>> >> dedicated keytab file = /etc/krb5.keytab
>> >> kerberos method = secrets and keytab
>> >> winbind refresh tickets = yes
>> >>
>> >> winbind trusted domains only = no
>> >> winbind use default domain = yes
>> >> winbind enum users = yes
>> >> winbind enum groups = yes
>> >>
>> >> # idmap config used for your domain.
>> >> # Choose one of the following backends fitting to your
>> >> # requirements and add the corresponding configuration.
>> >> # idmap config ad
>> >> # - idmap config rid
>> >> # - idmap config autorid
>> >> idmap config *:backend = tdb
>> >> idmap config *:range = 2000-9999
>> >> idmap config IOL:backend = ad
>> >> idmap config IOL:schema_mode = rfc2307
>> >> idmap config IOL:range = 1000000-9999999
>> >>
>> >> winbind nss info = rfc2307
>> >>
>> >>
>> >> [home]
>> >> path=/home/
>> >> read only = No
>> >>
>> >>
>> >> I increased the range because it seems like the DC is using IDs above 1,000,000. This is on the DC:
>> >
>> >
>> > Ah, I think I see your problem, you think that because a user on the DC gets a uid, it should get one on a domain member without any intervention on your part.
>> >
>> > Did you miss this:
>> >
>> >
>> > Prerequisites
>> >
>> > * NIS extensions
>> >   <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
>> >   installed in AD and RFC2307 enabled
>> >   <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
>> >   in each DC's smb.conf
>> > * Users and groups have RFC2307 attributes set in AD
>> >
>> >
>> > on this wiki page:
>> >
>> > https://wiki.samba.org/index.php/Idmap_config_ad
>> >
>> > This means that any users that must be known to a Unix domain member *must* have a unique uidNumber, also Domain Users (at least) *must* have a unique gidNumber. These numbers must be inside the range you set in smb.conf, in your case '1000000-9999999'
>> >
>> > The numbers used on the DC are 'xidNumbers' and are only used on a DC and they could be different on other DCs
>> >
>> > If you do not want to add rfc2307 attributes, you could use the winbind 'rid' backend instead, see the wiki.
>> >
>> > Rowland
>>
>> I did use the --use-rfc2307 option when I originally provisioned the domain.
>>
>>
> All '--use-rfc2307' does, is to make it possible to use rfc2307
> attributes, it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using
> the UNIX Attributes tab in ADUC after creating a user, or by creating a
> user/group with samba-tool, where you can add the rfc2307 attributes at the
> same time.
>
>
>> I do want to use that because eventually I will want to have some Linux client machines.
>>
>>
>>
> Then you need to either add uid/gidNumbers and use the winbind 'ad'
> backend, or use the winbind 'rid' backend, all the info is on the wiki, if
> you are struggling to understand the wiki, just say and we will try to make
> it clearer.
>
> Rowland
>
>
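The range requirement discussed in the thread can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines quoted above, confirms the default and domain ranges do not overlap, and classifies accounts by whether their uidNumber falls inside the domain range. The account names and uidNumber values are constructed for illustration; real values would be read from AD.

```python
import re

# smb.conf idmap lines quoted in the thread (member server).
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:schema_mode = rfc2307
idmap config IOL:range = 1000000-9999999
"""
# Constructed sample: account -> uidNumber in AD (None = attribute not set).
SAMPLE_USERS = {"alice": 1000500, "bob": None, "carol": 10000}

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (low, high)}} from 'idmap config' lines."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines start with # or ; and never match
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            value = tuple(int(part) for part in value.split("-"))
        domains.setdefault(domain, {})[key] = value
    return domains

def ranges_overlap(a, b):
    """True if two inclusive (low, high) ranges share any ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_ids(domains, domain, ids):
    """Classify accounts: 'ok', 'missing' (no uidNumber) or 'out-of-range'."""
    low, high = domains[domain]["range"]
    result = {}
    for name, number in ids.items():
        if number is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if low <= number <= high else "out-of-range"
    return result

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("ranges overlap:", ranges_overlap(cfg["*"]["range"], cfg["IOL"]["range"]))
    print(check_ids(cfg, "IOL", SAMPLE_USERS))
```

Accounts reported as `missing` or `out-of-range` are the ones that, per the thread, need a uidNumber added or moved into the configured range before they can own files on the member server.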