[Samba] Cannot chown file to active directory user/group on member server

Jeff Dickens jeff at seamanpaper.com
Wed Nov 18 18:18:05 UTC 2015


On Wed, Nov 18, 2015 at 6:00 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 18/11/15 10:27, Jeff Dickens wrote:
>
>>
>>
>> On Nov 18, 2015 4:35 AM, "Rowland Penny" <rowlandpenny241155 at gmail.com> wrote:
>> >
>> > On 17/11/15 23:09, Jeff Dickens wrote:
>> >>
>> >> So I am still stuck.  For reference here is the smb.conf on the member
>> server:
>> >>
>> >> root at florence:~# more /etc/samba/smb.conf
>> >> [global]
>> >>
>> >>        netbios name = FLORENCE
>> >>        security = ADS
>> >>        workgroup = IOL
>> >>        realm = IOL.SEAMANPAPER.COM
>>
>> >>
>> >>
>> >>        log file = /var/log/samba/%m.log
>> >>        log level = 1
>> >>
>> >>        dedicated keytab file = /etc/krb5.keytab
>> >>        kerberos method = secrets and keytab
>> >>        winbind refresh tickets = yes
>> >>
>> >>        winbind trusted domains only = no
>> >>        winbind use default domain = yes
>> >>        winbind enum users  = yes
>> >>        winbind enum groups = yes
>> >>
>> >>        # idmap config used for your domain.
>> >>        # Choose one of the following backends fitting to your
>> >>        # requirements and add the corresponding configuration.
>> >>        # idmap config ad
>> >>        #  - idmap config rid
>> >>        #  - idmap config autorid
>> >>         idmap config *:backend = tdb
>> >>         idmap config *:range = 2000-9999
>> >>         idmap config IOL:backend = ad
>> >>         idmap config IOL:schema_mode = rfc2307
>> >>         idmap config IOL:range = 1000000-9999999
>> >>
>> >>         winbind nss info = rfc2307
>> >>
>> >>
>> >> [home]
>> >>         path=/home/
>> >>         read only = No
>> >>
>> >>
>> >> I increased the range because it seems like the DC is using IDs above
>> 1,000,000.  This is on the DC:
>> >
>> >
>> > Ah, I think I see your problem, you think that because a user on the DC
>> gets a uid, it should get one on a domain member without any intervention
>> on your part.
>> >
>> > Did you miss this:
>> >
>> >
>> >    Prerequisites
>> >
>> >  * NIS extensions installed in AD
>> >    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory>
>> >    and RFC2307 enabled in each DC's smb.conf
>> >    <https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers>
>> >  * Users and groups have RFC2307 attributes set in AD
>> >
>> >
>> > on this wiki page:
>> >
>> > https://wiki.samba.org/index.php/Idmap_config_ad
>> >
>> > This means that any users that must be known to a Unix domain member
>> *must* have a unique uidNumber, also Domain Users (at least) *must* have a
>> unique gidNumber. These numbers must be inside the range you set in
>> smb.conf, in your case '1000000-9999999'
>> >
>> > The numbers used on the DC are 'xidNumbers' and are only used on a DC
>> and they could be different on other DCs
>> >
>> > If you do not want to add rfc2307 attributes, you could use the winbind
>> 'rid' backend instead, see the wiki.
>> >
>> > Rowland
>>
>> I did use the --use-rfc2307 option when I originally provisioned the
>> domain.
>>
>>
> All '--use-rfc2307' does is make it possible to use rfc2307
> attributes; it does not add any rfc2307 attributes.
> You need to add these attributes to your users & groups, either by using
> the UNIX Attributes tab in ADUC after creating a user, or by creating a
> user/group with samba-tool, where you can add the rfc2307 attributes at the
> same time.
>
ok...


>>
>> I do want to use that because eventually I will want to have some Linux
>> client machines.
>>
>>
>>
> Then you need to either add uid/gidNumbers and use the winbind 'ad'
> backend, or use the winbind 'rid' backend, all the info is on the wiki, if
> you are struggling to understand the wiki, just say and we will try to make
> it clearer.
>
> Rowland
>
>
I will make a concerted effort to distill what I've learned and return it
to the community.  If the talk pages in the wiki were enabled it would be
easier for me to point out things I find less than clear, but I assume
that's because you want to keep discussions in one place (here).

At
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands
for the 2nd condition (the accounts and groups have rfc2307 attributes), it
would be good to have a way to check this with a command on the DC.

Thanks for all your patient help. I think I should be able to get it going
when next I can spend a chunk of time on it.




-- 
Jeff Dickens
IT Manager      978-632-1513
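The check Jeff asks for above (is the rfc2307 attribute actually present and inside the member server's idmap range?) as an added example; it is not part of the thread and not a Samba tool. It reads LDIF as `ldbsearch` prints it and reports every account whose `uidNumber` (or, for groups, `gidNumber`) is missing or falls outside the `1000000-9999999` range from the smb.conf quoted above. The `ldbsearch` invocations in the comments assume the default `sam.ldb` location on a Samba AD DC; the sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: flag AD
# accounts whose rfc2307 id attribute is missing or outside the idmap range the
# member server's smb.conf expects. Reads LDIF from stdin, e.g. on the DC
# (sam.ldb path is the Samba default; filter and attribute list are assumptions):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(&(objectClass=user)(objectCategory=person))' sAMAccountName uidNumber \
#       | check_idnumbers uidNumber
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(objectClass=group)' sAMAccountName gidNumber | check_idnumbers gidNumber

# The idmap range from the smb.conf quoted in the thread.
RANGE_LOW=1000000
RANGE_HIGH=9999999

# check_idnumbers [attr]: attr is uidNumber (default) or gidNumber.
# Prints one line per unusable account:
#   <sAMAccountName> MISSING            the object has no such attribute
#   <sAMAccountName> OUT_OF_RANGE <n>   value is not within RANGE_LOW..RANGE_HIGH
# Exit status 0 when every account is usable, 1 otherwise.
check_idnumbers() {
    attr="${1:-uidNumber}"
    awk -v attr="$attr" -v low="$RANGE_LOW" -v high="$RANGE_HIGH" '
        function flush() {
            if (name == "") return
            if (id == "") { print name, "MISSING"; bad = 1 }
            else if (id + 0 < low + 0 || id + 0 > high + 0) { print name, "OUT_OF_RANGE", id; bad = 1 }
            name = ""; id = ""
        }
        BEGIN { bad = 0 }
        /^dn: /             { flush() }    # every LDIF entry begins with its dn
        /^sAMAccountName: / { name = $0; sub(/^sAMAccountName: /, "", name) }
        $1 == (attr ":")    { id = $2 }    # the attribute we were asked to check
        END { flush(); exit bad }
    '
}

# Constructed sample of ldbsearch output (the accounts are made up for this example).
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: alice
uidNumber: 1000001

dn: CN=bob,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=iol,DC=seamanpaper,DC=com
sAMAccountName: carol
uidNumber: 10001

# returned 3 records'

if printf '%s\n' "$SAMPLE_LDIF" | check_idnumbers uidNumber; then
    echo "every account has a uidNumber inside $RANGE_LOW-$RANGE_HIGH"
else
    echo "the accounts listed above will not map to a Unix uid on the member server"
fi
```

Run it once for users with `uidNumber` and once for groups with `gidNumber`; a `Domain Users` line in the second run is exactly the "Domain Users (at least) must have a unique gidNumber" case Rowland describes. Uniqueness is not checked here, only presence and range.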

