[Samba] Samba 4 + Squidguardian

L.P.H. van Belle belle at bazuin.nl
Tue Oct 20 09:32:50 UTC 2015


> Well, I will give you this one, on DC you cannot, but on a domain member
> you can: winbind use default domain = yes
> However, it is not recommended to use the DC as a fileserver

wbinfo -u returns only the username on my DCs.

Just add this to the DC and it works fine. Yes, yes, it's for a member server, but it works fine for me on my DCs also, and as a result getent, id and wbinfo
return the same info on all my servers.

I believe it's safe to use it like this.
Side note: IF you assign all users/groups a UID/GID.
If not all are assigned, the groups on the DC get a 3xxxxxx GID or no users are shown.


        # Use home directory and shell information from AD
        winbind nss info = rfc2307
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/users/%U

Greetz, 

Louis
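An added check for the caveat above (not code from this thread or from Samba): a small Python script that reads ldbsearch-style LDIF, here a constructed sample with hypothetical account names, and reports which users have no uidNumber and which groups, including each user's primary group selected by primaryGroupID, have no gidNumber, i.e. the accounts that winbind on a DC would give an allocated 3xxxxxx ID instead of an rfc2307 one.

```python
# Added example (not from the thread): audit which AD users/groups will get
# rfc2307 IDs from winbind. Constructed sample LDIF in ldbsearch-style output.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
primaryGroupID: 1200

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=proxy-users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: proxy-users
objectSid: S-1-5-21-1111-2222-3333-1200
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated record."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def audit(ldif_text):
    """Return {account: [problems]} for accounts that will not get rfc2307 IDs."""
    recs = parse_ldif(ldif_text)
    # primaryGroupID is a RID, so key groups by the last component of objectSid.
    groups = {int(r["objectSid"].rsplit("-", 1)[1]): r
              for r in recs if r["objectClass"] == "group"}
    problems = {}
    for r in recs:
        issues = []
        if r["objectClass"] == "group" and "gidNumber" not in r:
            issues.append("no gidNumber: a DC hands out an allocated 3xxxxxx GID")
        if r["objectClass"] == "user":
            if "uidNumber" not in r:
                issues.append("no uidNumber: user gets an allocated ID or is not shown")
            pg = groups.get(int(r["primaryGroupID"]))
            if pg is None or "gidNumber" not in pg:
                issues.append(f"primary group RID {r['primaryGroupID']} has no gidNumber")
        if issues: problems[r["sAMAccountName"]] = issues
    return problems
```

On a real DC the same records come from `ldbsearch -H /var/lib/samba/private/sam.ldb` (path assumed from the default Samba layout); feed that output to `audit()` instead of the sample.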

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday 20 October 2015 11:10
> To: samba
> Subject: Re: [Samba] Samba 4 + Squidguardian
> 
> On 20/10/15 09:05, mathias dufresne wrote:
> >
> > 2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com
> > <mailto:rowlandpenny241155 at gmail.com>>:
> >
> >     On 19/10/15 16:46, mathias dufresne wrote:
> >
> >         AD from Samba or Microsoft is mainly a database for storing
> >         users (and associated stuff). It also comes with stuff
> >         (protocols) to connect and retrieve information.
> >
> >         How the client uses this information is, as always, a choice
> >         of that specific client.
> >
> >         Your AD client is your Squid/Squidguard(ian) server. Its job
> >         as AD client is to get some user information from AD to build
> >         system users. I insist on the fact that system users are
> >         forged. Purely.
> >
> >         What is responsible for that forging process? What you
> >         declared in /etc/nsswitch.conf. Generally it is winbind, sssd
> >         or nslcd.
> >
> >         Each one of these tools comes with its own set of options,
> >         tweaks and configuration files to define how to forge users
> >         from the local system's point of view.
> >
> >         Each one except for winbind, which forges users as it decides
> >         to, no matter the desires of the local system admin. At least
> >         this is how I understood winbind's behaviour (which has no
> >         configuration file as far as I know).
> >
> >
> >     Well, apart from idmap.ldb on a DC and the idmap_config lines in
> >     smb.conf on a domain member, there are no configuration files. :-D
> >
> >
> > idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
> > idmap_config lines in smb.conf -> how would you set them to configure
> > Winbind to not add domain to user?
> 
> Well, I will give you this one, on DC you cannot, but on a domain member
> you can: winbind use default domain = yes
> However, it is not recommended to use the DC as a fileserver
> 
> > To use gidNumber rather than 100 which seems to reflect
> > "primaryGroupID: 513",
> 
> Give the users unique uidNumbers and Domain Users a gidNumber
> 
> > to set up home directory to unixHomeDirectory or to homeDirectory
> > rather than /home/<short domain name>/ sAMAccountName?
> 
> template homedir = /home/%U
> 
> > Is it possible to use CN or userPrincipalName rather than sAMAccountName
> > when building the system user?
> 
> No, you have lost me again, what do you mean by 'building the system user'?
> 
> >
> > So it is not configurable.
> 
> Yes it is, fully on a domain member, partially on a DC
> 
> >
> >
> >
> >         Perhaps you are using winbind; in that case winbind is
> >         responsible for adding the domain and backslashes when forging
> >         your users.
> >
> >         I don't know nslcd at all but some are using it on that
> >         mailing list, so I expect it does its job too.
> >
> >         I tried SSSD for the company I'm working for these days and it
> >         comes with a lot of configuration options. I expect it can
> >         force the addition of the AD domain to the username but it is
> >         not the default behaviour.
> >
> >         On some DC where it uses winbind to forge users:
> >
> >
> >     No, sorry, I cannot understand what you mean by forge, in English
> >     this word is used for creating your own banknotes or a thing used
> >     by a blacksmith.
> >
> >
> > In fact a blacksmith forges items using blacksmith tools. He creates
> > these items. These items can be something other than his own tools. In
> > fact if a blacksmith was only able to craft his own tools and nothing
> > else for other people, this kind of job would have quickly
> > disappeared...
> 
> So what you meant was 'create a user', please don't try to get creative
> with the English language, just say what you mean.
> As for forge and a blacksmith, the word can mean the place a blacksmith
> works, the 'action' of the blacksmith doing something i.e. a blacksmith
> forges horseshoes (technical note: no, this is actually done by a farrier)
> (further note: blacksmiths have virtually disappeared)
> Have we played enough with *my* language yet?
> 
> >
> > Anyway you get the point, forging, crafting, building, assembling
> > elements to obtain something else, they are same concept.
> 
> Same basic concept, but they all mean totally different things.
> 
> >
> >
> >
> >     If you add a uidNumber to a user in AD, then it should show
> >     on a DC, even if you are not using winbind.
> >
> >
> > Here you should have meant "if you are using winbind" which is true
> > for UID and wrong for GID which is not reflecting gidNumber configured
> > into AD.
> 
> Ah, that is because you think that giving a user a gidNumber, this
> becomes the user's main GID, it doesn't. The user's primary gid number is
> obtained from what is set in the aptly named 'PrimaryGidNumber'
> attribute, AD obtains this and then uses whatever gidNumber that group's
> object contains.
> 
> 
> > Should I speak again about home dir? Shell? Gecos? login attribute?...
> 
> No, because I have already dealt with that.
> 
> >
> > SSSD grants the sysadmin the possibility to choose all that, forging
> > users as the sysadmin wants to (which is most generally what his bosses
> > asked of him). Winbind can't.
> > And here the question is "how can the user have a username using the
> > <username> syntax rather than <domainname>\<username>?" Is it possible
> > to remove the domain part from the username when using winbind? With the
> > idmap_config lines perhaps? :p
> 
> Anything that sssd can do, winbind can do, but, as I have admitted, only
> fully on a domain member.
> 
> >
> > And more: how the system is configured to retrieve users from AD! AD
> > seems well configured: it works. The question is about how to obtain
> > system users according to what this user needs and not according to
> > what winbind thinks is the right way.
> 
> As I said, winbind will do what sssd does, in fact winbind is that good,
> the later versions of sssd implement a lot of the winbind code.
> 
> Rowland