[Samba] Samba AD: gidNumber?

Viktor Trojanovic viktor at troja.ch
Mon Oct 26 22:35:18 UTC 2015



On 26.10.2015 23:03, Rowland Penny wrote:
> On 26/10/15 21:38, Viktor Trojanovic wrote:
>> I joined a Samba AD member server (file server) to a Samba AD DC. 
>> This seems to have worked. However, if I try to access the file 
>> server from the domain administrator account on a Windows client, I 
>> am asked to provide authorization details. Since I have no other 
>> privileged users, I am using the domain admin credentials but they're 
>> not accepted.
>>
>> I'm not sure exactly where to look but I think the problem could be 
>> connected to the following: On my member server, the getent command 
>> does not yield any results. As per the recommendations on the "Samba 
>> Member Server Troubleshooting" page, I checked on the DC if the group 
>> Domain Users has a gidNumber. Well, it doesn't. Neither do my users 
>> have uidNumbers though this, allegedly, is not such an issue.
>
> Yes it is; there is no point in adding a gidNumber to Domain Users if 
> you are not going to give your Users a uidNumber.
>
> As far as how to add uidNumbers and gidNumbers, well firstly, do you 
> need to? If your users are never going to actually log into the member 
> server and this is your only Unix machine, you could use the winbind 
> 'rid' backend, this will create the ID numbers on the fly.
> If you have more than one member server, or Unix clients or want your 
> users to log into the member server, you will probably be better off 
> using the winbind 'ad' backend. To do this you will need to give your 
> users a unique uidNumber and Domain Users (at least) a gidNumber. You 
> can do this by using the ADUC UNIX Attributes tab, by writing your own 
> script using an ldif, or by using something like the LDAP Account 
> Manager (LAM).
>
> Rowland
Thanks again for helping, Rowland.

As I mentioned before, both the DC and the member server are Unix 
running Samba 4.3. The purpose of the member server is to act as file 
server, nothing more.

The clients are all Windows machines and users; they will never log in 
to one of the Unix systems directly. If they are able to access shares 
on the file server without having to log in, then I guess this 'rid' 
backend seems to be what I need. Correct? Can you give me some pointers 
on how to do that, or direct me to the documentation?

Though one has to wonder: There is a wiki on how to implement a Samba AD, 
and how to add a Samba Member Server. I followed the instructions step 
by step, for both, and now it turns out that the instructions for the 
member server are not made to fit the configuration of the DC? That's a 
bit discouraging.

Viktor
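The two idmap configurations Rowland contrasts above, written out as an smb.conf fragment for the member server. This is an added example, not a file from the thread or from the Samba wiki, and the names in it (workgroup SAMDOM, realm SAMDOM.EXAMPLE.COM, host FILESERVER, the [data] share path) and the ID ranges are assumptions to be replaced with your own. The point it makes is the one the thread turns on: with the 'rid' backend winbind computes uid/gid from the SID's RID and needs no uidNumber/gidNumber in AD, whereas the 'ad' backend only maps accounts that carry those attributes, so an AD without them yields an empty getent.

```ini
# /etc/samba/smb.conf on a Samba AD member server used only as a file server.
# Example configuration, not the Samba project's own; SAMDOM, the realm,
# the host name, the share path and the ranges are assumptions.
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    netbios name = FILESERVER
    security = ADS

    # Default mapping for BUILTIN and any domain without its own entry.
    # Its range must not overlap the SAMDOM range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A: 'rid' backend. uid/gid = range start + RID, computed on the
    # fly; no uidNumber/gidNumber is needed in AD. Every member server that
    # uses the same range gets the same IDs for the same accounts.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Option B: 'ad' backend (comment Option A out, uncomment these).
    # Reads uidNumber/gidNumber from AD. A user without a uidNumber, or
    # whose primary group (Domain Users) has no gidNumber, is not mapped
    # and stays invisible to getent.
    #idmap config SAMDOM : backend = ad
    #idmap config SAMDOM : schema_mode = rfc2307
    #idmap config SAMDOM : range = 10000-999999
    # With 'ad', also take home directory and shell from AD (rfc2307
    # attributes unixHomeDirectory / loginShell) instead of the templates:
    #winbind nss info = rfc2307

    # Used when no rfc2307 home/shell is available (always with 'rid').
    # /bin/false is enough for users who only ever access shares.
    template shell = /bin/false
    template homedir = /home/%U

    winbind use default domain = yes
    # Needed only so that a plain 'getent passwd' / 'getent group' lists
    # domain accounts; lookups of a single name work without them.
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    # Keep Windows ACLs set from a client in extended attributes.
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[data]
    path = /srv/samba/data
    read only = no
```

After restarting winbind, check the mapping before touching any share: `wbinfo -u` and `wbinfo -g` must list domain accounts, `wbinfo -i administrator` (or `getent passwd administrator`, with `winbind use default domain = yes`) must return a uid and a gid from the SAMDOM range, and `getent group 'Domain Users'` must resolve. If `wbinfo` works but `getent` returns nothing, nsswitch.conf is missing `winbind` on its `passwd:` and `group:` lines rather than idmap being at fault. Note that switching an existing server between 'rid' and 'ad' changes every uid/gid, so ownership on already-populated shares has to be redone.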
