[Samba] Samba AD: gidNumber?
Viktor Trojanovic
viktor at troja.ch
Thu Oct 29 16:21:36 UTC 2015
On 27.10.2015 16:16, Rowland Penny wrote:
> On 27/10/15 14:58, Viktor Trojanovic wrote:
>>
>>
>> On 27.10.2015 13:54, Rowland Penny wrote:
>>> [...]
>>>> Yes, I meant the administrator. I did your suggested change on my
>>>> member server and restarted it. 'getent passwd administrator' is
>>>> still not returning anything, though. Or is that the wrong way to
>>>> check if it worked?
>>>>
>>>
>>> If you ran the same command on the DC, it will return something, but
>>> on a member server it won't, because the range you set in smb.conf
>>> is (if you followed the wiki, 10000-99999) above '0' and anything
>>> that is outside the range is ignored. This is not a problem,
>>> remember that Administrator is mapped to root on the member server,
>>> so if you want to log into the member server, you would so as root.
>>> From windows, Administrator becomes root and carries out any changes
>>> etc as root.
>>>
>>> Rowland
>>>
>>>
>>
>> Ok, all understood, thank you. But how can I check if it worked with
>> the users? I manually changed the Nisdomain and uidNumber for two
>> users using ADUC (to 10001 and 10002, respectively), I restarted
>> Samba (was this even necessary?), and getent passwd <username> will
>> still not return anything.
>>
>> In other words, what is the quickest way to check if my member server
>> setup worked out alright?
>
> OK, if you compiled samba yourself and you want to test getent on the
> member server, see this that I posted earlier:
>
> https://lists.samba.org/archive/samba/2015-October/195319.html
>
> If you are using distro packages, the wiki pages should give you a
> good idea of what you need.
>
> Rowland
>
>
So, I spent quite some time researching it all a bit more in depth but I
get stuck at the same point, although I at least seem to have a better
understanding of how things should be now.
So, my smb.conf on the member server looks exactly like the one in the
wiki, except that I also added ACL support as suggested on the wiki page
"Shares with Windows ACLs". My filesystem is XFS and has ACL built-in.
I do get proper results for wbinfo -u and wbinfo -g, but the id and
getent commands just won't work. I'm trying it on users and groups that
have a uidNumber or gidNumber defined, respectively.
This is how my nsswitch.conf looks like:
passwd: compat winbind
group: compat winbind
hosts:compat dns
networks: compat dns
My Samba came from a package but I verified that libnss_winbind.so.2 is
properly linked.
smbd, nmbd and winbindd are properly started with no errors in the logs,
I'm joined to the AD, I can browse the member server from my windows
machine being logged in as Administrator. But I still can't seem to
change ACLs on any objects in the share from within Windows, I'm getting
error messages "Error when applying security" (I'm translating freely
from German).
Do you have any idea what's going wrong here?
Viktor
More information about the samba
mailing list