[Samba] Samba AD: gidNumber?

Viktor Trojanovic viktor at troja.ch
Thu Oct 29 16:21:36 UTC 2015



On 27.10.2015 16:16, Rowland Penny wrote:
> On 27/10/15 14:58, Viktor Trojanovic wrote:
>>
>>
>> On 27.10.2015 13:54, Rowland Penny wrote:
>>> [...]
>>>> Yes, I meant the administrator. I did your suggested change on my 
>>>> member server and restarted it. 'getent passwd administrator' is 
>>>> still not returning anything, though. Or is that the wrong way to 
>>>> check if it worked?
>>>>
>>>
>>> If you ran the same command on the DC, it will return something, but 
>>> on a member server it won't, because the range you set in smb.conf 
>>> is (if you followed the wiki, 10000-99999) above '0' and anything 
>>> that is outside the range is ignored. This is not a problem, 
>>> remember that Administrator is mapped to root on the member server, 
>>> so if you want to log into the member server, you would do so as root. 
>>> From Windows, Administrator becomes root and carries out any changes 
>>> etc as root.
>>>
>>> Rowland
>>>
>>>
>>
>> Ok, all understood, thank you. But how can I check if it worked with 
>> the users? I manually changed the Nisdomain and uidNumber for two 
>> users using ADUC (to 10001 and 10002, respectively), I restarted 
>> Samba (was this even necessary?), and getent passwd <username> will 
>> still not return anything.
>>
>> In other words, what is the quickest way to check if my member server 
>> setup worked out alright?
>
> OK, if you compiled samba yourself and you want to test getent on the 
> member server, see this that I posted earlier:
>
> https://lists.samba.org/archive/samba/2015-October/195319.html
>
> If you are using distro packages, the wiki pages should give you a 
> good idea of what you need.
>
> Rowland
>
>
So, I spent quite some time researching it all a bit more in depth but I 
get stuck at the same point, although I at least seem to have a better 
understanding of how things should be now.

So, my smb.conf on the member server looks exactly like the one in the 
wiki, except that I also added ACL support as suggested on the wiki page 
"Shares with Windows ACLs". My filesystem is XFS and has ACL built-in.

I do get proper results for wbinfo -u and wbinfo -g, but the id and 
getent commands just won't work. I'm trying it on users and groups that 
have a uidNumber or gidNumber defined, respectively.

This is what my nsswitch.conf looks like:

passwd: compat winbind
group: compat winbind
hosts: compat dns
networks: compat dns

My Samba came from a package but I verified that libnss_winbind.so.2 is 
properly linked.

smbd, nmbd and winbindd are properly started with no errors in the logs, 
I'm joined to the AD, I can browse the member server from my Windows 
machine being logged in as Administrator. But I still can't seem to 
change ACLs on any objects in the share from within Windows, I'm getting 
error messages "Error when applying security" (I'm translating freely 
from German).

Do you have any idea what's going wrong here?

Viktor


