[Samba] setup-sysvol-bidirectional.sh unable to id administrator

mathias dufresne infractory at gmail.com
Mon Apr 4 09:07:07 UTC 2016


I expect Winbind on a DC does NOT retrieve the home dir, by design.

DCs are not meant to be used by AD users: no sessions from standard users on
a DC, never.
DCs are meant to talk with Windows clients and with tools such as SSSD,
Winbind or nslcd which use AD as a user database. These tools are
configurable enough to use that database to do what we want on member
servers.

Winbind generates users from AD using "primaryGroupID" for the GID and
something else for the UID (I still don't know exactly how that UID is chosen)
because of the ACLs on SysVol. SysVol is accessed by Windows clients and that's
the only moment there is an interaction between a user-from-AD and the
system-hosting-Samba-AD. To match Windows user information during the ACL check
on SysVol, Winbind uses Windows information from AD to generate users.

I hope I was clear but that's not sure at all :D

Anyway, I tried ;)

Cheers,

mathias


2016-04-01 2:16 GMT+02:00 niya levi <niyalevi at gmail.com>:

> hi Louis
>
> thanks for the suggestion.
>
> first I tried switching back to winbind in nsswitch.conf
> then getent and id worked as they should
> so I've cornered the problem down to sssd
> but I had another problem with the winbind solution
> the home dir was not being pulled from AD,
> with a bit of net searching I found this from the samba mail archives
>
> Sébastien Le Ray says
> in smb.conf idmap_ldb:use rfc2307 = yes is used to pull down UNIX
> information from active directory
> (namely uid, gid, homedir, shell).
> Support is partial on domain controller since shell & homedir can only
> be set through * template parameters in
> smb.conf despite rfc2307 being used.
> Shell & homedir are correctly fetched on member servers.
>
> does this still apply to winbindd as I run arch linux with the latest
> samba,
> if there is a way to use winbind on the DCs and be able to retrieve home
> dirs from the AD
> then I would permanently use winbindd
> if not I'll have to start hitting sssd with a hammer and getting on
> their mailing list until it works.
>
> as for your replication script it works perfectly,
> the cronjob keeps my mailbox busy but will do something about that once
> I've sorted out my current issues
>
> shadrock
>
>
>
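As an added illustration of the DC versus member-server behaviour Sébastien describes (these fragments are not part of this thread or of Samba's own documentation), the two smb.conf excerpts below set the settings side by side: on the DC, `idmap_ldb:use rfc2307 = yes` pulls uidNumber/gidNumber from AD while home dir and shell can only come from the `template` parameters; on a member server using the `ad` idmap backend, `winbind nss info = rfc2307` additionally honours unixHomeDirectory and loginShell. The domain name EXAMPLE, the realm and the id ranges are assumed placeholders.

```ini
# --- smb.conf on a Samba AD DC (idmap_ldb is the only idmap backend a DC uses) ---
[global]
    server role = active directory domain controller
    # uidNumber / gidNumber are read from the RFC2307 attributes in AD
    idmap_ldb:use rfc2307 = yes
    # On a DC unixHomeDirectory / loginShell are NOT honoured by winbind:
    # every AD user resolved via NSS gets these template values instead
    template homedir = /home/%D/%U
    template shell = /bin/bash

# --- smb.conf on a domain member server (assumed domain EXAMPLE / EXAMPLE.LOCAL) ---
[global]
    security = ADS
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    # default idmap range for BUILTIN and unknown domains; must not overlap below
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # AD domain: take uidNumber / gidNumber straight from the directory
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    # Here home dir and shell ARE read from unixHomeDirectory / loginShell
    winbind nss info = rfc2307
    # fallback only for accounts that lack those attributes
    template homedir = /home/%D/%U
    template shell = /bin/bash
```

Running `getent passwd 'EXAMPLE\someuser'` on the DC and on the member server shows the difference directly: the DC returns the template home dir and shell, the member server returns the values stored in AD.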

