[Samba] File Server member DC ACL permissions

Rowland Penny rpenny at samba.org
Thu Aug 11 20:46:56 UTC 2016


On Thu, 11 Aug 2016 20:22:32 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> 
> 
> > Hmm, the numbers seem extremely large, did you set this number in
> > the user's 'uidnumber' attribute in AD?
> 
> How do I do this uidNumber configuration? 
> I'm running all services: smbd, nmbd and winbind 
> 
> It's hard to run the file server as a domain member. When it was a file
> server with DC it was much easier.
> 

No, it is easy, once you understand it.

I take it you have Windows clients, what version?

Hopefully win7, if so, see here on how to install RSAT:

https://wiki.samba.org/index.php/Installing_RSAT

You can then use the 'UNIX Attributes' tab in ADUC to add the required
attributes.

Basically, if you join a Unix computer to an AD domain, it becomes a
Unix domain member. If you then set up libnss_winbind and PAM it can
connect to AD and obtain the RFC2307 attributes for a user or group.
However, you have to add these, they are not created for you.
You can do this another way, which is similar to the way a Samba DC
works. This is the winbind 'rid' backend and does not entail adding
anything to AD. To use this backend, replace 'idmap config DOMAIN:
backend = ad' with 'idmap config DOMAIN: backend = rid' and remove
this line 'idmap config DOMAIN: schema_mode = RFC2307'

Clear out the cache with 'net flush cache' and then restart the Samba
binaries. 

Rowland
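
Added example (not part of the message above and not Samba project code): the smb.conf change described in the message, applied with sed to a constructed sample file. The domain name SAMDOM, the sample settings and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample smb.conf for a domain member using the 'ad' backend.
sample_conf() {
    cat <<'EOF'
[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
EOF
}

# Print the file with the given domain switched from 'ad' to 'rid':
#   - "idmap config DOM : backend = ad"  becomes "... backend = rid"
#   - "idmap config DOM : schema_mode = ..." is dropped
# The domain's range line and the default ('*') domain are left untouched.
# Assumes the domain name is written in the same case as in the file.
switch_idmap_to_rid() {
    dom=$1
    conf=$2
    sp='[[:space:]]*'
    key="${sp}idmap config ${dom}${sp}:${sp}"
    sed -e "s/^\(${key}backend${sp}=${sp}\)ad${sp}\$/\1rid/" \
        -e "/^${key}schema_mode${sp}=/d" "$conf"
}

# Demonstration on the constructed sample; review the output before
# replacing the real smb.conf with it.
tmp=$(mktemp)
sample_conf > "$tmp"
switch_idmap_to_rid SAMDOM "$tmp"
rm -f "$tmp"

# After installing the edited file, the remaining steps from the message
# are run by hand: 'net flush cache', then restart smbd, nmbd and winbind.
```

Because the rid backend derives IDs from each RID and the configured range instead of reading uidNumber/gidNumber from AD, numeric owners on existing files can differ after the switch and are worth re-checking.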


