[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member

rawi only4com at web.de
Wed Aug 17 11:54:41 UTC 2016


I bump this only to say SOLVED and many thanks to Rowland.

Lessons learned:

1.
Indeed, my problems were related to not having a gidNumber for "Domain
Users".
After adding it I got real wbinfo --user-info on the domain member (file
server).
My test user could log in to his old home from the NT domain preserving the
old UID and GID.

2. (question = why?)
And login.bat was called at login time _only_ after moving the [netlogon]
share from the domain member to the ad-dc.
Why on earth it could not be called from the file server remains a mystery
to me.
The LDAP field scriptPath was configured:
\\member_server\netlogon\login.bat.

3.
To bind the homeDrive I had to put a colon (:) after the drive letter.

4. (question = how to change/correct surname, givenName?)
wbinfo output is slightly different on ad-dc and domain member with regard
to the GECOS.

On the ad-dc:
HUMGEN\test:*:9439:5000: WT. Test --given-name=Want
To:/home/HUMGEN/test:/bin/false

The GECOS on the ad-dc is composed from initials + surname + givenName.

On the domain member (real GECOS field or maybe description):
test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash

The GECOS from the ad-dc will be sent as FullName to a joined Windows 8.1
computer.

The fields surname and givenName (I gave them to samba-tool when creating
the test user) are not visible in the output of ldbsearch.
So, how would one modify the surname after a woman married and changed it?

5. (bug?)
Adding "hosts allow =" on the ad-dc breaks everything.
wbinfo will give no output on the ad-dc and an error on the domain member.

6.
After spying on what dnsupdate does (rndc dumpdb -zones) I could take out the
server service dnsupdate from smb.conf and insert the records statically in
bind9. So I have all my subnet uniformly in one place (dhcp+bind,
forward+reverse) regardless of whether the computer or printer is in the
domain or not.

7.
The share [homes] (on the domain member) will generate after a generic
path=/path/to/homes a share like \\file-server\test and inside this is again
a directory test.
So to have the home directory content directly inside the homeDrive one has
to declare the path=/path/to/homes/%S.

8.
With a combination of chmod g+s on a directory and "inherit permissions" in
the smb.conf I can avoid a lot of the ACL default hassle and administer the
file system like in the old Linux times, ACLs remaining a possibility.

9.
Given the developments it's a pity that Ubuntu Xenial LTS won't upgrade to the
last branch. If I move now my NT domain to 4.3 I'll stay so for the next 10
years - for fear of breaking something.

All of the above is common knowledge for all of you.
These were now discoveries for me after sleeping the last 12 years behind an
old Samba NT domain :)

Thanks to all the Samba team and forum helpers for making it happen again and
again.

rawi
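
An added example, not part of the original post: a small Python check that compares passwd-style lines (as printed by wbinfo --user-info or getent passwd) collected on the ad-dc and on the domain member and reports accounts whose UID, GID or GECOS differ. The "test" lines are the ones quoted in point 4 (the wrapped ad-dc line joined onto one line, assuming the break is mail wrapping); the "alice" lines and all function names are constructed for illustration.

```python
from typing import NamedTuple

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str

def parse_passwd_line(line):
    """Parse one passwd(5)-style line (getent passwd / wbinfo --user-info)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, _pw, uid, gid, gecos, _home, _shell = fields
    # The post's ad-dc output shows DOMAIN\user, its member output the bare name.
    short = name.rsplit("\\", 1)[-1].lower()
    return PasswdEntry(short, int(uid), int(gid), gecos.strip())

def compare_hosts(dc_lines, member_lines):
    """Return {user: [findings]} for accounts that differ between the two hosts."""
    dc = {e.name: e for e in map(parse_passwd_line, dc_lines)}
    member = {e.name: e for e in map(parse_passwd_line, member_lines)}
    findings = {}
    for name in sorted(dc.keys() | member.keys()):
        a, b = dc.get(name), member.get(name)
        if a is None or b is None:
            findings[name] = ["missing on " + ("ad-dc" if a is None else "member")]
            continue
        # Home and shell legitimately differ per host, so only these are compared.
        diffs = [f"{f}: dc={getattr(a, f)!r} member={getattr(b, f)!r}"
                 for f in ("uid", "gid", "gecos") if getattr(a, f) != getattr(b, f)]
        if diffs:
            findings[name] = diffs
    return findings

# "test" lines are from the post; "alice" lines are constructed to show ID drift.
DC_SAMPLE = [
    r"HUMGEN\test:*:9439:5000: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false",
    r"HUMGEN\alice:*:9440:5000:Alice Example:/home/HUMGEN/alice:/bin/false",
]
MEMBER_SAMPLE = [
    "test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash",
    "alice:*:3000017:3000018:Alice Example:/home/alice:/bin/bash",
]

if __name__ == "__main__":
    for user, diffs in compare_hosts(DC_SAMPLE, MEMBER_SAMPLE).items():
        print(user, "->", "; ".join(diffs))
```

A UID or GID finding means files written through the member would be owned by a different numeric ID than the ad-dc reports for the same account; a GECOS-only finding, as for "test", is the cosmetic difference described in point 4.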



