[Samba] AD accounts not available to OS

Philippe LeCavalier support at plecavalier.com
Sat Dec 10 19:37:40 UTC 2016


On Sat, Dec 10, 2016 at 9:37 AM Philippe LeCavalier <support at plecavalier.com>
wrote:

On Sat, Dec 10, 2016 at 9:10 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

On Sat, 10 Dec 2016 13:56:38 +0000
Philippe LeCavalier <support at plecavalier.com> wrote:

> The main docs page, really? That's not helpful at all.
>
> On Sat, Dec 10, 2016 at 3:04 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Sat, 10 Dec 2016 02:00:53 +0000
> > Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
> >
> > > Hey guys,
> > >
> > > I'm setting up a Samba 4 AD DC server on Debian 8 (see pkg list
> > > below).
> > >
> > > Things are working relatively well except that I'm concerned that
> > > > the domain accounts are not available to the OS, i.e. getent group
> > > "Domain Admins" returns nothing.
> > >
> > > I've implemented roaming profiles which is working very well but
> > > redirected folders are not and I'm thinking it's a permissions
> > > issue relating back to the OS not seeing the domain users/groups.
> > >
> > > > I'm a long-time Samba NT domain admin but this is my first brush
> > > > with Samba as a true AD DC. I do also have extensive knowledge of
> > > > Windows AD DCs from back in the day.
> > >
> > > samba 2:4.2.10+dfsg-0+deb8u
> > > winbind 2:4.2.10+dfsg-0+deb8u
> > > Debian 3.16.36-1+deb8u2
> > > Whatever other pkg info is required just ask.
> > >
> > > Thanks in advance!
> >
> > Go and read this:
> >
> > https://wiki.samba.org/index.php/Main_Page
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>

It is a darn sight more helpful than the info you provided to try and
get your problem fixed, but let's try going a bit deeper into the wiki,
see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
and
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

They should supply you with enough info to fix your problem.

Rowland




I provided what I thought was relevant and stated if more info was needed
to just ask. Instead, you just refer me to the main page of the wiki. I
don't know why you assume I didn't comb through the entire wiki looking for
the answer to my problem. Naturally, that's the first thing I did. Also, I
went through all the config related to NIS and Winbind and cannot find
anything that would lead me to think the OS shouldn't see the domain groups
and users. I checked the logs, still no errors related to that.

Can we get past this? I don't know what you expect from me? I'm asking for
help. What is it that you're missing from me to actually help me?
-- 
Regards,
Phil


FWIW, in the "SeDiskOperatorPrivilege" section of the wiki it suggests that
if the output of 'getent group "Domain Admins"' does not return the expected
result, to refer to the NSS Configuration - which is blank. So I'm not clear
at all on how to troubleshoot that side.

For the idmap, in the Prerequisite section, there is no detail on how to
set: "Users must have at least the uidNumber and groups the gidNumber
attribute set. When using the rfc2307 winbind NSS info mode, user accounts
must also have the loginShell, unixHomeDirectory and primaryGroupID set."

I have RSAT / ADUC installed on a workstation and can connect to the DC and
open the UNIX Attributes tab.
-- 
Regards,
Phil
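
An added example, not part of the original thread or the Samba wiki: a small audit of the attributes named in the prerequisite quoted above, run over an LDIF export of user and group objects. The sample LDIF, the samdom.example.com domain, and the function names are assumptions made for illustration; the check covers only the directory attributes, not the NSS configuration on the host.

```python
import base64

# Attributes named in the wiki prerequisite quoted in the message above.
USER_ATTRS = ("uidNumber", "loginShell", "unixHomeDirectory", "primaryGroupID")
GROUP_ATTRS = ("gidNumber",)
# Constructed sample export; the domain and accounts are hypothetical.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 513
uidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/alice

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 513

dn: CN=Domain Admins,CN=Users,DC=samdom,
 DC=example,DC=com
objectClass: group
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                if value.startswith(":"):      # "attr:: <base64>" form
                    value = base64.b64decode(value[1:]).decode("utf-8", "replace")
                entry.setdefault(name.lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if e]

def missing_rfc2307(entries):
    """Map each user/group DN to the required attributes it lacks."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "computer" in classes:              # machine accounts also carry objectClass user
            continue
        required = USER_ATTRS if "user" in classes else GROUP_ATTRS if "group" in classes else ()
        missing = [a for a in required if a.lower() not in e]
        if missing:
            report[e.get("dn", ["<no dn>"])[0]] = missing
    return report
```

Calling `missing_rfc2307(parse_ldif(SAMPLE_LDIF))` reports bob and the folded "Domain Admins" entry; an empty result means every exported user and group carries the attributes the prerequisite lists.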