[Samba] AD accounts not available to OS

Rowland Penny rpenny at samba.org
Sat Dec 10 20:17:02 UTC 2016


On Sat, 10 Dec 2016 19:37:40 +0000
Philippe LeCavalier via samba <samba at lists.samba.org> wrote:

> On Sat, Dec 10, 2016 at 9:37 AM Philippe LeCavalier
> <support at plecavalier.com> wrote:
> 
> On Sat, Dec 10, 2016 at 9:10 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> On Sat, 10 Dec 2016 13:56:38 +0000
> Philippe LeCavalier <support at plecavalier.com> wrote:
> 
> > The main docs page, really? That's not helpful at all.
> >
> > On Sat, Dec 10, 2016 at 3:04 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Sat, 10 Dec 2016 02:00:53 +0000
> > > Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hey guys,
> > > >
> > > > I'm setting up a Samba 4 AD DC server on Debian 8 (see pkg list
> > > > below).
> > > >
> > > > Things are working relatively well except that I'm concerned
> > > > that the domain accounts are not available to the OS. ie
> > > > getent group "Domain Admins" returns nothing.
> > > >
> > > > I've implemented roaming profiles which is working very well but
> > > > redirected folders are not and I'm thinking it's a permissions
> > > > issue relating back to the OS not seeing the domain
> > > > users/groups.
> > > >
> > > > I'm a long time Samba NT domain admin but this is my first brush
> > > > with Samba as a true AD DC. I do also have extensive knowledge
> > > > of Windows AD DC's from back in the day.
> > > >
> > > > samba 2:4.2.10+dfsg-0+deb8u
> > > > winbind 2:4.2.10+dfsg-0+deb8u
> > > > Debian 3.16.36-1+deb8u2
> > > > Whatever other pkg info is required just ask.
> > > >
> > > > Thanks in advance!
> > >
> > > Go and read this:
> > >
> > > https://wiki.samba.org/index.php/Main_Page
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> It is a darn sight more helpful than the info you provided to try and
> get your problem fixed, but lets try going a bit deeper into the wiki,
> see here:
> 
> FWIW in the "SeDiskOperatorPrivilege" section of the wiki it suggests
> that if the output of getent group "Domain Admins" does not return the
> expected result, to refer to the NSS Configuration - which is blank. So
> I'm not clear at all on how to troubleshoot that side.

I will look into this.

> For the idmap, in the Prerequisite section, there is no detail on how
> to set: "Users must have at least the uidNumber and groups the gidNumber
> attribute set. When using the rfc2307 winbind NSS info mode, user
> accounts must also have the loginShell, unixHomeDirectory and
> primaryGroupID set."

You can add them with samba-tool when creating new users, but you need
to use either ADUC or script around ldbmodify to add them to existing
users.

> I have RSAT / ADUC installed on a workstation and can connect to the DC
> and open the UNIX Attributes tab.

Are you doing this as the Administrator?

If you have no other option but must add a gidNumber to Domain Admins,
try this:

log on to the Samba AD DC as root
run this command:
ldbedit -e nano -H /usr/local/samba/private/sam.ldb

replace nano with your favourite editor
and /usr/local/samba/private/sam.ldb with the path to sam.ldb on your DC

Once the editor opens, search for the Domain Admins object, when you
find it, add 'gidNumber: 10001', then close and save.
You can replace '10001' with whatever number you like.

Rowland
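Rowland mentions scripting around ldbmodify for existing users and groups. The following is an added example, not code from the thread or from the Samba project: two POSIX shell functions that emit the LDIF modify records ldbmodify expects, one giving a group a gidNumber (the Domain Admins case above) and one giving a user the rfc2307 attributes the wiki prerequisite lists (uidNumber, gidNumber, loginShell, unixHomeDirectory). The DNs, the numbers and the sam.ldb path in the usage line are constructed sample values; the functions only validate and format, so they can be run and inspected before anything touches the directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): build LDIF for ldbmodify.
# All DNs and id numbers below are constructed samples; adapt them to your domain.

# Return 0 if $1 is a non-empty string of digits, 1 otherwise.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit an LDIF modify record that adds (or, with $3=replace, replaces)
# gidNumber on a group.
#   $1 = group DN   $2 = gidNumber   $3 = add|replace (default add)
group_gid_ldif() {
    op="${3:-add}"
    is_number "$2" || { echo "gidNumber must be numeric: $2" >&2; return 1; }
    case "$op" in
        add|replace) ;;
        *) echo "operation must be add or replace: $op" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\n%s: gidNumber\ngidNumber: %s\n-\n' \
        "$1" "$op" "$2"
}

# Emit an LDIF modify record adding the rfc2307 attributes to a user.
#   $1 = user DN  $2 = uidNumber  $3 = gidNumber  $4 = loginShell  $5 = unixHomeDirectory
user_rfc2307_ldif() {
    is_number "$2" || { echo "uidNumber must be numeric: $2" >&2; return 1; }
    is_number "$3" || { echo "gidNumber must be numeric: $3" >&2; return 1; }
    [ -n "$4" ] && [ -n "$5" ] || { echo "loginShell and unixHomeDirectory required" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$3"
    printf 'add: loginShell\nloginShell: %s\n-\n' "$4"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$5"
}

# Usage on the DC (sam.ldb path is the Debian default; constructed DNs):
#   group_gid_ldif "CN=Domain Admins,CN=Users,DC=example,DC=com" 10001 \
#       | ldbmodify -H /var/lib/samba/private/sam.ldb
#   user_rfc2307_ldif "CN=jdoe,CN=Users,DC=example,DC=com" 10000 10001 /bin/bash /home/jdoe \
#       | ldbmodify -H /var/lib/samba/private/sam.ldb
# Afterwards, verify from the OS side with:  getent group "Domain Admins"
```

ldbmodify reads LDIF from standard input when no file is given, so the output can be piped straight in once it looks right; if the attribute already exists, `add` fails and `replace` is the operation to pass. Pick gidNumber and uidNumber values outside the ranges that local /etc/passwd, /etc/group and any idmap backend already use, so the numbers do not collide.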


