[Samba] AD Controller + File Server + Unix Logins one 1 machine
max at warped.org
Tue Feb 23 16:14:39 UTC 2016
Thanks for the quick response. My response is inline below...
On 02/19/2016 06:32 PM, Rowland penny wrote:
> What are you feelings on using the command line ?
> You could always open a terminal on the Samba 4 DC, enter:
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
> press enter
> press Ctrl+w
> type 'dn: cn=domain users'
> then add 'gidNumber: <whatever number you want to use>'
> I suggest 10000
> Press Ctrl+x
> Press 'y'
> Press 'enter'
> That's it, Domain Users now has a gidNumber.
I like the command line, thanks for the option. For this particular
install I used 'ldbedit -e vim -H /var/lib/samba/private/sam.ldb'. As
it turns out, the GID was in place just fine, but for some reason the
Windows tool is throwing that error.
> Ah, but setting up libnss_winbind is the same as on a domain member,
> go here and read the info:
> remember to follow the links.
> You may need another file, if getent doesn't work after setting up the
> links, just say and I will post the possibly missing file.
Excellent, I think I'm in business now.
passwd: compat winbind
group: compat winbind
smb.conf additions to make the ADC also an AD-Client:
# sercurity=ads # Mutually exclusive with server role = a.d.d.c!
idmap config MY_DOMAIN : backend = ad
idmap config MY_DOMAIN : range = 10000 - 99999
template shell = /bin/bash
template homedir = /home/%U
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
Look good? Any suggestions?
Unrelated : A couple of un-intuitive things in order to get a logon
script to work with an ADC:
1. Use ADUC to add logon script name like normal. This however has to
be a relative path (logon.cmd not \\DC\netlogon\logon.cmd)
2. Set the +x bit in unix on the script
Thanks again for your help and of course for Samba.
More information about the samba