[Samba] AD Controller + File Server + Unix Logins one 1 machine
Max Baker
max at warped.org
Tue Feb 23 16:14:39 UTC 2016
Hi Rowland,

Thanks for the quick response. My response is inline below...

On 02/19/2016 06:32 PM, Rowland penny wrote:
> What are your feelings on using the command line?
> You could always open a terminal on the Samba 4 DC, enter:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>
> press enter
>
> press Ctrl+w
> type 'dn: cn=domain users'
> then add 'gidNumber: <whatever number you want to use>'
> I suggest 10000
> Press Ctrl+x
> Press 'y'
> Press 'enter'
>
> That's it, Domain Users now has a gidNumber.
>
I like the command line, thanks for the option. For this particular
install I used 'ldbedit -e vim -H /var/lib/samba/private/sam.ldb'. As
it turns out, the GID was in place just fine, but for some reason the
Windows tool is throwing that error.
>
> Ah, but setting up libnss_winbind is the same as on a domain member,
> go here and read the info:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
>
>
> remember to follow the links.
>
> You may need another file, if getent doesn't work after setting up the
> links, just say and I will post the possibly missing file.

Excellent, I think I'm in business now.

nsswitch.conf:
----
passwd: compat winbind
group: compat winbind
...
----

smb.conf additions to make the ADC also an AD-Client:
----
# security=ads # Mutually exclusive with server role = a.d.d.c!
idmap config MY_DOMAIN : backend = ad
idmap config MY_DOMAIN : range = 10000 - 99999
template shell = /bin/bash
template homedir = /home/%U
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
----

Look good? Any suggestions?

Unrelated: A couple of un-intuitive things in order to get a logon
script to work with an ADC:

1. Use ADUC to add logon script name like normal. This however has to
   be a relative path (logon.cmd not \\DC\netlogon\logon.cmd)
2. Set the +x bit in unix on the script

Thanks again for your help and of course for Samba.
-m
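
The following is an added example, not part of the original message and not code from the Samba project: a small Python check of two points raised in the thread, that 'security = ads' is not combined with an AD DC server role, and that the gidNumber given to Domain Users falls inside the 'idmap config' range (the idmap_ad backend ignores IDs outside its range). The function names and the sample configuration text are constructed for illustration.

```python
import re

DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_smb_conf(text):
    """Return {normalised parameter name: value} for smb.conf-style text."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # smb.conf ignores case and whitespace in parameter names.
        params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def idmap_ranges(params):
    """Map DOMAIN -> (low, high) from 'idmap config DOMAIN : range' lines."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges[m.group(1).upper()] = (int(r.group(1)), int(r.group(2)))
    return ranges

def check(text, domain, gid_number):
    """Return findings for the two constraints raised in the message."""
    params = parse_smb_conf(text)
    findings = []
    is_dc = params.get("serverrole", "").lower() in DC_ROLES
    if is_dc and params.get("security", "").lower() == "ads":
        findings.append("security = ads set together with an AD DC server role")
    rng = idmap_ranges(params).get(domain.upper())
    if rng is None:
        findings.append(f"no idmap range configured for {domain}")
    elif not rng[0] <= gid_number <= rng[1]:
        findings.append(f"gidNumber {gid_number} outside range {rng[0]}-{rng[1]}")
    return findings

# Constructed sample, built from the settings quoted in the message.
SAMPLE = """[global]
server role = active directory domain controller
# security = ads
idmap config MY_DOMAIN : range = 10000 - 99999
"""

if __name__ == "__main__":
    print(check(SAMPLE, "MY_DOMAIN", 10000) or "no findings")
```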