[Samba] AD Controller + File Server + Unix Logins on 1 machine

Rowland penny rpenny at samba.org
Tue Feb 23 16:27:16 UTC 2016


Hi, see my inline comments


  On 23/02/16 16:14, Max Baker wrote:
> Hi Rowland,
>
> Thanks for the quick response.   My response is inline below...
>
>
> On 02/19/2016 06:32 PM, Rowland penny wrote:
>> What are your feelings on using the command line?
>> You could always open a terminal on the Samba 4 DC, enter:
>>
>> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>>
>> press enter
>>
>> press Ctrl+w
>> type 'dn: cn=domain users'
>> then add 'gidNumber: <whatever number you want to use>'
>> I suggest 10000
>> Press Ctrl+x
>> Press 'y'
>> Press 'enter'
>>
>> That's it, Domain Users now has a gidNumber.
>>
>
> I like the command line, thanks for the option.   For this particular 
> install I used 'ldbedit -e vim -H /var/lib/samba/private/sam.ldb'.    
> As it turns out, the GID was in place just fine, but for some reason 
> the Windows tool is throwing that error.
>
>>
>> Ah, but setting up libnss_winbind is the same as on a domain member, 
>> go here and read the info:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind 
>>
>>
>> remember to follow the links.
>>
>> You may need another file, if getent doesn't work after setting up 
>> the links, just say and I will post the possibly missing file.
>
> Excellent,  I think I'm in business now.
>
> nsswitch.conf:
> ----
> passwd: compat winbind
> group:  compat winbind
> ...
>

Do you now get UIDs & GIDs if you run 'getent passwd <ausername>' and 
'getent group Domain\ Users' ?

> ----
> smb.conf additions to make the ADC also an AD-Client:
> ----
> # security = ads  # Mutually exclusive with server role = a.d.d.c!
> idmap config MY_DOMAIN : backend = ad
> idmap config MY_DOMAIN : range = 10000 - 99999
> template shell = /bin/bash
> template homedir = /home/%U
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = rfc2307
> ----
> Look good? Any suggestions?
>

Yes, remove all of them apart from the template lines and, if you are 
using Samba 4.2.x, 'winbind use default domain'.
They don't do anything on a DC :-)

Rowland

> Unrelated: A couple of unintuitive things in order to get a logon 
> script to work with an ADC:
> 1. Use ADUC to add logon script name like normal.  This however has to 
> be a relative path (logon.cmd not \\DC\netlogon\logon.cmd)
> 2. Set the +x bit in unix on the script
>
>
> Thanks again for your help and of course for Samba.
> -m
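An added example, not code from this thread or from Samba itself: it turns the two steps discussed above into a script, emitting the LDIF that `ldbmodify` takes to set `gidNumber` on Domain Users without editing sam.ldb interactively, and checking that a `getent group` line carries a numeric GID inside the idmap range quoted in the thread (10000 to 99999). The base DN `dc=example,dc=com` and the sample `getent` lines are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive form of the ldbedit step plus the getent check.
# The base DN below is an assumption; replace it with your domain's DN.

SAM_DB="/usr/local/samba/private/sam.ldb"   # path used in the thread
BASE_DN="dc=example,dc=com"                 # assumption, adjust to your domain

# Print the LDIF that sets gidNumber on Domain Users. On the DC, pipe it into
#   ldbmodify -H "$SAM_DB"
# instead of editing sam.ldb by hand; 'replace' adds the attribute if absent.
gidnumber_ldif() {
    gid="$1"
    printf 'dn: CN=Domain Users,CN=Users,%s\n' "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'replace: gidNumber\n'
    printf 'gidNumber: %s\n' "$gid"
}

# Check one 'getent group' line (name:x:gid:members). Returns 0 when the GID
# field is numeric and inside the idmap range, 1 otherwise (an empty or
# non-numeric field means winbind is not resolving the group).
gid_in_range() {
    line="$1"; low="$2"; high="$3"
    gid=$(printf '%s' "$line" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# Constructed sample lines, shaped like 'getent group Domain\ Users' output
# once libnss_winbind works; not captured from a real DC.
SAMPLE_OK="domain users:x:10000:"
SAMPLE_BAD="domain users:x:3000513:"   # outside the 10000-99999 range

main() {
    gidnumber_ldif 10000
    for l in "$SAMPLE_OK" "$SAMPLE_BAD"; do
        if gid_in_range "$l" 10000 99999; then echo "OK: $l"; else echo "CHECK: $l"; fi
    done
}

main "$@"
```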