[Samba] AD Controller + File Server + Unix Logins one 1 machine
rpenny at samba.org
Tue Feb 23 16:27:16 UTC 2016
Hi, see my inline comments
On 23/02/16 16:14, Max Baker wrote:
> Hi Rowland,
> Thanks for the quick response. My response is inline below...
> On 02/19/2016 06:32 PM, Rowland penny wrote:
>> What are you feelings on using the command line ?
>> You could always open a terminal on the Samba 4 DC, enter:
>> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>> press enter
>> press Ctrl+w
>> type 'dn: cn=domain users'
>> then add 'gidNumber: <whatever number you want to use>'
>> I suggest 10000
>> Press Ctrl+x
>> Press 'y'
>> Press 'enter'
>> That's it, Domain Users now has a gidNumber.
> I like the command line, thanks for the option. For this particular
> install I used 'ldbedit -e vim -H /var/lib/samba/private/sam.ldb'.
> As it turns out, the GID was in place just fine, but for some reason
> the Windows tool is throwing that error.
>> Ah, but setting up libnss_winbind is the same as on a domain member,
>> go here and read the info:
>> remember to follow the links.
>> You may need another file, if getent doesn't work after setting up
>> the links, just say and I will post the possibly missing file.
> Excellent, I think I'm in business now.
> passwd: compat winbind
> group: compat winbind
Do you now get UIDs & GIDs if you run 'getent passwd <ausername>' and
'getent group Domain\ Users' ?
> smb.conf additions to make the ADC also an AD-Client:
> # sercurity=ads # Mutually exclusive with server role = a.d.d.c!
> idmap config MY_DOMAIN : backend = ad
> idmap config MY_DOMAIN : range = 10000 - 99999
> template shell = /bin/bash
> template homedir = /home/%U
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = rfc2307
> Look good? Any suggestions?
Yes, remove all of them apart from the template lines and, if you are
using Samba 4.2.x, 'winbind use default domain'
They don't do anything on a DC :-)
> Unrelated : A couple of un-intuitive things in order to get a logon
> script to work with an ADC:
> 1. Use ADUC to add logon script name like normal. This however has to
> be a relative path (logon.cmd not \\DC\netlogon\logon.cmd)
> 2. Set the +x bit in unix on the script
> Thanks again for your help and of course for Samba.
More information about the samba