[Samba] Windows pre-requisites for login with winbind?
Rowland Penny
rpenny at samba.org
Fri Aug 25 14:28:30 UTC 2017
On Fri, 25 Aug 2017 16:03:08 +0200
"Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:
> Rowland,
>
>
> I'm following this thread because I'm trying to use Linux member
> server (Debian 9) and use Windows AD users in Linux (filesystem etc).
>
> It seems I have working Kerberos and to a degree, Winbind too,
> because both
>
> wbinfo -u
>
> wbinfo -g
>
> give me valid and complete results.
This just shows that winbind can contact and connect to AD
>
>
> However I'm stuck with NIS.
>
> First I attempted to use AD idmap with settings (smb.conf)
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : range = 10000-9999999
The above looks okay
> idmap_ldb:use rfc2307 = yes
You should only use the above line on a DC
>
> winbind nss info = rfc2307
> winbind use default domain = true
The above two lines are okay
> winbind enum users = yes
> winbind enum groups = yes
You should only add the above two lines for testing purposes.
>
>
> When I issue
>
> #getent group
>
> I get only a few groups with a nonempty gidnumber attribute. This I can
> understand, but
>
> #getent passwd
>
> doesn't bring me any AD user, although they all have a valid uidnumber
> attribute that is well inside the idmap range.
Does 'Domain Users' have a gidNumber inside '10000-9999999'?
If it doesn't, then ALL your users will be ignored.
>
>
> Now, I also try to use RID, as it seems better to go this way, however
> it doesn't work for me either, and it still displays only those groups
> as before, and they still have gidnumber from AD, not the computed one
> from RID.
>
> It seems I'm missing something.
Try running 'net cache flush'
The 'rid' backend should work without any changes to AD, as long as the
user is in AD and isn't in /etc/passwd.
Rowland
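As an added illustration (not code from this thread or from Samba itself), a small Python model of the two idmap backends discussed above. It assumes a simplified rule for the 'ad' backend (a user is exposed only when both its uidNumber and its primary group's gidNumber fall inside the domain range, which is why a 'Domain Users' group without a gidNumber hides every user) and the documented 'rid' mapping ID = RID + LOW_RANGE_ID; the smb.conf excerpt and the AD records are constructed.

```python
import re

# Constructed smb.conf excerpt mirroring the idmap lines from the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-9999999
"""

# Constructed AD objects with rfc2307 attributes. 'Domain Users' (RID 513)
# deliberately has no gidNumber, reproducing the symptom in the thread.
AD_GROUPS = {513: {"name": "Domain Users", "gidNumber": None},
             1105: {"name": "linuxadmins", "gidNumber": 10005}}
AD_USERS = [{"name": "alice", "rid": 1104, "uidNumber": 10010, "primaryGroupRID": 513},
            {"name": "bob", "rid": 1108, "uidNumber": 10011, "primaryGroupRID": 1105}]

def parse_idmap(conf):
    """Return {domain: {option: value}} from 'idmap config X : opt = val' lines."""
    cfg = {}
    for m in re.finditer(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", conf):
        cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def parse_range(spec):
    lo, hi = (int(x) for x in spec.split("-"))
    return lo, hi

def in_range(value, rng):
    return value is not None and rng[0] <= value <= rng[1]

def visible_users_ad(cfg, domain):
    """Simplified 'ad' backend: uidNumber AND the primary group's gidNumber
    must both lie inside the domain range, otherwise the user is ignored."""
    rng = parse_range(cfg[domain]["range"])
    out = []
    for u in AD_USERS:
        gid = AD_GROUPS[u["primaryGroupRID"]]["gidNumber"]
        if in_range(u["uidNumber"], rng) and in_range(gid, rng):
            out.append((u["name"], u["uidNumber"], gid))
    return out

def visible_users_rid(cfg, domain):
    """'rid' backend: ID = RID + LOW_RANGE_ID; AD uidNumber/gidNumber are ignored."""
    lo, hi = parse_range(cfg[domain]["range"])
    out = []
    for u in AD_USERS:
        uid, gid = lo + u["rid"], lo + u["primaryGroupRID"]
        if uid <= hi and gid <= hi:
            out.append((u["name"], uid, gid))
    return out
```

With the constructed data, the 'ad' model drops alice because her primary group has no gidNumber, while the 'rid' model lists both users with computed IDs.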