[Samba] Windows pre-requisites for login with winbind?

Rowland Penny rpenny at samba.org
Fri Aug 25 14:28:30 UTC 2017


On Fri, 25 Aug 2017 16:03:08 +0200
"Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:

> Rowland,
> 
> 
> I'm following this thread because I'm trying to use Linux member
> server (Debian 9) and use Windows AD users in Linux (filesystem etc).
> 
> It seems I have working Kerberos and to a degree, Winbind too,
> because both
> 
> wbinfo -u
> 
> wbinfo -g
> 
> give me valid and complete results.

This just shows that winbind can contact and connect to AD

> 
> 
> However I'm stuck with NIS.
> 
> First I attempted to use AD idmap with settings (smb.conf)
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : schema_mode = rfc2307
> idmap config DOMAIN : range = 10000-9999999

The above looks okay

> idmap_ldb:use rfc2307 = yes

You should only use the above line on a DC

> 
> winbind nss info = rfc2307
> winbind use default domain = true

The above two lines are okay

> winbind enum users = yes
> winbind enum groups = yes

You should only add the above two lines for testing purposes.

> 
> 
> When I issue
> 
> #getent group
> 
> I get only a few groups with nonempty gidnumber attribute. This I can
> understand, but
> 
> #getent passwd
> 
> doesn't bring me any AD user, although they all have valid uidnumber
> attribute that is well inside the idmap range.

Does 'Domain Users' have a gidNumber inside '10000-9999999'?
If it doesn't, then ALL your users will be ignored.

> 
> 
> Now, I also try to use RID, as it seems better to go this way, however
> it doesn't work for me either, and it still displays only those groups
> as before, and they still have gidnumber from AD, not the computed one
> from RID.
> 
> It seems I'm missing something.

Try running 'net cache flush' 

The 'rid' backend should work without any changes to AD, as long as the
user is in AD and isn't in /etc/passwd.

Rowland

> 
> 
> 
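The check described in the reply above, as an added example that is not part of the original message or of Samba's own code: it parses the `idmap config ... : range` lines quoted in the thread and reports which users the 'ad' backend would drop. The account names, ID values, and the assumption that every user's primary group is 'Domain Users' are constructed for illustration.

```python
import re

# smb.conf idmap lines as quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-9999999
"""

# Constructed directory data (hypothetical accounts; None = attribute not set).
GROUPS = {"Domain Users": None, "staff": 10050}        # gidNumber per group
USERS = {"alice": 10001, "bob": 2500, "carol": None}   # uidNumber per user

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.M | re.I,
)

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def in_range(value, rng):
    """True when the attribute is set and falls inside the inclusive range."""
    return value is not None and rng[0] <= value <= rng[1]

def audit(conf, domain, users, groups, primary_group="Domain Users"):
    """Return {user: 'ok' or reason} using the two checks from the reply."""
    rng = idmap_ranges(conf)[domain]
    # Assumption: all users share this primary group, so one bad gidNumber
    # hides every user, exactly the symptom reported for 'getent passwd'.
    group_ok = in_range(groups.get(primary_group), rng)
    report = {}
    for name, uid in users.items():
        if not group_ok:
            report[name] = "primary group has no gidNumber in range"
        elif not in_range(uid, rng):
            report[name] = "uidNumber missing or out of range"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for user, status in audit(SMB_CONF, "DOMAIN", USERS, GROUPS).items():
        print(f"{user}: {status}")
```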


