[Samba] Windows pre-requisites for login with winbind?

tuharsky at misbb.sk tuharsky at misbb.sk
Fri Aug 25 16:37:37 UTC 2017


Hi, Rowland

You were right, it was the Domain Users issue. After setting the 
gidnumber to a number inside range, users are there.

Thank You.


And as for the change from AD to RID, 'net cache flush' is not enough.

For the record, I had to reboot the server. Probably the records 
have been stored in some NIS cache or so too, that I don't know how to 
flush on-the-fly. After the reboot, RID works.

Thank You


On 25.08.2017 at 16:28 Rowland Penny via samba wrote:
> On Fri, 25 Aug 2017 16:03:08 +0200
> "Mgr. Peter Tuharsky via samba" <samba at lists.samba.org> wrote:
>
>> Rowland,
>>
>>
>> I'm following this thread because I'm trying to use Linux member
>> server (Debian 9) and use Windows AD users in Linux (filesystem etc).
>>
>> It seems I have working Kerberos and to a degree, Winbind too,
>> because both
>>
>> wbinfo -u
>>
>> wbinfo -g
>>
>> give me valid and complete results.
> This just shows that winbind can contact and connect to AD
>
>>
>> However I'm stuck with NIS.
>>
>> First I attempted to use AD idmap with settings (smb.conf)
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-9999
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : schema_mode = rfc2307
>> idmap config DOMAIN : range = 10000-9999999
> The above looks okay
>
>> idmap_ldb:use rfc2307 = yes
> You should only use the above line on a DC
>
>> winbind nss info = rfc2307
>> winbind use default domain = true
> The above two lines are okay
>
>> winbind enum users = yes
>> winbind enum groups = yes
> You should only add the above two lines for testing purposes.
>
>>
>> When I issue
>>
>> #getent group
>>
>> I get only few groups with nonempty gidnumber attribute. This I can
>> understand, but
>>
>> #getent passwd
>>
>> doesn't bring me any AD user, although they all have valid uidnumber
>> attribute that is well inside the idmap range.
> Does 'Domain Users' have a gidNumber inside '10000-9999999'
> If it doesn't, then ALL your users will be ignored
>
>>
>> Now, I also try to use RID, as it seems better to go this way, however
>> it doesn't work for me either, and it still displays only those groups
>> as before, and they still have gidnumber from AD, not the computed one
>> from RID.
>>
>> It seems I'm missing something.
> Try running 'net cache flush'
>
> The 'rid' backend should work without any changes to AD, as long as the
> user is in AD and isn't in /etc/passwd.
>
> Rowland
>
>>
>>
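The two points Rowland raised (the primary group's gidNumber must fall inside the domain's idmap range, and some settings in the posted smb.conf do not belong on a member server) can be checked before touching winbind. The script below is an added example, not code from the thread or from Samba; the smb.conf fragment is constructed from the configuration quoted above, and the sample gidNumber 513 (the well-known RID of Domain Users, used here as a constructed value outside the range) is an assumption.

```shell
#!/bin/sh
# Constructed smb.conf fragment reproducing the posted (problematic) settings.
SMB_CONF="$(mktemp)"
trap 'rm -f "$SMB_CONF"' EXIT
cat > "$SMB_CONF" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 10000-9999999
   idmap_ldb:use rfc2307 = yes
   winbind nss info = rfc2307
   winbind use default domain = true
   winbind enum users = yes
   winbind enum groups = yes
EOF

# idmap_range CONF DOMAIN -> prints "LOW HIGH" parsed from the domain's range line.
idmap_range() {
    awk -v dom="$2" '
        $0 ~ "^[ \t]*idmap config " dom " *: *range *=" {
            sub(/.*= */, ""); split($0, r, "-"); print r[1], r[2]
        }' "$1"
}

# gid_in_range CONF DOMAIN GID -> succeeds only if GID lies inside the domain range.
# If the primary group (Domain Users) fails this test, winbind drops every user.
gid_in_range() {
    set -- "$1" "$2" "$3" $(idmap_range "$1" "$2")
    [ -n "$4" ] && [ "$3" -ge "$4" ] && [ "$3" -le "$5" ]
}

# member_server_warnings CONF -> lists settings that should not be in a member
# server's smb.conf: idmap_ldb:use rfc2307 is DC-only, the enum lines are for testing.
member_server_warnings() {
    grep -Ei '^[[:space:]]*(idmap_ldb:use rfc2307|winbind enum (users|groups))' "$1" |
        sed 's/^[[:space:]]*//'
}

# Stand-alone run: report the Domain Users check and the questionable lines.
if gid_in_range "$SMB_CONF" DOMAIN 513; then
    echo "gidNumber 513 is inside the DOMAIN range"
else
    echo "gidNumber 513 is OUTSIDE the DOMAIN range: all users would be ignored"
fi
member_server_warnings "$SMB_CONF" | sed 's/^/remove on a member server: /'
```

On a real member server, replace the heredoc with the path to the live smb.conf and take the gidNumber from `getent group "Domain Users"` once the AD backend resolves it.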
