[Samba] Shares not accessible when using FQDN

Gaetan SLONGO gslongo at it-optics.com
Wed Aug 30 09:25:04 UTC 2017 

Rowland, 


Yes, I mean uidNumber and gidNumber. 
I'm aware I need to work with AD but at this time I need my unix IDs (on NSS) to keep services working. Not only for files ownership, but also for some other services. Yeah, that's complex... 
If I undestand well, the best way to do is to join the server using "net ads join" and use nss_winbind. This what I do but I only use the NSS LDAP backend instead of NSS (to keep correct ownership). 
This will be cleaned in the future (within next migration steps) but for now I think I have no other choice beacause it seems I cannot obtain unix IDs through Winbind on a domain member (or maybe I missed the solution??). 


Thanks 

----- Mail original -----

De: "Rowland Penny via samba" <samba at lists.samba.org> 
À: samba at lists.samba.org 
Envoyé: Mercredi 30 Août 2017 11:00:18 
Objet : Re: [Samba] Shares not accessible when using FQDN 

On Wed, 30 Aug 2017 10:43:39 +0200 (CEST) 
Gaetan SLONGO <gslongo at it-optics.com> wrote: 

> Hi Rowland, 
> 
> 
> Thank you for your answer. 
> I think I have found a solution which could solve the issue until the 
> next migration step. It tested it on another server which is not 
> critital : 
> 
> 
> 
> 
> * Joining the server as a member and setup the shares as you 
> suggest 
> * Use nss_ldap instead of nss_winbind (idmap) which will pick my 
> unix ids 

Well 'nss_ldap' is not supported by Samba and normally anything that it 
can do, can also be done by winbind. What I am wondering about is what 
you are calling 'unix ids', where are these coming from ? are they 
from 'uidNumber' & 'gidNumber' attributes stored in AD or 
from /etc/passwd & /etc/group ? 
If the later, are you aware that you cannot have a user with the same 
name in AD and /etc/passwd. 

I think you may be trying to 'bend' AD to fit in with the old way 
Samba worked as a PDC or standalone, this is doomed to ultimate 
failure in my opinion. You need to work with AD, this will make things 
easier in the long run. 

> 
> 
> In this setup it seems I can access to the shares with any DNS 
> aliases/CNAME 

You should be able do this using winbind. 

> 
> 
> I know it is not a very proper setup but it seem to work and we can 
> do it quickly 

Yes, but will it be reliable in the long run ? 

Rowland 


-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list