[Samba] Shares not accessible when using FQDN

mathias dufresne infractory at gmail.com
Wed Aug 30 12:32:40 UTC 2017


To have users accessible from the UNIX side (i.e. your member server) with any
tool (winbind, sssd...) you must (i.e. that's mandatory) have all needed
information to build a UNIX user in the LDAP tree. What I mean here is you
must have uidNumber, gidNumber but also something to fill login shell, home
directory and perhaps gecos too (but I expect that last one is not
mandatory).

This is because a UNIX user is always something like that:
username:password or hash or x:uidNumber:gidNumber:Gecos:homedir:loginShell
which gives for example:
root:x:0:0:root:/root:/bin/bash

So the tool you will use must find extractable information in LDAP tree to
fill these fields.

There are LDAP attributes in the AD LDAP tree to store them, the default attributes
used by SSSD or winbind or others:
loginShell for shell
unixHomeDirectory for home dir (there's also a homeDirectory attribute but
I expect that one is rather meant for Windows homeDir)
gecos should exist too.

Winbind is not configurable regarding what attribute it will use; you have
to fill the right ones in the AD LDAP tree. I'm not sure but I think it uses
displayName for filling the Gecos field.

So configure for one user all that:
uidNumber
gidNumber
loginShell
unixHomeDirectory
displayName should already be set

Plus, to avoid issues, you can set up a fallback in the member's smb.conf
using, as Rowland showed in his last mail:
template shell = /bin/bash
template homedir = /home/%U

With these two lines, a user without loginShell will get the value of
"template shell" for his shell. Same for homeDir.

That's it for concepts and LDAP attributes; now you will have to configure NSS
and PAM too, in addition to smb.conf (again, I didn't read carefully what
Rowland gave, but he's a good source of information, so you should try his
smb.conf ;)


2017-08-30 12:26 GMT+02:00 Gaetan SLONGO <gslongo at it-optics.com>:

>
> Thank you for your answer Mathias.
>
> Unix attributes are OK in the Samba 4 DB ("Unix Attributes" tab also OK in
> ADUC). What I cannot do is ask winbind to use uidNumber and gidNumber
> on a member server setup (in DC mode it is OK) instead of "mapped ids"
> (idmap range)
>
> Regards,
>
>
2017-08-30 12:47 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 30 Aug 2017 12:20:04 +0200 (CEST)
> Gaetan SLONGO <gslongo at it-optics.com> wrote:
>
> >
> > Hi Rowland, my test SMB has several test lines and is dirty, for sure
> > not correct :-) Could you share your setup to achieve this?
> >
>
> This is my working smb.conf (note: I use Samba 4.6.x)
>
> [global]
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.EXAMPLE.COM
>
>     # Uncomment the next two lines if you require a keytab for dovecot etc
>     #dedicated keytab file = /etc/krb5.keytab
>     #kerberos method = secrets and keytab
>     server string = Samba 4 Client %h
>
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind refresh tickets = Yes
>     winbind offline logon = yes
>
>     ## map ids outside of domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : unix_nss_info = yes
>     idmap config SAMDOM : range = 10000-999999
>     # uncomment next two lines if not storing shell & unixhomedir in AD
>     #template shell = /bin/bash
>     #template homedir = /home/%U
>
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 20
>     map to guest = bad user
>     host msdfs = no
>
>     # user Administrator workaround, without it you are unable to set privileges
>     username map = /etc/samba/user.map
>
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     # Share Setting Globally
>     unix extensions = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
>
>     # disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     # logging
>     log level = 0
>
> If you are using a version of Samba before 4.6.0, you should remove:
>
>     idmap config SAMDOM : unix_nss_info = yes
>
> and replace it with:
>
>     winbind nss info = rfc2307
>
> For this to work, all my users have a uidNumber attribute containing a
> unique number inside the 'SAMDOM' range set in smb.conf (10000-999999)
> and 'Domain Users' has a gidNumber inside the same range (note: you can
> start the uidNumbers & gidNumbers at the same number, there is no need
> to use different start numbers)
>
> I also have a user.map, which contains this:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> NOTE 'SAMDOM' is my workgroup name and 'SAMDOM.EXAMPLE.COM' is my realm
> name, you should replace them with yours.
>
> Rowland
>
>
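As an added illustration of the two points above (Mathias's description of how a passwd entry is assembled from the rfc2307 attributes, and Rowland's requirement that uidNumber/gidNumber fall inside the `idmap config SAMDOM : range`), the following script models that mapping. It is example code written for this page, not part of Samba or winbind, and it only reproduces the rules stated in the thread: uidNumber and gidNumber are mandatory and must sit inside the configured range, loginShell and unixHomeDirectory fall back to `template shell` / `template homedir` (with `%U` expanded to the user name), and displayName fills gecos. The sample AD entries and the `IdmapAdConfig`/`passwd_entry` names are constructed for the example; winbind's real lookup order and caching are not modelled.

```python
"""Model how a winbind domain member with 'idmap config ... : backend = ad'
turns AD rfc2307 attributes into a passwd(5) line (example, not Samba code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdmapAdConfig:
    """The smb.conf settings that matter for this mapping (hypothetical class)."""
    range_low: int                          # idmap config DOM : range = low-high
    range_high: int
    template_shell: Optional[str] = None    # template shell = ...
    template_homedir: Optional[str] = None  # template homedir = ... (%U = user name)


# Constructed to match the range and template values quoted in the thread.
SAMDOM_CFG = IdmapAdConfig(10000, 999999, "/bin/bash", "/home/%U")

# A passwd line is colon-separated; a ':' or newline inside a field would
# corrupt the entry, so such attribute values are rejected rather than emitted.
_FORBIDDEN = re.compile(r"[:\n]")


def _attr_int(entry: Dict[str, str], name: str) -> Optional[int]:
    """Parse an integer LDAP attribute; None if absent or not numeric."""
    value = entry.get(name)
    if value is None:
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def passwd_entry(entry: Dict[str, str], cfg: IdmapAdConfig) -> Tuple[Optional[str], str]:
    """Return (passwd_line, reason). passwd_line is None when the user cannot
    be represented on the UNIX side with the given attributes and config."""
    user = entry.get("sAMAccountName")
    if not user:
        return None, "missing sAMAccountName"

    uid = _attr_int(entry, "uidNumber")
    gid = _attr_int(entry, "gidNumber")
    if uid is None:
        return None, f"{user}: no uidNumber in AD"
    if gid is None:
        return None, f"{user}: no gidNumber in AD"
    for label, number in (("uidNumber", uid), ("gidNumber", gid)):
        if not cfg.range_low <= number <= cfg.range_high:
            return None, (f"{user}: {label} {number} outside idmap range "
                          f"{cfg.range_low}-{cfg.range_high}")

    # Attribute first, smb.conf template second, otherwise the user is unusable.
    shell = entry.get("loginShell") or cfg.template_shell
    home = entry.get("unixHomeDirectory")
    if not home and cfg.template_homedir:
        home = cfg.template_homedir.replace("%U", user)
    if not shell or not home:
        return None, f"{user}: no loginShell/unixHomeDirectory and no template fallback"

    gecos = entry.get("displayName") or user
    fields = [user, "x", str(uid), str(gid), gecos, home, shell]
    for field in fields:
        if _FORBIDDEN.search(field):
            return None, f"{user}: field {field!r} contains ':' or newline"
    return ":".join(fields), "ok"


# Constructed sample AD entries covering the cases discussed in the thread.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uidNumber": "10001", "gidNumber": "10000",
     "loginShell": "/bin/zsh", "unixHomeDirectory": "/srv/home/alice",
     "displayName": "Alice Example"},                       # everything set in AD
    {"sAMAccountName": "bob", "uidNumber": "10002", "gidNumber": "10000",
     "displayName": "Bob Example"},                         # relies on templates
    {"sAMAccountName": "carol", "uidNumber": "5000", "gidNumber": "10000"},  # out of range
    {"sAMAccountName": "dave", "gidNumber": "10000"},       # no uidNumber at all
]


def resolve_all(cfg: IdmapAdConfig = SAMDOM_CFG) -> Dict[str, Tuple[Optional[str], str]]:
    """Resolve every sample user; handy for checking a range/template change."""
    return {u["sAMAccountName"]: passwd_entry(u, cfg) for u in SAMPLE_USERS}


if __name__ == "__main__":
    for name, (line, reason) in resolve_all().items():
        print(line if line else f"# {name} not mapped: {reason}")
```

Running it prints a passwd line for alice and bob (bob's home and shell come from the templates) and a reason for carol and dave; switching `SAMDOM_CFG` to an `IdmapAdConfig` without templates makes bob unmappable too, which is the situation the commented-out `template` lines in Rowland's smb.conf exist to avoid.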

