[Samba] ADS domain member: winbind fails [SOLVED]

Stefan G. Weichinger lists at xunil.at
Sun Jan 1 11:46:54 UTC 2017


On 2017-01-01 at 12:25, Rowland Penny via samba wrote:
>> main ~ # getent passwd ads1
>> ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false
> 
> Are these the numbers you want to use?
> I ask this because you are using the 'rid' backend, but will probably
> also have uidNumber & gidNumber attributes in AD.

As mentioned before:

"rid" is only chosen because I switched to that while trying to make
things work. No decision made here.

And the numbers: same. Just copy and paste from the wiki, no choice made.

>> As mentioned old users are in /etc/passwd on the member server from
>> the time when it was the NT4-PDC. I might/should remove them from
>> that file now?
> 
> Oh definitely 'should' ;-)
> 
> if you look in /etc/nsswitch.conf, the passwd line will be something
> like this:
> 
> passwd:         compat winbind
> 
> This means that /etc/passwd will be checked first and any users found
> there will be used instead of from AD. Also, you should not be able to
> create new users in AD if they already exist in /etc/passwd. You only
> need users and groups stored in one place and that is AD.

So that scares me again. rm-ing users from /etc/passwd will now change
their UIDs because it gets them from winbindd/AD then?

In passwd I have UIDs up from 1000 as usual.

I don't *have* to maintain the old UIDs, the admin there is perfectly
happy if we start over with new ones and just do the initial "chown" and
"chmod" if needed .... they just share one fat share within one group
basically (sounds like overkill, right? ;-) )

> You will probably need to give Domain Admins the disk operator
> privilege:
> 
> net rpc rights grant DOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

gives me:

 Failed to grant privileges for ARBEITSGRUPPE\Domain Admins (NT_STATUS_ACCESS_DENIED)

is "rpc" correct here?

> May I echo that sentiment, may the new year bring you everything you
> wish for.

thanks a lot!
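
The lookup order discussed above ("passwd: compat winbind", local files first) can be checked before deleting anything from /etc/passwd. The following is an added example, not part of the original message or of Samba: it lists accounts that exist both locally and in AD and derives the ownership change needed once the AD UID takes over. The sample data is constructed (except the ads1 winbind line quoted in the thread), /srv/share is a hypothetical share path, and the winbind view is assumed to have been collected as passwd-format lines, for instance with "getent -s winbind passwd <name>".

```python
# Added example (not from the thread). Sample data is constructed, except the
# ads1 winbind line, which is the getent output quoted in the message.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ads1:x:1001:100::/home/ads1:/bin/bash
backup:x:1002:100::/home/backup:/bin/bash
+::::::
"""
WINBIND_PASSWD = """\
ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false
ads2:*:13113:10513::/home/ARBEITSGRUPPE/ads2:/bin/false
"""

def parse_passwd(text):
    """Return {name: uid} from passwd(5)-format text; first entry wins, as in NSS."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":   # blanks, comments, compat +/- entries
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue                        # malformed line, ignore
        name = fields[0].rsplit("\\", 1)[-1]  # drop a "DOMAIN\" prefix if present
        users.setdefault(name, int(fields[2]))
    return users

def shadowed_accounts(local_text, winbind_text):
    """Accounts present in both sources: the local entry hides the AD one."""
    local, ad = parse_passwd(local_text), parse_passwd(winbind_text)
    return [(n, local[n], ad[n]) for n in sorted(local.keys() & ad.keys())]

def chown_plan(collisions, share_root):
    """find(1) commands that move file ownership from the old UID to the AD UID."""
    return [
        f"find {share_root} -xdev -uid {old} -exec chown -h {new} {{}} +"
        for _, old, new in collisions if old != new
    ]

if __name__ == "__main__":
    hits = shadowed_accounts(LOCAL_PASSWD, WINBIND_PASSWD)
    for name, old, new in hits:
        print(f"{name}: local uid {old} shadows AD uid {new}")
    # /srv/share is a hypothetical path for the shared directory
    print("\n".join(chown_plan(hits, "/srv/share")))
```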
