[Samba] ADS domain member: winbind fails [SOLVED]

Rowland Penny rpenny at samba.org
Sun Jan 1 16:32:57 UTC 2017


On Sun, 1 Jan 2017 17:05:44 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> 
> ok, edited etc
> 
> all uidNumber now > 10000
> 
> except that "root", I was unsure now (?)

If you have a user called 'root', then it is easy: remove it. 'root'
shouldn't exist in AD; it is a Unix-only user, and you need to map
Administrator to 'root' in the user.map.

> 
> gidNumber:
> 
> # ldbsearch -H /var/lib/samba/private/sam.ldb cn=Domain\ Users | grep
> 'gidNumber'
> gidNumber: 10001
> 
> -
> 
> smb.conf on member:
> 
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 2000-2999
> 
>         idmap config ARBEITSGRUPPE:backend = ad
>         idmap config ARBEITSGRUPPE:range = 10000-99999
>         idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> 
>         username map = /etc/samba/user.map
> 
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind refresh tickets = Yes
> 
> -
> 
> restarted all samba daemons on DC and member server, flushed cache
> 
> On DC:
> 
> # wbinfo -i sgw
> sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false
> 
> # getent passwd sgw
> sgw:*:10000:10001::/home/ARBEITSGRUPPE/sgw:/bin/false
> 
> (good, afaik)
> 
> On member server:
> 
> # wbinfo -i sgw
> sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
> 
> main samba # getent passwd sgw
> sgw:*:10000:10001:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
> 
> - nice, correct??

Looking good

> 
> I even did an additional change and set the gidNumber to 10513 to
> match the former gid (in the shared directory the group-id was 10513,
> now it is displayed as "domain users" as well).
> 
> so now I have:
> 
> # getent passwd sgw
> sgw:*:10000:10513:sgw:/home/ARBEITSGRUPPE/sgw:/bin/false
> 
> *phew*
> 
> Any idea what else might be missing? ;-)
> 
> thanks!
> 
> 

The only thing is, do any of your users need to actually log in to the
domain member?
If so, this is where using the 'ad' backend comes into its own: you
just need to add 'loginshell' and 'unixHomeDirectory' attributes
to the required users, i.e.

loginshell: /bin/bash
unixHomeDirectory: /home/sgw

Rowland
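As an added example (not part of the thread, and not Samba's own code), here is a small Python checker for the idmap layout discussed above. It parses the 'idmap config' lines, verifies that the default '*' range and the domain range do not overlap, and checks that the uidNumber/gidNumber values seen in the wbinfo/getent output fall inside the domain's range, since the 'ad' backend ignores RFC2307 values outside the configured range and the user then does not resolve. The smb.conf text and the user records are constructed from the values quoted in the thread; the 'bad' user is a hypothetical out-of-range entry added to show a failure.

```python
import re

# Constructed sample: the [global] idmap lines quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 2000-2999

        idmap config ARBEITSGRUPPE:backend = ad
        idmap config ARBEITSGRUPPE:range = 10000-99999
        idmap config ARBEITSGRUPPE:schema_mode = rfc2307
"""

# Constructed sample: 'sgw' uses the uid/gid shown by getent in the thread;
# 'bad' is a hypothetical user whose uidNumber lies outside the AD range.
SAMPLE_USERS = [
    {"name": "sgw", "uidNumber": 10000, "gidNumber": 10513},
    {"name": "bad", "uidNumber": 1000, "gidNumber": 10001},
]

# Accepts both spellings seen in the thread: "idmap config * : key" and
# "idmap config DOMAIN:key".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    result = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            result.setdefault(m.group("dom"), {})[m.group("key").lower()] = m.group("val")
    return result


def parse_range(text):
    """Parse 'LOW-HIGH' into a (low, high) tuple, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {text}")
    return lo, hi


def check_idmap(conf):
    """Return (findings, ranges): overlap and missing-range problems."""
    findings, ranges = [], {}
    for dom, keys in conf.items():
        if "range" not in keys:
            findings.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(keys["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"ranges of {a} and {b} overlap")
    if "*" not in ranges:
        findings.append("no default (*) range: BUILTIN and well-known SIDs cannot be mapped")
    return findings, ranges


def check_users(users, ranges, domain):
    """Flag uidNumber/gidNumber values the 'ad' backend would ignore."""
    lo, hi = ranges[domain]
    findings = []
    for u in users:
        for attr in ("uidNumber", "gidNumber"):
            v = u[attr]
            if not lo <= v <= hi:
                findings.append(
                    f"{u['name']}: {attr}={v} outside {domain} range {lo}-{hi}; "
                    f"the ad backend ignores it and the user will not resolve"
                )
    return findings


if __name__ == "__main__":
    conf = parse_idmap(SAMPLE_SMB_CONF)
    problems, ranges = check_idmap(conf)
    problems += check_users(SAMPLE_USERS, ranges, "ARBEITSGRUPPE")
    print("\n".join(problems) or "idmap layout looks consistent")
```

Run it against a real smb.conf by reading the file into parse_idmap, and feed check_users with the uidNumber/gidNumber values pulled from ldbsearch as in the thread; any finding points at the kind of mismatch that makes wbinfo -i or getent passwd come back empty.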
