[Samba] Samba ADS-member-server: FQDNs in /etc/hosts

Rowland Penny rpenny at samba.org
Tue Jul 11 10:51:48 UTC 2017


On Tue, 11 Jul 2017 12:22:36 +0200
"Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 12:16, Rowland Penny wrote:
> 
> > Try running this:
> > 
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> > "(&(objectclass=user)(uidnumber=11029))"
> > 
> > This will check if it is a user.
> 
> Did so, no entry returned.
> 
> --
> 
> plus: please note that yesterday all users could work normally ....
> 
> > Can you post the smb.conf from the DM (and the DC)
> 
> DC:
> 
> root at pre01svdeb02:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> 	workgroup = BUERO
> 	realm = secret.AT
> 	netbios name = DC
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 	load printers = No
> 	printcap name = /dev/null
> 	log level = 2
> 	dns forwarder = 192.168.16.111
> 
> 	# lph
> 	template shell = /bin/bash
> 	sdb:schema update allowed = no
> 	time server = yes
> 	usershare path =
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/secret.at/scripts
> 	read only = No
> 	acl_xattr:ignore system acls = Yes
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 	acl_xattr:ignore system acls = Yes
> 
> 
> ----
> 
> 
> DM:
> 
> 
> root at pre01svdeb01:~# cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
> 
> [global]
> workgroup = BUERO
> realm = secret.AT
> netbios name = SERVER
> 
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> 
> winbind trusted domains only = no
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> 
> winbind nss info = template
> template shell = /usr/sbin/nologin
> 
> map untrusted to domain = Yes
> 
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> 
> # idmap config for domain BUERO
> idmap config BUERO:backend = rid
> idmap config BUERO:range = 10000-99999
> idmap config BUERO:schema_mode = rfc2307

Well, that explains where '11029' is coming from: you are using the
'rid' backend. The user's (or group's) ID will be calculated using this
formula:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is by default '0', so it becomes:

ID = RID + LOW_RANGE_ID

So, in your case it becomes

11029 = 1029 + 10000

Of course, using the 'rid' backend means that you do not need to add
anything to AD and you do not need this line in smb.conf:

  idmap config BUERO:schema_mode = rfc2307

Or you could just change 'idmap config BUERO:backend = rid' to 'idmap
config BUERO:backend = ad' and use the rfc2307 attributes in AD.

Rowland
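The mapping Rowland describes, worked through as an added example (this is not code from the thread or from Samba itself): it models idmap_rid's formula ID = RID - BASE_RID + LOW_RANGE_ID together with the range check winbind applies, parses the idmap lines quoted from the member server's smb.conf, and flags overlapping ranges between domains. The sample configuration below is constructed from the values in the thread; the helper names are my own.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the domain member's smb.conf as
# quoted in the thread (comments and unrelated options omitted).
SAMPLE_SMB_CONF = """
[global]
workgroup = BUERO
security = ADS
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config BUERO:backend = rid
idmap config BUERO:range = 10000-99999
idmap config BUERO:schema_mode = rfc2307
"""

# Matches 'idmap config DOMAIN:option = value' (smb.conf keys are case-insensitive)
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Collect per-domain idmap settings; 'range' is split into low/high ints."""
    config = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain = m.group("domain").upper()
        option = m.group("option").lower()
        value = m.group("value")
        entry = config.setdefault(domain, {})
        if option == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry["low"], entry["high"] = low, high
        elif option == "base_rid":
            entry["base_rid"] = int(value)
        else:
            entry[option] = value
    return config


def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range,
    which is the case winbind refuses to map."""
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None
    return unix_id


def id_to_rid(unix_id, low, high, base_rid=0):
    """Inverse of rid_to_id: recover the RID from a Unix ID inside the range."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def overlapping_ranges(config):
    """Return pairs of idmap domains whose ranges overlap (a misconfiguration
    that makes IDs ambiguous between backends)."""
    found = []
    for a, b in combinations(sorted(config), 2):
        ra, rb = config[a], config[b]
        if "low" not in ra or "low" not in rb:
            continue
        if ra["low"] <= rb["high"] and rb["low"] <= ra["high"]:
            found.append((a, b))
    return found


def explain_id(unix_id, config):
    """Locate the idmap domain owning a Unix ID; for a rid backend also
    return the RID it was computed from (None for other backends)."""
    for domain, entry in config.items():
        if "low" in entry and entry["low"] <= unix_id <= entry["high"]:
            rid = None
            if entry.get("backend", "").lower() == "rid":
                rid = id_to_rid(unix_id, entry["low"], entry["high"],
                                entry.get("base_rid", 0))
            return domain, entry.get("backend"), rid
    return None


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print(cfg)
    print("RID 1029 ->", rid_to_id(1029, 10000, 99999))   # 11029, as in the thread
    print("UID 11029 ->", explain_id(11029, cfg))           # ('BUERO', 'rid', 1029)
    print("overlaps:", overlapping_ranges(cfg))
```

Because the rid backend computes the ID arithmetically, a `uidNumber=11029` search in the directory returns nothing even though the user exists, which is consistent with the empty ldbsearch result quoted above; only the `ad` backend reads the rfc2307 attributes.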



