[Samba] member domain idmap config ad/rid

Elias Pereira empbilly at gmail.com
Tue May 30 15:33:26 UTC 2017


>
> Yes, you have got it wrong ;-)


:(

> If you do not want to add anything to AD, then you use the 'rid'
> backend and 'ID' numbers will be calculated for you. You will also have
> to place 'template' shell & homedir lines in smb.conf
> If you want/need some of your users to have different login shells or
> home directories, you will need to use the 'ad' backend. This will use
> the contents of attributes in AD.
> Either will work equally well on windows & Unix


Thanks for the clarification Rowland!! :D

> Yes, you need to add the RFC2307 attributes manually, there is nothing
> that adds them automatically.


Ok, thanks again!! :D

Our AD now works and I am now setting up a domain member as a fileserver.
I created a shared folder on the fileserver and applied permissions as
shown on the wiki.

From the PC on which I use ADUC, I accessed the fileserver with
Computer Management. When I open the storage properties in the security
tab, the message "You do not have permission to view or edit this object's
permission settings" appears.

Accessing this fileserver via ALT+R > \\fileserver requires a login and
password; I use the admin account and always get access denied.

What can I be forgetting?

-------
*confs AD*

*smb.conf *

# Global parameters
[global]
netbios name = DC1
realm = ADDC.TEST.MYDOMAIN.EDU
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
ntp_signd, kcc, dnsupdate
workgroup = ADDC
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = vlan350 lo
[netlogon]
path = /var/lib/samba/sysvol/addc.test.mydomain.edu/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

krb5.conf

[libdefaults]
default_realm = ADDC.TEST.MYDOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true

*confs fileserver*

*smb.conf*

[global]
netbios name = FILESERVER
workgroup = ADDC
security = ADS
realm = ADDC.TEST.MYDOMAIN.EDU
interfaces = vlan350 lo
# default config
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for ADDC domain
idmap config ADDC:backend = ad
idmap config ADDC:schema_mode = rfc2307
idmap config ADDC:range = 10000-999999

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config ADDC:unix_nss_info = yes
idmap config ADDC:unix_primary_group = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map

log file = /var/log/samba/%m.log
log level = 3 passdb:5 auth:5

[storage]
path = /mnt/dados
read only = no
admin users = "ADDC\Domain Admins" ADDC\administrator


*user.map*

!root = ADDC\Administrator ADDC\administrator

*krb5.conf*

[libdefaults]
default_realm = ADDC.TEST.MYDOMAIN.EDU
dns_lookup_realm = false
dns_lookup_kdc = true

*nsswitch.conf*

passwd:         compat  winbind
group:          compat  winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

If you need more confs, please advise! :D


On Tue, May 30, 2017 at 4:20 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 29 May 2017 19:37:44 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > If my AD will only provide service for machines with windows operating
> > system I can use the *idmap config ADDC: backend = ad*, correct or
> > did I get it all wrong?
> >
> > For both unix and windows machines I need *idmap config ADDC: backend
> > = rid* ?
>
> Yes, you have got it wrong ;-)
>
> If you do not want to add anything to AD, then you use the 'rid'
> backend and 'ID' numbers will be calculated for you. You will also have
> to place 'template' shell & homedir lines in smb.conf
>
> If you want/need some of your users to have different login shells or
> home directories, you will need to use the 'ad' backend. This will use
> the contents of attributes in AD.
>
> Either will work equally well on windows & Unix
>
>
> >
> > Other question.
> >
> > *Wiki Prerequisites says:*
> > "Users must have at least the uidNumber and groups the gidNumber
> > attribute set. When using the rfc2307 winbind NSS info mode, user
> > accounts must also have the loginShell, unixHomeDirectory and
> > primaryGroupID set."
> >
> > Do I need to set the attributes listed above manually for each user?
> >
>
> Yes, you need to add the RFC2307 attributes manually, there is nothing
> that adds them automatically.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
Elias Pereira
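The thread turns on two points: with the 'rid' backend winbind computes Unix IDs from the RID and the configured range, while with the 'ad' backend a user without a uidNumber inside the range simply has no mapping. The following Python script is an added example (not from the list thread, the Samba wiki or the Samba sources): it parses the `idmap config` lines of an smb.conf, checks the ranges for the usual mistakes (missing default domain, overlapping ranges, 'ad' without schema_mode), and models both mappings on constructed sample data. The SAMPLE_SMB_CONF text is modelled on the fileserver config quoted above; the rid formula follows the idmap_rid(8) man page (ID = RID - BASE_RID + LOW_RANGE_ID); the 'ad' model is a deliberate simplification that only looks at uidNumber, and the two user objects are invented.

```python
"""Check idmap configuration from a Samba smb.conf and model the resulting
SID -> Unix ID mapping for the 'rid' and 'ad' backends.
Added example; not part of Samba and not from the mailing-list thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the fileserver smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
netbios name = FILESERVER
workgroup = ADDC
security = ADS
realm = ADDC.TEST.MYDOMAIN.EDU
# default config
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for ADDC domain
idmap config ADDC:backend = ad
idmap config ADDC:schema_mode = rfc2307
idmap config ADDC:range = 10000-999999
winbind nss info = rfc2307
"""

# 'idmap config <domain> : <option> = <value>'; spaces around ':' are optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line in [global]."""
    domains: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[option] = value
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999)."""
    low, high = (int(x) for x in value.split("-"))
    if low > high:
        raise ValueError(f"bad idmap range {value!r}")
    return low, high


def check_ranges(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return problem descriptions; an empty list means the ranges look sane."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain for BUILTIN and foreign SIDs")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
        if opts.get("backend", "").lower() == "ad" and "schema_mode" not in opts:
            problems.append(f"{dom}: backend 'ad' without schema_mode")
    names = sorted(ranges)
    for i, a in enumerate(names):                # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"ranges of {a} ({al}-{ah}) and {b} ({bl}-{bh}) overlap")
    return problems


def rid_backend_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None when it falls outside the range."""
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ad_backend_id(ad_attrs: dict, low: int, high: int) -> Optional[int]:
    """Simplified idmap_ad model: uidNumber is the Unix ID, but only if it is
    present and inside the configured range; otherwise winbind has no mapping."""
    uid = ad_attrs.get("uidNumber")
    if uid is None:
        return None
    return uid if low <= uid <= high else None


def demo() -> dict:
    """Run the checks on the sample config and map two constructed AD users."""
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    low, high = parse_range(cfg["ADDC"]["range"])
    alice = {"sAMAccountName": "alice", "uidNumber": 10001, "gidNumber": 10000}  # constructed
    bob = {"sAMAccountName": "bob"}                               # constructed, no RFC2307 attrs
    return {
        "problems": check_ranges(cfg),
        "alice_ad": ad_backend_id(alice, low, high),   # 10001: attribute inside the range
        "bob_ad": ad_backend_id(bob, low, high),       # None: 'ad' backend cannot map him
        "bob_rid": rid_backend_id(1105, low, high),    # 11105: 'rid' would compute one anyway
    }


if __name__ == "__main__":
    print(demo())
```

Running it against a copy of the real smb.conf (replace SAMPLE_SMB_CONF with the file contents) is a quick sanity check before chasing the access-denied error elsewhere: overlapping ranges or a missing default domain make winbind refuse to map some SIDs at all, and with the 'ad' backend any account that lacks a uidNumber in the range behaves like bob above.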

