[Samba] Member Server Configuration

Roy Eastwood spindles7 at gmail.com
Thu Nov 9 16:11:49 UTC 2017 

Hi,
I have a Debian Stretch machine with Louis' samba 4.7.1 package installed.  I have configured it as a member server and joined it to
my test domain.   I tried the idmap rid back end and all worked ok, but am now trying the idmap ad back end.   I have users' home
folders saved to a users share on the member server, configured to allow auto-creation of home folders when the windows user logs in
for the first time.    That's working OK after some adjustments to the ntfs and share permissions which vary from the samba WiKi
page (https://wiki.samba.org/index.php/User_Home_Folders ) after reading this https://support.microsoft.com/en-gb/help/555046.
Also if users are allowed to log in locally as a unix user to the member server, I found that the unix permissions had to include
rwx for the domain users group otherwise they are unable to access their home folder.        Does the WiKi need updating?

Am I right in assuming from the WiKI that all users in the domain have to have at least the UID and GID set in AD (when using the
idmap ad back end)?   

My problem is that if I want to log on as administrator, I either allocate a UID/GID in AD - in which case I can log in OK.
However, if I use the username map parameter in smb.conf along with the appropriate file user.map to map administrator to root, the
WiKi says do not allocate a UID and GID in AD.   So I took these off  but I cannot log in now to the member server as administrator.
Neither does administrator show up in the output of getent passwd.   

However, wbinfo -u produces:
root at debian-m1:/home/linuxadmin# wbinfo -u
test1
test2
test3
administrator
roy
krbtgt
guest

But wbinfo -i administrator produces:
root at debian-m1:/home/linuxadmin# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator

I have tried also with wbinfo -i MICROLYNX\administrator but the same result as above. 

My smb.conf from the member server:
=============================
[global]
	netbios name = debian-m1
	security = ADS
	workgroup = MICROLYNX
	realm = MICROLYNX.CO.UK

	log file = /var/log/samba/%m.log
	log level = 1

	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	winbind refresh tickets = yes

	winbind trusted domains only = no
	winbind use default domain = yes

	# Default idmap config used for BUILTIN and local accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain MICROLYNX
	idmap config MICROLYNX:backend = ad
	idmap config MICROLYNX:schema_mode = rfc2307
	idmap config MICROLYNX:range = 10000-99999

	# Use settings from AD for login shell and home directory and primary group
	idmap config MICROLYNX:unix_nss_info=yes
	idmap config MICROLYNX:unix_primary_group=yes
	
	# enable getent passwd & getent group to display domain users & groups
	winbind enum users = yes
	winbind enum groups = yes
	
	# use default settings for users w/o home dir & shell in AD Unix Attributes
	template homedir = /srv/users/%U
	template shell = /bin/bash

	# Map domain users to unix users - eg administrator to root
	username map = /etc/samba/user.map
	
	# enable Extended ACL support
	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

[users]
	path = /srv/users
	read only = No

=======================================
/etc/samba/user.map:
!root = MICROLYNX\Administrator MICROLYNX\administrator Administrator administrator

What am I doing wrong?   Any help or pointers appreciated.

TIA,

Roy

More information about the samba mailing list