[Samba] Member Server Configuration
Roy Eastwood
spindles7 at gmail.com
Thu Nov 9 16:11:49 UTC 2017
Hi,
I have a Debian Stretch machine with Louis' samba 4.7.1 package installed. I have configured it as a member server and joined it to
my test domain. I tried the idmap rid back end and all worked OK, but am now trying the idmap ad back end. I have users' home
folders saved to a users share on the member server, configured to allow auto-creation of home folders when the Windows user logs in
for the first time. That's working OK after some adjustments to the NTFS and share permissions, which vary from the Samba wiki
page (https://wiki.samba.org/index.php/User_Home_Folders) after reading this: https://support.microsoft.com/en-gb/help/555046.
Also, if users are allowed to log in locally as a unix user to the member server, I found that the unix permissions had to include
rwx for the domain users group, otherwise they are unable to access their home folder. Does the wiki need updating?
Am I right in assuming from the wiki that all users in the domain have to have at least the UID and GID set in AD (when using the
idmap ad back end)?
My problem is that if I want to log on as administrator, I either allocate a UID/GID in AD - in which case I can log in OK.
However, if I use the username map parameter in smb.conf along with the appropriate file user.map to map administrator to root, the
wiki says do not allocate a UID and GID in AD. So I took these off, but I cannot log in now to the member server as administrator.
Neither does administrator show up in the output of getent passwd.
However, wbinfo -u produces:
root@debian-m1:/home/linuxadmin# wbinfo -u
test1
test2
test3
administrator
roy
krbtgt
guest
But wbinfo -i administrator produces:
root@debian-m1:/home/linuxadmin# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
I have also tried with wbinfo -i MICROLYNX\administrator but got the same result as above.
My smb.conf from the member server:
=============================
[global]
netbios name = debian-m1
security = ADS
workgroup = MICROLYNX
realm = MICROLYNX.CO.UK
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain MICROLYNX
idmap config MICROLYNX:backend = ad
idmap config MICROLYNX:schema_mode = rfc2307
idmap config MICROLYNX:range = 10000-99999
# Use settings from AD for login shell and home directory and primary group
idmap config MICROLYNX:unix_nss_info=yes
idmap config MICROLYNX:unix_primary_group=yes
# enable getent passwd & getent group to display domain users & groups
winbind enum users = yes
winbind enum groups = yes
# use default settings for users w/o home dir & shell in AD Unix Attributes
template homedir = /srv/users/%U
template shell = /bin/bash
# Map domain users to unix users - eg administrator to root
username map = /etc/samba/user.map
# enable Extended ACL support
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[users]
path = /srv/users
read only = No
=======================================
/etc/samba/user.map:
!root = MICROLYNX\Administrator MICROLYNX\administrator Administrator administrator
What am I doing wrong? Any help or pointers appreciated.
TIA,
Roy
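
Added example, not part of the original message and not Samba's own code: a small Python parser for the username map format used in /etc/samba/user.map above, useful for auditing which client names end up as root and what the leading ! does. The second map line, the function names and the case-insensitive comparison are assumptions of this sketch; @group entries are skipped because resolving them needs NSS lookups.

```python
import re

# Constructed sample: the user.map line from the message plus one line added for illustration.
SAMPLE_MAP = r'''
# comment lines start with # or ;
!root = MICROLYNX\Administrator MICROLYNX\administrator Administrator administrator
guest = "MICROLYNX\Temp User" *
'''

def parse_username_map(text):
    """Return [(unix_name, stop_on_match, [client_names])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        left, right = line.split("=", 1)
        left = left.strip()
        stop = left.startswith("!")  # '!' = stop processing the file after a match here
        # Names are whitespace-separated; double quotes protect names containing spaces.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', right)]
        rules.append((left.lstrip("!").strip(), stop, names))
    return rules

def resolve(rules, client_name):
    """Apply rules top to bottom; return the final unix name, or None if unmapped."""
    current, mapped = client_name, False
    for unix_name, stop, names in rules:
        hit = any(n == "*" or n.lower() == current.lower()
                  for n in names if not n.startswith("@"))  # @group entries skipped
        if hit:
            current, mapped = unix_name, True
            if stop:
                break
    return current if mapped else None

def names_mapped_to(rules, unix_name="root"):
    """Explicitly listed client names that end up mapped to unix_name."""
    seen = []
    for _, _, names in rules:
        for n in names:
            if n == "*" or n.startswith("@") or n in seen:
                continue
            if resolve(rules, n) == unix_name:
                seen.append(n)
    return seen

if __name__ == "__main__":
    for name in names_mapped_to(parse_username_map(SAMPLE_MAP), "root"):
        print("maps to root:", name)
```

With the constructed wildcard line present, dropping the ! from the root line lets the later guest = * line re-map administrator, which is why the stop marker matters on a privileged mapping.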