[Samba] Member Server Configuration

Roy Eastwood spindles7 at gmail.com
Thu Nov 9 21:47:11 UTC 2017


Thanks Rowland.
See inline comments.

> On Thu, 9 Nov 2017 17:08:52 -0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> See inline Comments:
> 
> On Thu, 9 Nov 2017 16:11:49 -0000
> Roy Eastwood via samba <samba at lists.samba.org> wrote:
> 
> > Hi,
> > I have a Debian Stretch machine with Louis' samba 4.7.1 package
> > installed.  I have configured it as a member server and joined it to
> > my test domain.   I tried the idmap rid back end and all worked ok,
> > but am now trying the idmap ad back end.   I have users' home folders
> > saved to a users share on the member server, configured to allow
> > auto-creation of home folders when the windows user logs in for the
> > first time.    That's working OK after some adjustments to the ntfs
> > and share permissions which vary from the samba WiKi page
> > (https://wiki.samba.org/index.php/User_Home_Folders ) after reading
> > this https://support.microsoft.com/en-gb/help/555046. Also if users
> > are allowed to log in locally as a unix user to the member server, I
> > found that the unix permissions had to include rwx for the domain
> > users group otherwise they are unable to access their home
> > folder.        Does the WiKi need updating?
> 
> Probably not.

OK, fine, but I couldn't get auto-creation of home folders to work with just the settings in the WiKi.

> 
> >
> > Am I right in assuming from the WiKI that all users in the domain
> > have to have at least the UID and GID set in AD (when using the idmap
> > ad back end)?
> 
> It depends on what version of Samba you are using and how you set up
> smb.conf, more on this later ;-)
> 
> >
> > My problem is that if I want to log on as administrator,
> 
> Log on where ?
> If you mean to a Unix machine, then no you don't, you might think you
> do, but really you don't.

Yes, I did mean the unix machine; but you are right, I don't need to.   I was just following the wiki to see if it works!   And I can
see it doesn't now from what you say below.

> 
> > I either
> > allocate a UID/GID in AD - in which case I can log in OK. However, if
> > I use the username map parameter in smb.conf along with the
> > appropriate file user.map to map administrator to root, the WiKi says
> > do not allocate a UID and GID in AD.   So I took these off  but I
> > cannot log in now to the member server as administrator. Neither does
> > administrator show up in the output of getent passwd.
> 
> Ah, but you are using a user.map, which maps 'Administrator' to
> 'root', so guess who you should log onto the Unix machine as ?

Yes, indeed.  Actually I use another user and then sudo, but it winds up as the same thing.

> 
> >
> > However, wbinfo -u produces:
> > root at debian-m1:/home/linuxadmin# wbinfo -u
> > test1
> > test2
> > test3
> > administrator
> > roy
> > krbtgt
> > guest
> >
> > But wbinfo -i administrator produces:
> > root at debian-m1:/home/linuxadmin# wbinfo -i administrator
> > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for user administrator
> 
> Yes, that is correct for a Unix Domain member. All that wbinfo shows
> is that winbind can connect to AD, you need to have 'getent passwd
> username' produce output to prove that the OS knows your AD users as
> Unix users (note that 'getent passwd Administrator' won't work either)
> 
> >
> > I have tried also with wbinfo -i MICROLYNX\administrator but the same
> > result as above.
> >
> > My smb.conf from the member server:
> > =============================
> > [global]
> > 	netbios name = debian-m1
> > 	security = ADS
> > 	workgroup = MICROLYNX
> > 	realm = MICROLYNX.CO.UK
> >
> > 	log file = /var/log/samba/%m.log
> > 	log level = 1
> >
> > 	dedicated keytab file = /etc/krb5.keytab
> > 	kerberos method = secrets and keytab
> > 	winbind refresh tickets = yes
> >
> > 	winbind trusted domains only = no
> > 	winbind use default domain = yes
> >
> > 	# Default idmap config used for BUILTIN and local accounts/groups
> > 	idmap config *:backend = tdb
> > 	idmap config *:range = 2000-9999
> >
> > 	# idmap config for domain MICROLYNX
> > 	idmap config MICROLYNX:backend = ad
> > 	idmap config MICROLYNX:schema_mode = rfc2307
> > 	idmap config MICROLYNX:range = 10000-99999
> >
> > 	# Use settings from AD for login shell and home directory and primary group
> > 	idmap config MICROLYNX:unix_nss_info=yes
> > 	idmap config MICROLYNX:unix_primary_group=yes
> 
> Remember when I said 'more on this later', well it is later ;-)
> 
> With the above 'idmap config' lines, your users will need a uidNumber
> attribute containing a unique number from the '10000-99999' range, they
> will also need a gidNumber attribute that contains the gidNumber of a
> group, this means that the group MUST have a gidNumber attribute
> containing the same number, this must also be in the '10000-99999'
> range.
> If you do not want this, give Domain Users a gidNumber and remove the
> 'unix_primary_group' line and restart Samba.

OK, yes, I have removed this line as I have already given Domain Users a gid number.

> 
> >
> > 	# enable getent passwd & getent group to display domain users & groups
> > 	winbind enum users = yes
> > 	winbind enum groups = yes
> 
> You should remove the two 'winbind enum' lines, you do not need them
> and they only slow things down.
> 

Yes, noted, these were inserted for testing.

> Rowland

So the section on the WiKi page for "Mapping the Domain Administrator Account to the local root user" is never going to work for
logging onto the member server itself?   I assume therefore this will only apply if the administrator on another member client
machine saves files etc, they will be owned by root rather than the Domain Administrator account?   If so I misunderstood the
purpose of that section!

Thanks for your clarifications!

Roy
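As an added illustration (not part of the thread and not Samba's own tooling), the script below parses the member server's smb.conf quoted above and reports the points Rowland raises: whether the `*` and domain idmap ranges overlap, which RFC2307 attributes users and groups must carry given `unix_primary_group`, and whether the unnecessary `winbind enum` lines are still present. The sample config is constructed from the thread's smb.conf.

```python
import re

# Constructed sample: the idmap-relevant lines of the smb.conf posted in
# the thread, with the two 'winbind enum' lines still present.
SMB_CONF = """\
[global]
    security = ADS
    workgroup = MICROLYNX
    realm = MICROLYNX.CO.UK
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config MICROLYNX:backend = ad
    idmap config MICROLYNX:schema_mode = rfc2307
    idmap config MICROLYNX:range = 10000-99999
    idmap config MICROLYNX:unix_nss_info = yes
    idmap config MICROLYNX:unix_primary_group = yes
    winbind enum users = yes
    winbind enum groups = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def parse_range(text):
    """'10000-99999' -> (10000, 99999)."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_idmap(conf):
    """Return a list of findings about the idmap/winbind settings."""
    findings = []
    domains = parse_idmap(conf)
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    for i, a in enumerate(names):          # every ID range must be disjoint
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    for dom, opts in domains.items():      # attribute requirements for idmap ad
        if dom == "*" or opts.get("backend", "").lower() != "ad":
            continue
        lo, hi = ranges.get(dom, (None, None))
        if opts.get("unix_primary_group", "no").lower() == "yes":
            findings.append(f"{dom}: users need uidNumber and gidNumber in {lo}-{hi}; "
                            "each gidNumber must belong to a group that has that gidNumber")
        else:
            findings.append(f"{dom}: users need uidNumber in {lo}-{hi}; 'Domain Users' needs a gidNumber")
    for opt in ("winbind enum users", "winbind enum groups"):
        if re.search(rf"^\s*{opt}\s*=\s*yes", conf, re.I | re.M):
            findings.append(f"'{opt} = yes' is unnecessary and slows lookups")
    return findings
```

Running `check_idmap(SMB_CONF)` on the posted config reports the uidNumber/gidNumber requirement and the two enum lines; removing the `unix_primary_group` line, as Roy did, switches the finding to the Domain Users gidNumber requirement.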
