[Samba] Samba AD and NIS integration

Stephen Parry sgparry at mainscreen.com
Thu Nov 16 12:55:52 UTC 2017


>> idmapping does not work for AD Domain Controllers. 
>
>It does ;-)
>
Does that mean that the warning in the docs is out of date? Does it work on the version of Samba in the Stretch repository (Samba 4.5.12), or do I need to find a repo with a more recent build? 

>>Other pages
>> suggest many of the winbind parameters are simply ignored and I can
>> confirm this is the case.
>
>This is the main problem with using a Samba AD DC as a fileserver, you
>can only use the uidNumber & gidNumber attributes.

I am already using the uidNumber and gidNumber, as set up using samba-tool user add --uid-number and visible with ldbsearch, both on the DC. I provisioned it with rfc2307 flags.
If I specify --uid-numbers in the range 30,000,000+ they map and work. If I use 3000, which is what I am used to from LDAP, they don't. If I try to set the ranges in the smb.conf they still only work in the 30,000,000+ range.
When I get home later I will post some sample commands and config to clarify.



>
>If you have given a user a uidNumber attribute this should be used
>instead of the xidNumber.
>
>On a DC:
>getent passwd rowland
>SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
>On a Unix domain member:
>
>getent passwd rowland
>rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
>> 
>> > If you mean make the Unix OS know who the AD users and groups are,
>> > then yes.
>> Specifically, what I need is my Linux clients to be able to both log
>> in locally and also connect to NFS shares on the server,
>> authenticating using either LDAP or NIS, but in both cases using the
>> same logins and passwords as the Windows clients who will be
>> connecting to SMB shares using SMB protocols.
>
>Forget ldap, forget nis, use winbind. I am typing this on a Unix domain
>member, so I can assure you that it works.
>
By unix domain member do you mean Unix member of NIS domain or Unix member of Samba AD domain? I do not want to make my Linux boxes members of the samba domain period. I am trying to use as little Microsoft related tech on the Linux clients as possible; I just want to share credentials with the Microsoft side of the network.
>> So far I have the auth working just locally on the server. 
>
>If you have the auth working, but cannot log in, it sounds like you do
>not have libnss_winbind and/or nsswitch set up correctly.
>
No by auth, I meant including local login, which works.

>>If I join my win clients to the domain, I believe that will also
>> work, though I will try that last to avoid any catastrophes should
>> I need to change the domain setup. However, linux client logins
>> client
>> to server NIS/LDAP/NFS connections are in the wind currently.
>> 
>> I will trawl through the wiki again later, but what I am missing is
>> full context. What is often not clear from the docs is whether or not
>> what is documented there applies to / work with my specific set up,
>> e.g. whether it works when you are using AD and a Samba PDC; whether
>> it applies to clients local linux log on, etc.
>
>If you can point to something in the wiki that is ambiguous, I will
>try to explain it to you and if required, rewrite that part of the
>wiki.
> 
>Rowland

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
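Added after the message as an illustration; this is not code from the thread, from Rowland, or from the Samba project. It is a small offline POSIX sh check for the two things the reply points at: that nsswitch.conf lists winbind for both passwd and group, and that a getent passwd line carries the uidNumber/gidNumber set on the AD user (a DC prints the name as SAMDOM\rowland, a domain member as rowland). All inputs are constructed; the function names, the 10000:10000 ids taken from the thread's example, and the sample nsswitch.conf contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Offline checks: (1) nsswitch.conf names winbind for passwd and group,
# (2) a getent passwd line returns the expected uidNumber/gidNumber.
# Every input below is constructed for the demonstration.

# Return 0 if the given database line ($2 = passwd or group) in the
# nsswitch.conf file $1 names winbind as a source.
nsswitch_has_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw winbind
}

# Print the account name from a getent passwd line, dropping a DOMAIN\
# prefix (a DC prints SAMDOM\rowland, a domain member prints rowland).
unix_name() {
    printf '%s\n' "$1" | cut -d: -f1 | sed 's/^.*\\//'
}

# Return 0 if the uid and gid fields of a getent passwd line ($1) equal the
# uidNumber ($2) and gidNumber ($3) expected from the directory.
check_mapping() {
    line=$1; want_uid=$2; want_gid=$3
    got_uid=$(printf '%s\n' "$line" | cut -d: -f3)
    got_gid=$(printf '%s\n' "$line" | cut -d: -f4)
    [ "$got_uid" = "$want_uid" ] && [ "$got_gid" = "$want_gid" ]
}

# Write a constructed nsswitch.conf to a temp file and print its path.
# $1 = "with" includes winbind; anything else leaves it out.
make_sample_nsswitch() {
    f=$(mktemp)
    if [ "$1" = with ]; then
        printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts:  files dns\n' > "$f"
    else
        printf 'passwd: compat\ngroup:  compat\nhosts:  files dns\n' > "$f"
    fi
    printf '%s\n' "$f"
}

# Run all checks against a getent line ($1) and an nsswitch.conf ($2) for the
# expected uid ($3) and gid ($4); print one verdict per check, return 0 only
# if every check passes.
diagnose() {
    line=$1; conf=$2; want_uid=$3; want_gid=$4
    rc=0
    for db in passwd group; do
        if nsswitch_has_winbind "$conf" "$db"; then
            echo "ok:   $db line in nsswitch.conf lists winbind"
        else
            echo "FAIL: $db line in nsswitch.conf does not list winbind"; rc=1
        fi
    done
    if check_mapping "$line" "$want_uid" "$want_gid"; then
        echo "ok:   $(unix_name "$line") maps to $want_uid:$want_gid"
    else
        echo "FAIL: $(unix_name "$line") does not map to $want_uid:$want_gid"; rc=1
    fi
    return $rc
}

# Stand-alone run with constructed data. On a real host substitute
# "$(getent passwd rowland)" for the line and /etc/nsswitch.conf for the file.
if [ "${1:-}" = run ]; then
    conf=$(make_sample_nsswitch with)
    diagnose 'SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash' "$conf" 10000 10000
    rm -f "$conf"
fi
```

Run it with `sh check.sh run` to see the constructed case pass. Against a real host, a FAIL on the mapping line means the uid/gid that getent returns is not the directory's uidNumber/gidNumber, which is the first thing to compare with the ldbsearch output mentioned above; a FAIL on the nsswitch lines is the libnss_winbind/nsswitch problem the reply describes.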

