[Samba] Samba AD and NIS integration

Rowland Penny rpenny at samba.org
Thu Nov 16 13:35:15 UTC 2017


On Thu, 16 Nov 2017 12:55:52 +0000
Stephen Parry <sgparry at mainscreen.com> wrote:

> 
> >> idmapping does not work for AD Domain Controllers. 
> >
> >It does ;-)
> >
> Does that mean that the warning in the docs is out of date? Does it
> work on the version of Samba in the Stretch repository (Samba
> 4.5.12), or do I need to find a repo with a more recent build? 

It has always worked, you do not need a specific version of Samba, but
newer is always better ;-)

> 
> >>Other pages
> >> suggest many of the winbind parameters are simply ignored and I can
> >> confirm this is the case.
> >
> >This is the main problem with using a Samba AD DC as a fileserver,
> >you can only use the uidNumber & gidNumber attributes.
> 
> I am already using the uidNumber and gidNumber, as set up using
> samba-tool user add --uid-number and visible with ldbsearch, both on
> the DC. I provisioned it with rfc2307 flags. If I specify
> --uid-numbers in the range 30,000,000+ they map and work. If I use
> 3000, which is what I am used to from LDAP, they don't. If I try to
> set the ranges in the smb.conf they still only work in the
> 30,000,000+ range. When I get home later I will post some sample
> commands and config to clarify.

There is something going wrong here, the two 'getent' commands I posted
prove that it works.

> 
> >
> >If you have given a user a uidNumber attribute this should be used
> >instead of the xidNumber.
> >
> >On a DC:
> >getent passwd rowland
> >SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> >On a Unix domain member:
> >
> >getent passwd rowland
> >rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> >> 
> >> > If you mean make the Unix OS know who the AD users and groups
> >> > are, then yes.
> >> Specifically, what I need is my Linux clients to be able to both
> >> log in locally and also connect to NFS shares on the server,
> >> authenticating using either LDAP or NIS, but in both cases using
> >> the same logins and passwords as the Windows clients who will be
> >> connecting to SMB shares using SMB protocols.
> >
> >Forget ldap, forget nis, use winbind. I am typing this on a Unix
> >domain member, so I can assure you that it works.
> >
> By unix domain member do you mean Unix member of NIS domain or Unix
> member of Samba AD domain? I do not want to make my Linux boxes
> members of the samba domain period. I am trying to use as little
> Microsoft related tech on the Linux clients as possible; I just want
> to share credentials with the Microsoft side of the network.

You will have to make your Linux machines domain members or it will not
work. You do not have NIS users or Windows users, you have AD users.
Just as you do not have local users on a Windows domain PC, you do not
have local Unix users on a Unix domain member. This means you do not
have users in /etc/passwd and AD. 

> >> So far I have the auth working just locally on the server. 
> >
> >If you have the auth working, but cannot log in, it sounds like you
> >do not have libnss_winbind and/or nsswitch set up correctly.
> >
> No by auth, I meant including local login, which works.

Which sort of points to you having users in /etc/passwd with IDs in the
3000000 range.

Rowland
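Two checks that follow from this exchange, written as an added example and not part of the thread or of any Samba tooling: first, whether nsswitch.conf actually lists winbind for both passwd and group (the libnss_winbind point made above), and second, whether any entry in a local /etc/passwd carries the same UID as an AD user returned by `getent passwd` (the 3000-range collision Rowland suspects). The passwd, getent and nsswitch contents below are constructed samples, and the function names `nss_has_winbind` and `uid_collisions` are this example's own; on a real system you would feed the functions the contents of /etc/passwd, the output of `getent passwd`, and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example: spot the two common reasons AD users resolve on the DC but
# fail on a Unix domain member. All sample data below is constructed.

# Constructed sample of a local /etc/passwd with a hand-made user at UID 3000.
LOCAL_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
stephen:x:3000:3000:Stephen local:/home/stephen:/bin/bash
svc:x:3001:3001:service:/var/lib/svc:/usr/sbin/nologin
EOF
)

# Constructed sample of `getent passwd` output on a DC, in the
# DOMAIN\user:*:uid:gid:gecos:home:shell form shown in the thread.
AD_PASSWD=$(cat <<'EOF'
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
SAMDOM\stephen:*:3000:3000:Stephen Parry:/home/stephen:/bin/bash
EOF
)

# Constructed nsswitch.conf fragments: one that hands passwd/group lookups
# to winbind, one that forgot the group line.
NSS_OK='passwd: files winbind
group:  files winbind
shadow: files'
NSS_BAD='passwd: files winbind
group:  files
shadow: files'

# nss_has_winbind NSSWITCH_TEXT
# Succeeds (exit 0) only when both the passwd: and group: lines name winbind,
# which is what libnss_winbind needs before AD users and groups can resolve.
nss_has_winbind() {
    printf '%s\n' "$1" | awk '
        /^passwd:/ && /winbind/ { p = 1 }
        /^group:/  && /winbind/ { g = 1 }
        END { exit !(p && g) }
    '
}

# uid_collisions LOCAL_PASSWD_TEXT AD_PASSWD_TEXT
# Prints "uid local_name ad_name" for every UID present in both sources.
# Local entries are tagged L and read first, AD entries are tagged A and
# checked against the UIDs already seen.
uid_collisions() {
    {
        printf '%s\n' "$1" | awk -F: '{ print "L", $3, $1 }'
        printf '%s\n' "$2" | awk -F: '{ print "A", $3, $1 }'
    } | awk '
        $1 == "L" { loc[$2] = $3 }
        $1 == "A" { if ($2 in loc) print $2, loc[$2], $3 }
    '
}

# Stand-alone run over the constructed samples.
if nss_has_winbind "$NSS_OK"; then
    echo "nsswitch sample 1: winbind present for passwd and group"
fi
if ! nss_has_winbind "$NSS_BAD"; then
    echo "nsswitch sample 2: winbind missing from passwd or group"
fi
echo "UID collisions between local passwd and AD:"
uid_collisions "$LOCAL_PASSWD" "$AD_PASSWD"
```

A collision line such as `3000 stephen SAMDOM\stephen` means the local account shadows the AD one for that UID, which is exactly the state in which a user appears to "work" locally while the AD mapping looks broken; removing the local duplicate and letting winbind supply the user is the fix the thread points to.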
