[Samba] Samba to Domain Member Server Configs Messed Up, Now getent fails
Sina Owolabi
notify.sina at gmail.com
Wed Nov 22 05:57:41 UTC 2017
:-o :-D
Thanks. Nothing was in AD.
Changed back to idmap config SAMDOM : backend = rid and getent worked again.
As an aside, does anyone know where I can find Windows KVM images?
Where the servers are hosted is remote and no gui access.
On Sun, Nov 19, 2017 at 11:00 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Sun, 19 Nov 2017 10:16:53 +0100
> Sina Owolabi via samba <samba at lists.samba.org> wrote:
>
>> Hi List
>>
>> Absolutely confused newb here. Again.
>>
>> I noticed that the user gid and uids on my DCs were different from the
>> uids and gids I would find on the domain member file server. (I
>> created users with samba-tool.) User UIDs on the DCs would start in
>> the 30000XX range, while on the file server, the uid would start in
>> the 1000XX range.
>> In an attempt to rectify this, I changed the smb.conf from
>>
>> [global]
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.TESTING.COM
>>
>> server string = Samba Server Version %v
>>
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind refresh tickets = Yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-9999
>> idmap config SAMDOM : backend = rid
>> idmap config SAMDOM : range = 10000-999999
>> template shell = /bin/bash
>> template homedir = /share/%U
>>
>> to (after reading the wiki):
>>
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.TESTING.COM
>>
>> server string = Samba Server Version %v
>>
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind refresh tickets = Yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-9999
>> idmap config SAMDOM : backend = ad
>> idmap config SAMDOM : unix_nss_info = yes
>> idmap config SAMDOM: schema_mode = rfc2307
>> idmap config SAMDOM : range = 3000000-9999999
>> template shell = /bin/bash
>> template homedir = /share/%U
>>
>> Now getent is no longer retrieving domain users and groups.
>> I know I have messed up, please how can I fix it?
>>
>
> Fairly obvious, put the smb.conf back to what it was ;-)
>
> The IDs you are getting on the DC are 'xidNumbers' and are only used on
> the DC (and unless you sync idmap.ldb to other DCs, used only on that
> DC)
> You have moved from the winbind 'ad' backend on the Unix domain member
> to the 'ad' backend and I am willing to wager a large amount that you
> have not added anything to AD.
> The only way to get the same IDs everywhere is to add uidNumber
> attributes to your user objects in AD and a gidNumber to Domain Users
> (at least). These uidNumber and gidNumber attributes must contain
> numbers inside the range you set in smb.conf and shouldn't be in the
> '3000000' range.
>
> Rowland
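
The failure discussed in this thread can be checked offline. The following is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines of the 'ad' configuration quoted above and reports which accounts the backend cannot resolve, because the attribute is missing from AD or lies outside the configured range (the `ad` backend's range acts as a filter). The account names and ID values are constructed for illustration.

```python
import re

# Constructed sample: the 'ad' backend lines from the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM: schema_mode = rfc2307
idmap config SAMDOM : range = 3000000-9999999
"""

# Constructed directory data (hypothetical accounts): name -> (uidNumber,
# gidNumber of the primary group); None means the attribute is not set in AD.
AD_USERS = {
    "alice": (None, None),        # created with samba-tool, nothing added to AD
    "bob": (10001, 10000),        # values that only fit the old 10000-999999 range
    "carol": (3000005, None),     # uidNumber set, primary group has no gidNumber
    "dave": (3000006, 3000001),   # both attributes set and inside the range
}

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.*\S)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} built from 'idmap config' lines."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def unresolvable_users(domains, domain, users):
    """Map each user the 'ad' backend cannot resolve to the first reason found."""
    opts = domains[domain.upper()]
    if opts.get("backend") != "ad":
        return {}                 # other backends (e.g. rid) do not read these attributes
    low, high = (int(n) for n in opts["range"].split("-"))
    problems = {}
    for name, ids in users.items():
        for attr, value in zip(("uidNumber", "gidNumber"), ids):
            if value is None:
                problems.setdefault(name, f"{attr} not set in AD")
            elif not low <= value <= high:
                problems.setdefault(name, f"{attr} {value} outside {low}-{high}")
    return problems

if __name__ == "__main__":
    found = unresolvable_users(parse_idmap(SMB_CONF), "SAMDOM", AD_USERS)
    for user, reason in found.items():
        print(f"{user}: {reason}")
```
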