[Samba] Domain member server: user access
rpenny at samba.org
Tue Oct 10 14:25:08 UTC 2017
On Tue, 10 Oct 2017 15:54:45 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> Am 2017-10-10 um 09:57 schrieb Rowland Penny via samba:
> > On Tue, 10 Oct 2017 09:19:11 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >> The admin there created a group via RSAT.
> >> And that group was not visible/usable on the DM server.
> > It wouldn't be if the group was created as just a windows group.
> How to create the group as unix group via RSAT?
> By adding the gidNumber, right?
> As asked before: do I have to keep track of the next free gidNumber
> myself? I assume there is some cool grep to read the highest used xid
> from LDAP or so ... ?
If you are using RSAT with the Unix Attributes tab it should create a
couple of extra attributes here:
Where 'samdom' will be your workgroup and 'DC=samdom,DC=example,DC=com'
is your suffix.
The attributes are:
and they contain the next Uid & Gid to use.
These attributes are only used by the Unix Attributes tab on RSAT, but
there is nothing stopping you writing a script to use them (hint, hint)
> >> Until here there was no decision for a uidNumber or gidNumber.
> >> He did not set one via RSAT. Does he have to do that?
> > On a DC, group will be given an xidNumber and if the libnss_winbind
> > links are set up, this will be used, but only on that DC
> > On a Unix domain member, it is different, the xidNumber will not be
> > used, because it isn't available.
> > You have two main options, use the winbind 'rid' backend, with this,
> > provided you use the same smb.conf on all Unix domain members, you
> > will get the required UIDs & GIDs without adding anything to AD.
> > There is a 'gotcha' though, you will have to use the template lines
> > in smb.conf for user shell & home dirs. Your users and groups would
> > also have different IDs on the DC.
> > If you want to have the same IDs everywhere, you will have to use
> > the winbind 'ad' backend and give your users & groups uidNumber and
> > gidNumber attributes, you will also be able to use the other RFC2307
> > attributes.
> > Whichever winbind backend you use on the Unix domain members, you
> > will also have to set up the libnss_winbind links.
> OK, I think I understand.
> We use backend "ad" on the DM and the DM has
> /usr/lib64/libnss_winbind.so* and
> # grep winbind /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> This is what you point me at, right?
Yes, but you also need PAM
More information about the samba