[Samba] Domain member server: user access

L.P.H. van Belle belle at bazuin.nl
Tue Oct 10 14:43:00 UTC 2017


Here is a script you can use as a starting point.  ;-) 

Run it and it shows the command to "edit" the sam.ldb. 
Just replace ldbedit with ldbsearch and script against it. 


cat addc-change-nix-rfc2307.sh
#!/bin/bash

# By default Active Directory starts assigning UIDs/GIDs both at 10000.
# Defining the next UID/GID to use is not done with samba-tool (yet).
#
# Every time a UID/GID is assigned, Active Directory Users and Computers (ADUC)
# stores the next unused UID/GID inside the Active Directory.
# You can change the next UID/GID that will be assigned. E.g. if you require
# UIDs to start at 20000 and GIDs at 50000, change the values on a Domain Controller:
#
# Example:
# ldbedit -H /usr/local/samba/private/sam.ldb \
# -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
#
# Adapt the following two attributes to your needs and save the changes.
# msSFU30MaxUidNumber: 20000
# msSFU30MaxGidNumber: 50000

# Where this DC keeps sam.ldb (samba -b prints the build-time paths).
PRIVATEDIR="$(sudo samba -b | awk '/PRIVATE_DIR/ { print $NF }')"

# NetBIOS name and forest DNS name of this domain, from samba-tool.
DOMINFO="$(samba-tool domain info "$(hostname -f)")"
NETBIOSNAME="$(echo "$DOMINFO" | awk '/Netbios/ { print $NF }')"
FOREST_DC="$(echo "$DOMINFO" | awk '/Forest/ { print $NF }')"

# Build the base DN from the forest DNS name (samdom.example.com -> DC=samdom,DC=example,DC=com).
# This works for any number of DNS labels, not only three.
FOREST_DN="DC=$(echo "$FOREST_DC" | sed 's/\./,DC=/g')"

echo "The command to run is: sudo ldbedit -H ${PRIVATEDIR}/sam.ldb -s base -b CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${FOREST_DN}"



Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Tuesday 10 October 2017 16:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
> 
> On Tue, 10 Oct 2017 15:54:45 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
> > On 2017-10-10 at 09:57, Rowland Penny via samba wrote:
> > > On Tue, 10 Oct 2017 09:19:11 +0200
> > > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > >>
> > >> The admin there created a group via RSAT.
> > >> And that group was not visible/usable on the DM server.
> > > 
> > > It wouldn't be if the group was created as just a windows group.
> > 
> > How to create the group as unix group via RSAT?
> > By adding the gidNumber, right?
> 
> Yes.
> 
> > 
> > As asked before: do I have to keep track of the next free gidNumber
> > myself? I assume there is some cool grep to read the highest used xid
> > from LDAP or so ... ?
> 
> If you are using RSAT with the Unix Attributes tab it should 
> create a couple of extra attributes here:
> 
> dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
> 
> Where 'samdom' will be your workgroup and 'DC=samdom,DC=example,DC=com'
> is your suffix.
> 
> The attributes are:
> 
> msSFU30MaxUidNumber
> msSFU30MaxGidNumber
> 
> and they contain the next Uid & Gid to use.
> 
> These attributes are only used by the Unix Attributes tab on 
> RSAT, but there is nothing stopping you writing a script to 
> use them (hint, hint)
> 
> > 
> > 
> > >> Until here there was no decision for a uidNumber or gidNumber.
> > >> He did not set one via RSAT. Does he have to do that?
> > > 
> > > On a DC, group will be given an xidNumber and if the libnss_winbind
> > > links are set up, this will be used, but only on that DC
> > > 
> > > On a Unix domain member, it is different, the xidNumber will not be
> > > used, because it isn't available.
> > > You have two main options, use the winbind 'rid' backend, with this,
> > > provided you use the same smb.conf on all Unix domain members, you
> > > will get the required UIDs & GIDs without adding anything to AD.
> > > There is a 'gotcha' though, you will have to use the template lines
> > > in smb.conf for user shell & home dirs. Your users and groups would
> > > also have different IDs on the DC.
> > > If you want to have the same IDs everywhere, you will have to use
> > > the winbind 'ad' backend and give your users & groups uidNumber and
> > > gidNumber attributes, you will also be able to use the other RFC2307
> > > attributes.
> > > 
> > > Whichever winbind backend you use on the Unix domain members, you 
> > > will also have to set up the libnss_winbind links.
> > 
> > OK, I think I understand.
> > 
> > We use backend "ad" on the DM and the DM has
> > /usr/lib64/libnss_winbind.so* and
> > 
> > # grep winbind /etc/nsswitch.conf
> > passwd:      compat winbind
> > group:       compat winbind
> > 
> > This is what you point me at, right?
> 
> Yes, but you also need PAM
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
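Rowland's hint above (a script that uses the msSFU30Max* counters), worked through as an added shell example that is not from this thread or the Samba project: read msSFU30MaxGidNumber with ldbsearch, create the group with that gidNumber via samba-tool, then bump the counter so RSAT's Unix Attributes tab and the script hand out one sequence. Assumptions: samba-tool group add accepts --gid-number and --nis-domain, the NIS domain is the lower-cased NetBIOS name, and the sample LDIF is constructed here.

```shell
#!/bin/sh
# Added example, not from the list posting: allocate a gidNumber from the
# msSFU30MaxGidNumber counter that RSAT's Unix Attributes tab maintains,
# create the group with it, and bump the counter so RSAT and the script stay
# in step. Only the "--apply" branch touches a DC; everything else is pure text.
set -eu

# samdom.example.com -> DC=samdom,DC=example,DC=com (any number of labels)
dns_to_dn() {
    printf 'DC=%s\n' "$(printf '%s' "$1" | sed 's/\./,DC=/g')"
}

# DN of the ypServ30 object holding the counters: $1 = NetBIOS name, $2 = forest DNS name
counter_dn() {
    printf 'CN=%s,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s\n' "$1" "$(dns_to_dn "$2")"
}

# Read one attribute's value from ldbsearch LDIF on stdin; prints nothing if absent.
ldif_value() {
    awk -v a="$1:" '$1 == a { print $2; exit }'
}

# LDIF that sets the counter to a new value: $1 = dn, $2 = attribute, $3 = value
bump_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$1" "$2" "$2" "$3"
}

# Constructed sample of what "ldbsearch -s base -b <counter dn>" returns.
SAMPLE_LDIF='dn: CN=SAMDOM,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000'

# Live path, run on a DC as: ./script --apply GROUPNAME
# Assumes samba-tool, ldbsearch and ldbmodify on PATH and that the counter
# object already exists (RSAT creates it the first time the Unix tab is used).
if [ "${1:-}" = "--apply" ]; then
    group="${2:?group name required}"
    dominfo="$(samba-tool domain info "$(hostname -f)")"
    netbios="$(printf '%s\n' "$dominfo" | awk '/Netbios/ { print $NF }')"
    forest="$(printf '%s\n' "$dominfo" | awk '/Forest/ { print $NF }')"
    sam="$(samba -b | awk '/PRIVATE_DIR/ { print $NF }')/sam.ldb"
    dn="$(counter_dn "$netbios" "$forest")"
    gid="$(ldbsearch -H "$sam" -s base -b "$dn" msSFU30MaxGidNumber | ldif_value msSFU30MaxGidNumber)"
    [ -n "$gid" ] || { echo "no msSFU30MaxGidNumber at $dn; set it with ldbedit first" >&2; exit 1; }
    # NIS domain assumed to be the lower-cased NetBIOS name, as RSAT uses (assumption).
    samba-tool group add "$group" --gid-number="$gid" --nis-domain="$(printf '%s' "$netbios" | tr 'A-Z' 'a-z')"
    bump_ldif "$dn" msSFU30MaxGidNumber "$((gid + 1))" | ldbmodify -H "$sam"
    echo "created $group with gidNumber $gid; next free is $((gid + 1))"
fi
```

Two admins running this at the same time could both read the same counter value, and ldbmodify offers no compare-and-swap, so run it from one place or under a lock.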