[Samba] Domain member server: user access
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 10 14:43:00 UTC 2017
Here is a script you can use as a starting point. ;-)
Run it and it shows the command to "edit" the sam.ldb.
Just replace ldbedit with ldbsearch and script against it.
cat addc-change-nix-rfc2307.sh
#!/bin/bash
# By default Active Directory starts assigning UIDs/GIDs both at 10000.
# Defining the next UID/GID to use is not done with samba-tool (yet).
#
# Every time a UID/GID is assigned, Active Directory Users and Computers (ADUC)
# stores the next unused UID/GID inside the Active Directory.
# You can change the next UID/GID that will be assigned, e.g. if you need
# UIDs to start at 20000 and GIDs at 50000, change the values on a Domain Controller:
#
# Example:
# ldbedit -H /usr/local/samba/private/sam.ldb \
# -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
#
# Adapt the following two attributes to your needs and save the changes.
# msSFU30MaxUidNumber: 20000
# msSFU30MaxGidNumber: 50000
set -euo pipefail

# Location of sam.ldb, taken from the build options of the installed samba binary.
PRIVATEDIR="$(sudo samba -b | awk '/PRIVATE_DIR/ { print $NF }')"
# NetBIOS domain name and forest DNS name as reported by samba-tool.
DOMAIN_INFO="$(samba-tool domain info "$(hostname -f)")"
NETBIOSNAME="$(printf '%s\n' "$DOMAIN_INFO" | awk '/Netbios/ { print $NF }')"
FOREST_DC="$(printf '%s\n' "$DOMAIN_INFO" | awk '/^Forest/ { print $NF }')"
# Turn the forest DNS name into a DN suffix; this works for any number of
# labels, not only three: samdom.example.com -> DC=samdom,DC=example,DC=com
FOREST_SUFFIX="DC=$(printf '%s' "$FOREST_DC" | sed 's/\./,DC=/g')"

echo "The command to run is: sudo ldbedit -H ${PRIVATEDIR}/sam.ldb -s base -b CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${FOREST_SUFFIX}"
Greetz,
Louis
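The script above only prints the ldbedit command. As an added example (not Louis's script and not anything shipped by the Samba project), the following takes Rowland's hint one step further: it parses the two msSFU30Max* counters out of ldbsearch output, gives a group its gidNumber, and writes the bumped counter back so the RSAT Unix Attributes tab stays in sync. The sam.ldb path /var/lib/samba/private/sam.ldb, the function names and the sample ldbsearch output are assumptions; the DN builder also accepts forest names with any number of labels.

```shell
#!/bin/bash
# Added example, not the script from the post: read the "next free" GID that the
# RSAT Unix Attributes tab keeps in AD, hand it to a group, and bump the counter.
# Only assign_gid_on_dc touches the DC; the helpers are pure shell so they can be
# exercised on constructed ldbsearch output.
set -eu

# Build the ypservers DN for any number of DNS labels (the original script
# assumed exactly three).
ypservers_dn() {   # ypservers_dn NETBIOSNAME forest.dns.name
    printf 'CN=%s,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=%s\n' \
        "$1" "$(printf '%s' "$2" | sed 's/\./,DC=/g')"
}

# Print the value of msSFU30MaxUidNumber / msSFU30MaxGidNumber from ldbsearch
# output on stdin; fail if the attribute is missing (RSAT never wrote it).
next_free_id() {   # next_free_id ATTRIBUTE < ldbsearch-output
    awk -v attr="$1:" '$1 == attr { print $2; found = 1 } END { exit !found }'
}

# LDIF that sets gidNumber on a group and moves the counter past the value
# handed out, so the next RSAT user (or script run) does not reuse it.
allocation_ldif() {   # allocation_ldif GROUP_DN YPSERVERS_DN GID
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %d\n\n' "$1" "$3"
    printf 'dn: %s\nchangetype: modify\nreplace: msSFU30MaxGidNumber\nmsSFU30MaxGidNumber: %d\n' \
        "$2" "$(( $3 + 1 ))"
}

# Constructed sample of what `ldbsearch -s base` prints for the ypservers object.
SAMPLE_LDB='dn: CN=SAMDOM,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000

# returned 1 records'

# Live use on a DC (assumed sam.ldb path; run as root). The read-modify-write
# is not atomic, so allocate from one place at a time.
assign_gid_on_dc() {   # assign_gid_on_dc GROUP_DN
    local info yp gid
    info=$(samba-tool domain info "$(hostname -f)")
    yp=$(ypservers_dn "$(printf '%s\n' "$info" | awk '/Netbios/ { print $NF }')" \
                      "$(printf '%s\n' "$info" | awk '/^Forest/ { print $NF }')")
    gid=$(ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "$yp" '(objectClass=*)' \
          msSFU30MaxGidNumber | next_free_id msSFU30MaxGidNumber)
    allocation_ldif "$1" "$yp" "$gid" | ldbmodify -H /var/lib/samba/private/sam.ldb
}
```

The counters hold the next ID to use, so after handing out 50000 the LDIF sets msSFU30MaxGidNumber to 50001; a missing counter means nobody has used the Unix Attributes tab yet and next_free_id fails rather than guessing.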
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 10 October 2017 16:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> On Tue, 10 Oct 2017 15:54:45 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> > On 2017-10-10 at 09:57, Rowland Penny via samba wrote:
> > > On Tue, 10 Oct 2017 09:19:11 +0200
> > > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > >>
> > >> The admin there created a group via RSAT.
> > >> And that group was not visible/usable on the DM server.
> > >
> > > It wouldn't be if the group was created as just a windows group.
> >
> > How to create the group as unix group via RSAT?
> > By adding the gidNumber, right?
>
> Yes.
>
> >
> > As asked before: do I have to keep track of the next free gidNumber
> > myself? I assume there is some cool grep to read the highest used xid
> > from LDAP or so ... ?
>
> If you are using RSAT with the Unix Attributes tab it should
> create a couple of extra attributes here:
>
> dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>
> Where 'samdom' will be your workgroup and 'DC=samdom,DC=example,DC=com'
> is your suffix.
>
> The attributes are:
>
> msSFU30MaxUidNumber
> msSFU30MaxGidNumber
>
> and they contain the next Uid & Gid to use.
>
> These attributes are only used by the Unix Attributes tab on
> RSAT, but there is nothing stopping you writing a script to
> use them (hint, hint)
>
> >
> >
> > >> Until here there was no decision for a uidNumber or gidNumber.
> > >> He did not set one via RSAT. Does he have to do that?
> > >
> > > On a DC, group will be given an xidNumber and if the libnss_winbind
> > > links are set up, this will be used, but only on that DC
> > >
> > > On a Unix domain member, it is different, the xidNumber will not be
> > > used, because it isn't available.
> > > You have two main options, use the winbind 'rid' backend, with this,
> > > provided you use the same smb.conf on all Unix domain members, you
> > > will get the required UIDs & GIDs without adding anything to AD.
> > > There is a 'gotcha' though, you will have to use the template lines
> > > in smb.conf for user shell & home dirs. Your users and groups would
> > > also have different IDs on the DC.
> > > If you want to have the same IDs everywhere, you will have to use
> > > the winbind 'ad' backend and give your users & groups uidNumber and
> > > gidNumber attributes, you will also be able to use the other RFC2307
> > > attributes.
> > >
> > > Whichever winbind backend you use on the Unix domain members, you
> > > will also have to set up the libnss_winbind links.
> >
> > OK, I think I understand.
> >
> > We use backend "ad" on the DM and the DM has
> > /usr/lib64/libnss_winbind.so* and
> >
> > # grep winbind /etc/nsswitch.conf
> > passwd: compat winbind
> > group: compat winbind
> >
> > This is what you point me at, right?
>
> Yes, but you also need PAM
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>