[Samba] Opensolaris-ish joins but does not seem to be valid

Rowland Penny rpenny at samba.org
Tue Oct 10 20:41:12 UTC 2017


On Tue, 10 Oct 2017 15:19:06 -0500 (CDT)
Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
> > From: "samba" <samba at lists.samba.org>
> > To: "samba" <samba at lists.samba.org>
> > Sent: Tuesday, October 10, 2017 12:02:11 PM
> > Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be
> > valid
> 
> > On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> > Andrew Martin <amartin at xes-inc.com> wrote:
> > 
> > 
> >> > 
> >> > Is this from the Opensolaris-ish machine ?
> >> > 
> >> > I expected to see a smb.conf file from a Unix domain member.
> >> > 
> >> > If it is from the machine where you are getting '[NT
> >> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
> >> > username'. By default winbind doesn't enumerate users and groups.
> >> 
> >> Running "getent passwd username" does not return anything on the
> >> client machine.
> > 
> > Then you have a problem, your users and groups seem to be unknown to
> > the underlying OS.
> > 
> >> The Solaris CIFS service, aka smb/server, is joined to the domain
> >> with "smbadm join -u Administrator example.com" and once joined you
> >> can query AD users using "idmap show -cV user at example.com". By
> >> default, idmapd uses "Ephemeral mapping", so AD users are
> >> represented locally by a randomly-chosen, high-numbered uid rather
> >> than their actual uid as stored in uidNumber or elsewhere in AD.
> >> This is undesirable, so we have reconfigured idmap to use
> >> "directory-based mapping" instead:
> >> http://docs.oracle.com/cd/E22471_01/html/820-4167/configuration__services__identity_mapping.html
> >> https://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredirbasedmapping/index.html
> >> 
> > 
> > If you provisioned the Samba AD DC with --use-rfc2307, then I think
> > you should have gone with the IDMU mapping, what we call around here
> > 'RFC2307'. By using this, you will be doing something very similar to
> > using the winbind 'ad' backend and will be able to use RSAT on a
> > WIN 7 or 8.1 to admin it.
> > 
> 
> It has been a while, but the last time I looked into IDMU mode I
> thought Samba didn't support it. I thought Windows AD required a
> separate installer to be run to add IDMU mode and then some extra
> fields in AD needed to be created and proactively synced on a regular
> basis (e.g. syncing from the normal userPassword field to
> unixUserPassword). Are there any guides or information on how to
> set up IDMU mode on a Samba DC? 

When you provision a Samba AD DC, there is an option '--use-rfc2307'.

This adds the same schema extension that IDMU on windows adds, if you
didn't provision with this, you can easily add it, see here:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

> 
> At least on Solaris, it sounds like IDMU is not 100% identical to
> RFC2307:

Cannot argue with that, it isn't fully 100% identical on Linux either,
but it works ;-)

Rowland
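As an added illustration of the winbind 'ad' backend Rowland refers to (not a configuration from this thread or from the Samba project), the smb.conf fragment below shows a Unix domain member reading uidNumber/gidNumber from AD rather than allocating ids, which is the RFC2307 counterpart of the Solaris "directory-based mapping". The workgroup SAMDOM, realm SAMDOM.EXAMPLE.COM and the id ranges are assumed values.

```ini
# Added example (not from the thread): smb.conf for a Unix domain member
# using the winbind 'ad' backend with RFC2307 attributes, so the
# uidNumber/gidNumber stored in AD are used instead of allocated ids.
# Assumed values: workgroup SAMDOM, realm SAMDOM.EXAMPLE.COM, id ranges.
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    # Default backend for BUILTIN and any unlisted domain: allocated ids,
    # kept in a range that cannot overlap the AD range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The AD domain: read uidNumber/gidNumber from the directory.
    # A user with no uidNumber, or one outside the range, is not mapped,
    # so 'getent passwd user' returns nothing for that user by design.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    # Also take loginShell and unixHomeDirectory from AD, falling back
    # to the templates below when those attributes are unset.
    idmap config SAMDOM : unix_nss_info = yes
    template shell = /bin/bash
    template homedir = /home/%U

    winbind use default domain = yes
    winbind refresh tickets = yes
```

With `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf, `getent passwd username` should then return the uidNumber held in AD; if it does not, `wbinfo -i username` shows whether winbind itself can resolve the user or the gap is on the NSS side.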


