[Samba] winbind rfc2307 not being obeyed
Jeff Sadowski
jeff.sadowski at gmail.com
Mon Oct 30 16:54:48 UTC 2017
My smb.conf file now looks like so
[global]
#--authconfig--start-line--
# Generated by authconfig on 2017/10/30 10:47:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MIND
password server = MIND.UNM.EDU
realm = MIND.UNM.EDU
security = ads
idmap config * : range = 2000-7999
template homedir = /na/homes/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
; security = ads
; realm = MIND.UNM.EDU
; workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
; winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
; template homedir=/na/homes/%U
; template shell=/bin/bash
On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> fedora's authconfig must edit a bunch of files
>
> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> I found what I needed to do
>> DOMAIN=MIND.UNM.EDU
>> SHORT=MIND
>> authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
>>   --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
>>   --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
>>   --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
>>   --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
>>   --enablemkhomedir --enablewinbindusedefaultdomain --update
>>
>> this worked
>>
>> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Mon, 30 Oct 2017 09:49:24 -0600
>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>
>>>> OS:fedora-26
>>>> SAMBA:4.6.8
>>>> [root@squints ~]# cat /etc/samba/smb.conf
>>>> [global]
>>>> security = ads
>>>> realm = MIND.UNM.EDU
>>>> workgroup = MIND
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-7999
>>>> idmap config MIND:backend = ad
>>>> idmap config MIND:schema_mode = rfc2307
>>>> idmap config MIND:range = 8000-9999999
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> # so that the users show up in getent
>>>> winbind enum users = yes
>>>> # so that the groups show up in getent
>>>> winbind enum groups = yes
>>>> restrict anonymous = 2
>>>> #added the following 2 for the Badlock updates that change the defaults
>>>> #to no longer work with my domain controllers
>>>> ldap server require strong auth = no
>>>> client ldap sasl wrapping = plain
>>>>
>>>> [root@squints ~]# getent passwd jsadowski
>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>>
>>>> however from an ubuntu machine with the same smb.conf it looks like so
>>>> OS:ubuntu-16.04
>>>> SAMBA:4.3.11
>>>> root at daddles:~# getent passwd jsadowski
>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>
>>>> which is how AD shows it as well.
>>>>
>>>> Did something change in newer versions of samba that I need to add
>>>> more config options?
>>>>
>>>
>>> Yes, there have been changes and no, you don't have to use them and
>>> they wouldn't cause your problem.
>>>
>>> Your smb.conf shows you are using the 'ad' backend and you say you are
>>> using the same smb.conf on both machines.
>>>
>>> So, why are these different:
>>>
>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>
>>> Which RFC2307 attributes have you added to AD ?
>>> The above user seems to have the same uidNumber, but Domain Users
>>> seems to have two different gidNumbers (8513 and 8000), the
>>> unixHomeDirectory also has two identities, as does loginShell
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
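Rowland's diagnosis above is a field-by-field comparison of the two getent lines plus the question of what the idmap settings actually resolve to. The script below does both mechanically; it is an added example, not code from this thread or from Samba. It reads an smb.conf the way Samba matches parameter names (ignoring case and whitespace, with a later duplicate overriding an earlier one) and reports every parameter that is set twice, as `idmap config * : range` is in the authconfig-generated file at the top of this message; it then checks the `idmap config` / `winbind nss info` settings that decide whether uidNumber, gidNumber, unixHomeDirectory and loginShell are taken from AD, and diffs two passwd entries by field. The smb.conf text and the two getent lines embedded in it are copied from the thread; the parser is a small ini-style reader, not Samba's loadparm.

```python
"""Lint a winbind smb.conf for the idmap/rfc2307 settings that decide where
uidNumber, gidNumber, unixHomeDirectory and loginShell come from, and diff
two getent passwd lines field by field. Added example, not code from the
thread or from Samba; the parser is a small ini-style reader, not Samba's
loadparm, and the sample config and passwd lines are copied from the thread."""
import re

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def canon(key):
    # Samba compares parameter names ignoring case and whitespace, so
    # "idmap config MIND:backend" and "idmap config MIND : backend" are one
    # parameter; mirror that so duplicates are seen the way Samba sees them.
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return ({section: {canon_key: value}}, warnings). A later duplicate
    overrides an earlier one, as in Samba; each override is reported."""
    conf, warnings, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":               # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            warnings.append(f"line {lineno}: unparsable: {raw!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = canon(key)
        if key in conf[section]:
            warnings.append(f"line {lineno}: {key!r} set again "
                            f"(was {conf[section][key]!r}, now {value!r})")
        conf[section][key] = value
    return conf, warnings

def check_rfc2307_idmap(conf, domain):
    """Findings about the settings that make winbind read unix attributes from AD."""
    g, d, findings = conf.get("global", {}), canon(domain), []
    if g.get(f"idmapconfig{d}:backend") != "ad":
        findings.append(f"idmap config {domain}:backend is not 'ad'")
    if g.get(f"idmapconfig{d}:schema_mode") != "rfc2307":
        findings.append(f"idmap config {domain}:schema_mode is not 'rfc2307'")
    if g.get("winbindnssinfo") != "rfc2307":
        findings.append("winbind nss info is not 'rfc2307': home directory and "
                        "shell come from the template settings, not from AD")
    if "idmapconfig*:backend" not in g:
        findings.append("idmap config * : backend is not set")
    # Both ranges must exist and must not overlap, or a locally allocated id
    # can collide with one taken from AD.
    ranges = {}
    for key, value in g.items():
        match = re.fullmatch(r"idmapconfig(.+):range", key)
        if match:
            ranges[match.group(1)] = tuple(int(p) for p in value.split("-"))
    for name in ("*", d):
        if name not in ranges:
            findings.append(f"idmap config {name} : range is not set")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings

def diff_passwd_entries(a, b):
    """Return {field: (a_value, b_value)} for the passwd fields that differ."""
    fa, fb = a.strip().split(":"), b.strip().split(":")
    if len(fa) != 7 or len(fb) != 7:
        raise ValueError("a passwd entry has exactly 7 colon-separated fields")
    return {n: (x, y) for n, x, y in zip(PASSWD_FIELDS, fa, fb) if x != y}

# Copied from the thread: the smb.conf as first posted (comments dropped) and
# the getent output from the Fedora and Ubuntu hosts.
SMB_CONF_ORIGINAL = """\
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
"""
FEDORA_ENTRY = "jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false"
UBUNTU_ENTRY = "jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash"

if __name__ == "__main__":
    conf, warnings = parse_smb_conf(SMB_CONF_ORIGINAL)
    print("findings:", check_rfc2307_idmap(conf, "MIND"), "warnings:", warnings)
    print("differs:", diff_passwd_entries(FEDORA_ENTRY, UBUNTU_ENTRY))
```

Run against the posted config the linter is clean, which matches Rowland's point that the smb.conf itself is not what differs; the passwd diff comes back with gid, home and shell, exactly the three attributes he lists. Run against the authconfig-generated file at the top of the message, the duplicate `idmap config * : range` shows up as a warning, and an overlapping `*` and domain range would be flagged as a finding.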