[Samba] winbind rfc2307 not being obeyed
Jeff Sadowski
jeff.sadowski at gmail.com
Mon Oct 30 16:58:01 UTC 2017
Nope, that just brute-forced homedir and shell. It'll work for what I
want this machine for, but I'd like to get the homedir and shell from
AD.
On Mon, Oct 30, 2017 at 10:54 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> My smb.conf file now looks like so
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2017/10/30 10:47:34
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = MIND
> password server = MIND.UNM.EDU
> realm = MIND.UNM.EDU
> security = ads
> idmap config * : range = 2000-7999
> template homedir = /na/homes/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
>
> #--authconfig--end-line--
> ; security = ads
> ; realm = MIND.UNM.EDU
> ; workgroup = MIND
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> winbind nss info = rfc2307
> ; winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes
> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the defaults
> #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
> ; template homedir=/na/homes/%U
> ; template shell=/bin/bash
>
> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> Fedora's authconfig must edit a bunch of files
>>
>> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>> I found what I needed to do
>>> DOMAIN=MIND.UNM.EDU
>>> SHORT=MIND
>>> authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
>>> --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
>>> --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
>>> --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
>>> --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
>>> --enablemkhomedir --enablewinbindusedefaultdomain --update
>>>
>>> This worked.
>>>
>>> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On Mon, 30 Oct 2017 09:49:24 -0600
>>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> OS:fedora-26
>>>>> SAMBA:4.6.8
>>>>> [root@squints ~]# cat /etc/samba/smb.conf
>>>>> [global]
>>>>> security = ads
>>>>> realm = MIND.UNM.EDU
>>>>> workgroup = MIND
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-7999
>>>>> idmap config MIND:backend = ad
>>>>> idmap config MIND:schema_mode = rfc2307
>>>>> idmap config MIND:range = 8000-9999999
>>>>> winbind nss info = rfc2307
>>>>> winbind use default domain = yes
>>>>> # so that the users show up in getent
>>>>> winbind enum users = yes
>>>>> # so that the groups show up in getent
>>>>> winbind enum groups = yes
>>>>> restrict anonymous = 2
>>>>> #added the following 2 for the Badlock updates that change the defaults
>>>>> #to no longer work with my domain controllers
>>>>> ldap server require strong auth = no
>>>>> client ldap sasl wrapping = plain
>>>>>
>>>>> [root@squints ~]# getent passwd jsadowski
>>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>>>
>>>>> however from an ubuntu machine with the same smb.conf it looks like so
>>>>> OS:ubuntu-16.04
>>>>> SAMBA:4.3.11
>>>>> root@daddles:~# getent passwd jsadowski
>>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>>
>>>>> which is how AD shows it as well.
>>>>>
>>>>> Did something change in newer versions of samba that I need to add
>>>>> more config options?
>>>>>
>>>>
>>>> Yes, there have been changes and no, you don't have to use them and
>>>> they wouldn't cause your problem.
>>>>
>>>> Your smb.conf shows you are using the 'ad' backend and you say you are
>>>> using the same smb.conf on both machines.
>>>>
>>>> So, why are these different:
>>>>
>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>
>>>> Which RFC2307 attributes have you added to AD ?
>>>> The above user seems to have the same uidNumber, but Domain Users
>>>> seems to have two different gidNumbers (8513 and 8000), the
>>>> unixHomeDirectory also has two identities, as does loginShell.
>>>>
>>>> Rowland
>>>>
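To make the difference between the two getent lines above concrete, here is an added checker (my own code, not from the thread or from Samba) that takes an smb.conf text and a getent passwd line, reports which configured idmap range the uid and gid fall into, and flags whether the homedir and shell equal the effective winbind template (the configured one, or Samba's built-in defaults /home/%D/%U and /bin/false when none is set). The smb.conf and the two getent lines are constructed from the messages above; the FEDORA/UBUNTU labels and all function names are mine.

```python
import re

# Constructed from the smb.conf and getent output quoted in the thread.
SMB_CONF = """[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
"""
FEDORA = "jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false"
UBUNTU = "jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash"

# Samba's built-in defaults when 'template homedir' / 'template shell' are unset.
DEFAULT_HOMEDIR, DEFAULT_SHELL = "/home/%D/%U", "/bin/false"

def param(conf, name, default):
    """Value of a global parameter; ';' or '#' comment lines never match."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*=\s*(.+?)\s*$", conf, re.I | re.M)
    return m.group(1) if m else default

def idmap_ranges(conf):
    """{DOMAIN: (low, high)} from each 'idmap config DOM : range = a-b' line."""
    pat = r"^\s*idmap config\s*([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {d.upper(): (int(lo), int(hi)) for d, lo, hi in re.findall(pat, conf, re.I | re.M)}

def range_for(ranges, xid):
    """Domain whose idmap range holds xid; '*' is the catch-all backend."""
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and lo <= xid <= hi:
            return dom
    return "*"

def analyze(conf, getent_line):
    name, _, uid, gid, _, home, shell = getent_line.split(":")
    tmpl_home = param(conf, "template homedir", DEFAULT_HOMEDIR)
    tmpl_home = tmpl_home.replace("%D", param(conf, "workgroup", "")).replace("%U", name)
    tmpl_shell = param(conf, "template shell", DEFAULT_SHELL)
    ranges = idmap_ranges(conf)
    # A value equal to the template means winbind fell back instead of using the
    # AD attribute (or the two coincide, in which case getent alone cannot tell).
    return {"uid_domain": range_for(ranges, int(uid)),
            "gid_domain": range_for(ranges, int(gid)),
            "home_is_template": home == tmpl_home,
            "shell_is_template": shell == tmpl_shell}
```

The Fedora line matches Samba's defaults, so winbind fell back to the template rather than reading the AD attributes, while the Ubuntu line did not; once authconfig sets template homedir to /na/homes/%U the template and the AD value coincide and getent alone can no longer tell them apart.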