[Samba] samba 4 ad member - idmap = ad for machine accounts
Kacper Wirski
k.wirski at babkamedica.pl
Mon Sep 18 11:57:29 UTC 2017
I posted already, but here it is again (it's everything, except it has
not 1 but ~10 SOMESHARE shares, all with the exact same config).
Full entry from smb.conf:
[global]
netbios name = VS-FILES
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
log file = /var/log/samba/%m.log
log level = 1
idmap config *:backend = tdb
idmap config *:range = 100-2000
# idmap config for domain MYDOMAIN
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 4000-99999
#I'm gonna remove enum users/groups as recommended
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 5
#i'm gonna remove this one too to avoid confusion
winbind use default domain = yes
winbind nss info = rfc2307
vfs objects = acl_xattr
map acl inherit = yes
admin users = "@MYDOMAIN\Domain Admins","@MYDOMAIN\Enterprise Admins"
store dos attributes = yes
[SOMESHARE1]
path = /home/shares/SOMESHARE1/
read only = no
[SOMESHARE2]
path = /home/shares/SOMESHARE2/
read only = no
......
[SOMESHARE10]
path = /home/shares/SOMESHARE10/
read only = no
.............
Correct me please if I'm wrong, but:
idmap = AD
means that winbind on the Samba 4 domain member, when idmapping domain
users, looks at the
gidNumber
uidNumber
attributes set in AD for these users when mapping Windows-to-Unix
users? At least these are the values I'm getting from the Samba 4 domain
member when using getent for domain users, and these values can be viewed
when looking at files from the Unix perspective.
At first I thought that setting those values for machine accounts, as
long as they're in the MYDOMAIN:range, should be enough, but I
was unable to make it work; I'm getting access denied.
Since changing from idmap = ad to idmap = rid fixes everything, it leads
me to believe some other attribute is checked by winbindd when doing
domain-to-local user mappings.
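As an added illustration (not the poster's own file or script), the following POSIX sh script checks two things a domain member with the idmap_ad backend depends on: that the default `*` range and the MYDOMAIN range do not overlap, and that each account's uidNumber and gidNumber fall inside the MYDOMAIN range, since idmap_ad only maps IDs that lie within the configured range. The smb.conf fragment and the getent-style lines (including the hypothetical machine accounts `vs-files$` and `oldbox$`, and all ID values) are constructed here to mirror the post; they are not data from the poster's domain.

```shell
#!/bin/sh
# Added example: sanity-check idmap ranges from an smb.conf fragment and
# test whether uidNumber/gidNumber values fall inside a domain's range.

# Constructed smb.conf fragment mirroring the idmap lines quoted in the post.
SMB_CONF_SAMPLE='[global]
   idmap config *:backend = tdb
   idmap config *:range = 100-2000
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 4000-99999
'

# Constructed "getent passwd" style lines: one user and two machine accounts
# (names ending in "$"), with hypothetical uidNumber/gidNumber values.
GETENT_SAMPLE='jdoe:*:4321:4001:John Doe:/home/MYDOMAIN/jdoe:/bin/bash
vs-files$:*:4500:4002:VS-FILES:/home/MYDOMAIN/vs-files_:/bin/false
oldbox$:*:1500:4002:OLDBOX:/home/MYDOMAIN/oldbox_:/bin/false'

# Escape a domain name for literal use in a sed BRE (the "*" domain matters).
sed_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# Print "LOW HIGH" from "idmap config <domain>:range = LOW-HIGH"; nothing if unset.
idmap_range() {
    dom=$(sed_escape "$1")
    printf '%s\n' "$SMB_CONF_SAMPLE" | sed -n \
      "s/^[[:space:]]*idmap config[[:space:]]*$dom[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p"
}

# Return 0 when two inclusive ranges LOW1 HIGH1 LOW2 HIGH2 overlap
# (idmap ranges in smb.conf must not overlap).
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Return 0 when numeric ID $1 lies inside the idmap range of domain $2.
id_in_domain_range() {
    set -- "$1" $(idmap_range "$2")
    [ -n "$2" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Check every account in GETENT_SAMPLE against domain $1's range; print one
# status line per account and return non-zero if any ID is outside the range.
check_accounts() {
    dom=$1
    bad=0
    while IFS=: read -r name pw uid gid rest; do
        [ -z "$name" ] && continue
        status=ok
        id_in_domain_range "$uid" "$dom" || status="uidNumber $uid outside $dom range"
        if [ "$status" = ok ]; then
            id_in_domain_range "$gid" "$dom" || status="gidNumber $gid outside $dom range"
        fi
        printf '%-12s %s\n' "$name" "$status"
        [ "$status" = ok ] || bad=1
    done <<EOF
$GETENT_SAMPLE
EOF
    return $bad
}

# Stand-alone run: report range overlap and per-account status for MYDOMAIN.
main() {
    set -- $(idmap_range '*') $(idmap_range MYDOMAIN)
    if ranges_overlap "$@"; then
        echo "WARNING: default (*) range $1-$2 overlaps MYDOMAIN range $3-$4"
    else
        echo "default (*) range $1-$2 and MYDOMAIN range $3-$4 do not overlap"
    fi
    check_accounts MYDOMAIN
    return 0
}
main "$@"
```

Run against a real member server by replacing the two constructed samples with the output of `testparm -s` and `getent passwd`; an account reported as outside the range is one that winbind, with backend = ad, will not map at all, which shows up on the client as access denied rather than as a mapping error.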