[Samba] Domain member server: user access

Rowland Penny rpenny at samba.org
Mon Sep 25 14:58:26 UTC 2017


On Mon, 25 Sep 2017 16:39:50 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-09-25 at 16:29, Rowland Penny via samba wrote:
> 
> >> DC # samba-tool user create kamleitnerl Le26xxx
> >> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> >> --uid-number=10070 --login-shell=/bin/false --gid-number=100
> >>
> > 
> > Where did you get the GID '100' from ?
> > Is this the gidNumber for Domain Users ?
> 
> I think so:
> 
> # wbinfo --gid-info=100
> ARBEITSGRUPPE\domain users:x:100:

This is on the DC ?

> 
> ?
> 
> > Can you please post the smb.conf from the DC and DM.
> 
> Sure. We had both in an earlier thread, btw, but here again:
> 
> DC:
> 
> # samba-tool testparm
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
> 	netbios name = BACKUP
> 	realm = ARBEITSGRUPPE.MY.TLD
> 	workgroup = ARBEITSGRUPPE
> 	dns forwarder = 10.0.0.254
> 	server role = active directory domain controller
> 	idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/arbeitsgruppe.my.tld/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> DM:
> 
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[Daten]"
> Processing section "[Scans_Plotter]"
> Loaded services file OK.
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
> 	realm = ARBEITSGRUPPE.MY.TLD
> 	workgroup = ARBEITSGRUPPE
> 	log file = /var/log/samba/%m.log
> 	load printers = No
> 	printcap name = /dev/null
> 	security = ADS
> 	username map = /etc/samba/user.map
> 	winbind nss info = rfc2307
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	idmap config arbeitsgruppe:schema_mode = rfc2307
> 	idmap config arbeitsgruppe:range = 10000-9999999
> 	idmap config arbeitsgruppe:backend = ad
> 	idmap config * : range = 2000-2999
> 	idmap config * : backend = tdb
> 

Yes, it is the DC and Domain Users does not have a gidNumber attribute,
otherwise it wouldn't be showing '100'. Unless, for some very strange
reason, Domain Users does have the gidNumber '100'. In which case, no
Unix users will be found, because '100' isn't inside the range
'10000-9999999'.

Rowland
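
The range check described in the reply above, as an added example that is not part of the original thread: a Python sketch that parses the `idmap config` range lines from the DM's smb.conf (copied in as sample input) and tests the uidNumber and gidNumber passed to `samba-tool user create`. The function names are hypothetical.

```python
import re

# Sample input: the idmap lines from the DM's testparm output quoted above.
DM_CONF = """\
[global]
    workgroup = ARBEITSGRUPPE
    idmap config arbeitsgruppe:schema_mode = rfc2307
    idmap config arbeitsgruppe:range = 10000-9999999
    idmap config arbeitsgruppe:backend = ad
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb
"""

# "idmap config <DOMAIN> : <option> = <value>", spaces around ':' optional.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config ... range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(part) for part in m.group(3).split("-", 1))
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def domain_for_id(conf_text, unix_id):
    """Name the idmap domain whose range contains unix_id, or None."""
    for domain, (low, high) in parse_idmap_ranges(conf_text).items():
        if low <= unix_id <= high:
            return domain
    return None

def check_ids(conf_text, domain, ids):
    """For each named ID, report whether it lies inside the domain's range."""
    ranges = parse_idmap_ranges(conf_text)
    if domain.upper() not in ranges:
        raise ValueError(f"no idmap range configured for {domain}")
    low, high = ranges[domain.upper()]
    return {name: low <= value <= high for name, value in ids.items()}

if __name__ == "__main__":
    # Values from the 'samba-tool user create' command quoted above.
    print(check_ids(DM_CONF, "ARBEITSGRUPPE", {"uidNumber": 10070, "gidNumber": 100}))
    print(domain_for_id(DM_CONF, 100))
```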