[Samba] Domain member server: user access
Rowland Penny
rpenny at samba.org
Tue Sep 26 11:05:57 UTC 2017
On Tue, 26 Sep 2017 12:49:26 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
>
> > I'm pretty sure this is a bug in the DC part.
>
> Ahem, sorry, but I'm lost in following this thread. I've just set up my
> test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
> Louis) on a Debian Jessie.
>
> Very minimal configuration:
>
> root@vdcsv1:~# samba-tool testparm
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> netbios name = VDCSV1
> realm = AD.FVG.LNF.IT
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = LNFFVG
> server role = active directory domain controller
> template homedir = /home/%U
> template shell = /bin/bash
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.fvg.lnf.it/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> and I've created a user:
>
> samba-tool user add gaio --use-username-as-cn --surname=Gaiarin
> --given-name=Marco --unix-home=/home/gaio --uid=gaio
> --uid-number=10000 --gecos="Marco Gaiarin" --login-shell=/bin/bash
>
> and now:
>
> root@vdcsv1:~# id gaio
> uid=10000(LNFFVG\gaio) gid=100(users)
> gruppi=100(users),10000(LNFFVG\unixadm),3000008(LNFFVG\domain
> admins),3000005(LNFFVG\denied rodc password replication
> group),3000005(LNFFVG\denied rodc password replication
> group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>
> root@vdcsv1:~# getent group "Domain Users"
> LNFFVG\domain users:x:100:

Try running 'net cache flush' then run the above command again.

> root@vdcsv1:~# wbinfo -G 100
> S-1-5-21-160080369-3601385002-3131615632-513
>
> I've done something wrong, or is it the domain provisioning in samba-tool
> that associates 'Domain Users' to gid 100?

No, you haven't done anything wrong and yes the provision does set
Domain Users to '100' in idmap.ldb.

> Another question: there's no way to modify users and groups with
> samba-tool? I need to drop 'domain users' and recreate it? ;-)

Do not remove Domain Users, but you are correct, there is no way to
modify a user or group with samba-tool (you can do this for a user with
4.7.0), but you can use ldbedit.

Rowland