[Samba] Using samba AD in mixed OS environment

Zdravko Zdravkov nirayah at gmail.com
Sun Apr 29 11:49:29 UTC 2018


Hi Rowland. I'll keep in mind that this is the wrong place for SSSD. The only
reason I'm using it is because it's easier to automate joining the clients
to the domain in kickstart install. I'm willing to drop it and go back to
winbind, if that's the problem. For me, everything sorta works. getent
passwd and id commands provide output as users and groups I've assigned to
them from the Windows AD users & groups tool, but then the troubles with
permissions begin.
I'll check the link you provided, although I'm pretty sure I've read it
already.

Thanks!

On Sun, Apr 29, 2018 at 12:17 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 29 Apr 2018 11:35:08 +0100
> Zdravko Zdravkov <nirayah at gmail.com> wrote:
>
> > So, so..
> >
> > Server and clients are CentOS7.
> > Server was configured using samba-tool domain provision.
> >
> > *smb.conf* from server
> >
> > [global]
> >
> > >         netbios name = AD
> > >         realm = XXXXXX
>
> I do hope that is actually 'realm = XXXXXX.XXX'
>
> > >         server role = active directory domain controller
> > >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > > drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >         workgroup = XXXX
> > >         idmap config XXXX:unix_nss_info = yes
>
> Wrong line, it should be 'idmap_ldb:use rfc2307  = yes'
>
> > >         log file = /var/log/samba/samba.log
> > >         log level = 3
> > > [netlogon]
> > >         path = /usr/local/samba/var/locks/sysvol/XXXXXX/scripts
> > >         read only = No
> > > [sysvol]
> > >         path = /usr/local/samba/var/locks/sysvol
> > >         read only = No
> >
> >
> >
> > *sssd.conf* from client
>
> As I said, wrong place for sssd, but from what I can see (it has been
> quite some time since I used sssd), you are not doing anything really
> out of the ordinary and as such, you do not need sssd. There is very
> little that sssd can do that winbind cannot AND you only need to
> configure one conf file instead of two.
>
> >
> > *nsswitch.conf* on client (part of it)
> >
> > passwd:     files sss
> > > shadow:     files sss
> > > group:      files sss
>
>
> Even allowing for 'sssd' this is wrong, 'sss' shouldn't be on the
> shadow line.
>
> >
> >
> >
> > getent passwd pj (for example) provides this:
> >
> > pj:*:1115001179:1115000513:xxxxxx:/home/pj:/bin/bash
> >
>
> Looks to me that you should be using the winbind 'rid' backend instead
>
> try reading this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
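
The three points the quoted reply makes about these files (a dotted realm, no 'idmap config' line on the DC, no 'sss' on the shadow line) written as a check. This is an added example, not code from either poster; the function names and finding codes are hypothetical, and the sample files are constructed from the redacted values quoted above.

```python
import re

DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def parse_global(text):
    """Return smb.conf [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf(5): case and whitespace in parameter names are ignored
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def lint_dc_smb_conf(text):
    """Findings for the realm and idmap points raised in the reply."""
    p, found = parse_global(text), []
    if "." not in p.get("realm", ""):
        found.append("realm-not-dotted")
    if p.get("serverrole", "").lower() in DC_ROLES:
        if any(k.startswith("idmapconfig") for k in p):
            found.append("idmap-config-on-dc")
    return found

def lint_nsswitch(text):
    """Flag 'sss' as a source on the shadow line."""
    for raw in text.splitlines():
        db, _, sources = raw.split("#", 1)[0].partition(":")
        if db.strip() == "shadow" and "sss" in sources.split():
            return ["sss-on-shadow"]
    return []

# Constructed samples: the redacted values quoted in the thread
SMB_AS_POSTED = """[global]
    netbios name = AD
    realm = XXXXXX
    server role = active directory domain controller
    workgroup = XXXX
    idmap config XXXX:unix_nss_info = yes
"""
SMB_AS_ADVISED = SMB_AS_POSTED.replace("realm = XXXXXX", "realm = XXXXXX.XXX").replace(
    "idmap config XXXX:unix_nss_info = yes", "idmap_ldb:use rfc2307 = yes")
NSS_AS_POSTED = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"

if __name__ == "__main__":
    print(lint_dc_smb_conf(SMB_AS_POSTED), lint_nsswitch(NSS_AS_POSTED))
```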

