[Samba] ADS Domain Member - getent problem
Rowland Penny
rpenny at samba.org
Wed Jan 10 18:31:34 UTC 2018
On Wed, 10 Jan 2018 18:43:37 +0100
Franz Gansberger via samba <samba at lists.samba.org> wrote:
> Hello List,
> I'm running a Samba ADS on Debian 9, Samba version 4.5.12-Debian.
> Right now I'm trying to add a domain member, also running Samba
> version 4.5.12-Debian. Thanks to Louis and Rowland, this howto guided
> me a lot in the right direction:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> But right now I'm stuck. It seems that the configuration is OK:
> AD members are successfully joined, I can ping via "wbinfo
> --ping-dc", all the tests regarding name resolution are working, and
> of course I get the complete list of users and groups via wbinfo
> -u or wbinfo -g on the member servers. :-)
>
> The users are maintained via ADUC on the DC, and every user and group
> has its UID assigned.
>
> Surprisingly, only "getent group" generates the list of groups with
> the correct IDs on the domain members. I tried this at two different
> members. "getent passwd demo1" (or "getent passwd "H950\demo1"")
> generates nothing.
From your smb.conf below, 'getent passwd demo1' should work.
>
>
> This is the config file from the domain member - smb.conf
>
> [global]
> security = ADS
> workgroup = H950
> realm = H950.SOME.DOMAIN
> log file = /var/log/samba/%m.log
> log level = 5
>
> #map untrusted to domain = Yes
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 20000-20999
>
> idmap config H950:default = true
> idmap config H950:schema mode = rfc2307
> idmap config H950:backend = ad
> idmap config H950:range = 500-9999
> idmap config H950:unix_nss_info = yes
> idmap config H950:unix_primary_group = yes
> winbind nss info = rfc2307
You are using Samba 4.5.12; the above setup is for 4.6.x.
Change the 'idmap config H950' block to this:
idmap config H950:backend = ad
idmap config H950:schema mode = rfc2307
idmap config H950:range = 500-9999
winbind nss info = rfc2307
Ensure that Domain Users has a gidNumber attribute containing a number
inside the '500-9999' range (I may have already said this, but
'500-9999' isn't a good range to use).
>
> username map = /etc/samba/user.map
> acl allow execute always = True
> unix charset = UTF8
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
You do not need the 'winbind enum' lines; the only thing they really do
is slow Samba down.
> winbind refresh tickets = yes
You should also add:
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Rowland
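As an added illustration (not from the thread and not Samba's own tooling), this Python checker parses an idmap block like the one quoted above and reports the three things Rowland's reply turns on: 4.6-only keys on a 4.5 install, overlapping idmap ranges, and a Domain Users gidNumber outside the AD domain's range. The sample config, the 4.6 version threshold and the gidNumber values passed in are constructed assumptions.

```python
import re

# Constructed smb.conf fragment, modelled on the idmap block quoted in the thread.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 20000-20999
idmap config H950:default = true
idmap config H950:schema mode = rfc2307
idmap config H950:backend = ad
idmap config H950:range = 500-9999
idmap config H950:unix_nss_info = yes
idmap config H950:unix_primary_group = yes
winbind nss info = rfc2307
"""

# Keys the reply drops from the 4.5.x block because they belong to 4.6.x (assumed threshold).
KEYS_46_ONLY = {"default", "unix_nss_info", "unix_primary_group"}
IDMAP_RE = re.compile(r"^\s*idmap config\s*([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$")

def parse_idmap(conf):
    """Group 'idmap config <domain>:<key> = <value>' lines by domain name."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return idmap

def check_idmap(conf, samba_version, domain_users_gid):
    """Return a list of problems; an empty list means the block passes all three checks."""
    problems = []
    idmap = parse_idmap(conf)
    ranges = {d: tuple(int(x) for x in c["range"].split("-", 1)) for d, c in idmap.items() if "range" in c}
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # every idmap range must be disjoint from every other
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of '{a}' and '{b}' overlap")
    for dom, cfg in idmap.items():
        if dom == "*":
            continue  # the '*' block only covers BUILTIN/local accounts
        if samba_version < (4, 6):
            for key in sorted(KEYS_46_ONLY & cfg.keys()):
                problems.append(f"'{dom}:{key}' needs Samba 4.6+, remove it")
        if cfg.get("backend") == "ad" and dom in ranges:  # ad backend: gidNumber must fall in range
            lo, hi = ranges[dom]
            if not lo <= domain_users_gid <= hi:
                problems.append(f"Domain Users gidNumber {domain_users_gid} is outside {lo}-{hi}")
    return problems
```

Run `check_idmap(SMB_CONF, (4, 5, 12), <gidNumber of Domain Users>)` against the real smb.conf to get the same findings the reply makes by eye.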