[Samba] winbind, nsswitch, AD and group membership caching?
rpenny at samba.org
Fri Jun 1 12:13:46 UTC 2018
On Fri, 01 Jun 2018 13:13:21 +0200
Kristian via samba <samba at lists.samba.org> wrote:
> Hi Rowland;
> On Friday, 01.06.2018, 11:42 +0100, Rowland Penny via
> > OK, how are you running the Unix domain members ?
> > Are you using the 'ad' or the 'rid' winbind backend ?
> > If you are using the 'ad' backend, have you given the groups a
> > gidNumber ?
> Hmm, I only have these statements relating to winbind and idmap in my
> smb.conf; this hasn't changed in ages on our samba systems but so far
> we never tried to use this config for ssh login and really working
> with multiple groups, just for user/group name mapping:
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
Sorry, but that is not enough, you need lines for the DOMAIN
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> Should I change that first statement (* backend) to ad then?
No, those lines are perfectly correct for the '*' domain (which is
basically the well-known SIDs and anything outside the DOMAIN).
If you do not have any uidNumber & gidNumber attributes in AD (and you
won't have, unless somebody added them, they do not 'magically' appear),
you will need lines like these:
idmap config YOUR_DOMAIN : backend = rid
idmap config YOUR_DOMAIN : range = 10000-999999
> It does assign uids and gids as far as I can tell, but these seem in
> some way "mixed up" too; while logging in via ssh or doing "groups",
> the system complains that one or two group gids can't be resolved to
> > Try running 'net cache flush' on the Unix domain member.
> Already tried that before, no result.
See this wiki page for more info:
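As an added example (not code from the thread or from Samba), a small Python check that reads the idmap lines of an smb.conf and flags the problem described above: a '*' block with no matching DOMAIN block, plus missing backend/range lines and overlapping ranges, which Samba requires to be disjoint. The two smb.conf fragments are constructed from the lines quoted in this thread, and YOUR_DOMAIN stands in for the real domain name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's fragment (only the '*' domain is
# configured) and the same fragment with the DOMAIN lines from the reply.
ORIGINAL_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   winbind use default domain = Yes
"""
FIXED_SMB_CONF = ORIGINAL_SMB_CONF + """
   idmap config YOUR_DOMAIN : backend = rid
   idmap config YOUR_DOMAIN : range = 10000-999999
"""
# Matches 'idmap config <name> : backend|range = <value>'; spacing is flexible.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {idmap_name: {'backend': ..., 'range': ...}} for every idmap block."""
    found: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            found.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return found

def check_idmap(conf: str, domain: str) -> List[str]:
    """List idmap problems; an empty list means the layout looks sane."""
    cfg = parse_idmap(conf)
    problems: List[str] = []
    if domain not in cfg:
        problems.append(f"no 'idmap config {domain}' lines: domain users and "
                        "groups get IDs allocated from the '*' tdb range")
    ranges: Dict[str, Tuple[int, int]] = {}
    for name, kv in cfg.items():
        if "backend" not in kv:
            problems.append(f"{name}: backend not set")
        if "range" not in kv:
            problems.append(f"{name}: range not set")
            continue
        lo, hi = (int(x) for x in kv["range"].split("-"))
        ranges[name] = (lo, hi)
    # Every idmap range must be disjoint; overlap makes ID<->SID mapping ambiguous.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Run it against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read(), "YOUR_DOMAIN")` after substituting the actual domain name.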