[Samba] Having problem with RID backend - must be missing something
Rowland Penny
rpenny at samba.org
Fri Sep 14 08:56:45 UTC 2018
On Thu, 13 Sep 2018 23:41:42 -0400 (EDT)
Rich Webb via samba <samba at lists.samba.org> wrote:
> Greetings,
>
> I currently am using Samba 4.8.5 as an AD DC on one server - working
> great! I am also using 4.8.5 on another server joined as a member
> server and I'm trying to configure the RID idmap backend and I
> believe I have the settings correct but when I try to access a share
> on the server from a joined Windows machine I am getting prompted for
> credentials.
>
What OS ?
If it is debian, do you have libpam_krb5 installed ?
Snip
> Another piece to the puzzle is that I had this configured and working
> with the AD backend but I wanted to try to set it up a little simpler
> so that I don't have to select unix attributes every time I create a
> new user. So due to this some of my users already have the unix
> attributes assigned to them in the AD. The one that I am testing
> with (that is asking for credentials) does not. In fact the behavior
> that I am seeing is identical to that of having created a new user
> and forgetting to add the unix attributes. The result is no access
> to the file server shares.
Having rfc2307 attributes in AD shouldn't affect the way the 'rid'
backend works.
>
> Some background is that There is only ever going to be one file
> server in this setup and one or two domain controllers but all
> running samba 4. No network users are ever going to log into the
> linux servers - they will all be Windows users accessing file
> shares. Samba was compiled from source - only change on the file
> server compile was that I included --without-ad-dc.
>
> I tried to follow the wiki on Setting up Samba as a domain member.
Did you find it easy to understand ?
>
> I hope I have included enough information for someone to go "Ah Ha!"
> and know exactly what is wrong with my setup here.
>
Well, No ;-)
there doesn't seem to be anything really wrong, I would use this
smb.conf:
[global]
workgroup = CUSTOMER
security = ADS
realm = CUSTOMER.LOCAL
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config CUSTOMER:backend = rid
idmap config CUSTOMER:range = 10000-999999
winbind use default domain = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
[Shared]
writeable = yes
path = /server/shared
[AdminOnly]
writeable = yes
path = /server/adminonly
You only need the kerberos lines if you are going to connect to AD with
something like squid.
What packages did you install to make Samba work ?
Rowland
More information about the samba
mailing list