[Samba] Configured AD backend but getting different uid and gid
Alfonso Conner
c1581634 at gmail.com
Tue Apr 23 03:40:43 UTC 2019
Hi Samba Team,
I hope I have sent my enquiries to the correct address list.
I need advice and support from the team. Here's the summary of my issues.
I have tried to provide as much detail and information as possible.
Due to the business nature of my company, I have a mixture of Windows (XP,
7, 8/10 in future) and Linux RHEL workstations (5U6, 5U8, 5U11, 6/7 in
future).
I have an existing Samba PDC VM server (CentOS 6.10) hosting Windows
clients (XP, 7).
I was tasked with researching ways to allow Windows 10 PCs to join Samba and
followed the Classic Upgrade.
This was done following the setup guide from the Samba website, and I am happy
that Windows 10 is able to join Samba AD while existing XP and 7 clients are
still able to log in without issues.
My next task is to join Linux workstations to Samba AD to centralize all
login accounts.
These accounts need to have the same uid and gid for access to existing
file servers using the correct NFS and CIFS credentials.
After studying, I decided that using ad as the backend would be a suitable
choice for me.
However, I have faced difficulties getting the same uid and gid for my
domain users after my Linux workstations join Samba AD.
Configurations as follows:
Samba PDC
Hostname: DC1
Workgroup: EXAMPLE.COM
Samba version for classic upgrade: 4.8.5
Packages installed: gcc python-devel gnutls-devel libacl-devel
openldap-devel pam-devel bind-utils krb5-workstation
Samba AD smb.conf configuration
Samba does not allow me to use the same value for realm and workgroup
[global]
netbios name = DC1
realm = NEWEXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE.COM
idmap_ldb:use rfc2307 = yes
client max protocol = NT1
ldap server require strong auth = no
template shell = /bin/bash
template homedir = /home/%U
Kerberos configuration
[libdefaults]
default_realm = NEWEXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
No issues running wbinfo -u, wbinfo -g, getent passwd DOMAIN\\USER
EXAMPLE.COM\administrator
EXAMPLE.COM\krbtgt
EXAMPLE.COM\guest
EXAMPLE.COM\Users
..
..
..
I cannot change my netbios name nor change my AD server hostname, as I found
out that my Linux member gets a SPNEGO invalid credentials error and is unable
to join the AD domain.
Samba domain member smb.conf, using RHEL 5U11 for testing
Packages installed: samba3x-winbind-3.6.23-6.el5
system-config-samba-1.2.41-5.el5 samba3x-client-3.6.23-6.el5
samba3x-swat-3.6.23-6.el5 samba3x-3.6.23-6.el5
member smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = EXAMPLE.COM
realm = NEWEXAMPLE.COM
server string = Samba Server Version %v
security = ADS
username map = /etc/samba/user.map
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
idmap config NEWEXAMPLE.COM : unix_primary_group = yes
idmap config NEWEXAMPLE.COM : unix_nss_info = yes
idmap config NEWEXAMPLE.COM : range = 1001-9999
idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
idmap config NEWEXAMPLE.COM : backend = ad
idmap config * : range = 10001-99999
idmap config * : backend = tdb
map acl inherit = Yes
cups options = raw
store dos attributes = Yes
vfs objects = acl_xattr
AD Member krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NEWEXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
After joining AD, I am able to get results from wbinfo and getent passwd,
but domain users' uid and gid start from the "*" range.
I have ensured all computers, users and groups have an assigned uid and gid
using RSAT from a Windows 7 client, and I am able to see the Unix attributes
in the Attribute Editor.
Please advise; I would appreciate a response.
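As an added example (not part of the original post), a small Python check over the idmap lines of a member smb.conf: it reports when the `workgroup` domain has no per-domain `idmap config` block (Samba keys those blocks by the NetBIOS domain name, so a domain without one falls through to the `*` default backend), when a block names the realm instead, and when ranges are malformed or overlap. The configuration embedded in it is a constructed sample based on the member smb.conf above.

```python
import re

# Constructed sample: the idmap-relevant lines from the member smb.conf above.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE.COM
realm = NEWEXAMPLE.COM
idmap config NEWEXAMPLE.COM : range = 1001-9999
idmap config NEWEXAMPLE.COM : backend = ad
idmap config * : range = 10001-99999
idmap config * : backend = tdb
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
KV_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(.+?)\s*$")
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")

def parse_idmap(conf):
    """Return (plain global key/values, {DOMAIN: {idmap key: value}})."""
    plain, idmap = {}, {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
        elif m := KV_RE.match(line):
            plain[m[1].lower()] = m[2]
    return plain, idmap

def check_idmap(conf):
    """Report idmap layout problems that push AD users into the '*' range."""
    plain, idmap = parse_idmap(conf)
    wg, realm = plain.get("workgroup", "").upper(), plain.get("realm", "").upper()
    findings, ranges = [], {}
    # Samba keys per-domain idmap settings by the NetBIOS domain name (the
    # 'workgroup' value); a domain without its own block falls back to '*'.
    if wg and wg not in idmap:
        findings.append(f"no 'idmap config {wg}' block; {wg} users get the '*' backend")
    for dom, kv in idmap.items():
        if dom not in ("*", wg):  # legitimate only for a trusted domain's NetBIOS name
            hint = " (this is the realm, not the NetBIOS domain)" if dom == realm else ""
            findings.append(f"'idmap config {dom}' matches no workgroup{hint}")
        m = RANGE_RE.fullmatch(kv.get("range", ""))
        if not m or int(m[1]) >= int(m[2]):
            findings.append(f"'{dom}': missing or malformed range")
        else:
            ranges[dom] = (int(m[1]), int(m[2]))
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of '{a}' and '{b}' overlap")
    return findings
```

With the `ad` backend, a user whose AD uidNumber or gidNumber lies outside the domain's configured range is not mapped at all, so the range should cover the values assigned through RSAT.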