[Samba] Configured AD backend but getting different uid and gid

Alfonso Conner c1581634 at gmail.com
Thu Apr 25 09:53:44 UTC 2019


Hi,

Thanks for the advice. I know these are already EOL, but please bear with me
on that. I also use CentOS 7 and Windows 10 for further testing. Anyway,
I found out it was due to my "idmap DOMAIN : range" value in smb.conf not
being set to the correct range.
Another thing is that the libnss-winbind package must be installed
properly.
After these things were resolved, I managed to see the correct uid and gid.
;-)

I have another problem and would like to know whether there is any
configuration to trigger a logon script when a Domain User logs in to a Linux
machine?
My understanding is that for Windows, I can use RSAT, go to the User account
properties -> Profile -> Logon script and put in the file name.

I would appreciate any advice.

On Tue, Apr 23, 2019 at 4:09 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 23 Apr 2019 11:40:43 +0800
> Alfonso Conner via samba <samba at lists.samba.org> wrote:
>
> >  Hi Samba Team,
> >
> > I hope I have sent my enquiries to the correct mailing list.
> > I need advice and support from the team. Here's the summary of my
> > issues. I have tried to provide as much detail and information as I can.
> >
> > Due to the business nature of my company, I have a mixture of Windows
> > (XP, 7, 8/10 in future) and Linux RHEL workstations (5U6, 5U8, 5U11,
> > 6/7 in future).
> > I have an existing Samba PDC VM Server (CentOS 6.10) hosting the
> > Windows clients (XP, 7).
> > I am tasked to research ways to allow Windows 10 PC to join Samba and
> > followed the Classic Upgrade.
> > This was done following the setup guide from the Samba website, and I am
> > happy that Windows 10 is able to join the Samba AD with the existing XP
> > and 7 machines still able to log in without issues.
> >
> > My next task is to join Linux workstations to Samba AD to centralize
> > all login accounts.
> >
> > These accounts need to have the same uid and gid for access to the
> > existing file servers using the correct NFS and CIFS credentials.
> > After studying this, I decided that using ad as the backend would be the
> > suitable choice for me.
> >
> > However, I have faced difficulties getting the same uid and gid for my
> > domain users after my Linux workstations join Samba AD.
> >
> >
> > Configurations as follows:
> >
> > Samba PDC
> > Hostname: DC1
> > Workgroup: EXAMPLE.COM
> >
> > Samba version for classic upgrade: 4.8.5
> > Packages installed: gcc python-devel gnutls-devel libacl-devel
> > openldap-devel pam-devel bind-utils krb5-workstation
> >
> > Samba AD smb.configuration
> > Samba does not allow me to use the same value for realm and workgroup
> > [global]
> >         netbios name = DC1
> >         realm = NEWEXAMPLE.COM
> >         server role = active directory domain controller
> >         workgroup = EXAMPLE.COM
> >         idmap_ldb:use rfc2307 = yes
> >         client max protocol = NT1
> >         ldap server require strong auth = no
> >         template shell = /bin/bash
> >         template homedir = /home/%U
> >
> > Kerberos configuration
> > [libdefaults]
> >         default_realm = NEWEXAMPLE.COM
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > No issues running wbinfo -u, wbinfo -g, getent passwd DOMAIN\\USER
> > EXAMPLE.COM\administrator
> > EXAMPLE.COM\krbtgt
> > EXAMPLE.COM\guest
> > EXAMPLE.COM\Users
> > ..
> > ..
> > ..
> >
> > I cannot change my netbios name nor change my AD Server hostname, as I
> > found out my Linux member will get a SPNEGO invalid credentials error and
> > be unable to join the AD Domain.
> >
> > Samba Domain member smb.conf using RHEL 5U11 for testing
> > Packages installed: samba3x-winbind-3.6.23-6.el5
> > system-config-samba-1.2.41-5.el5 samba3x-client-3.6.23-6.el5
> > samba3x-swat-3.6.23-6.el5 samba3x-3.6.23-6.el5
> >
> > member smb.conf
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > [global]
> >         workgroup = EXAMPLE.COM
> >         realm = NEWEXAMPLE.COM
> >         server string = Samba Server Version %v
> >         security = ADS
> >         username map = /etc/samba/user.map
> >         template homedir = /home/%U
> >         template shell = /bin/bash
> >         winbind enum users = Yes
> >         winbind enum groups = Yes
> >         winbind use default domain = Yes
> >         winbind nss info = rfc2307
> >         winbind refresh tickets = Yes
> >         winbind offline logon = Yes
> >         idmap config NEWEXAMPLE.COM : unix_primary_group = yes
> >         idmap config NEWEXAMPLE.COM : unix_nss_info = yes
> >         idmap config NEWEXAMPLE.COM : range = 1001-9999
> >         idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
> >         idmap config NEWEXAMPLE.COM : backend = ad
> >         idmap config * : range = 10001-99999
> >         idmap config * : backend = tdb
> >         map acl inherit = Yes
> >         cups options = raw
> >         store dos attributes = Yes
> >         vfs objects = acl_xattr
> >
> > AD Member krb5.conf
> >
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  default_realm = NEWEXAMPLE.COM
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
> >  ticket_lifetime = 24h
> >  forwardable = yes
> >
> > [appdefaults]
> >  pam = {
> >    debug = false
> >    ticket_lifetime = 36000
> >    renew_lifetime = 36000
> >    forwardable = true
> >    krb4_convert = false
> >  }
> >
> > After joining the AD, I am able to get results from wbinfo and getent
> > passwd, but I am getting Domain Users' uid and gid starting from the "*"
> > range. I have ensured all Computers, Users and Groups have assigned uid
> > and gid using RSAT from a Windows 7 client and am able to see the Unix
> > attributes in the Attribute editor.
> >
> > Please advise; I would appreciate a response.
>
> el5 ? Samba 3.6.23 ? XP ? these are all EOL and more specifically
> your smb.conf contains idmap config unknown to your Samba version.
>
> Your 'future' needs to be now.
>
> There is nothing intrinsically wrong with your conf files, they just
> aren't for your old systems ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

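The range problem the poster describes (RFC2307 uid/gid values stored in AD, a domain member that nevertheless hands out IDs from the "*" range, and a fix that turned out to be the `idmap config DOMAIN : range` value) comes down to two documented idmap constraints: the ad backend treats its range as a filter and discards any uidNumber/gidNumber outside it, and idmap ranges (including the `*` default) must not overlap. The following is an added example, not code from the thread or from Samba: a small checker that parses the idmap stanzas out of an smb.conf and reports both conditions. The smb.conf fragment reuses the two ranges quoted above; the user names and uidNumber/gidNumber values are constructed for the example and are not the poster's data.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment, modelled on the member config quoted in the
# thread. The two "range" values are the ones posted; everything else here is
# an illustrative assumption, not the poster's file.
SMB_CONF = """
[global]
        workgroup = EXAMPLE.COM
        realm = NEWEXAMPLE.COM
        security = ADS
        winbind nss info = rfc2307
        idmap config NEWEXAMPLE.COM : backend = ad
        idmap config NEWEXAMPLE.COM : schema_mode = rfc2307
        idmap config NEWEXAMPLE.COM : range = 1001-9999
        idmap config * : backend = tdb
        idmap config * : range = 10001-99999
"""

# Constructed (uidNumber, gidNumber) values of the kind set through RSAT's Unix
# attributes. These are assumptions for the example, not data from the thread.
AD_IDS: Dict[str, Tuple[int, int]] = {
    "alice": (12001, 12000),      # both IDs above the ad range's upper bound
    "bob": (12002, 12000),
    "svc_backup": (5001, 5000),   # both IDs inside the ad range
}

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN : option = value' lines, keyed by domain."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[option] = value
    return cfg


def parse_range(text: str) -> Tuple[int, int]:
    """'1001-9999' -> (1001, 9999); rejects malformed or inverted ranges."""
    parts = text.replace(" ", "").split("-")
    if len(parts) != 2:
        raise ValueError(f"bad idmap range {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if low > high:
        raise ValueError(f"inverted idmap range {text!r}")
    return low, high


def overlapping_ranges(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap. Samba requires every idmap
    range, the '*' default included, to be disjoint from the others."""
    spans = [(d, parse_range(o["range"])) for d, o in cfg.items() if "range" in o]
    clashes: List[Tuple[str, str]] = []
    for i, (d1, (l1, h1)) in enumerate(spans):
        for d2, (l2, h2) in spans[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                clashes.append((d1, d2))
    return clashes


def check_rfc2307_ids(
    cfg: Dict[str, Dict[str, str]], domain: str, ids: Dict[str, Tuple[int, int]]
) -> Dict[str, List[str]]:
    """For an 'idmap config DOMAIN : backend = ad' stanza, list every uidNumber
    or gidNumber that falls outside DOMAIN's range. idmap_ad uses the range as
    a filter: an ID outside it is ignored and the mapping discarded, so the
    user does not receive the uid/gid that was set in AD."""
    opts = cfg.get(domain.upper())
    if opts is None or opts.get("backend", "").lower() != "ad":
        raise KeyError(f"no 'idmap config {domain} : backend = ad' stanza found")
    low, high = parse_range(opts["range"])
    report: Dict[str, List[str]] = {}
    for name, (uid, gid) in ids.items():
        problems = []
        for attr, value in (("uidNumber", uid), ("gidNumber", gid)):
            if not low <= value <= high:
                problems.append(f"{attr} {value} outside {low}-{high}")
        report[name] = problems
    return report


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for pair in overlapping_ranges(cfg):
        print("overlapping idmap ranges:", pair)
    for user, problems in check_rfc2307_ids(cfg, "NEWEXAMPLE.COM", AD_IDS).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

With the posted 1001-9999 range, `alice` and `bob` are flagged on both attributes while `svc_backup` passes; simply widening the ad range to 1001-19999 then trips the overlap check against the `*` range (10001-99999), so the default range has to move as well. In a real deployment the constructed `AD_IDS` table would be replaced by the uidNumber/gidNumber values read from the directory, for instance with an LDAP query against the DC.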
