[Samba] Problems with NIS Server on Samba 4

Rowland Penny rpenny at samba.org
Mon Aug 19 14:52:01 UTC 2019


On 19/08/2019 15:12, Marcio Demetrio Bacci wrote:
> Hi,
> >How are you trying to create the Unix (RFC2307) attributes ?
> I am following the article: 
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
>
> Open ADUC.
> Right-click to a user account and choose properties.
> Navigate to the "UNIX Attributes" tab.
Do you have the IDMU server installed on the Windows DC ?
>
> >Also, what do you mean by 'it doesn't bother any NIS server' ?
> Sorry, Google translated it wrong.
> Did you mean: Not appear the domain name to select in the NIS Domain 
> field.
>
> >Do you mean that the RFC2307 attributes are not being used ?
> No.
OK
> Do I need change my smb.conf from:
>
> # Global parameters
> [global]
>  workgroup = EMPRESA
>  realm = EMPRESA.COM.BR
>  netbios name = EMPRESA
>  server role = active directory domain controller
>  dns forwarder = 192.168.1.1
>  ldap server require strong auth = no
>
> [netlogon]
>  path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
>  read only = No
>
> [sysvol]
>  path = /usr/local/samba/var/locks/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes
>
> To
>
> # Global parameters
> [global]
>  workgroup = EMPRESA
>  realm = EMPRESA.COM.BR
>  netbios name = EMPRESA
>  server role = active directory domain controller
>  dns forwarder = 192.168.1.1
>  idmap_ldb:use rfc2307 = yes
>  ldap server require strong auth = no
>
> [netlogon]
>  path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
>  read only = No
>
> [sysvol]
>  path = /usr/local/samba/var/locks/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes
>
Ah, I think I see the problem. If I remember correctly, you joined the 
Samba DC to a Windows DC and if you didn't have IDMU installed on 
the Windows DC, you wouldn't get the required objects in AD created on 
the Samba DC either.

All the RFC2307 attributes are in the AD schema by default, so they are 
available for use.

You have a few options:

Check if IDMU is installed and install it if not.

Install the ypServ30.ldif on the Samba DC 
(/usr/share/samba/setup/ypServ30.ldif), see here:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions

Write your own script using ldbmodify or ldapmodify to add the uidNumber 
& gidNumber attributes.

You should be aware that even if you do any of the above, your users 
will still get Domain Users as their primary group on the DC.

To get your AD users to show on your Samba AD DC, you need to have 
libnss-winbind, libpam-krb5 & libpam-winbind installed and ensure the 
'passwd' & 'group' lines in /etc/nsswitch.conf look like this:

passwd:         compat winbind
group:          compat winbind

If you do the above, you should get your users & groups without doing 
any of the above, but the IDs will be in the '3000000' range.

Rowland
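
One way to do the third option in the message above (a script that generates the LDIF for ldbmodify or ldapmodify), as an added example that is not part of the original message or Samba's own code. The DNs and ID numbers are constructed; the lower bound of 1000 and treating 3000000 upward as reserved for the DC's automatic IDs are assumptions.

```python
import base64

# Assumptions (not from the original message): IDs below 1000 are left to local
# system accounts, and 3000000 upward to the DC's automatically allocated IDs.
MIN_ID, AUTO_ID_FLOOR = 1000, 3000000

def ldif_attr(name, value):
    """One LDIF line; values that are not RFC 2849 SAFE-STRINGs are base64-encoded."""
    raw = value.encode("utf-8")
    safe = (all(0 < b < 128 and b not in (10, 13) for b in raw)
            and not raw.startswith((b" ", b":", b"<"))
            and not raw.endswith(b" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"

def build_ldif(users):
    """users: iterable of (dn, uidNumber, gidNumber). Returns LDIF modify records."""
    owner = {}  # uidNumber -> DN, to refuse two accounts sharing one Unix identity
    records = []
    for dn, uid, gid in users:
        for attr, num in (("uidNumber", uid), ("gidNumber", gid)):
            if not MIN_ID <= num < AUTO_ID_FLOOR:
                raise ValueError(f"{attr} {num} for {dn} is outside {MIN_ID}..{AUTO_ID_FLOOR - 1}")
        if uid in owner:
            raise ValueError(f"uidNumber {uid} given to both {owner[uid]} and {dn}")
        owner[uid] = dn
        # 'replace' creates the attribute when absent, so re-running is harmless
        records.append("\n".join([
            ldif_attr("dn", dn), "changetype: modify",
            "replace: uidNumber", f"uidNumber: {uid}", "-",
            "replace: gidNumber", f"gidNumber: {gid}", "-",
        ]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    # Constructed sample accounts in the EMPRESA domain from the smb.conf above
    sample = [
        ("CN=maria,CN=Users,DC=empresa,DC=com,DC=br", 10001, 10000),
        ("CN=João Silva,CN=Users,DC=empresa,DC=com,DC=br", 10002, 10000),
    ]
    # Review the output, then pass it to ldbmodify -H <path to sam.ldb> on the DC
    print(build_ldif(sample), end="")
```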





