[Samba] Problems with NIS Server on Samba 4
Marcio Demetrio Bacci
marciobacci at gmail.com
Mon Aug 19 20:45:36 UTC 2019
Hi,
>Ah, I think I see the problem. If I remember correctly, you joined
>the Samba DC to a Windows DC and if you didn't have IDMU installed on
>the Windows DC, you wouldn't get the required objects in AD created on
>the Samba DC either.
Really, IDMU was not installed.
There is the file ypServ30.ldif
ls /usr/share/samba/setup/
...
ypServ30.ldif
But, I believe the extension is not enabled:
ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br
This way, do I need to install NIS (apt-get install nis) or only replace
the variables in the LDIF file with the domain distinguished name (DN), NetBIOS
name, and the NIS domain?
Regards,
Márcio Bacci
On Mon, 19 Aug 2019 at 11:53, Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 19/08/2019 15:12, Marcio Demetrio Bacci wrote:
> > Hi,
> > >How are you trying to create the Unix (RFC2307) attributes ?
> > I am following the article:
> >
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
> >
> > Open ADUC.
> > Right-click to a user account and choose properties.
> > Navigate to the "UNIX Attributes" tab.
> Do you have the IDMU server installed on the Windows DC ?
> >
> > >Also, what do you mean by 'it doesn't bother any NIS server' ?
> > Sorry, Google translated it wrong.
> > Did you mean: Not appear the domain name to select in the NIS Domain
> > field.
> >
> > >Do you mean that the RFC2307 attributes are not being used ?
> > No.
> OK
> > Do I need to change my smb.conf from:
> >
> > # Global parameters
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = EMPRESA
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > ldap server require strong auth = no
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> > To
> >
> > # Global parameters
> > [global]
> > workgroup = EMPRESA
> > realm = EMPRESA.COM.BR
> > netbios name = EMPRESA
> > server role = active directory domain controller
> > dns forwarder = 192.168.1.1
> > idmap_ldb:use rfc2307 = yes
> > ldap server require strong auth = no
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> > acl_xattr:ignore system acls = yes
> >
> Ah, I think I see the problem. If I remember correctly, you joined
> the Samba DC to a Windows DC and if you didn't have IDMU installed on
> the Windows DC, you wouldn't get the required objects in AD created on
> the Samba DC either.
>
> All the RFC2307 attributes are in the AD schema by default, so they are
> available for use.
>
> You have a few options:
>
> Check if IDMU is installed and install it if not.
>
> Install the ypServ30.ldif on the Samba DC
> (/usr/share/samba/setup/ypServ30.ldif), see here:
>
>
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions
>
> Write your own script using ldbmodify or ldapmodify to add the uidNumber
> & gidNumber attributes.
>
> You should be aware that even if you do any of the above, your users
> will still get Domain Users as their primary group on the DC.
>
> To get your AD users to show on your Samba AD DC, you need to have
> libnss-winbind, libpam-krb5 & libpam-winbind installed and ensure the
> 'passwd' & 'group' lines in /etc/nsswitch.conf look like this:
>
> passwd: compat winbind
> group: compat winbind
>
> If you do the above, you should get your users & groups without doing
> any of the above, but the IDs will be in the '3000000' range.
>
> Rowland
>
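An added example, not part of the thread and not Samba's own tooling: the "replace the variables in the LDIF file" step asked about above, done on a copy of the template, with a check that refuses any output still containing a `${...}` placeholder. The placeholder names `${DOMAINDN}`, `${NETBIOSNAME}` and `${NISDOMAIN}`, the function names and the sample template lines are assumptions constructed for illustration; compare them with your own ypServ30.ldif.

```sh
# Added example (not from the thread). Placeholder names are assumptions;
# check them against your copy of /usr/share/samba/setup/ypServ30.ldif.

# Constructed sample fragment, NOT the real contents of ypServ30.ldif.
sample_template() {
cat <<'EOF'
dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
cn: ypServ30

dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
msSFU30MasterServerName: ${NETBIOSNAME}
EOF
}

# Escape characters that are special in a sed replacement: \ & and the | delimiter.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# render_ldif TEMPLATE DOMAIN_DN NETBIOS_NAME NIS_DOMAIN
# Prints the rendered LDIF on stdout. Returns 1 (and prints nothing on stdout)
# if any ${...} placeholder survives, 2 if the template cannot be processed.
render_ldif() {
    [ -r "$1" ] || { echo "cannot read template: $1" >&2; return 2; }
    r_dn=$(sed_escape "$2")
    r_nb=$(sed_escape "$3")
    r_nis=$(sed_escape "$4")
    r_out=$(sed -e 's|[$]{DOMAINDN}|'"$r_dn"'|g' \
                -e 's|[$]{NETBIOSNAME}|'"$r_nb"'|g' \
                -e 's|[$]{NISDOMAIN}|'"$r_nis"'|g' "$1") || return 2
    # Report leftover placeholders with line numbers on stderr.
    if printf '%s\n' "$r_out" | grep -n '[$]{[A-Za-z_]*}' >&2; then
        echo "unreplaced placeholders remain; do not import this file" >&2
        return 1
    fi
    printf '%s\n' "$r_out"
}
```

Redirect the output to a new file and review it before importing it with the procedure from the wiki page linked in the thread; the template under /usr/share/samba/setup/ is only read, never modified.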