[Samba] Problems with NIS Server on Samba 4

Marcio Demetrio Bacci marciobacci at gmail.com
Mon Aug 19 20:45:36 UTC 2019


Hi,

>Ah, I think I see the problem. If I remember correctly, you joined the
>Samba DC to a Windows DC and if you didn't have IDMU installed on
>the Windows DC, you wouldn't get the required objects in AD created on
>the Samba DC either.

Really, IDMU was not installed.


There is the file ypServ30.ldif
ls /usr/share/samba/setup/
...
 ypServ30.ldif

But, I believe the extension is not enabled:

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br cn
search error - No such Base DN: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=empresa,DC=com,DC=br


So, do I need to install NIS (apt-get install nis), or only replace
the variables in the LDIF file with the domain distinguished name (DN), NetBIOS
name, and the NIS domain?

Regards,

Márcio Bacci

On Mon, 19 Aug 2019 at 11:53, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 19/08/2019 15:12, Marcio Demetrio Bacci wrote:
> > Hi,
> > >How are you trying to create the Unix (RFC2307) attributes ?
> > I am following the article:
> >
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
> >
> > Open ADUC.
> > Right-click to a user account and choose properties.
> > Navigate to the "UNIX Attributes" tab.
> Do you have the IDMU server installed on the Windows DC ?
> >
> > >Also, what do you mean by 'it doesn't bother any NIS server' ?
> > Sorry, Google translated it wrong.
> > Did you mean: The domain name does not appear for selection in the NIS Domain
> > field.
> >
> > >Do you mean that the RFC2307 attributes are not being used ?
> > No.
> OK
> > Do I need to change my smb.conf from:
> >
> > # Global parameters
> > [global]
> >  workgroup = EMPRESA
> >  realm = EMPRESA.COM.BR
> >  netbios name = EMPRESA
> >  server role = active directory domain controller
> >  dns forwarder = 192.168.1.1
> >  ldap server require strong auth = no
> >
> > [netlogon]
> >  path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> >  read only = No
> >
> > [sysvol]
> >  path = /usr/local/samba/var/locks/sysvol
> >  read only = No
> >  acl_xattr:ignore system acls = yes
> >
> > To
> >
> > # Global parameters
> > [global]
> >  workgroup = EMPRESA
> >  realm = EMPRESA.COM.BR
> >  netbios name = EMPRESA
> >  server role = active directory domain controller
> >  dns forwarder = 192.168.1.1
> >  idmap_ldb:use rfc2307 = yes
> >  ldap server require strong auth = no
> >
> > [netlogon]
> >  path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> >  read only = No
> >
> > [sysvol]
> >  path = /usr/local/samba/var/locks/sysvol
> >  read only = No
> >  acl_xattr:ignore system acls = yes
> >
> Ah, I think I see the problem. If I remember correctly, you joined the
> Samba DC to a Windows DC and if you didn't have IDMU installed on
> the Windows DC, you wouldn't get the required objects in AD created on
> the Samba DC either.
>
> All the RFC2307 attributes are in the AD schema by default, so they are
> available for use.
>
> You have a few options:
>
> Check if IDMU is installed and install it if not.
>
> Install the ypServ30.ldif on the Samba DC
> (/usr/share/samba/setup/ypServ30.ldif), see here:
>
>
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions
>
> Write your own script using ldbmodify or ldapmodify to add the uidNumber
> & gidNumber attributes.
>
> You should be aware that even if you do any of the above, your users
> will still get Domain Users as their primary group on the DC.
>
> To get your AD users to show on your Samba AD DC, you need to have
> libnss-winbind, libpam-krb5 & libpam-winbind installed and ensure the
> 'passwd' & 'group' lines in /etc/nsswitch.conf look like this:
>
> passwd:         compat winbind
> group:          compat winbind
>
> If you do the above, you should get your users & groups without doing
> any of the above, but the IDs will be in the '3000000' range.
>
> Rowland
>
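
The third option in the quoted reply (a script that adds uidNumber and gidNumber with ldbmodify) could be approached as follows. This is an added example, not code from the thread or from the Samba project; the function names, the account name jdoe, the ID values, and the rule of keeping manual IDs below 3000000 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an LDIF "modify" record that
# sets uidNumber/gidNumber on one existing AD account.
# Assumption: IDs from 3000000 up are left to the DC's automatic allocation.
AUTO_ID_MIN=3000000

# is_valid_id ID: succeeds for a plain decimal number in 1..AUTO_ID_MIN-1.
is_valid_id() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
    esac
    [ "${#1}" -le 7 ] || return 1     # keeps the comparison below in range
    [ "$1" -lt "$AUTO_ID_MIN" ]
}

# make_unix_attrs_ldif DN UIDNUMBER GIDNUMBER: prints the record, or returns 1.
make_unix_attrs_ldif() {
    dn=$1 uidn=$2 gidn=$3
    nl='
'
    # A newline inside the DN would inject extra LDIF lines into the record.
    case "$dn" in
        *"$nl"*|[!A-Za-z]*|'') echo "rejected DN" >&2; return 1 ;;
    esac
    # LDIF needs base64 for non-ASCII or control bytes; this script refuses them.
    rest=$(printf %s "$dn" | LC_ALL=C tr -d ' -~')
    [ -z "$rest" ] || { echo "rejected DN: non-printable or non-ASCII byte" >&2; return 1; }
    is_valid_id "$uidn" && is_valid_id "$gidn" ||
        { echo "rejected ID: need 1..$((AUTO_ID_MIN - 1))" >&2; return 1; }
    # "add:" (not "replace:") so an already-set value is not silently overwritten.
    printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n' \
        "$dn" "$uidn" "$gidn"
}

# Usage on the DC (jdoe is a constructed account name):
#   make_unix_attrs_ldif "CN=jdoe,CN=Users,DC=empresa,DC=com,DC=br" 10000 10000 > jdoe.ldif
#   ldbmodify -H /var/lib/samba/private/sam.ldb jdoe.ldif
```

Review the generated file before applying it, and keep a record of which uidNumber and gidNumber values have been handed out so that two accounts never share an ID.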

