[Samba] idmap config ad
rpenny at samba.org
Mon Jan 28 14:27:48 UTC 2019
On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba at lists.samba.org> wrote:
> Trying to use the idmap config ad on a domain member. The AD is an
> actual Windows server and when logged in the AD server running ADUC
> the NIS domain field on the UNIX attributes tab only shows a dash and
> it cannot be changed.
Does Domain Users have a gidNumber attribute containing a number
inside the '10000-99999' range?
Do any Active Directory groups have such a gidNumber?
> Domain member is RHEL 7.6 running Samba 4.8.3.
> Pertinent part of smb.conf:
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> server string = mydomain
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-8999
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 10000-99999
> idmap config MYDOMAIN : unix_nss_info = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> The documentation seems to strictly point to using a Samba AD with the
> RSAT utility and here we're logged right on to the Windows AD using
> the native ADUC application.
ADUC is part of RSAT and the Samba 'ad' backend works in the same way
that the Unix Attributes tab does.
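
The check the reply asks about, as an added example that is not part of the original thread: it reads the idmap ranges from the smb.conf lines quoted above, confirms they do not overlap, and classifies group gidNumber values against the MYDOMAIN range. The group names' gidNumber values are constructed sample data (an assumption); in practice they would come from a query against the AD.

```python
import re
from itertools import combinations

# idmap lines as quoted in the post (without the "> " quoting).
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-8999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
"""

# Constructed sample data: group name -> attributes read from AD (hypothetical values).
GROUPS = {"Domain Users": {"gidNumber": "10513"},
          "Domain Admins": {},
          "Legacy": {"gidNumber": "500"}}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and not line.lstrip().startswith(("#", ";")):
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(opts):
    """Turn 'range = lo-hi' into an (lo, hi) integer pair."""
    lo, hi = (int(x) for x in opts["range"].split("-"))
    return lo, hi

def overlapping(domains):
    """List every pair of domains whose ID ranges intersect."""
    ranges = {d: id_range(o) for d, o in domains.items() if "range" in o}
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def classify(groups, lo, hi):
    """Label each group 'ok', 'missing' or 'out-of-range' for the given ID range."""
    result = {}
    for name, attrs in groups.items():
        gid = attrs.get("gidNumber")
        if gid is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if lo <= int(gid) <= hi else "out-of-range"
    return result

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(overlapping(cfg), classify(GROUPS, *id_range(cfg["MYDOMAIN"])))
```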