[Samba] Winbind issues with AD member file server
Rowland penny
rpenny at samba.org
Tue Jul 9 18:31:58 UTC 2019
On 09/07/2019 19:02, Eric Shell via samba wrote:
> Ugh, I knew I forgot something. Here is smb.conf:
>
> ---
>
> [global]
> kerberos method = system keytab
> template homedir = /soe/%U
> workgroup = BSOE
> template shell = /bin/bash
> security = ads
> realm = AD.SOE.UCSC.EDU
> idmap config BSOE : schema_mode = rfc2307
> idmap config BSOE : range = 100-999999
> idmap config BSOE : backend = ad
> idmap config BSOE : unix_nss_info = yes
> idmap config BSOE : unix_primary_group = yes
> idmap config * : range = 10000000-10999999
> idmap config * : backend = tdb
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> ################################################################################
> # You should not define any shares in this file directly, use shares.conf.      #
> ################################################################################
>
> include = /etc/samba/shares.conf
>
> ---
>
> Here's an example of one of the share configurations from shares.conf,
> which are uniform:
>
> ---
>
> [backups]
> path = /notbackedup/backups
> comment = Window Servers Backups
> create mask = 0640
> directory mask = 0750
> force create mode = 0640
> force directory mode = 0750
> force group = backups
> valid users = +BSOE\backups-group +backups
Not much wrong there, except I would use 'kerberos method = secrets and
keytab' instead of 'kerberos method = system keytab'.

For the winbind 'ad' backend to work, you need to set up smb.conf
correctly (you seem to have) and give any AD users you want to be
visible on Unix a unique number stored in the uidNumber attribute in
the user's AD object. You also need to give the Domain Users group a
gidNumber attribute containing a number. If you use 'unix_primary_group
= yes', then you can give your users a gidNumber attribute containing
the gidNumber of the required group. All of these numbers must be inside
the range set in smb.conf (in your case '100-999999'). Using such a low
start number does come with its own problems: the low numbers could
cause problems with the Unix system users & groups.

You seem to be hitting the problem a lot of people have hit. Samba
historically used low IDs because it was thought to be okay; time seems
to have proven otherwise.
Rowland
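The checks Rowland describes (uidNumber/gidNumber present, inside the 'idmap config BSOE : range', and not overlapping local system accounts) as an added audit script, not code from the thread or from Samba. The smb.conf fragment, the AD records and the /etc/passwd excerpt are constructed samples; in practice the records would come from an LDAP query against the DC.

```python
import re

# Constructed smb.conf fragment echoing the idmap settings quoted in the thread.
SMB_CONF = """[global]
idmap config BSOE : backend = ad
idmap config BSOE : range = 100-999999
idmap config * : backend = tdb
idmap config * : range = 10000000-10999999
"""
# Constructed AD records (sAMAccountName, uidNumber, gidNumber); None = unset.
AD_USERS = [
    ("alice", 5001, 5000),     # fully mapped, inside the BSOE range
    ("bob", None, 5000),       # no uidNumber: winbind 'ad' backend ignores the user
    ("carol", 1000000, 5000),  # uidNumber outside 100-999999
    ("dave", 101, 5000),       # inside the range but shadows a local system account
]
# Constructed /etc/passwd excerpt showing why a low range start is risky.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
systemd-network:x:101:102::/run/systemd:/usr/sbin/nologin
"""
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Map each idmap domain ('BSOE', '*') to its (low, high) ID range."""
    found = (RANGE_RE.match(line) for line in conf.splitlines())
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3))) for m in found if m}

def local_uids(passwd):
    """uid -> account name for the local accounts winbind must not shadow."""
    rows = (line.split(":") for line in passwd.splitlines() if line.count(":") >= 2)
    return {int(f[2]): f[0] for f in rows}

def audit_user(name, uid, gid, ranges, local, domain="BSOE"):
    """Return the problems that stop or confuse winbind's 'ad' backend for one user."""
    low, high = ranges[domain]
    issues = []
    for attr, val in (("uidNumber", uid), ("gidNumber", gid)):
        if val is None:
            issues.append(f"{attr} missing")
        elif not low <= val <= high:
            issues.append(f"{attr} {val} outside {low}-{high}")
    if uid is not None and uid in local:
        issues.append(f"uidNumber {uid} collides with local account {local[uid]}")
    return issues

def audit(users=AD_USERS, conf=SMB_CONF, passwd=LOCAL_PASSWD):
    """Name -> list of issues; an empty list means the user should map cleanly."""
    ranges, local = parse_idmap_ranges(conf), local_uids(passwd)
    return {name: audit_user(name, uid, gid, ranges, local) for name, uid, gid in users}
```

Calling `audit()` on the samples flags bob (no uidNumber), carol (outside the range) and dave (uid 101 already taken by systemd-network), and passes alice.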