[Samba] Winbind issues with AD member file server

Rowland penny rpenny at samba.org
Tue Jul 9 18:31:58 UTC 2019


On 09/07/2019 19:02, Eric Shell via samba wrote:
> Ugh, I knew I forgot something.  Here is smb.conf:
>
> ---
>
> [global]
> kerberos method = system keytab
> template homedir = /soe/%U
> workgroup = BSOE
> template shell = /bin/bash
> security = ads
> realm = AD.SOE.UCSC.EDU
> idmap config BSOE : schema_mode = rfc2307
> idmap config BSOE : range = 100-999999
> idmap config BSOE : backend = ad
> idmap config BSOE : unix_nss_info = yes
> idmap config BSOE : unix_primary_group = yes
> idmap config * : range = 10000000-10999999
> idmap config * : backend = tdb
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> ################################################################################
> #   You should not define any shares in this file directly, use shares.conf.   #
> ################################################################################
>
> include = /etc/samba/shares.conf
>
> ---
>
> Here's an example of one of the share configurations from shares.conf,
> which are uniform:
>
> ---
>
> [backups]
>   path = /notbackedup/backups
>   comment = Window Servers Backups
>   create mask = 0640
>   directory mask = 0750
>   force create mode = 0640
>   force directory mode = 0750
>   force group = backups
>   valid users = +BSOE\backups-group +backups
Not much wrong there, except I would use 'kerberos method = secrets and 
keytab' instead of 'kerberos method = system keytab'.

For the winbind 'ad' backend to work, you need to set up smb.conf 
correctly (you seem to have) and give any AD users you want to be 
visible on Unix a unique number stored in the uidNumber attribute in 
the user's AD object. You also need to give the Domain Users group a 
gidNumber attribute containing a number. If you use 'unix_primary_group 
= yes', then you can give your users a gidNumber attribute containing 
the gidNumber of the required group. All of these numbers must be inside 
the range set in smb.conf (in your case '100-999999'). Using such a low 
start number does come with its own problems: the low numbers could 
clash with the Unix system users & groups.

You seem to be hitting the problem a lot of people have hit. Samba 
historically used low IDs because it was thought to be okay; time seems 
to have proven otherwise.

Rowland
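The checks Rowland describes (every AD user needs a uidNumber, Domain Users needs a gidNumber, everything must sit inside the domain's idmap range, and low numbers collide with local system accounts) can be run before joining a file server. The script below is an added example written for this thread, not Samba's own tooling and not something Rowland or Eric posted. It parses the idmap range out of an smb.conf excerpt and then audits a constructed set of user and group records shaped like the attributes an LDAP query against AD would return. The 1000 boundary for local system accounts is an assumption (the UID_MIN/GID_MIN default in /etc/login.defs on most distributions), and the account names and ID values are made up.

```python
"""Audit RFC2307 attributes on AD users/groups against the winbind 'ad'
backend's idmap range.  Example code for this mailing-list thread; not part
of Samba.  The smb.conf text and the user/group records are constructed."""
import re

# Constructed excerpt of an smb.conf using the 'ad' backend (assumption:
# only the idmap lines matter for this audit).
SMB_CONF = """
[global]
workgroup = BSOE
idmap config BSOE : schema_mode = rfc2307
idmap config BSOE : range = 100-999999
idmap config BSOE : backend = ad
idmap config BSOE : unix_primary_group = yes
idmap config * : range = 10000000-10999999
idmap config * : backend = tdb
"""

# Constructed sample records, shaped like ldapsearch/ldbsearch output; the
# attribute names (uidNumber, gidNumber, sAMAccountName) are the real ones.
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 5001, "gidNumber": 513},
    {"sAMAccountName": "bob", "uidNumber": 150, "gidNumber": 513},        # in range, but a system-UID value
    {"sAMAccountName": "carol", "gidNumber": 513},                        # no uidNumber at all
    {"sAMAccountName": "dave", "uidNumber": 2000000, "gidNumber": 513},   # outside the idmap range
]
GROUPS = [
    {"sAMAccountName": "Domain Users", "gidNumber": 513},                 # low gid, overlaps local groups
    {"sAMAccountName": "backups", "gidNumber": 5100},
]

# Assumption: local system users/groups occupy IDs below 1000.
SYSTEM_ID_MAX = 999


def idmap_range(conf, domain):
    """Return (low, high) from the 'idmap config <domain> : range' line."""
    pattern = r"idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pattern, conf)
    if not m:
        raise ValueError("no idmap range configured for domain %r" % domain)
    return int(m.group(1)), int(m.group(2))


def check_ids(conf, domain, users, groups):
    """Return a list of human-readable problems; an empty list means winbind
    should be able to map every listed user and group."""
    lo, hi = idmap_range(conf, domain)
    problems = []

    # Groups first: Domain Users must carry a gidNumber, and every gid must be
    # inside the range and clear of the local system range.
    if not any(g["sAMAccountName"] == "Domain Users" and "gidNumber" in g for g in groups):
        problems.append("Domain Users: missing gidNumber")
    for g in groups:
        gid = g.get("gidNumber")
        if gid is None:
            continue
        if not lo <= gid <= hi:
            problems.append("%s: gidNumber %d outside idmap range %d-%d" % (g["sAMAccountName"], gid, lo, hi))
        elif gid <= SYSTEM_ID_MAX:
            problems.append("%s: gidNumber %d overlaps local system account range" % (g["sAMAccountName"], gid))
    known_gids = {g["gidNumber"] for g in groups if "gidNumber" in g}

    # Users: a missing or out-of-range uidNumber means winbind will not map the
    # user at all; with unix_primary_group the gidNumber must name a real group.
    for u in users:
        name = u["sAMAccountName"]
        uid = u.get("uidNumber")
        if uid is None:
            problems.append("%s: missing uidNumber (winbind will not map this user)" % name)
        elif not lo <= uid <= hi:
            problems.append("%s: uidNumber %d outside idmap range %d-%d" % (name, uid, lo, hi))
        elif uid <= SYSTEM_ID_MAX:
            problems.append("%s: uidNumber %d overlaps local system account range" % (name, uid))
        gid = u.get("gidNumber")
        if gid is None:
            problems.append("%s: missing gidNumber" % name)
        elif gid not in known_gids:
            problems.append("%s: gidNumber %d matches no group with a gidNumber" % (name, gid))
    return problems


if __name__ == "__main__":
    for line in check_ids(SMB_CONF, "BSOE", USERS, GROUPS):
        print(line)
```

Running it prints one line per defect; the same logic could be fed real records from `ldapsearch` output, and moving the start of the idmap range above 1000 makes the "overlaps local system account range" findings go away, which is the point of Rowland's closing remark.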
