[Samba] Winbind issues with AD member file server

Eric Shell eshell at ucsc.edu
Tue Jul 9 18:46:04 UTC 2019


Hi Rowland,

Thanks for the prompt reply.  The gidNumber attribute is set to the
appropriate primary UNIX group for each user already.  Are there any ways
to work around the ID issue, or at least to mitigate some of the
consequences?  We looked at updating uid/gid values across the board but
there is so much data owned by existing users and groups that we haven't
been able to proceed.



On Tue, Jul 9, 2019 at 11:32 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 09/07/2019 19:02, Eric Shell via samba wrote:
> > Ugh, I knew I forgot something.  Here is smb.conf:
> >
> > ---
> >
> > [global]
> > kerberos method = system keytab
> > template homedir = /soe/%U
> > workgroup = BSOE
> > template shell = /bin/bash
> > security = ads
> > realm = AD.SOE.UCSC.EDU
> > idmap config BSOE : schema_mode = rfc2307
> > idmap config BSOE : range = 100-999999
> > idmap config BSOE : backend = ad
> > idmap config BSOE : unix_nss_info = yes
> > idmap config BSOE : unix_primary_group = yes
> > idmap config * : range = 10000000-10999999
> > idmap config * : backend = tdb
> > winbind use default domain = no
> > winbind refresh tickets = yes
> > winbind offline logon = yes
> > winbind enum groups = no
> > winbind enum users = no
> >
> >
> ################################################################################
> > #   You should not define any shares in this file directly, use
> > shares.conf.   #
> >
> ################################################################################
> >
> > include = /etc/samba/shares.conf
> >
> > ---
> >
> > Here's an example of one of the share configurations from shares.conf,
> > which are uniform:
> >
> > ---
> >
> > [backups]
> >   path = /notbackedup/backups
> >   comment = Window Servers Backups
> >   create mask = 0640
> >   directory mask = 0750
> >   force create mode = 0640
> >   force directory mode = 0750
> >   force group = backups
> >   valid users = +BSOE\backups-group +backups
> Not much wrong there, except I would use 'kerberos method = secrets and
> keytab' instead of 'kerberos method = system keytab'
>
> For the winbind 'ad' backend to work, you need to set up smb.conf
> correctly (you seem to have) and give any AD users you want to be
> visible on Unix a unique number stored in the uidNumber attribute in
> the user's AD object; you also need to give the Domain Users group a
> gidNumber attribute containing a number. If you use 'unix_primary_group
> = yes', then you can give your users a gidNumber attribute containing
> the gidNumber of the required group. All of these numbers must be inside
> the range set in smb.conf (in your case '100-999999'). Using such a low
> start number does come with its own problems: the low numbers could
> cause problems with the Unix system users & groups.
>
> You seem to be hitting the problem a lot of people have hit: Samba
> historically used low IDs because it was thought to be okay; time seems
> to have proven otherwise.
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Eric Shell
BSOE Technical Staff
eshell at ucsc.edu
831 459 4919
Baskin Engineering, Room 313

