[Samba] setting up a new ADS infrastructure

Stefan Froehlich samba at froehlich.priv.at
Thu Jun 13 18:57:21 UTC 2019

On Thu, Jun 13, 2019 at 07:02:27PM +0100, Rowland penny via samba wrote:
> On 13/06/2019 18:21, Stefan Froehlich via samba wrote:
> >File server and Linux clients shall use the AD-backend, so I read
> >and followed <https://wiki.samba.org/index.php/Idmap_config_ad>.
> >There it says:
> >
> >"Whichever setting you use, the group (or groups) set as the users
> >primary group must have the gidNumber attribute set"
> I thought that was plain enough, but obviously not ;-)

Yes and no.

> All domain users are members of the 'Domain Users' group as their
> primary group and to make the group known to the Unix OS it must
> have a gidNumber attribute. Also winbind relies on the group being
> known to the Unix OS, if it isn't, then (whatever you do), no
> users will be known to the Unix OS.  There are very few domain
> users and groups that need to be known to Unix.

I did understand this (some parts were really obvious, some parts
only after browsing through the docs). What I did not get was that
besides the various config files and control programs like
samba-tool and net you need to dig into the LDAP database to set the
gid for "domain users" (at least I have basic knowledge about LDAP,
but I did not need this for the last 20 yrs). There are:

$ samba-tool user add --gid-number --uid-number
$ samba-tool group add --gid-number

...so I was looking for a corresponding option of "samba-tool domain
provision" or for something named like "samba-tool group modify".

> It used to be easy from Windows using the Unix Attributes tab in
> ADUC, but this has been removed from Windows 10.
> The easiest way is to script around ldb-tools or ldap-utils.

Windows is no option anyway, I only have ssh access and do all the
stuff from remote. But ldbedit did the trick, thanks a lot.

> >| root at fileserver:~# wbinfo -i test
> >| failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >| Could not get info for user test
> This should have worked.

And - eureka! - now it does:

| root at fileserver:~# wbinfo -i test
| test:*:10001:10000::/home/test:/bin/bash

So for the moment I can continue - let's see if anything else comes



Stefan - the laziest promotional gift there ever was.
Sloganizer, https://www.poetron-zone.de/
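The "script around ldb-tools" approach suggested in the reply above, as an added example that is not from the thread: it sets gidNumber on 'Domain Users' with ldbmodify (idempotently) and then checks that `wbinfo -i` reports that gid as the user's primary group. The domain DN, the gid 10000, the user 'test' and the sam.ldb path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: give 'Domain Users' a gidNumber with
# ldb-tools and then verify winbind resolves a user with that primary gid.
# Assumptions (constructed): the domain DN, gid 10000 and test user 'test';
# sam.ldb at the default path; run as root on the DC.
set -eu

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
GROUP_DN="CN=Domain Users,CN=Users,${BASE_DN}"
WANT_GID="${WANT_GID:-10000}"
TEST_USER="${TEST_USER:-test}"

# LDIF that sets gidNumber on a group; 'replace' works whether or not the
# attribute is already present, so the script can be re-run safely.
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# Pull gidNumber out of ldbsearch output on stdin (empty if unset).
gid_from_ldif() {
    sed -n 's/^gidNumber: //p'
}

# Primary gid field (4th) of the passwd-style line printed by 'wbinfo -i'.
passwd_gid() {
    cut -d: -f4
}

apply_and_verify() {
    have=$(ldbsearch -H "$SAM_LDB" -b "$GROUP_DN" -s base '(objectClass=group)' gidNumber | gid_from_ldif)
    if [ "$have" = "$WANT_GID" ]; then
        echo "gidNumber already $WANT_GID on $GROUP_DN"
    else
        gid_ldif "$GROUP_DN" "$WANT_GID" | ldbmodify -H "$SAM_LDB"
    fi
    # A user whose primary group now has a gidNumber should resolve; if it
    # still fails, 'net cache flush' clears winbind's cached negative answer.
    got=$(wbinfo -i "$TEST_USER" | passwd_gid)
    [ "$got" = "$WANT_GID" ] || { echo "wbinfo gid '$got' != $WANT_GID" >&2; return 1; }
    echo "$TEST_USER resolves with primary gid $got"
}

case "${1:-}" in
    apply) apply_and_verify ;;
esac
```

Run it as `sh set_domain_users_gid.sh apply` on the DC; without the `apply` argument it only defines the functions.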
