[Samba] debian 10: errors with my server samba-ad

Rowland penny rpenny at samba.org
Tue May 14 10:40:08 UTC 2019


On 14/05/2019 10:58, nathalie ramat wrote:
> hi,
>
> My user must be able to connect under windows and under linux. The 
> home is common. Their home is on the server.

This is easy.

>
> Like there are students - they are identified by their formation 
> (group) and by their login
>
> for example /home/specifique/testlundi
>                   /home/l1info/testmardi
>
> For me the students belong to a group and I have created each group in an OU
Then you MUST use the winbind 'ad' backend and set smb.conf to use the 
info stored in AD.
>
> and I take the last number of the group SID for gidNumber - it was to 
> find out which group he belonged to - it's not a good idea?

Definitely not. SIDs start at '1000' and so do the Unix IDs; this 
means that you cannot have any local Unix users. There is also the 
problem of Domain Users: its RID is '513', and all your users and groups 
must have Unix IDs (set by the uidNumber & gidNumber attributes in AD) 
inside the range you set in smb.conf.

>
>
> on my smb.conf on the server i put
>
> [homes]
>     path=/home/%G/%U
>     read only = no
>
>
> Actually - I can't put my Linux client in my AD.
> net ads join -S nameofsever -U administrator --> doesn't give me a 
> response -- it waits ...
>
You shouldn't need the '-S' option, so is your DNS set up correctly?
> my Linux client smb.conf is
>
>
>  [global]
>     security =ADS
>     realm = LENZSPITZE2.CALAIS.FR
>     workgroup =LENZSPITZE2
>     netbios name = testbugsterl
>     winbind separator = /
>     winbind enum users = yes
>     winbind enum groups = yes
Once you get everything working, remove the two lines above; you only 
need them for testing purposes.
>     idmap config LENZSPITZE2 : backend = ad
>     idmap config LENZSPITZE2 : schema_mode =rfc2307
>     idmap config LENZSPITZE2 : range = 10000-399999999

Hmm, your lowest ID is probably the one from Domain Users, '513', which 
is less than '10000'; this isn't going to work. I would change the 
uidNumber & gidNumber attributes in AD to match the above range.


>     idmap config LENZSPITZE2 : unix_nss_info = yes
>     template homedir =/etudiants/%U
>     template shell =/bin/bash
Remove the two lines above; for what you want to do, you must obtain 
this information from AD.
>     winbind nss info = rfc2307
You do not require the line above.
>     kerberos method =  secrets and keytab
>     dedicated keytab file =/etc/krb5.keytab
>     winbind refresh tickets =yes
>     username map = /etc/samba/samba_usermapping
>     winbind use default domain = yes
>     log file =/var/log/samba/log.%m
>     log level = 3
> # for acl support on members servers with shares
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>     winbind nss info = rfc2307

You still don't need the line above ;-)

Rowland
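
The point made twice in the reply above (Domain Users carrying RID '513' as its gidNumber while the idmap range starts at '10000') is the kind of mismatch that is easy to verify before a join is attempted. The following is an added example for this thread, not code from the original mail or from the Samba project: it reads the `idmap config DOMAIN : range` line out of an smb.conf, reads uidNumber/gidNumber values from LDIF (the shape produced by `ldbsearch` against sam.ldb), and reports every ID that falls outside the configured range. The smb.conf and LDIF embedded below are constructed sample data that reproduce the situation in the thread.

```python
"""Check that every uidNumber/gidNumber stored in AD sits inside the
idmap range configured for the winbind 'ad' backend in smb.conf.

Added example for this thread, not part of Samba or the original mail.
Assumed inputs: smb.conf text, and LDIF such as this command emits
(the filter and attribute list are standard LDAP syntax):
  ldbsearch -H /var/lib/samba/private/sam.ldb \
      '(|(uidNumber=*)(gidNumber=*))' cn uidNumber gidNumber
The smb.conf and LDIF below are constructed sample data.
"""
import re

SMB_CONF = """\
[global]
    security = ADS
    realm = LENZSPITZE2.CALAIS.FR
    workgroup = LENZSPITZE2
    idmap config LENZSPITZE2 : backend = ad
    idmap config LENZSPITZE2 : schema_mode = rfc2307
    idmap config LENZSPITZE2 : range = 10000-399999999
"""

# Constructed LDIF: 'Domain Users' has been given gidNumber 513 (its RID),
# the mistake discussed in the thread; the other entries are in range.
LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=lenzspitze2,DC=calais,DC=fr
cn: Domain Users
gidNumber: 513

# record 2
dn: CN=l1info,OU=l1info,DC=lenzspitze2,DC=calais,DC=fr
cn: l1info
gidNumber: 10001

# record 3
dn: CN=testmardi,OU=l1info,DC=lenzspitze2,DC=calais,DC=fr
cn: testmardi
uidNumber: 10500
gidNumber: 10001

# returned 3 records
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)",
    re.IGNORECASE | re.MULTILINE,
)


def idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    return {m["dom"].upper(): (int(m["lo"]), int(m["hi"]))
            for m in RANGE_RE.finditer(conf_text)}


def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> [values] per entry.
    Skips '#' comment lines; base64 ('::') and folded lines are not handled."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def out_of_range(entries, lo, hi):
    """Return [(cn, attribute, value)] for every ID outside [lo, hi]."""
    bad = []
    for entry in entries:
        cn = entry.get("cn", ["?"])[0]
        for attr in ("uidNumber", "gidNumber"):
            for value in entry.get(attr, []):
                n = int(value)
                if not lo <= n <= hi:
                    bad.append((cn, attr, n))
    return bad


def check(conf_text, ldif_text, domain):
    """Cross-check the LDIF IDs against the idmap range for `domain`."""
    lo, hi = idmap_ranges(conf_text)[domain.upper()]
    return out_of_range(parse_ldif(ldif_text), lo, hi)


if __name__ == "__main__":
    for cn, attr, n in check(SMB_CONF, LDIF, "LENZSPITZE2"):
        print(f"{cn}: {attr}={n} is outside the idmap range")
```

Run against real output, the script prints one line per offending object; an empty result means every uidNumber and gidNumber the 'ad' backend will read is inside the range winbind has been told to use, which is the condition the reply insists on before the interleaved configuration can work.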
