[Samba] security = ads parameter not working in samba 4.9.5

Sérgio Basto sergio at serjux.com
Wed Nov 27 23:57:34 UTC 2019


On Wed, 2019-11-27 at 15:51 +0000, Rowland penny via samba wrote:
> On 27/11/2019 15:30, Sérgio Basto wrote:
> > On Wed, 2019-11-27 at 12:29 +0000, Rowland penny via samba wrote:
> > > On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > > > Sorry, I meant man idmap_ad. But checking again, the man page is the
> > > > same as https://wiki.samba.org/index.php/Idmap_config_ad in the
> > > > EXAMPLES section of the man page [1]
> > > >
> > > > The examples don't mention netbios name ... I did [2], which instead
> > > > of workgroup uses netbios name, and it is working, but I still don't
> > > > know why or even if it is correct.
> > > You do not need to set 'netbios name', it will be set for you from
> > > the hostname
> > > > [2]
> > > > [global]
> > > >       netbios name = REPO
> > > >       security = ADS
> > > >       workgroup = SAMDOM
> > > >       realm = SAMDOM.EXAMPLE.COM
> > > > 
> > > >       winbind use default domain = yes
> > > > 
> > > >       idmap config * : backend = tdb
> > > >       idmap config * : range = 1000000-1999999
> > > >      
> > > >       idmap config REPO : backend = ad
> > > >       idmap config REPO : schema_mode = rfc2307
> > > >       idmap config REPO : range = 10000-999999
> > > >       idmap config REPO : unix_nss_info = yes
> > > You need to use the workgroup name, not the netbios name. There
> > > will be three domains on your Unix domain member:
> > > 
> > > BUILTIN : Mostly used for the Well Known SIDs
> > > 
> > > SAMDOM : Your AD domain
> > > 
> > > REPO : a local domain and not really relevant
> > 
> > Hi, many thanks for the reply. It started to work, but I had to use
> > realm
> > 
> >       security = ADS
> >       workgroup = SAMDOM
> >       realm = SAMDOM.LOCAL
> >       idmap config * : backend = tdb
> >       idmap config * : range = 1000000-1999999
> >     
> >       idmap config SAMDOM.LOCAL : backend = ad
> >       idmap config SAMDOM.LOCAL : schema_mode = rfc2307
> >       idmap config SAMDOM.LOCAL : range = 10000-999999
> >       idmap config SAMDOM.LOCAL : unix_nss_info = yes
> 
> You have something mis-configured somewhere, it MUST be workgroup,
> not realm.
> 
> Please download this:
> 
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> Run it on the Unix domain member and paste the output into a post, do
> not attach it, this list strips attachments.

Thank you for the warning :) [1]. I'm fighting the same problem, but I
have a different configuration that I never told you about before: I'm
running my CentOS 7 packages (very similar to other fellows') [2], where
DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with
BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64).
The REPO server is a Domain_Member [3] with Idmap_config_ad, of DOMAIN corp,
and I'm testing with SambaAD-4.10.9 or 10.

What else?
getent passwd and getent group just work with the previous configuration
and stop when I set the workgroup in idmap, as you wrote "it MUST be
workgroup not realm".


Notes on the script:
CentOS 7 DNS configuration is in /etc/named.conf, not in
/etc/bind/named.conf, so I had to hack the script a little, and for dpkg -l
I replaced it with rpm -qa.


[1] 
https://paste.centos.org/view/8d205024
https://paste.centos.org/view/bba5f6c4

[2]
https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/

[3]
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member



> Rowland
> 

Best regards,
-- 
Sérgio M. B.
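The recurring mistake in this thread is keying the `idmap config` block by the realm (or by the machine's netbios name) instead of by the workgroup. The following is an added example, not code from the thread or from Samba: a small checker that parses the `[global]` section of an smb.conf, flags an idmap domain that matches the realm or netbios name instead of the workgroup, and also reports overlapping idmap ranges. The sample smb.conf is constructed from the mis-configured block quoted above.

```python
"""Sanity-check idmap config domain keys and ranges in an smb.conf [global] section."""
import re

# Constructed sample: the idmap block is keyed by the realm instead of the workgroup.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    idmap config SAMDOM.LOCAL : backend = ad
    idmap config SAMDOM.LOCAL : schema_mode = rfc2307
    idmap config SAMDOM.LOCAL : range = 10000-999999
    idmap config SAMDOM.LOCAL : unix_nss_info = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*(workgroup|realm|netbios name)\s*=\s*(\S+)\s*$", re.I)


def parse_smb_conf(text):
    """Return ({param: value}, {idmap_domain: {option: value}}), all upper-cased."""
    params, idmap = {}, {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2).upper()
    return params, idmap


def check_idmap(text):
    """Return a list of problem strings; an empty list means the idmap layout is consistent."""
    params, idmap = parse_smb_conf(text)
    wg, realm, nb = params.get("workgroup"), params.get("realm"), params.get("netbios name")
    problems = []
    if "range" not in idmap.get("*", {}):
        problems.append("missing 'idmap config * : range' default block")
    if wg and wg not in idmap:
        problems.append(f"no idmap block keyed by workgroup {wg}")
    for dom in idmap:
        if dom != wg and dom in (realm, nb):  # keyed by realm or netbios name
            problems.append(f"idmap domain {dom} is not the workgroup; use {wg}")
    # Overlapping ranges would make UID/GID allocation ambiguous.
    ranges = sorted((int(lo), int(hi), d) for d, o in idmap.items()
                    if "range" in o for lo, hi in [o["range"].split("-")])
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges of {d1} and {d2} overlap")
    return problems
```

Running `check_idmap` on the sample reports the realm-keyed block and the missing workgroup block; renaming the key to `SAMDOM` yields an empty list.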
