[Samba] Samba AD-DC idmap config
Rowland penny
rpenny at samba.org
Sat Oct 19 07:59:06 UTC 2019
On 18/10/2019 22:54, John Redmond wrote:
> One step forward with respect to the fileserver configs. Good news
> first...
>
> * Netplan: The symlink /etc/resolv.conf to
> /run/systemd/resolve/stub-resolv.conf was wrong. It now goes to
> /run/systemd/resolve/resolv.conf. And
>
> _admin at fsvr0:/etc$ nslookup dc0.lan.lenkin.com
> Server:         10.199.251.10
> Address:        10.199.251.10#53
>
> Name:   dc0.lan.lenkin.com
> Address: 10.199.251.10
>
> So the command result shows the nameserver is now the DC, instead
> of 127.0.0.53
>
> * I changed the fileserver smb.conf and nsswitch.conf files as per
> your suggestions. No difference with respect to results of
> commands "sudo net ads join -U administrator" (join successful,
> error DNS update failed: NT_STATUS_INVALID_PARAMETER), "getent
> passwd" and "getent groups" (no domain users or groups listed).
>
OK, let's test the join. Run (as root) in a terminal:
net ads join
It should return:
Join is OK
If that passes, change these lines in smb.conf:
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
To:
idmap config SAMDOM : backend = rid
#idmap config SAMDOM : schema_mode = rfc2307
Run: net cache flush and restart winbind
Do you now get a user's info with 'getent passwd username' and a group's
info with 'getent group groupname'?
If so, repeat the procedure, but put the original lines back; you should
get output from the two commands again, but with different IDs. If you
do not get any output, you need to check the uidNumber & gidNumber
attributes in AD.
Whilst typing this, I began to think 'is he just typing getent passwd?'
If so, this will not work without the 'winbind enum' lines in smb.conf;
that is all they do (apart from slowing things down).
Rowland
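The backend switch and the 'winbind enum' point from the reply above, as an added example that is not from the thread or from the Samba project: it rewrites the two idmap lines for one domain in a copy of smb.conf (SAMDOM and the sample config are constructed placeholders) and reports whether a bare 'getent passwd' can be expected to list domain users.

```shell
# Added example (not from the thread): switch one domain's idmap backend
# between 'ad' and 'rid' in a copy of smb.conf, as the reply asks, and check
# for the 'winbind enum' lines a bare 'getent passwd' needs. The sample
# config and SAMDOM are constructed placeholders.
set -eu

# make_sample FILE: constructed smb.conf fragment used by the demo below
make_sample() {
    cat > "$1" <<'EOF'
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
EOF
}
# set_idmap_backend FILE DOMAIN ad|rid
#   ad : backend = ad plus an active schema_mode = rfc2307 line
#   rid: backend = rid with schema_mode commented out (rid does not use it)
set_idmap_backend() {
    file=$1; dom=$2
    case $3 in
        ad)  e2="s/^[#[:space:]]*\(idmap config $dom : schema_mode\) *=.*/\1 = rfc2307/" ;;
        rid) e2="s/^[[:space:]]*\(idmap config $dom : schema_mode\)/#\1/" ;;
        *)   echo "backend must be ad or rid" >&2; return 1 ;;
    esac
    sed -e "s/^[#[:space:]]*\(idmap config $dom : backend\) *=.*/\1 = $3/" \
        -e "$e2" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
# current_backend FILE DOMAIN: prints the active backend value, or "none"
current_backend() {
    v=$(sed -n "s/^[[:space:]]*idmap config $2 : backend *= *\([^[:space:]]*\).*/\1/p" "$1")
    echo "${v:-none}"
}
# enum_enabled FILE: true only when both 'winbind enum users/groups = yes'
# are active; without them a bare 'getent passwd' lists no domain users
enum_enabled() {
    grep -Eq '^[[:space:]]*winbind enum users[[:space:]]*=[[:space:]]*yes' "$1" &&
    grep -Eq '^[[:space:]]*winbind enum groups[[:space:]]*=[[:space:]]*yes' "$1"
}

f=$(mktemp); make_sample "$f"
set_idmap_backend "$f" SAMDOM rid
echo "backend now: $(current_backend "$f" SAMDOM)"   # rid
enum_enabled "$f" || echo "no 'winbind enum' lines: use 'getent passwd USERNAME'"
set_idmap_backend "$f" SAMDOM ad   # put the original lines back
rm -f "$f"
```

On a real server, edit a copy, move it into place, then run 'net cache flush' and restart winbind as the reply says.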