[Samba] Problem with UID and GID
Rowland penny
rpenny at samba.org
Tue Oct 22 15:20:57 UTC 2019
On 22/10/2019 16:01, Stephen Atkins wrote:
> On 22/10/2019 8:48 a.m., Rowland penny via samba wrote:
>
>> Have you read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
>
> I have and I thought I set it up correctly. I followed the
> idmap_config_ad link to setup my domain member. But I'm going over it
> again as I'm sure I missed something.
>
>>>
>>> Let me know if you would like to see any other config files.
>>>
>> Yes, can we see your smb.conf files.
>>
>> It looks like you have given your user a uidNumber attribute, but
>> haven't given 'Domain Users' a gidNumber attribute. What OS is this
>> ? '4' isn't an ID for the 'users' group that I have come across.
>> Though thinking about it, perhaps the question is, just where have
>> you set that '4' ?
>
> I had set the Primary GID in the Unix Attributes section for that user
> to 4 (which I can't remember why I did) but have since changed it to
> "Domain Admins". For the Domain Admins group I have set the GID to
> 10004.
Try setting the gidNumber for 'Domain Users' to '10000'
>
> My smb.conf for the AD DC is:
>
> # Global parameters
> [global]
> netbios name = DC1
> realm = AD.MDWAINWRIGHT.CA
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbi$
> workgroup = AD
>
> idmap_ldb:use rfc2307 = yes
>
> template homedir = /home/%D/%U
You do not need the above line; it is the default.
> template shell = /bin/bash
This is okay, but only required if your users will log into the DC
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
Remove the three lines above, they should not be in a DC smb.conf
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.mdwainwright.ca/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> My smb.conf for the fileserver is:
> [global]
> workgroup = AD
> realm = AD.MDWAINWRIGHT.CA
> netbios name = FILESERVER
> security = ADS
> dns forwarder = 192.168.1.3
No, you do not have a dns forwarder on a Unix domain member
>
> # idmap config * : backend = tdb
> # idmap config *:range = 10000-50000
Interesting, you have commented out something you need (with an
incorrect range), but you haven't added the required replacements. Are
you using sssd?
If so, then stop; it isn't supported.
Try adding these lines:
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config AD : backend = ad
idmap config AD : schema_mode = rfc2307
idmap config AD : unix_nss_info = yes
idmap config AD : range = 10000-999999
> idmap_ldb:use rfc2307 = yes
Remove the line above; it is only used on a DC.
>
> winbind use default domain = true
OK
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
Remove the four lines above, they are not required.
>
>
> template homedir = /home/%D/%U
> template shell = /bin/bash
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [shared]
> path = /mnt/usershares
> read only = no
>
> [users]
> path = /home/AD
> read only = no
>
Rowland
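Added example, not code from this thread or from the Samba project: a small Python linter that applies the checks made in the reply above to a domain member's smb.conf. It parses the file, verifies that the default 'idmap config *' backend and range are present, checks that the per-domain ranges do not overlap the default range, and flags parameters that belong only on a DC (the DC_ONLY_PARAMS list is this example's own assumption, built from the two parameters the reply objects to). The three sample configurations are constructed for the example, using the values quoted in the thread.

```python
"""Lint the idmap setup of a Samba domain-member smb.conf (added example)."""
import configparser
import re

# Assumption for this example: parameters the reply says belong on a DC only.
DC_ONLY_PARAMS = {"idmap_ldb:use rfc2307", "dns forwarder"}


def _normalise(key: str) -> str:
    """Lowercase and drop spaces around ':' so that 'idmap config AD : range'
    and 'idmap config ad:range' compare equal, as Samba treats them."""
    key = re.sub(r"\s*:\s*", ":", key.strip().lower())
    return re.sub(r"\s+", " ", key)


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_key: value}} for an smb.conf string."""
    parser = configparser.ConfigParser(
        delimiters=("=",),    # keys themselves contain ':' (idmap config *:range)
        interpolation=None,   # values such as /home/%D/%U contain '%'
        strict=False,         # tolerate repeated keys instead of failing
    )
    parser.optionxform = _normalise
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def _parse_range(value: str):
    lo, hi = value.replace(" ", "").split("-")
    return int(lo), int(hi)


def check_member_idmap(text: str) -> list:
    """Return a list of findings; an empty list means the idmap setup looks sane."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    for p in sorted(DC_ONLY_PARAMS):
        if p in g:
            findings.append(f"'{p}' is a DC-only parameter; remove it from a domain member")

    # Collect 'idmap config <domain>:<option>' entries per domain.
    idmap = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config ([^:]+):(\w+)", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value

    default = idmap.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("missing 'idmap config *:backend' and/or 'idmap config *:range'")

    ranges = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            findings.append(f"'idmap config {dom}' has no range")
            continue
        try:
            ranges[dom] = _parse_range(opts["range"])
        except ValueError:
            findings.append(f"'idmap config {dom}:range' is not of the form LOW-HIGH")

    # Every domain's range, the '*' one included, must be disjoint from the others.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


# Constructed sample 1: the member config as posted (ranges commented out,
# DC-only parameters present).
BROKEN_MEMBER_CONF = """
[global]
workgroup = AD
realm = AD.MDWAINWRIGHT.CA
netbios name = FILESERVER
security = ADS
dns forwarder = 192.168.1.3
# idmap config * : backend = tdb
# idmap config *:range = 10000-50000
idmap_ldb:use rfc2307 = yes
winbind use default domain = true
"""

# Constructed sample 2: the lines the reply suggests, DC-only parameters removed.
FIXED_MEMBER_CONF = """
[global]
workgroup = AD
realm = AD.MDWAINWRIGHT.CA
netbios name = FILESERVER
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config AD : backend = ad
idmap config AD : schema_mode = rfc2307
idmap config AD : unix_nss_info = yes
idmap config AD : range = 10000-999999
winbind use default domain = true
"""

# Constructed sample 3: the commented-out '*' range restored unchanged, which
# collides with the AD range (the "incorrect range" the reply points at).
OVERLAP_MEMBER_CONF = """
[global]
security = ADS
idmap config *:backend = tdb
idmap config *:range = 10000-50000
idmap config AD : backend = ad
idmap config AD : range = 10000-999999
"""

if __name__ == "__main__":
    for name, conf in [("posted", BROKEN_MEMBER_CONF), ("fixed", FIXED_MEMBER_CONF),
                       ("overlap", OVERLAP_MEMBER_CONF)]:
        print(name, check_member_idmap(conf) or ["ok"])
```

The linter is a pre-check only: after editing smb.conf, testparm should still be run on the real file, and the mapping confirmed with wbinfo and getent, because a syntactically clean idmap block says nothing about whether 'Domain Users' actually has a gidNumber inside the chosen AD range.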