[Samba] getent shows only local entries.

Daniel Lang spaci76 at gmail.com
Sun Jan 26 14:21:20 UTC 2020


Thank you very much for this information. That brings me a big step forward.

I expanded the required attributes on the groups. Now I see it with
"getent group".

INTERN\domain admins:x:10001:
INTERN\domain users:x:10000:

But the primaryGroupID attribute of the user has a default value of
513 (= GROUP_RID_USERS). It throws an exception when I try to change
this to 10000:

"error in module samldb: Unwilling to perform during LDB_MODIFY(53)"

I adjusted the attributes with ADUC.

How can I fix this?

Thanks in advance

Am So., 26. Jan. 2020 um 12:28 Uhr schrieb Rowland penny via samba
<samba at lists.samba.org>:
>
> On 26/01/2020 10:59, Daniel Lang wrote:
> > Hi Rowland,
> >
> > Thank you for your prompt reply.
> >
> > Am So., 26. Jan. 2020 um 11:26 Uhr schrieb Rowland penny via samba
> > <samba at lists.samba.org>:
> >
> >     Whilst wbinfo is showing your users and groups, this does not mean
> >     that
> >     Unix knows who they are.
> >
> >
> >     Do you have libnss-winbind, libpam-winbind and libpam-krb5 installed ?
> >
> >
> > Yes,
> >
> > root at fs1:/var/log/samba# apt install libpam-winbind libpam-krb5
> > libnss-winbind
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > libpam-krb5 is already the newest version (4.8-2).
> > libnss-winbind is already the newest version (2:4.11.3+dfsg-1).
> > libpam-winbind is already the newest version (2:4.11.3+dfsg-1).
> > 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> > root at fs1:/var/log/samba#
> >
> >
> >     Have you set 'winbind' in the 'passwd' & 'group' lines in
> >     /etc/nsswitch.conf ?
> >
> > yes,
> > root at fs1:/var/log/samba# cat /etc/nsswitch.conf | grep passwd
> > passwd:         files winbind systemd
> > root at fs1:/var/log/samba# cat /etc/nsswitch.conf | grep group
> > group:          files winbind systemd
> > root at fs1:/var/log/samba#
> >
> >
> >     Have you added uidNumber attributes to your users and a gidNumber to
> >     'Domain Users' ?
> >
> >     They are not added automatically, you need to add them manually.
> >
> >
> > Really? On the Wiki site I haven't found this information.
>
> It was there, just not very clearly, on the wikipage:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> Under the heading:
>
> Advantages and Disadvantages of the ad Back End
>
> It said this:
>
> The values for the RFC2307 attributes must be set manually.
>
> It now says:
>
> The values for the RFC2307 attributes are not created automatically,
> they must be added manually.
>
> > Could you tell me how I can do that?
>
> There are several ways: you can use ADUC on Windows; on later Windows
> versions that do not have the Unix Attributes tab, you can use the
> attributes editor.
>
> You can create users with the required attributes using samba-tool
>
> From Samba 4.12.0, you will be able to add RFC2307 attributes using
> samba-tool.
>
> There is a Python program created by Jonathon Reinhart, 'adman':
>
> https://gitlab.com/JonathonReinhart/adman
>
> You can use Ldap Account Manager
>
> You could write your own scripts around ldapsearch etc or ldbsearch etc
>
> Or to put it another way, this is Linux, there are multiple ways of
> doing this ;-)
>
> Rowland

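As an illustration of the "write your own scripts around ldapsearch etc or ldbsearch etc" option mentioned above, the following added example (not part of the thread and not Samba project code) audits an LDIF dump for groups without gidNumber, users without uidNumber, and users whose primaryGroupID, which holds a RID such as 513 and not a gidNumber, points at a group that has no gidNumber. The sample LDIF, the function names and the DC=intern,DC=example base DN are constructed; it assumes objectSid is printed as a string SID, as ldbsearch does.

```python
import base64
# Constructed sample (not from the thread), in the LDIF shape ldbsearch prints.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=intern,DC=example
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=intern,DC=example
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-512

dn: CN=alice,CN=Users,DC=intern,DC=example
objectClass: user
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=intern,DC=example
objectClass: user
primaryGroupID: 512
"""

def parse_ldif(text):
    """Return one {lowercased attr: [values]} dict per LDIF record."""
    records = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split records
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):         # skip comments/junk
                if value.startswith(":"):                # "attr:: <base64>"
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                rec.setdefault(attr.lower(), []).append(value.strip())
        records.append(rec)
    return [r for r in records if "dn" in r]

def audit(records):
    """Report objects lacking the RFC2307 attributes the 'ad' backend reads."""
    cls = lambda r: r.get("objectclass", [])
    groups = [r for r in records if "group" in cls(r)]
    users = [r for r in records if "user" in cls(r) and "computer" not in cls(r)]
    # primaryGroupID is a RID: the last component of the group's objectSid.
    mapped_rids = {g["objectsid"][0].rsplit("-", 1)[-1]
                   for g in groups if "gidnumber" in g and "objectsid" in g}
    return {
        "groups_without_gidNumber": [g["dn"][0] for g in groups if "gidnumber" not in g],
        "users_without_uidNumber": [u["dn"][0] for u in users if "uidnumber" not in u],
        "users_with_unmapped_primary_group": [
            u["dn"][0] for u in users if u.get("primarygroupid", [""])[0] not in mapped_rids],
    }
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` on the constructed sample flags Domain Admins as a group without gidNumber and bob on both user checks.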

