[Samba] Samba as member of DC - NT_STATUS_LOGON_FAILURE
rpenny at samba.org
Fri Sep 11 18:25:31 UTC 2020
On 11/09/2020 19:03, Epsilon Minus via samba wrote:
> On Fri, 11 Sept 2020 at 4:17, Rowland penny via samba
> (<samba at lists.samba.org>) wrote:
>> On 10/09/2020 21:28, Epsilon Minus via samba wrote:
>>> Hello!
>>> And I have a problem with user validation. wbinfo works well, but I can't
>>> use the AD users.
>> Have you added uidNumber & gidNumber attributes to AD ?
> I use RFC2307 on the provision, but I don't edit anything of the uidNumber
> & gidNumber.
> I changed the backend to rid and the validation works, but I don't understand the change.
> security = ADS
> workgroup = GALERNA
> realm = GALERNA.COM.AR
> log file = /var/log/samba/%m.log
> log level = 10
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config GALERNA :backend = rid
> idmap config GALERNA:schema_mode = rfc2307
> idmap config GALERNA :range = 10000-999999
> username map = /etc/samba/user.map
> Is it okay? Or do I need to research more?

All that adding '--use-rfc2307' to the provision command does is add
a line to the DC's smb.conf that makes it use the RFC2307 uidNumber &
gidNumber attributes in AD in preference to the xidNumbers from
idmap.ldb. It also adds the ldif that provides the framework that the
ADUC Unix attributes tab relies on.

What it doesn't do is add any uidNumber or gidNumber attributes to
AD; you must add these manually yourself when creating users or groups.

If you do not add any uidNumber & gidNumber attributes to AD, you cannot
use the winbind 'ad' backend.

The winbind 'rid' backend calculates the user & group IDs from the RID
and the low range you set in the smb.conf on a Unix domain member. From
your range, the ID for Domain Users will be '10513'.
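
An added example, not part of the original message or of Samba's own code: a Python check that parses the idmap lines quoted above, applies the idmap_rid formula (ID = RID - base_rid + low end of the range), and flags overlapping ranges or an idmap_ad-only option set on another backend. The function names and the lenient handling of spacing around ':' are assumptions of this example.

```python
import re

# Constructed sample: the idmap lines quoted in the message above.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config GALERNA :backend = rid
idmap config GALERNA:schema_mode = rfc2307
idmap config GALERNA :range = 10000-999999
"""

# Assumption of this example: spacing around ':' and '=' is normalised here.
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, opt, val = m.groups()
        if opt == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[opt] = val
    return domains

def rid_to_unix_id(rid, cfg):
    """idmap_rid: ID = RID - base_rid + low end of range (base_rid defaults to 0)."""
    low, high = cfg["range"]
    unix_id = rid - int(cfg.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None  # None: outside the range

def lint(domains):
    """Flag overlapping ranges and idmap_ad-only options on another backend."""
    issues = []
    names = sorted(d for d in domains if "range" in domains[d])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = domains[a]["range"], domains[b]["range"]
            if al <= bh and bl <= ah:
                issues.append(f"ranges of {a} and {b} overlap")
    for dom, cfg in domains.items():
        if "schema_mode" in cfg and cfg.get("backend") != "ad":
            issues.append(f"{dom}: schema_mode only applies to the ad backend")
    return issues
```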