[Samba] New AD-DC missing some DNS Information

Robert Steinmetz AIA rob at steinmetznet.com
Mon Feb 15 22:31:49 UTC 2021


Rowland penny via samba wrote:
> On 15/02/2021 17:38, Robert Steinmetz AIA wrote:
>>
>> The /etc/resolv.conf is still getting overwritten.
> Probably systemd-resolved
I don't think so. systemd-resolved is not running. It is disabled and 
masked.
There are a gazillion proposed methods to do this and I haven't figured 
out which one looks good.
In the interim I locked it down with chattr +i /etc/resolv.conf. I can 
now reboot and it seems to work.
>
>
>> In my case I've added a user 'debbie'
>> # wbinfo -u
>> NO.STEINMETZNET\administrator
>> NO.STEINMETZNET\guest
>> NO.STEINMETZNET\krbtgt
>> NO.STEINMETZNET\debbie
>
> Why does your Netbios domain name have a dot in it?
Because that is the name of the sub-domain I used. Did I misunderstand 
something? Our domain is steinmetznet.com which was my first attempt. 
The next attempt added the sub-domain no.steinmetznet.com. In our 
current NT Domain the domain name is something entirely different.
>
>> I created the user using samba-tool and supplied all of the Linux 
>> options for /etc/passwd
>>
>> # getent passwd 'debbie'
>> #
>>
>> # grep 'debbie' /etc/passwd
>> #
>
>
> Do you have these packages installed: libpam-winbind libnss-winbind 
> libpam-krb5
I do now, I actually had some of them but not all.
> Do the passwd & group lines in /etc/nsswitch.conf look like this:
>
> passwd: files winbind systemd
>
> group: files winbind systemd
I figured I needed that, but I don't remember seeing that in any of the 
documentation I reviewed. I did find a page on configuring winbindd but 
not that it was required.
>
>>
>>> If you use the 'ad' backend on Unix domain members, then you can use 
>>> the uidNumber and gidNumber attributes from AD along with the other 
>>> rfc2307 attributes,
>> That's what I think I did with samba-tool
>>> you can also opt to set the Unix home directories & login shell in 
>>> the smb.conf (note: this is the only way to set these on an AD DC or 
>>> using any other winbind backend).
>> I don't understand what you're saying here. Particularly the part 
>> after the paren.
>
>
> OK, if you use the 'ad' backend on a Unix domain member, then you can 
> (provided the 'idmap config' lines in smb.conf are set correctly) use 
> the rfc2307 attributes from AD. If you use any other backend on a Unix 
> domain member or log into a DC, then you must use the 'template shell' 
> and 'template homedir' parameters. You can also use these template 
> lines with the 'ad' backend if you wish.
>
> See 'man idmap_ad' and 'man idmap_rid' for more info.
I'm sorry I'm not following this. I added 'template shell = 
/bin/bash' and 'template homedir = /home/%U' and user 'debbie' can now log in.
What I think you're saying is that samba-tool user <username> 
--login-shell and --unix-home don't have any effect on a DC.
My ultimate intention is to make all of our three samba servers backup 
domain controllers. But before I undertake that I want to have a basic 
understanding of the AD tools and requirements.

>
>>
>>>
>>>>
>>>> We have in the past used the /homes share to connect users to their 
>>>> Linux home directory.
>>> You can still use the 'homes' share, though you will probably need a 
>>> 'root preexec' script to create the user's directory as they connect 
>>> (I can help you with this), note that you shouldn't confuse a user's 
>>> Unix share with the user's Windows home directory.
>> In our current set up each user has a Windows profile and a Unix home 
>> directory which is mounted as a /homes share to a drive letter. That 
>> is used to store user specific information and things like the users 
>> profile for email clients and other user specific information. I'm 
>> not clear on what a Windows Home directory is. That is something I 
>> think I can leave till later.
>
>
> You are mixing up the Windows home directory and the Unix home directory.
>
> The Windows home directory is the one you should link to the Windows 
> Drive letter, the Unix home directory is what the user would use if 
> they log into a Unix domain member.
Why can't they be the same directory? That is what we do now.

Steinmetz & Associates

New Orleans & Atlanta
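The two settings Rowland's replies turn on (winbind present on the passwd and group lines of /etc/nsswitch.conf, and 'template shell' / 'template homedir' set in smb.conf when logging in on a DC or with a non-'ad' backend) are easy to get half right, as this thread shows. The POSIX sh check below is an added example, not code from the thread or from the Samba project; file paths are passed as arguments so it can be run against the sample files it constructs itself, and the hypothetical function names (nss_has_winbind, smb_has_param, check_unix_login, count_problems, write_samples) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify the NSS and smb.conf settings
# that a Unix login through winbind needs. Sample files are constructed below.

# nss_has_winbind FILE DB: succeed if the uncommented "DB:" line lists winbind.
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:([^#]*[[:space:]])?winbind([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# smb_has_param FILE PARAM: succeed if PARAM is set to a non-empty value.
smb_has_param() {
    grep -E "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]" "$1" >/dev/null 2>&1
}

# check_unix_login NSSWITCH SMBCONF: report each finding; return the problem count.
check_unix_login() {
    problems=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "ok:      $db line in $1 includes winbind"
        else
            echo "missing: add winbind to the $db line in $1"
            problems=$((problems + 1))
        fi
    done
    # On a DC (or any backend other than 'ad') these two parameters are the
    # only way to give the user a shell and home directory.
    for param in "template shell" "template homedir"; do
        if smb_has_param "$2" "$param"; then
            echo "ok:      '$param' is set in $2"
        else
            echo "missing: set '$param' in [global] of $2"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# count_problems NSSWITCH SMBCONF: print the problem count, for scripting.
count_problems() {
    if check_unix_login "$1" "$2" >/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# write_samples DIR: constructed sample files, a broken pair and a fixed pair
# (the fixed pair mirrors the lines quoted in the thread).
write_samples() {
    printf 'passwd: files systemd\ngroup:  files systemd\n' > "$1/nsswitch.broken"
    printf '[global]\n    workgroup = EXAMPLE\n' > "$1/smb.broken"
    printf 'passwd: files winbind systemd\ngroup:  files winbind systemd\n' > "$1/nsswitch.fixed"
    printf '[global]\n    workgroup = EXAMPLE\n    template shell = /bin/bash\n    template homedir = /home/%%U\n' > "$1/smb.fixed"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "--- broken configuration ---"
check_unix_login "$dir/nsswitch.broken" "$dir/smb.broken" || echo "problems: $?"
echo "--- fixed configuration ---"
check_unix_login "$dir/nsswitch.fixed" "$dir/smb.fixed" || echo "problems: $?"
rm -rf "$dir"
```

Against a real host, call check_unix_login /etc/nsswitch.conf /etc/samba/smb.conf; a non-zero return is the number of lines still to fix. The check only confirms the parameters are present, so testparm -s remains the place to confirm smb.conf parses, and 'getent passwd' followed by a domain user is the end-to-end test the thread itself uses.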