[Samba] New AD-DC missing some DNS Information
Robert Steinmetz AIA
rob at steinmetznet.com
Mon Feb 15 22:31:49 UTC 2021
Rowland penny via samba wrote:
> On 15/02/2021 17:38, Robert Steinmetz AIA wrote:
>> The /etc/resolv.conf is still getting overwritten.
> Probably systemd-resolved
I don't think so. systemd-resolved is not running. It is disabled and
There are a gazillion proposed methods to do this and I haven't figured
out which one looks good.
In the interim I locked it down with chattr +i /etc/resolv.conf I can
now reboot and it seems to work.
>> In my case I've added a user 'debbie'
>> # wbinfo -u
> Why does your Netbios domain name have a dot in it ?
Because that is the name of the sub-domain I used. Did I misunderstand
something? Our domain is steinmetznet.com which was my first attempt.
The next attempt added the sub-domain no.steinmetznet.com. In our
current NT Domain the domain name is something entirely different.
>> I created the user using samba-tool and supplied all of the Linux
>> options for /etc/passwd
>> # getent passwd 'debbie'
>> # grep 'debbie' /etc/passwd
> Do you have these packages installed: libpam-winbind libnss-winbind
I do now, I actually had some of the but not all.
> Do the passwd & group lines in /etc/nsswitch.conf look like this:
> passwd: files winbind systemd
> group: files winbind systemd
I figured I needed that, but I don't remember seeing that in any of the
documentation I reviewed. I did find a page on configuring winbindd but
not that is was required.
>>> If you use the 'ad' backend on Unix domain members, then you can use
>>> the uidNumber and gidNumber attributes from AD along with the other
>>> rfc2307 attributes,
>> That's what I think I did with samba-tool
>>> you can also opt to set the Unix home directories & login shell in
>>> the smb.conf (note: this is the only way to these on an AD DC or
>>> using anyother winbind backend.
>> I don't understand what you're saying here. Particularly the part
>> after the paren.
> OK, if you use the 'ad' backend on a Unix domain member, then you can
> (provide the 'idmap config' lines in smb.conf are set correctly) use
> the rfc2307 attributes from AD. If you use any other backend on a Unix
> domain member or log into a DC, then you must use the 'template shell'
> and 'template homedir' parameters. You can also use these template
> lines with the 'ad' backend if you wish.
> See 'man idmap_ad' and 'man idmap_rid' for more info.
I'm sorry I'm not following this. I added the "template shell =
/bin/bash' and 'template homedir= /home/%U' and 'user debbie' can now login.
What I think you're saying is that samba-tool user <username>
--login-shell and --unix-home don't have any effect on a DC.
My ultimate intention is to make all of our three samba servers backup
domain controllers. But before I undertake that I want to have a basic
understanding of the AD tools and requirements.
>>>> We have in the past used the /homes share to connect users to their
>>>> Linux home directory.
>>> You can still use the 'homes' share, though you will probably need a
>>> 'root preexec' script to create the users directory as they connect
>>> (I can help you with this), note that you shouldn't confuse a users
>>> Unix share with a the users Windows home directory.
>> In our current set up each user has a Windows profile and a Unix home
>> directory which is mounted as a /homes share to a drive letter. That
>> is used to store user specific information and things like the users
>> profile for email clients and other user specific information. I'm
>> not clear on what a Windows Home directory is. That is something I
>> think I can leave till later.
> You are mixing up the Windows home directory and the Unix home directory.
> The Windows home directory is the one you should link to the Windows
> Drive letter, the Unix home directory is what the user would use if
> they log into a Unix domain member.
Why can't they be the same directory? That is what we do now.
Steinmetz & Associates
New Orleans & Atlanta
More information about the samba