[Samba] Problem with AD & idmap
Rowland Penny
rpenny at samba.org
Fri Mar 4 11:39:45 UTC 2022
On Fri, 2022-03-04 at 11:48 +0100, Lars Schimmer via samba wrote:
>
>
> At least our security department. Also I did run castleping on our
> domains and it was described as good practice to change that key
> every year.
> Over the end, that's just the Krb5TGTkey, it should not change the way
> users are found, as krb5 should accept the new key, too.
> Esp. if the client was added to domain AFTER the keychange.
So, just because one entity said to change the key, you did, words fail
me. Samba provides a script to change the script, but you decided to
change it from Windows.
>
> Checking file: /etc/samba/smb.conf
>
> #======================= Global Settings =======================
> [global]
> security = ADS
> workgroup = CGV
> realm = CGV.TUGRAZ.AT
> min protocol = SMB2
You do not require the above line, it is the default now.
> dns proxy = no
> bind interfaces only = yes
> interfaces = lo 129.27.218.0/24
> # Default idmap config for local BUILTIN accounts and groups
> # Mandatory, but hopefully not used, because the ids must not overlap
> idmap config * : backend = tdb
> idmap config * : range = 2000000-3000000
> #idmap config for the CGV domain
> idmap config CGV:backend = ad
> idmap config CGV:schema_mode = template
> #idmap config CGV:schema_mode = rfc2307
> # We have the Users group with id 100 - so we need to start at 100.
> # Probably a really bad idea, but at the moment we have no other choice
Why are you using 'users', a Unix group, what is wrong with Domain Users?
> idmap config CGV:range = 300-1999999
> idmap config CGV:unix_primary_group = yes
If every user's gidNumber is '100', then there is no point to the above line.
> idmap config CGV:unix_nss_info = yes
> #winbind nss info = template
> template shell = /bin/zsh
Is there some reason to use the 'Z' shell?
> template homedir = /home/%U
> winbind enum users = yes
> winbind enum groups = yes
I would suggest you remove the two lines above, you do not need them.
> winbind use default domain = yes
> map to guest = bad user
> #syslog only = yes
> panic action = /usr/share/samba/panic-action %d
> log file = /var/log/samba/%m.log
> log level = 10
>
> -----------
>
>
> Installed packages:
> ii  attr  1:2.4.48-6  amd64  utilities for manipulating filesystem extended attributes
You do not seem to have the 'acl' package installed.
Rowland
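The comment in the quoted smb.conf notes that the '*' range and the CGV range must not overlap, which is the kind of thing that is easy to get wrong when editing ranges by hand. The following added check is not part of this mail or of Samba's own tooling: it parses the 'idmap config' lines (the sample embedded below is constructed from the config quoted above) and reports overlapping or missing ranges.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 2000000-3000000
   idmap config CGV:backend = ad
   idmap config CGV:range = 300-1999999
"""

# Samba accepts 'idmap config DOM : key = value' with or without spaces around the colon.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def parse_idmap(text):
    """Return {DOMAIN: {key: value}} for every idmap config line, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def parse_range(val):
    """Turn 'LOW-HIGH' into a (low, high) tuple of ints, rejecting inverted ranges."""
    lo, hi = (int(x) for x in val.split("-", 1))
    if lo > hi:
        raise ValueError(f"range low end exceeds high end: {val}")
    return lo, hi

def check_idmap(text):
    """Return a list of problems; an empty list means the ranges are consistent."""
    cfg = parse_idmap(text)
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' block: BUILTIN and unknown SIDs cannot be mapped")
    ranges = {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            problems.append(f"{dom}: backend '{keys.get('backend', '?')}' has no range")
            continue
        ranges[dom] = parse_range(keys["range"])
    for (a, ra), (b, rb) in combinations(ranges.items(), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:  # the two intervals intersect
            problems.append(f"ranges overlap: {a} {ra} and {b} {rb}")
    return problems
```

Run it against the real file with `check_idmap(open("/etc/samba/smb.conf").read())`; the quoted config passes, while lowering the '*' range into the CGV range is reported as an overlap.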