[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
Gary Dale
gary at extremeground.com
Wed Apr 26 18:40:53 UTC 2023
On 2023-04-26 13:54, Rowland Penny via samba wrote:
>
>
> On 26/04/2023 18:27, Gary Dale via samba wrote:
>
>> No. I am running the tests suggested by the various Samba wiki pages.
>> I can do a getent passwd <local account> on my workstation and on my
>> file & print server but I can't do a getent passwd <domain account>
>> except on my DC. I explicitly showed that in the message before the
>> one you replied to. I also showed how I can't do a login to a domain
>> account except on the DC.
>>
>> This failure to get domain account information seems likely to be at
>> the heart of the problems I'm having.
>>
>>
>
> So you are running 'getent passwd gary' and getting no output, this is
> usually caused by libpam-winbind and libnss-winbind not being
> installed, or /etc/nsswitch.conf not being configured correctly, the
> relevant lines from mine look like this:
>
> passwd: files winbind
> group: files winbind
Installed and configured correctly.
>
> Or pam-auth-update is configured correctly, again these are the lines
> from mine:
>
> [*] Unix authentication
> [*] Winbind NT/Active Directory authentication
> [*] Register user sessions in the systemd control group ...
> [*] Create home directory on login
>
Have an extra entry for systemd that is checked but have Create home
directory on login unchecked. Shouldn't cause the problems I'm seeing.
> Or you are using the 'ad' idmap backend on a Unix domain member and
> haven't added a uidNumber attribute to the users and added a gidNumber
> attribute to the Domain Users group. The numbers you use in these
> attributes have to be unique, though you can use the same range for
> users and groups, that is 'gary' could have the ID 10000 and Domain
> Users could also have the same ID 10000. Whatever numbers you use, the
> Domain idmap config line in smb.conf must enclose those numbers e.g.
> idmap config DOMAIN : range = 10000-999999
Ah, so that explains it. I originally was using autorid because that
seemed the best fit for my circumstances but you complained about me
doing that. Re-reading the
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
I see it mentions that I have to add the uidNumber and gidNumber
attributes without actually telling me how to do it.
I found
https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Adding_Unix_attributes_to_an_existing_user_account
which gives insufficient instruction in the matter. I note, for example,
the line:
samba-tool user addunixattrs sambauser uid --gid-number=gid
--login-shell=/bin/bash --unix-home=/home/sambauser
which I think may be better written as:
samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid>
--login-shell=/bin/bash --unix-home=/home/<sambauser>
followed by an example showing reasonable values (or some discussion
about what those values should be). My immediate reaction would be to
use normal Linux user ids (i.e. starting at 1000 on Debian) and group
ids (i.e. 100 is the normal group for users). However, you have reacted
in horror to that idea, so this would probably be a good wiki to present
an explanation as to why it is a bad idea.
>
> You may have done all of these, if so I will have another think.
>
> Rowland
>
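As an added example (not from this thread or from the Samba project): a small POSIX shell check that reads the `idmap config DOMAIN : range` line from an smb.conf and reports whether a candidate uidNumber or gidNumber falls inside it before it is handed to `samba-tool user addunixattrs`. The smb.conf fragment and the domain name SAMDOM are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check that a candidate
# uidNumber/gidNumber lies inside "idmap config DOMAIN : range" before giving
# it to samba-tool, since the ad idmap backend ignores IDs outside that range.

# Constructed smb.conf fragment for the demo; SAMDOM is a hypothetical domain.
SMB_CONF_SAMPLE='[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
'

# idmap_range FILE DOMAIN -> prints "LOW HIGH" for that domain, exit 1 if absent.
idmap_range() {
    awk -v dom="$2" '
        BEGIN { re = "^[ \t]*idmap[ \t]+config[ \t]+" tolower(dom)
                re = re "[ \t]*:[ \t]*range[ \t]*=" }
        tolower($0) ~ re {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, "")
            split($0, r, "-"); print r[1], r[2]; found = 1; exit
        }
        END { exit found ? 0 : 1 }' "$1"
}

# id_in_range FILE DOMAIN NUMBER -> exit 0 if NUMBER is inside the domain range,
# 1 if outside, 2 if no range line exists for that domain.
id_in_range() {
    range=$(idmap_range "$1" "$2") || return 2
    low=${range% *}; high=${range#* }
    [ "$3" -ge "$low" ] && [ "$3" -le "$high" ]
}

# Demo with the two values discussed in the thread: 1000 (a normal Debian user
# id) and 10000 (Rowland's example). Writes the constructed config to a temp file.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s' "$SMB_CONF_SAMPLE" > "$tmp"
    for uid in 1000 10000; do
        if id_in_range "$tmp" SAMDOM "$uid"; then
            echo "$uid: inside the SAMDOM range, usable with samba-tool user addunixattrs"
        else
            echo "$uid: outside the SAMDOM range, winbind would ignore it"
        fi
    done
    rm -f "$tmp"
}
demo
```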