[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Rowland Penny rpenny at samba.org
Wed Apr 26 19:21:59 UTC 2023



On 26/04/2023 19:40, Gary Dale via samba wrote:
> 
> On 2023-04-26 13:54, Rowland Penny via samba wrote:
>>
>>
>> On 26/04/2023 18:27, Gary Dale via samba wrote:
>>
>>> No. I am running the tests suggested by the various Samba wiki pages. 
>>> I can do a getent passwd <local account> on my workstation and on my 
>>> file & print server but I can't do a getent passwd <domain account> 
>>> except on my DC. I explicitly showed that in the message before the 
>>> one you replied to. I also showed how I can't do a login to a domain 
>>> account except on the DC.
>>>
>>> This failure to get domain account information seems likely to be at 
>>> the heart of the problems I'm having.
>>>
>>>
>>
>> So you are running 'getent passwd gary' and getting no output, this is 
>> usually caused by libpam-winbind and libnss-winbind not being 
>> installed, or /etc/nsswitch.conf not being configured correctly, the 
>> relevant lines from mine look like this:
>>
>> passwd:         files winbind
>> group:          files winbind
> 
> installed and configured correctly
> 
> 
>>
>> Or pam-auth-update is configured correctly, again these are the lines 
>> from mine:
>>
>> [*] Unix authentication
>> [*] Winbind NT/Active Directory authentication
>> [*] Register user sessions in the systemd control group ...
>> [*] Create home directory on login
>>
> Have an extra entry for systemd that is checked but have Create home 
> directory on login unchecked. Shouldn't cause the problems I'm seeing.
> 
> 
>> Or you are using the 'ad' idmap backend on a Unix domain member and 
>> haven't added a uidNumber attribute to the users and added a gidNumber 
>> attribute to the Domain Users group. The numbers you use in these 
>> attributes have to be unique, though you can use the same range for 
>> users and groups, that is 'gary' could have the ID 10000 and Domain 
>> Users could also have the same ID 10000. Whatever numbers you use, the 
>> Domain idmap config line in smb.conf must enclose those numbers e.g.
>> idmap config DOMAIN : range = 10000-999999
> 
> Ah, so that explains it. I originally was using autorid because that 
> seemed the best fit for my circumstances but you complained about me 
> doing that. Re-reading the 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba I see it mentions that I have to add the uidNumber and gidNumber attributes without actually telling me how to do it.
> 
> I found 
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_using_samba-tool_and_ldb-tools#Adding_Unix_attributes_to_an_existing_user_account which gives insufficient instruction in the matter. I note, for example, the line:
> samba-tool user addunixattrs sambauser uid --gid-number=gid 
> --login-shell=/bin/bash --unix-home=/home/sambauser
> 
> which I think may be better written as:
> 
> samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid> 
> --login-shell=/bin/bash --unix-home=/home/<sambauser>
> 
> followed by an example showing reasonable values (or some discussion 
> about what those values should be). My immediate reaction would be to 
> use normal Linux user ids (i.e. starting at 1000 on Debian) and group 
> ids (i.e. 100 is the normal group for users). However, you have reacted 
> in horror to that idea, so this would probably be a good wiki to present 
> an explanation as to why it is a bad idea,
> 

Try reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Which will lead you to this:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
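The point made above about the 'idmap config DOMAIN : range' line having to enclose every uidNumber/gidNumber, as an added check that is not part of the thread and not Samba's own tooling: a POSIX sh snippet that reads the range for a domain from an smb.conf and tests whether a given ID falls inside it. The smb.conf fragment and the SAMDOM domain name are constructed for the example; on a real member server you would point it at /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Constructed smb.conf fragment for the example (SAMDOM is an assumed domain name).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
EOF

# Print "LOW HIGH" for the idmap range of DOMAIN in CONF; fail if no range line exists.
idmap_range() {
    conf=$1; domain=$2
    sed -n "s/^[[:space:]]*idmap config ${domain}[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p" "$conf" \
        | head -n 1 | grep .
}

# Return 0 if ID lies inside DOMAIN's range, 1 if it lies outside, 2 if no range is configured.
# An ID outside the range is exactly the case where winbind will not map the AD user/group.
id_in_range() {
    conf=$1; domain=$2; id=$3
    range=$(idmap_range "$conf" "$domain") || return 2
    low=${range% *}; high=${range#* }
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# uidNumber 10000 (the value used in the thread) versus a Debian-style local uid of 1000.
id_in_range "$SAMPLE_CONF" SAMDOM 10000 && echo "10000 is inside the SAMDOM range"
id_in_range "$SAMPLE_CONF" SAMDOM 1000 || echo "1000 is outside the SAMDOM range"
```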



