Web lists-archives.com

Re: [Samba] [samba] Winbindd without RFC2307 question




On Wed, 19 Jul 2017 15:33:46 +0200
mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi all,
> 
> I'm trying to set up some Samba files server retrieving users from
> AD. This AD has no RFC2307 installed yet.
> 
> The Linux system hosting this files server is Debian 9.0.
> 
> The issue is system side commands as "getent passwd some_user" or "id
> some_user" are not working, not showing any result.
> 
> Here is my whole smb.conf (shares will come later) :
> 
> [global]
>    workgroup = DOMAIN
>    realm = DOMAIN.TLD
>    security = ads
> 
>    winbind use default domain = true
>    winbind offline logon = false
> 
>    winbind nss info = template
>    template shell = /bin/bash
>    template homedir = /home/%U
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 10000-999999
> 
> 
>    idmap config DOMAIN:backend = ad
>    idmap config DOMAIN:schema_mode = template
>    idmap config DOMAIN:range = 16777216-33554431
> 
>    log level = 6
> 
> 
> Using that smb.conf "wbinfo -u" or -g are working, as is working
> "wbinfo -t some_user"
> 

Lets get this out of the way, just because wbinfo works is meaningless
to a Unix host.
You need to set up smb.conf, libnss_winbind and PAM to get the OS to
recognise your Windows users as Unix users.

From what you have posted, you need to do one of two things, either
set up RFC2307 attributes for your users & groups in AD, or use the
'rid' winbind backend. 
If you decide to go with the later, then change the 'idmap config'
lines to something like this:

    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba