Web lists-archives.com

Re: [Samba] [samba] Member server winbind issue

On Sun, 23 Jul 2017 14:13:52 +0200
mathias dufresne <infractory@xxxxxxxxx> wrote:

>  winbind nss info = rfc2307
>  idmap config * : backend = tdb
>  idmap config * : range = 3000-7999
>  idmap config AD:backend = ad
>  idmap config AD:schema_mode = rfc2307
>  idmap config AD:range = 8000-99999999
> I see two differences: ranges and spaces around ":" but I don't expect
> these spaces are mandatory.

No, not mandatory, just easier to read and Samba will ignore the spaces.

> Both group and user have uidNumber and gidNumber declared in AD,
> inside the range defined by "idmap config AD:range = 8000-99999999"
> dc02:~# ldbsearch -H $sam cn="domain users" dn objectclass gidNumber
> # record 1
> dn: CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=tld
> objectClass: top
> objectClass: group
> gidNumber: 20000002
> So, here again, it seems to to be OK.

Everything looks okay.

> And I'm still completely puzzled.

Just a thought, does the libnss_winbind package match the rest of the
Samba packages ?

> DC are 4.6.5, I'll try to upgrade Samba client to some 4.6 too. I
> don't really expect this to change anything.

You will then need to use the 'new' idmap config settings.

> DC were provisioned without RFC2307. I set it up yesterday using
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup
> So I've added the following line in DCs smb.conf:
> idmap_ldb:use rfc2307 = yes
> after I followed "Installing the NIS Extensions" paragraph (with
> mainly copy/paste).
> After these changes by DC side I was able to manage Unix attributes
> with ADUC from some Windows client, which seems to mean the changes
> were correct.

If everything is correct, then it should work, what does running
'pam-auth-update' show ?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba