
Re: [Samba] Access to sharing by hostname but not by its IP




Ok, let's try again :)
The idmap range is set from 700 to 3000300.
The range from 700 to 999 is reserved for the default idmap and from 1000 to
3000300 for users and groups.

On 25/07/2017 at 17:39, Rowland Penny via samba wrote:
> If you use the winbind 'ad' backend, then any user you want to be
> visible to Unix, must have a uidNumber attribute containing a number
> inside the 'DOMAIN' range set in smb.conf. 

Yes, it was already like this.


> The user's Unix primary group must also have a gidNumber attribute
> containing a number inside the same range.

Ah?
No, it was not.
The primary group for all the users was "Domain Users" with the gid set to
513. So I defined a new group that I called "Domain Standard Users" with
GID set to 2513. All users have this group as a primary group and for
each user, I've changed the value of gidNumber to 2513.


> Before Samba 4.6.0 this meant that 'Domain Users' must have a
> gidNumber. From 4.6.0 this changes. You now need to give your users a
> gidNumber containing the Unix ID number of a group and the group would
> have to have a gidNumber attribute containing the same number.

An example is always better:

A user called myident has a uidNumber set to 1072.
This user is a member of different groups but its primary is "Domain
Standard Users" whose gidNumber is set to 2513.

Am I right?

> For instance, if you have a group in AD called 'unixgroup' and this
> group has a gidnumber attribute containing the ID '10000', then to make
> this group your users' Unix primary group, you would add 'gidNumber:
> 10000' to the users' AD objects.

Well, after reading this I'm not sure now...


> You would also need to add a line to
> smb.conf:
> 
> idmap config SAMDOM:unix_primary_group = yes
> 
> If you do not have the above line in smb.conf, then, as far as I
> understand, it still works in the same way as earlier versions i.e.
> Domain Users needs a gidNumber.

I did not add this line in smb.conf as I understand it is not necessary.


> If everything else is set up correctly, 'getent passwd username' should
> show the user's info and until it does, your user is unknown to Unix.

Yeah!
You are a king!

# getent passwd myident
myident:*:1072:2513:Marc-Henri Pamiseux:/home/MYDOMAIN/myident:/bin/bash

# getent group "domain standard users"
domain standard users:x:2513:

Strange that no one appears as a member of that group. But it is their
primary group so it may be usual.
I will check other stuff but Samba is presented under better auspices.

Regards,
-- 
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97
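
A check built on the rules discussed in this thread, added here as an example (not code from the list or from the Samba project): it reads the domain's idmap range from an smb.conf fragment and lists why a user would stay unknown to Unix. The AD records, the user 'olduser' and the helper names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment; ranges and domain name taken from the message above.
SMB_CONF = """[global]
    idmap config * : range = 700-999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 1000-3000300
"""
# Constructed AD attributes (hypothetical 'olduser' still has Domain Users as primary group).
GROUPS = {"Domain Users": {"gidNumber": 513}, "Domain Standard Users": {"gidNumber": 2513}}
USERS = {
    "myident": {"uidNumber": 1072, "gidNumber": 2513, "primaryGroup": "Domain Standard Users"},
    "olduser": {"uidNumber": 1073, "primaryGroup": "Domain Users"},
}
OPTION = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def domain_settings(conf, domain):
    """Return (low, high, unix_primary_group) for one 'idmap config' domain."""
    opts = {}
    for line in conf.splitlines():
        m = OPTION.match(line)
        if m and m.group(1).upper() == domain.upper():
            opts[m.group(2).lower()] = m.group(3)
    low, high = (int(n) for n in opts["range"].split("-"))
    return low, high, opts.get("unix_primary_group", "no").lower() == "yes"

def check_user(user, groups, low, high, unix_primary_group):
    """List the reasons a user would stay unknown to Unix; empty means OK."""
    def in_range(n):
        return n is not None and low <= n <= high
    problems = []
    if not in_range(user.get("uidNumber")):
        problems.append("uidNumber missing or outside domain range")
    if unix_primary_group:  # primary group comes from the user's own gidNumber
        gid = user.get("gidNumber")
        if not in_range(gid):
            problems.append("user gidNumber missing or outside domain range")
        elif gid not in {g.get("gidNumber") for g in groups.values()}:
            problems.append("no group carries gidNumber %d" % gid)
    else:  # earlier behaviour: the AD primary group itself needs a gidNumber
        if not in_range(groups.get(user["primaryGroup"], {}).get("gidNumber")):
            problems.append("primary group '%s' has no gidNumber in range" % user["primaryGroup"])
    return problems

def audit(conf=SMB_CONF, domain="MYDOMAIN"):
    low, high, upg = domain_settings(conf, domain)
    return {name: check_user(u, GROUPS, low, high, upg) for name, u in USERS.items()}

if __name__ == "__main__":
    print(audit())
```

On a real member server the attribute values would come from the AD objects themselves, and 'getent passwd username' remains the final check.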
