Web lists-archives.com

Re: [Samba] Windows pre-requisites for login with winbind?




Please, could the documentation be enhanced so that it mentions this prerequisite? (Domain Users group must have gidnumber attribute set, and it must be inside idmap range)?



Dňa 25.08.2017 o 18:37 tuharsky--- via samba napísal(a):
Hi, Rowland

You were right, it was the Domain Users issue. After setting the gidnumber to a number inside range, users are there.

Thank You.


And as of change from AD to RIS, the 'net cache flush' is not enough.

For the record, I must have rebooted the server. Probably the records have been stored in some NIS cache or so too, that I don't know how to flush on-the-fly. After the reboot, the RIS works.

Thank You


Dňa 25.08.2017 o 16:28 Rowland Penny via samba napísal(a):
On Fri, 25 Aug 2017 16:03:08 +0200
"Mgr. Peter Tuharsky via samba" <samba@xxxxxxxxxxxxxxx> wrote:

Rowland,


I'm following this thread because I'm trying to use Linux member
server (Debian 9) and use Windows AD users in Linux (filesystem etc).

It seems I have working Kerberos and to a degree, Winbind too,
because both

wbinfo -u

wbinfo -g

give me valid and complete results.
This just shows that winbind can contact and connect to AD


However I'm stuck with NIS.

First I attempted to use AD idmap with settings (smb.conf)

idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-9999999
The above looks okay

idmap_ldb:use rfc2307 = yes
You should only use the above line on a DC

winbind nss info = rfc2307
winbind use default domain = true
The above two lines are okay

winbind enum users = yes
winbind enum groups = yes
You should only add the above two lines for testing purposes.


When I issue

#getent group

I get only few groups with nonempty gidnumber attribute. This I can
understand, but

#getent passwd

dosen't bring me any AD user, althought they all have valid uidnumber
attribute that is well inside the idmap range.
Does 'Domain Users' have a gidNumber inside '10000-9999999'
If it doesn't, then ALL your users will be ignored


Now, I also try to use RID, as it seems better to go this way, however
it dosen't work for me either, and it still displays only those groups
as before, and they still have gidnumber from AD, not the computed one
from RID.

It seems I'm missing something.
Try running 'net cache flush'

The 'rid' backend should work without any changes to AD, as long as the
user is in AD and isn't in /etc/passwd.

Rowland







--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba