Re: [Samba] Opensolaris-ish joins but does not seem to be valid
- Date: Tue, 10 Oct 2017 15:19:06 -0500 (CDT)
- From: Andrew Martin via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid
----- Original Message -----
> From: "samba" <samba@xxxxxxxxxxxxxxx>
> To: "samba" <samba@xxxxxxxxxxxxxxx>
> Sent: Tuesday, October 10, 2017 12:02:11 PM
> Subject: Re: [Samba] Opensolaris-ish joins but does not seem to be valid
> On Tue, 10 Oct 2017 11:28:09 -0500 (CDT)
> Andrew Martin <amartin@xxxxxxxxxxx> wrote:
>> > Is this from the Opensolaris-ish machine?
>> > I expected to see a smb.conf file from a Unix domain member.
>> > If it is from the machine where you are getting '[NT
>> > AUTHORITY]\[ANONYMOUS LOGON]', then can you try 'getent passwd
>> > username'. By default winbind doesn't enumerate users and groups.
>> Running "getent passwd username" does not return anything on the
>> client machine.
> Then you have a problem; your users and groups seem to be unknown to
> the underlying OS.
>> The Solaris CIFS service, aka smb/server, is joined to the domain
>> with "smbadm join -u Administrator example.com" and once joined you
>> can query AD users using "idmap show -cV user@xxxxxxxxxxx". By
>> default, idmapd uses "Ephemeral mapping", so AD users are represented
>> locally by a randomly-chosen, high-numbered uid rather than their
>> actual uid as stored in uidNumber or elsewhere in AD. This is
>> undesirable, so we have reconfigured idmap to use
>> "directory-based mapping" instead:
> If you provisioned the Samba AD DC with --use-rfc2307, then I think you
> should have gone with the IDMU mapping, what we call around here
> 'RFC2307'. By using this, you will be doing something very similar to
> using the winbind 'ad' backend and will be able to use RSAT on a WIN 7
> or 8.1 to admin it.
It has been a while, but the last time I looked into IDMU mode I thought
Samba didn't support it. I thought Windows AD required a separate
installer to be run to add IDMU mode and then some extra fields in AD
needed to be created and proactively synced on a regular basis (e.g.
syncing from the normal userPassword field to unixUserPassword). Are
there any guides or information on how to set up IDMU mode on a Samba DC?
At least on Solaris, it sounds like IDMU is not 100% identical to RFC2307:
> IDMU adds a "UNIX Attributes" panel to the Active Directory Users and
> Computers user interface that lets the administrator specify a number
> of UNIX-related parameters: UID, GID, login shell, home directory, and
> similar for groups. These parameters are made available through AD
> through a schema similar to (but not the same as) RFC2307, and through
> the NIS service.