Web lists-archives.com

Re: [Samba] winbind rfc2307 not being obeyed




fedora's authconfig must edit a bunch of files

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski@xxxxxxxxx> wrote:
> I found what I needed to do
> DOMAIN=MIND.UNM.EDU
> SHORT=MIND
> authconfig --enablekrb5 --krb5kdc=${DOMAIN}
> --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind
> --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN}
> --smbservers=${DOMAIN} --smbworkgroup=${SHORT}
> --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash
> --enablemkhomedir --enablewinbindusedefaultdomain --update
>
> this worked
>
> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
>> On Mon, 30 Oct 2017 09:49:24 -0600
>> Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>
>>> OS:fedora-26
>>> SAMBA:4.6.8
>>> [root@squints ~]# cat /etc/samba/smb.conf
>>> [global]
>>>    security = ads
>>>    realm = MIND.UNM.EDU
>>>    workgroup = MIND
>>>    idmap config * : backend = tdb
>>>    idmap config * : range = 2000-7999
>>>    idmap config MIND:backend = ad
>>>    idmap config MIND:schema_mode = rfc2307
>>>    idmap config MIND:range = 8000-9999999
>>>    winbind nss info = rfc2307
>>>    winbind use default domain = yes
>>>    # so that the users show up in getent
>>>    winbind enum users = yes
>>>    # so that the groups show up in getent
>>>    winbind enum groups = yes
>>>    restrict anonymous = 2
>>>    #added the following 2 for the Badlock updates that change the
>>> defaults #to no longer work with my domain controllers
>>>    ldap server require strong auth = no
>>>    client ldap sasl wrapping = plain
>>>
>>> [root@squints ~]# getent passwd jsadowski
>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>
>>> however from an ubuntu machine with the same smb.conf it looks like so
>>> OS:ubuntu-16.04
>>> SAMBA:4.3.11
>>> root@daddles:~# getent passwd jsadowski
>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>
>>> which is how AD shows it as well.
>>>
>>> Did something change in newer versions of samba that I need to add
>>> more config options?
>>>
>>
>> Yes, there have been changes and no, you don't have to use them and
>> they wouldn't cause your problem.
>>
>> Your smb.conf shows you are using the 'ad' backend and you say you are
>> using the same smb.conf on both machines.
>>
>> So, why are there these different:
>>
>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>
>> Which RFC2307 attributes have you added to AD ?
>> The above user seems to have the same uidNumber, but Domain Users
>> seems to have two different gidNumbers (8513 and 8000), the
>> unixHomeDirectory also has two identities, as does loginShell
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba