
Re: [Samba] Member Server Configuration




On Thu, 9 Nov 2017 21:47:11 -0000
Roy Eastwood via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thanks Rowland.
> See inline comments.
> 
> > On Thu, 9 Nov 2017 17:08:52 -0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > See inline Comments:
> > 
> > On Thu, 9 Nov 2017 16:11:49 -0000
> > Roy Eastwood via samba <samba at lists.samba.org> wrote:
> > 
> > > Hi,
> > > I have a Debian Stretch machine with Louis' samba 4.7.1 package
> > > installed. I have configured it as a member server and joined it
> > > to my test domain. I tried the idmap rid back end and all
> > > worked OK, but am now trying the idmap ad back end. I have
> > > users' home folders saved to a users share on the member server,
> > > configured to allow auto-creation of home folders when the
> > > Windows user logs in for the first time. That's working OK
> > > after some adjustments to the NTFS and share permissions, which
> > > vary from the Samba Wiki page
> > > (https://wiki.samba.org/index.php/User_Home_Folders) after
> > > reading this: https://support.microsoft.com/en-gb/help/555046.
> > > Also, if users are allowed to log in locally as a Unix user to the
> > > member server, I found that the Unix permissions had to include
> > > rwx for the domain users group, otherwise they are unable to
> > > access their home folder. Does the Wiki need updating?
> > 
> > Probably not.
> 
> OK, fine, but I couldn't get auto-creation of home folders to work
> with just the settings in the Wiki.

If you are talking about auto-creating users' home folders on
Unix machines, this is quite easy, when you know how ;-)

Add this line to /etc/pam.d/common-session

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

Then when a user logs in, if the user's homedir doesn't exist, it will
be created.

> > > I either
> > > allocate a UID/GID in AD - in which case I can log in OK.
> > > However, if I use the username map parameter in smb.conf along
> > > with the appropriate file user.map to map administrator to root,
> > > the Wiki says do not allocate a UID and GID in AD. So I took
> > > these off, but I cannot log in now to the member server as
> > > administrator. Neither does administrator show up in the output
> > > of getent passwd.
> > 
> > Ah, but you are using a user.map, which maps 'Administrator' to
> > 'root', so guess who you should log onto the Unix machine as ?
> 
> Yes, indeed. Actually I use another user and then sudo, but it winds up
> as the same thing.

It also works from Windows: you can do things from Windows on a Unix
machine, set Windows ACLs, etc.

> So the section on the Wiki page for "Mapping the Domain Administrator
> Account to the local root user" is never going to work for logging
> onto the member server itself? I assume therefore this will only
> apply if the administrator on another member client machine saves
> files etc.; they will be owned by root rather than the Domain
> Administrator account? If so, I misunderstood the purpose of that
> section!

Yes, that is basically how it works, but it goes further: it allows you
to do the things that Administrator does on Windows on Unix domain
members.

Rowland
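
As an added example that is not part of the original thread, a small POSIX shell audit of the pam_mkhomedir line Rowland gives: it reports whether the line is active and which umask newly created home folders will receive (the `umask=0022` above leaves them readable by every local account on the member server). The function names are my own and the sample PAM files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a PAM session file for the
# pam_mkhomedir line quoted above and report the umask new home folders get (POSIX sh + awk).

# Print the umask pam_mkhomedir will apply, or a status word: "missing" when no
# active "session ... pam_mkhomedir.so" line exists (no auto-creation), "default"
# when the line has no umask= option (the module's default applies).
mkhomedir_umask() {
    awk '
        /^[[:space:]]*#/ { next }              # skip commented-out lines
        $1 ~ /^-?session$/ && /pam_mkhomedir\.so/ {
            found = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; exit }
            print "default"; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Return 0 when the umask leaves the "other" read bit unmasked (any local
# account can list new home folders), 1 when it is masked, 2 when the value
# is not a 3- or 4-digit octal umask.
umask_allows_other_read() {
    case "$1" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) return 2 ;;
    esac
    rest=${1%?}                                # all but the last digit
    last=${1#"$rest"}                          # last digit = "other" bits
    case "$last" in
        [0-3]) return 0 ;;
        *)     return 1 ;;
    esac
}

# One-line verdict for a PAM session file such as /etc/pam.d/common-session.
audit_common_session() {
    u=$(mkhomedir_umask "$1")
    case "$u" in
        missing) echo "$1: pam_mkhomedir not active; home folders will not be auto-created" ;;
        default) echo "$1: pam_mkhomedir active with the module's default umask" ;;
        *) if umask_allows_other_read "$u"; then
               echo "$1: pam_mkhomedir umask=$u; other users can read new home folders"
           else
               echo "$1: pam_mkhomedir umask=$u; new home folders are not world-readable"
           fi ;;
    esac
}
if [ "$#" -gt 0 ]; then audit_common_session "$1"; fi
```

Run it as `sh audit.sh /etc/pam.d/common-session` on the member server; a umask such as 0027 or 0077 keeps other local accounts out of freshly created home folders.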


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba