Re: [Samba] Samba AD and NIS integration

On Thu, 16 Nov 2017 10:08:32 +0000
Stephen Parry via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thanks for your reply Rowland.
> > The id ranges are what you choose, reading this may help:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
> >
> > > Is there any working way of controlling those ranges, given
> > > idmap breaks stuff?
> > What do you mean 'idmap breaks things' ?
> >
> Sorry, should have made it clearer that my Samba is configured as AD
> Primary Domain Controller; according to
> https://wiki.samba.org/index.php/Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File,
> idmapping does not work for AD Domain Controllers.

It does ;-)

> Other pages
> suggest many of the winbind parameters are simply ignored and I can
> confirm this is the case.

This is the main problem with using a Samba AD DC as a fileserver, you
can only use the uidNumber & gidNumber attributes.

> Ranges are clearly being set; if I create a user with uidNumber in
> the 30xxxxxx range, 

Do you mean the '30000000' range as found on the DC ?
If so these numbers are 'xidNumber' attributes and are only used on a
> the user can log in to the linux shell correctly
> and her details are clearly visible in linux using the id command. If
> I use a lower uidNumber of say 3000, she can log in to linux, but
> the prompt shows "This user has no name!" and the id command fails to
> resolve her uid. There are ranges there but I have no control over
> them. Setting the correct domain specific settings in smb.conf appears
> to have no effect. I have tried.

If you have given a user a uidNumber attribute this should be used
instead of the xidNumber.

On a DC:
getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

On a Unix domain member:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> > If you mean make the Unix OS know who the AD users and groups are,
> > then yes.
> Specifically, what I need is my Linux clients to be able to both log
> in locally and also connect to NFS shares on the server,
> authenticating using either LDAP or NIS, but in both cases using the
> same logins and passwords as the Windows clients who will be
> connecting to SMB shares using SMB protocols.

Forget ldap, forget nis, use winbind. I am typing this on a Unix domain
member, so I can assure you that it works.

> So far I have the auth working just locally on the server. 

If you have the auth working, but cannot log in, it sounds like you do
not have libnss_winbind and/or nsswitch set up correctly.

> If I join my win clients to the domain, I believe that will also
> work, though I will try that last to avoid any catastrophes should
> I need to change the domain setup. However, linux client logins client
> to server NIS/LDAP/NFS connections are in the wind currently.
> I will trawl through the wiki again later, but what I am missing is
> full context. What is often not clear from the docs is whether or not
> what is documented there applies to / works with my specific set up,
> e.g. whether it works when you are using AD and a Samba PDC; whether
> it applies to clients local linux log on, etc.

If you can point to something in the wiki that is ambiguous, I will
try to explain it to you and if required, rewrite that part of the
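As an added example that is not part of this thread: a small POSIX shell check for the two things the reply above points at when authentication works but login does not, namely winbind being listed in nsswitch.conf for passwd and group, and getent returning the uidNumber set in AD rather than an auto-allocated id. The nsswitch.conf contents and the getent line below are constructed sample data; on a real box you would point it at /etc/nsswitch.conf and the output of `getent passwd <user>`.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.

# Return 0 if nsswitch.conf ($1) lists winbind for database $2 (passwd, group).
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" \
        | grep -Eq '(^|[[:space:]])winbind([[:space:]]|$)'
}

# Print the uid field of a passwd-format line (name:x:uid:gid:gecos:home:shell).
# Works for both "SAMDOM\rowland:..." (DC) and "rowland:..." (member) forms.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the uid returned by NSS ($1, a getent line) equals the
# uidNumber expected from AD ($2); 1 otherwise.
uid_matches() {
    [ "$(passwd_uid "$1")" = "$2" ]
}

# Constructed sample data so the script runs offline.
SAMPLE_NSS="$(mktemp)"
cat > "$SAMPLE_NSS" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
EOF
# Same shape as the "On a Unix domain member" line quoted in the reply.
SAMPLE_GETENT='rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# Run all checks; returns 0 only when every one passes.
check_all() {
    nss_has_winbind "$SAMPLE_NSS" passwd || { echo "passwd: winbind missing"; return 1; }
    nss_has_winbind "$SAMPLE_NSS" group  || { echo "group: winbind missing";  return 1; }
    uid_matches "$SAMPLE_GETENT" 10000   || { echo "uid does not match uidNumber"; return 1; }
    echo "nsswitch and uid resolution look correct"
}

check_all
rm -f "$SAMPLE_NSS"
```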

