Re: [Samba] Samba AD and NIS integration
- Date: Thu, 16 Nov 2017 10:46:17 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba AD and NIS integration
On Thu, 16 Nov 2017 10:08:32 +0000
Stephen Parry via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Thanks for your reply Rowland.
> > The id ranges are what you choose, reading this may help:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
> > > Is there any working way of controlling those ranges, given
> > > idmap breaks stuff?
> > What do you mean 'idmap breaks things' ?
> Sorry, should have made it clearer that my SAMBA is configured as AD
> Primary Domain Controller; According to
> idmapping does not work for AD Domain Controllers.
It does ;-)
> suggest many of the winbind parameters are simply ignored and I can
> confirm this is the case.
This is the main problem with using a Samba AD DC as a fileserver, you
can only use the uidNumber & gidNumber attributes.
> Ranges are clearly being set; if I create a user with uidNumber in
> the 30xxxxxx range,
Do you mean the '30000000' range as found on the DC ?
If so these numbers are 'xidNumber' attributes and are only used on a
> the user can log in to the linux shell correctly
> and her details are clearly visible in linux using the id command. If
> I use a lower uidNumber of say 3000, she can log in to linux, but
> the prompt shows "This user has no name!" and the id command fails to
> resolve her uid. There are ranges there but I have no control over
> them. Setting the correct domain specific settings in smb.conf appears
> to have no effect. I have tried.
If you have given a user a uidNumber attribute this should be used
instead of the xidNumber.
On a DC:
getent passwd rowland
On a Unix domain member:
getent passwd rowland
> > If you mean make the Unix OS know who the AD users and groups are,
> > then yes.
> Specifically, what I need is my Linux clients to be able to both log
> in locally and also connect to NFS shares on the server,
> authenticating using either LDAP or NIS, but in both cases using the
> same logins and passwords as the Windows clients who will be
> connecting to SMB shares using SMB protocols.
Forget ldap, forget nis, use winbind. I am typing this on a Unix domain
member, so I can assure you that it works.
> So far I have the auth working just locally on the server.
If you have the auth working, but cannot log in, it sounds like you do
not have libnss_winbind and/or nsswitch set up correctly.
> If I join my win clients to the domain, I believe that will also
> work, though I will try that last to avoid any catastrophes should
> I need to change the domain setup. However, linux client logins client
> to server NIS/LDAP/NFS connections are in the wind currently.
> I will trawl through the wiki again later, but what I am missing is
> full context. What is often not clear from the docs is whether or not
> what is documented there applies to / work with my specific set up,
> e.g. whether it works when you are using AD and a Samba PDC; whether
> it applies to clients local linux log on, etc.
If you can point to something in the wiki that is ambiguous, I will
try to explain it to you and if required, rewrite that part of the