Web lists-archives.com

Re: [Samba] Samba to Domain Member Server Configs Messed Up, Now getent fails




On Sun, 19 Nov 2017 10:16:53 +0100
Sina Owolabi via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi List
> 
> Absolute confused newb here. Again.
> 
> I noticed that the user gid and uids on my DCs were different from the
> uids and gids I would find on the domain member file server. ( I
> created users with samba-tool). User UIDs on the DCs would start in
> the 30000XX range, while on the file server, the uid would start in
> the 1000XX range.
> In an attempt to rectify this, I changed the smb.conf from
> 
> [global]
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.TESTING.COM
> 
>     server string = Samba Server Version %v
> 
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind refresh tickets = Yes
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-9999
>     idmap config SAMDOM : backend = rid
>     idmap config SAMDOM : range = 10000-999999
>     template shell = /bin/bash
>     template homedir = /share/%U
> 
> to (after reading the wiki):
> 
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.TESTING.COM
> 
>     server string = Samba Server Version %v
> 
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind refresh tickets = Yes
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-9999
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : unix_nss_info = yes
>     idmap config SAMDOM: schema_mode = rfc2307
>     idmap config SAMDOM : range = 3000000-9999999
>     template shell = /bin/bash
>     template homedir = /share/%U
> 
> Now getent is no longer retrieving domain users and groups.
> I know I have messed up, please how can I fix it?
> 

Fairly obvious, put the smb.conf back to what it was ;-)

The IDs you are getting on the DC are 'xidNumbers' and are only used on
the DC (and unless you sync idmap.ldb to other DCs, used only on that
DC)
You have moved from the winbind 'ad' backend on the Unix domain member
to the 'ad' backend and I am willing to wager a large amount that you
have not added anything to AD.
The only way to get the same IDs everywhere is to add uidNumber
attributes to your user objects in AD and a gidNumber to Domain Users
(at least). These uidNumber and gidNumber attributes must contain
numbers inside the range you set in smb.conf and shouldn't be in the
'3000000' range.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba