
Re: [Samba] Samba to Domain Member Server Configs Messed Up, Now getent fails




:-o :-D

Thanks. Nothing was in AD.
Changed back to idmap config SAMDOM : backend = rid and getent worked again.

As an aside, does anyone know where I can find Windows KVM images?
Where the servers are hosted is remote, with no GUI access.


On Sun, Nov 19, 2017 at 11:00 AM, Rowland Penny <rpenny@xxxxxxxxx> wrote:
> On Sun, 19 Nov 2017 10:16:53 +0100
> Sina Owolabi via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hi List
>>
>> Absolutely confused newb here. Again.
>>
>> I noticed that the user gids and uids on my DCs were different from the
>> uids and gids I would find on the domain member file server. (I
>> created users with samba-tool). User UIDs on the DCs would start in
>> the 30000XX range, while on the file server, the uid would start in
>> the 1000XX range.
>> In an attempt to rectify this, I changed the smb.conf from
>>
>> [global]
>>     workgroup = SAMDOM
>>     security = ADS
>>     realm = SAMDOM.TESTING.COM
>>
>>     server string = Samba Server Version %v
>>
>>     winbind use default domain = yes
>>     winbind expand groups = 4
>>     winbind refresh tickets = Yes
>>
>>     idmap config *:backend = tdb
>>     idmap config *:range = 3000-9999
>>     idmap config SAMDOM : backend = rid
>>     idmap config SAMDOM : range = 10000-999999
>>     template shell = /bin/bash
>>     template homedir = /share/%U
>>
>> to (after reading the wiki):
>>
>>     workgroup = SAMDOM
>>     security = ADS
>>     realm = SAMDOM.TESTING.COM
>>
>>     server string = Samba Server Version %v
>>
>>     winbind use default domain = yes
>>     winbind expand groups = 4
>>     winbind refresh tickets = Yes
>>
>>     idmap config *:backend = tdb
>>     idmap config *:range = 3000-9999
>>     idmap config SAMDOM : backend = ad
>>     idmap config SAMDOM : unix_nss_info = yes
>>     idmap config SAMDOM: schema_mode = rfc2307
>>     idmap config SAMDOM : range = 3000000-9999999
>>     template shell = /bin/bash
>>     template homedir = /share/%U
>>
>> Now getent is no longer retrieving domain users and groups.
>> I know I have messed up, please how can I fix it?
>>
>
> Fairly obvious, put the smb.conf back to what it was ;-)
>
> The IDs you are getting on the DC are 'xidNumbers' and are only used on
> the DC (and unless you sync idmap.ldb to other DCs, used only on that
> DC)
> You have moved from the winbind 'ad' backend on the Unix domain member
> to the 'ad' backend and I am willing to wager a large amount that you
> have not added anything to AD.
> The only way to get the same IDs everywhere is to add uidNumber
> attributes to your user objects in AD and a gidNumber to Domain Users
> (at least). These uidNumber and gidNumber attributes must contain
> numbers inside the range you set in smb.conf and shouldn't be in the
> '3000000' range.
>
> Rowland

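
The check discussed in this thread, as an added example that is not part of the original messages: it parses the `idmap config` lines of the 'ad' backend smb.conf posted above and lists objects whose uidNumber/gidNumber is unset or outside the configured range. The `AD_OBJECTS` values and the function names are constructed for illustration; in practice the attributes would be read from AD.

```python
import re

# smb.conf fragment from the thread (the version using the 'ad' backend).
SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM: schema_mode = rfc2307
    idmap config SAMDOM : range = 3000000-9999999
"""

# Constructed sample of AD attributes; None means the attribute is not set.
AD_OBJECTS = [
    {"name": "alice", "attr": "uidNumber", "value": None},
    {"name": "bob", "attr": "uidNumber", "value": 10001},
    # Inside this config's range, though the reply advises against the 3000000 range.
    {"name": "carol", "attr": "uidNumber", "value": 3000500},
    {"name": "Domain Users", "attr": "gidNumber", "value": None},
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, opt, val = m.groups()
        if opt == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[opt] = val
    return domains

def check_objects(conf, domain, objects):
    """List objects the 'ad' backend cannot map: attribute unset or out of range."""
    low, high = parse_idmap(conf)[domain]["range"]
    problems = []
    for obj in objects:
        if obj["value"] is None:
            problems.append((obj["name"], f"{obj['attr']} not set"))
        elif not low <= obj["value"] <= high:
            problems.append((obj["name"], f"{obj['attr']} {obj['value']} outside {low}-{high}"))
    return problems

if __name__ == "__main__":
    for name, why in check_objects(SMB_CONF, "SAMDOM", AD_OBJECTS):
        print(f"{name}: {why}")
```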