
Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares




On Fri, 2 Mar 2018 14:32:15 +1100
Norman Gaywood <ngaywood@xxxxxxxxxx> wrote:

> On 1 March 2018 at 18:49, Rowland Penny <rpenny@xxxxxxxxx> wrote:
> 
> >
> > > idmap range not specified for domain '*'
> > > ERROR: Invalid idmap range for domain *!
> > >
> >
> > You haven't set the 'idmap config' lines correctly, which may mean
> > you are using sssd instead. If this is the case, then you are
> > asking in the wrong place, you need to ask on the sssd-users
> > mailing list.
> >
> 
> After reading a lot about idmap conf and idmap backends, I'm thinking
> that what I've been doing is not expressible with idmap.
> 
> What I need is what is described, much better than I did, here:
> 
>  https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
> 
> That is:
> 
> Samba will authenticate against AD, and then utilize the normal
> 'getent' system calls to gather the uid/gid numbers, and those will
> come from OpenLDAP, and/or the local system files as configured
> within the nsswitch.conf file.
> 
> Is this type of setup still possible?
> 
> 

Your Samba machine can be a Unix active directory domain member or it
can be a member of an NT4-style domain that uses ldap; it cannot be
both.
It can also authenticate from an ldap server on another machine; in
this case, it wouldn't be a domain member.
It should be possible to authenticate to the ldap server (or AD), but
you are getting into a bit of a mess here. Your users will need to
exist (separately) everywhere.  

I think you should consider just joining the Samba machine to the AD
domain and using the 'rid' backend. This way, your users & groups are
only stored in one place and you do not need to add anything to AD.

Rowland
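
The 'rid' setup suggested in the reply above, as an added example that is not part of the original thread and is not Samba's own code: two constructed smb.conf fragments (one missing the default-domain range, as in the quoted error, and one corrected) with a simplified checker for the 'idmap config' lines. SAMDOM, the realm and the numeric ranges are placeholder assumptions, and the checker is only an illustration; `testparm` remains the authoritative check.

```python
import re

# Constructed smb.conf fragment: AD member using the 'rid' backend, but the
# default domain ('*') has a backend and no range. All names are placeholders.
BROKEN = """
[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    idmap config * : backend = tdb
"""
# Corrected fragment: the default domain gets its own, non-overlapping range.
FIXED = BROKEN + "    idmap config * : range = 3000-7999\n"

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

def idmap_domains(conf):
    """Collect 'idmap config DOMAIN : option = value' lines per domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains

def check_idmap(conf):
    """Report missing, malformed or overlapping ranges (simplified check)."""
    problems, seen = [], []
    for dom, opts in idmap_domains(conf).items():
        if "range" not in opts:
            problems.append(f"idmap range not specified for domain '{dom}'")
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts["range"])
        if not m or int(m[1]) > int(m[2]):
            problems.append(f"invalid idmap range for domain '{dom}'")
            continue
        low, high = int(m[1]), int(m[2])
        for other, (olow, ohigh) in seen:
            if low <= ohigh and olow <= high:  # intervals intersect
                problems.append(f"idmap ranges for '{dom}' and '{other}' overlap")
        seen.append((dom, (low, high)))
    return problems

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_idmap(conf) or "ok")
```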


