Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares

On 2 March 2018 at 20:37, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Your Samba machine can be a Unix active directory domain member or it
> can be a member of an NT4-style domain that uses ldap, it cannot be
> both.
> It can also authenticate from an ldap server on another machine, in
> this case, it wouldn't be a domain member.
> It should be possible to authenticate to the ldap server (or AD), but
> you are getting into a bit of a mess here. Your users will need to
> exist (separately) everywhere.

The users do exist separately everywhere (openldap and AD). Both openldap
and AD are provisioning targets from the identity management system, so
they both contain the users. AD does not have uid/gid information.

> I think you should consider just joining the Samba machine to the AD
> domain and use the 'rid' backend. This way, your users & groups are
> only stored in one place and you do not need to add anything to AD.

So the way I understand this, my samba server is joined to the AD domain. I
think I know this because I can retrieve usernames and SID info from wbinfo.

Also, reading the idmap_rid man page, unix uid/gid numbers are determined
algorithmically from the SID. But that would be wrong, would it not? The
uid/gid numbers are already defined on the unix system. So idmap_rid would
not use the correct uid/gid numbers.

Or am I missing something?

I'm thinking perhaps I should implement an idmap_script backend that does
something similar to idmap_nis.sh


But, instead of using ypmatch (as in idmap_nis.sh) I would use "getent
passwd" calls instead to map between uid/gid and the SID number from wbinfo.

Thanks for listening and helping :-)

Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood@xxxxxxxxxx  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
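
The getent-based idmap_script idea raised in the message above, sketched as an added example (not code from the post or from the Samba project). It assumes the idmap_script calling convention and the wbinfo output formats described in its comments; `DOMAIN` and `MIN_ID` are hypothetical values.

```sh
#!/bin/sh
# Added example (not from the thread): idmap_script helper that answers with the
# uid/gid numbers already defined on the Unix side instead of computing them.
# Assumed interface: "SIDTOID <sid>", "IDTOSID UID <n>", "IDTOSID GID <n>";
# one reply line "UID:<n>", "GID:<n>" or "SID:<sid>"; non-zero exit = no mapping.
# Assumed wbinfo output: -s prints 'DOMAIN\name <type>' (1=user, 2=group),
# -n prints '<sid> <type name> (<type>)'.
DOMAIN="EXAMPLE"   # hypothetical NetBIOS domain name
MIN_ID=1000        # hypothetical floor: never map an AD name onto a system id

sid_to_id() {
    # Accept only S-1-<digits and hyphens> before calling wbinfo.
    case "$1" in S-1-*[!0-9-]*) return 1 ;; S-1-[0-9]*) ;; *) return 1 ;; esac
    out=$(wbinfo -s "$1") || return 1
    type=${out##* }        # trailing SID type number
    name=${out% *}         # 'DOMAIN\name' (name may contain spaces)
    name=${name#*\\}       # drop the 'DOMAIN\' prefix
    case "$type" in
        1) tag=UID; id=$(getent passwd "$name" | cut -d: -f3) ;;
        2) tag=GID; id=$(getent group "$name" | cut -d: -f3) ;;
        *) return 1 ;;
    esac
    [ -n "$id" ] || return 1             # no local entry: no mapping
    [ "$id" -ge "$MIN_ID" ] || return 1  # refuse root and system accounts
    printf '%s:%s\n' "$tag" "$id"
}

id_to_sid() {   # $1 = UID or GID, $2 = numeric id
    case "$2" in ""|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge "$MIN_ID" ] || return 1
    case "$1" in
        UID) name=$(getent passwd "$2" | cut -d: -f1) ;;
        GID) name=$(getent group "$2" | cut -d: -f1) ;;
        *) return 1 ;;
    esac
    [ -n "$name" ] || return 1
    out=$(wbinfo -n "$DOMAIN\\$name") || return 1
    printf 'SID:%s\n' "${out%% *}"
}

if [ $# -gt 0 ]; then
    case "$1" in
        SIDTOID) sid_to_id "$2" ;;
        IDTOSID) id_to_sid "$2" "$3" ;;
        *) exit 1 ;;
    esac
fi
```

If nsswitch.conf lists winbind for passwd or group, restrict the lookups to the authoritative source with getent's `-s` option so they do not go back through winbind.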
