Web lists-archives.com

Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares

Am Samstag, 3. März 2018, 17:27:56 CET schrieb Norman Gaywood via 
> On 2 March 2018 at 20:37, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx>
> wrote:
> > Your Samba machine can be a Unix active directory domain member or
> > it
> > can be a member of an NT4-style domain that uses ldap, it cannot be
> > both.
> > It can also authenticate from an ldap server on another machine, in
> > this case, it wouldn't be a domain member.
> > It should be possible to authenticate to the ldap server (or AD),
> > but
> > you are getting into a bit of a mess here. Your users will need to
> > exist (separately) everywhere.
> The users do exist separately everywhere (openldap and AD). Both
> openldap and AD are provisioning targets from the identity management
> system, so they both contain the users. AD does not have uid/gid
> information.
Your IM is the source for users and groups and fill both AD and openldap 
with the identical information. Is this true?

> > I think you should consider just joining the Samba machine to the AD
> > domain and use the 'rid' backend. This way, your users & groups are
> > only stored in one place and you do not need to add anything to AD.
> So the way I understand this, my samba server is joined to the AD
> domain.

> I think I know this because I can retrieve usernames and SID
> info from wbinfo.
This is not necessaryly true. I assume your AD and your Samba/Ldap has 
different domain names and different SIDs.
> Also, reading the idmap_rid man page, unix uid/gid numbers are
> determined algorithmically from the SID. But that would be wrong
> would it not? The uid/gid numbers are already defined on the unix
> system. So idmap_rid would not use the correct uid/gid numbers.
Yes. The standard setup use one DB of any kind for local unix users, via 
NSS and AD or NT style SAM for windows users.

The solution for you could be an other approach.

First one question:
The subject of this mail indicates that you have problems after updating 
from Fedora 26 to 27, versus samba 4.6 to 4.7. 
So, your Fedora 26 setup has worked properly? If this is true, why are you 
searching for new solutions. You should fix your upgrade procedure.

> Or am I missing something?
> I'm thinking perhaps I should implement an idmap_script backend that
> does something similar to idmap_nis.sh
> https://searchcode.com/codesearch/view/29414590/
> But, instead of using ypmatch (as in idmap_nis.sh) I would use "getent
> passwd" calls instead to map between uid/gid and the SID number from
> wbinfo.
> Thanks for listening and helping :-)


	Harry Jede
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba