
Re: [Samba] problem map uuid users and group




On Thu, 14 Jun 2018 18:02:29 +0500
Шигапов Денис Вильданович via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> How do I make the user ID on the domain controller and the file server
> the same?
> 
> SERVER DC:
> [global]
>          netbios name = SRV-DC02
>          realm = EXAMPLE.RU
>          workgroup = EXAMPLE
>          server role = active directory domain controller
>          log level = 2 auth_json_audit:3
>          username map = /etc/samba/username_map
>          vfs objects = acl_xattr
>          store dos attributes = Yes
> 
> [root@srv-dc02 ~]# id vas.lah@xxxxxxxxxx
> uid=3000416(EXAMPLE\vas.lah) gid=100(users) 
> группы=100(users),3000416(EXAMPLE\vas.lah),3000051(EXAMPLE\domain 
> admins),3000054(EXAMPLE\группа с запрещением репликации паролей 
> rodc),3000055(EXAMPLE\администраторы wsus),3000056(EXAMPLE\wsus 
> administrators),3000035(EXAMPLE\1c_links_ут),3000001(BUILTIN\users),3000000(BUILTIN\administrators),3000057(BUILTIN\performance 
> log users),3000043(BUILTIN\performance monitor users)
> 
> 
> 
> SHARE:
> [global]
>    netbios name = SRV-SHARE
>    workgroup = EXAMPLE
>    realm = EXAMPLE.RU
>    server string = %h rsync host
>    # server role = member server
>    security = ads
> 
> [root@srv-share samba]# id vas.lah@xxxxxxxxxx
> uid=3188138(EXAMPLE.RU\vas.lah) gid=3000513(domain users) 
> группы=3000513(domain users),3188138(EXAMPLE.RU\vas.lah),3109633(wsus 
> administrators),3034556(1c_links_ут),3111123(администраторы 
> wsus),3100572(группа с запрещением репликации паролей 
> rodc),3100512(domain admins),3153446(администратор 4 
> категории),3000001(BUILTIN\users),3000000(BUILTIN\administrators)

The first thing to do is remove these lines from the Samba AD DC:

         username map = /etc/samba/username_map
         vfs objects = acl_xattr
         store dos attributes = Yes

They have no place in a Samba AD DC smb.conf.

There is only one way to have the same IDs everywhere on Unix and that
is to use the winbind 'ad' backend. This entails giving your users &
groups uidNumber & gidNumber attributes, then running 'net cache flush' on
the DC; most IDs will change.

You then need to set up the smb.conf correctly on the Unix domain
member (yours is correct as far as it goes, it just doesn't go far
enough).

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Anything you don't understand, or have questions about, please ask.

Rowland
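
The ID mismatch reported in this thread can be checked mechanically, since differing IDs mean file ownership and ACLs resolve to different accounts on each host. The following is an added example, not part of the original message or of Samba: it parses `id` output from two hosts and lists the names whose numeric IDs differ. The sample strings are constructed by abridging the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input: abridged from the `id` output quoted in the thread.
DC_ID = ("uid=3000416(EXAMPLE\\vas.lah) gid=100(users) "
         "группы=100(users),3000051(EXAMPLE\\domain admins),"
         "3000056(EXAMPLE\\wsus administrators),3000001(BUILTIN\\users)")
MEMBER_ID = ("uid=3188138(EXAMPLE.RU\\vas.lah) gid=3000513(domain users) "
             "группы=3000513(domain users),3100512(domain admins),"
             "3109633(wsus administrators),3000001(BUILTIN\\users)")
DOMAINS = {"EXAMPLE", "EXAMPLE.RU"}  # workgroup and realm from the smb.conf files

# uid=N(name) gid=N(name) <label>=N(name),...  The third label is locale dependent.
LINE = re.compile(r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\([^)]*\)\s+\S+?=(.*)")
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")

def normalize(name, domains=DOMAINS):
    """Lower-case a name and drop a leading DOMAIN\\ prefix of the AD domain."""
    prefix, sep, rest = name.partition("\\")
    return rest.lower() if sep and prefix.upper() in domains else name.lower()

def parse_id(output):
    """Map 'user:<name>' / 'group:<name>' to the numeric ID shown by `id`."""
    # Collapse whitespace so output wrapped across lines is handled too.
    m = LINE.match(" ".join(output.split()))
    if m is None:
        raise ValueError("not recognisable as `id` output")
    ids = {"user:" + normalize(m.group(2)): int(m.group(1))}
    for gid, name in ENTRY.findall(m.group(4)):
        ids["group:" + normalize(name)] = int(gid)
    return ids

def id_mismatches(host_a, host_b):
    """Names present on both hosts whose numeric IDs differ."""
    a, b = parse_id(host_a), parse_id(host_b)
    return {n: (a[n], b[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]}

if __name__ == "__main__":
    for name, (dc, member) in id_mismatches(DC_ID, MEMBER_ID).items():
        print(f"{name}: DC={dc} member={member}")
```

Once both hosts map IDs consistently, `id_mismatches` should return an empty dict for every user checked. Names containing a closing parenthesis are not handled.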

