Web lists-archives.com

Re: [Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?




On Mon, 19 Nov 2018 15:29:44 +0000
"Barry D. Adkins via samba" <samba@xxxxxxxxxxxxxxx> wrote:


> >Where did you find this and where have you imported this to and how.
> Here: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

That is Samba's version of IDMU, didn't know it worked with a Windows
DC, good to know though.

> 
> You have to have the schema in the Active Directory Schema.  So you
> either have to add it to a Samba AD Schema or the Windows AD Schema.

You have to have it for the Unix attributes tab in ADUC. The actual
RFC2307 attributes are part of the standard Windows AD schema.

> 
> I used the windows tool LDIFDE to import the schema to the Windows AD
> Schema.  Otherwise there is no schema for the Unix Attributes. 

Yes there is.

>  From
> my reading about Unix Services for Windows it would have added to the
> schema, and I assume it would have at least been the ypServ30 stuff.
> It's 55 entries.

It just adds the required framework for ADUC to work.

> 
> I found and deduced that Samba wasn't adding the needed Schema, and
> the wiki clearly addressed how to add it for a Samaba AD further
> indicating that Samba was not somehow otherwise going to add the
> needed schema entries.

Samba, when running as a Unix domain member, doesn't add anything to
AD.

> >There wouldn't be, everything on the Samba wiki refers to Samba and
> >there is very little about Windows directly. You need to do an
> >internet search to find out what you need to install on your
> >>Windows 2012 DC and how to do it.
> 
> Well I understand it's Samba, but it's integrating I suspect quite a
> lot with Windows companion servers.  It provides substantial detail
> where Windows tools must be used, AD Users & Computers, Access List
> permissions, etc.  I'm not trying to be critical, but if there are
> assumptions about the Windows Environment it would help if they are
> stated.  Clearly I did miss things that were in the wikis, so your
> patience with me has been appreciated.

The Samba wiki is just that, it is a wiki about using Samba. Whist it
touches on using Samba with a Windows AD DC, it is not a Windows wiki.

If you are going to continue using a Windows DC, then you really should
use Windows documentation for this, for whilst Samba is trying to
become compatible with Windows, it isn't quite there yet. 
 
> >The big point behind using a Samba AD DC is that you don't need to
> >pay for Server licences and CAL's for the clients. You could try
> >joining a Samba DC to the domain and then add the yp30server.ldif,
> >replication will then do the rest.
> 
> But I already have all the Windows Servers, clients, and licenses.  I
> began this journey to migrate away from it.  Yes, I could join a
> Samba DC but I was trying to take one step at a time thinking that
> would be perhaps a more complicated task, AND my first migration step
> was based on the need to setup a file server with replicated storage.

As I said, joining a Samba DC to an existing Windows AD domain is the
easiest thing you will have to do.

> 
> Never the less, I got the schema into the Windows AD.  The uid's and
> gid's are there for all users and groups.  It really was not
> difficult getting the schema into the Windows AD once I knew I needed
> to do it.

I personally wouldn't have thought of trying what you did, but it seems
to have worked.
> 
> >The Samba DC is the easiest part of that and will be the easiest way
> >to install the required IDMU framework.

Which you have now proved isn't really the case.

> 
> So, there is more to the IDMU framework than the AD Schema?  Should I
> remove the added schema before doing the Samba DC or just leave it?

Leave it, you need it.

> I don't see a problem leaving it as it will be needed anyway.  It
> would be added to the Samba Schema and then replicated to the Windows
> DCs, so I wouldn't need to add it to the Samba DC as it would get it
> from the replica it receives when it joins the Domain.

Not sure just what Samba packages you have installed on the Debian
computer, but you may have the schema text files installed, they are
in /usr/share/samba/setup/ad-schema on my Debian computer. These will
show you what objectclasses and attributes are available to you,
including thr RFC2307 attributes that are standard in AD. You also
already have the yp30server.ldif, an examination of this will show you
what you added to AD, most of which is never used, the important bit is
this:

CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com

Which is where 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' live,
these are required by the Unix attributes tab in AD.

> 
> If I do the Samba DC, I'll either have to leave the Windows Servers
> doing DHCP and DNS or deal with doing all that in Linux/Samba now....
> I'd rather do that later.

Again this is easy, we have a wiki page for this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba