
Re: [Samba] idmap config ad




On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Trying to use the idmap config ad on a domain member. The AD is an
> actual Windows server and when logged in the AD server running ADUC
> the NIS domain field on the UNIX attributes tab only shows a dash and
> cannot be changed.

Does Domain Users have a gidNumber attribute containing a number
inside the '10000-99999' range?

Do any Active Directory groups have such a gidNumber?

> 
> Domain member is RHEL 7.6 running Samba 4.8.3.
> 
> Pertinent part of smb.conf:
> =====================================
> [global]
>         security = ADS
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.LOCAL
>         server string = mydomain
> 
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
> 
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-8999
>         idmap config MYDOMAIN : backend = ad
>         idmap config MYDOMAIN : schema_mode = rfc2307
>         idmap config MYDOMAIN : range = 10000-99999
>         idmap config MYDOMAIN : unix_nss_info = yes
> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
> =====================================
> 
> The documentation seems to strictly point to using a Samba AD with the
> RSAT utility and here we're logged right on to the Windows AD using
> the native ADUC application.

ADUC is part of RSAT and the Samba 'ad' backend works in the same way
that the Unix Attributes tab does.

Rowland

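The check asked about in the reply above, written as an added example (not part of the original thread and not Samba code): it parses the `idmap config` lines from the quoted smb.conf, confirms the ranges do not overlap, and flags entries whose uidNumber/gidNumber is missing or outside the `ad` backend's range. The directory entries, the names `unixadmins`, `alice` and `bob`, and the helper function names are constructed for illustration.

```python
import re
# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-8999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : range = 10000-99999
"""

# Constructed directory entries (hypothetical), shaped like LDAP query results.
ENTRIES = [
    {"name": "Domain Users", "kind": "group", "gidNumber": None},
    {"name": "unixadmins", "kind": "group", "gidNumber": "10001"},
    {"name": "alice", "kind": "user", "uidNumber": "10500"},
    {"name": "bob", "kind": "user", "uidNumber": "2000"},
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            if opt == "range":
                val = tuple(int(x) for x in val.split("-"))
            domains.setdefault(dom, {})[opt] = val
    return domains

def overlapping(domains):
    """Return neighbouring domain pairs whose ID ranges overlap (should be empty)."""
    rs = sorted((d["range"], name) for name, d in domains.items() if "range" in d)
    return [(a[1], b[1]) for a, b in zip(rs, rs[1:]) if b[0][0] <= a[0][1]]

def check_entries(entries, id_range):
    """Return (name, attribute, problem) for IDs missing or outside id_range."""
    low, high = id_range
    problems = []
    for e in entries:
        attr = "gidNumber" if e["kind"] == "group" else "uidNumber"
        raw = e.get(attr)
        if raw is None or not low <= int(raw) <= high:
            problems.append((e["name"], attr, "missing" if raw is None else "out of range"))
    return problems
```

Calling `check_entries(ENTRIES, parse_idmap(SMB_CONF)["MYDOMAIN"]["range"])` reports the constructed `Domain Users` group (no gidNumber) and `bob` (uidNumber below the range).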