Re: [Samba] idmap config ad
- Date: Mon, 28 Jan 2019 14:27:48 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] idmap config ad
On Mon, 28 Jan 2019 09:10:58 -0500
Sonic via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Trying to use the idmap config ad on a domain member. The AD is an
> actual Windows server and when logged in the AD server running ADUC
> the NIS domain field on the UNIX attributes tab only shows a dash and
> it cannot be changed.
Does Domain Users have a gidNumber attribute containing a number
inside the '10000-99999' range?
Do any Active directory groups have such a gidNumber ?
>
> Domain member is RHEL 7.6 running Samba 4.8.3.
>
> Pertinent part of smb.conf:
> =====================================
> [global]
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> server string = mydomain
>
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-8999
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 10000-99999
> idmap config MYDOMAIN : unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> =====================================
>
> The documentation seems to strictly point to using a Samba AD with the
> RSAT utility and here we're logged right on to the Windows AD using
> the native ADUC application.
ADUC is part of RSAT and the Samba 'ad' backend works in the same way
that the Unix Attributes tab does.
Rowland
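
Added example, not part of the original thread: a Python sketch of the check asked about above, namely whether the gidNumber values stored in AD fall inside the range configured for the domain's `ad` backend, plus a test that no two idmap ranges overlap. The function names and the sample gidNumber values are constructed for illustration; the idmap lines are the ones quoted in the message.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-8999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 10000-99999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(domains, domain):
    """Return (low, high) from the domain's 'range = low-high' setting."""
    low, high = domains[domain.upper()]["range"].split("-")
    return int(low), int(high)

def overlapping(domains):
    """Return every pair of idmap domains whose ID ranges overlap."""
    spans = {d: id_range(domains, d) for d in domains if "range" in domains[d]}
    return [(a, b) for a, b in combinations(sorted(spans), 2)
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]

def check_ids(domains, domain, entries):
    """entries maps an AD object name to its uidNumber/gidNumber (None if unset).
    Return the names whose ID is missing or outside the domain's range."""
    low, high = id_range(domains, domain)
    return sorted(n for n, v in entries.items() if v is None or not low <= v <= high)

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    # Constructed gidNumber values, as they might be read from AD.
    groups = {"Domain Users": 10000, "Domain Admins": None, "staff": 5000}
    print("overlapping ranges:", overlapping(conf))
    print("not mappable by the ad backend:", check_ids(conf, "MYDOMAIN", groups))
```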