Discussion:
[Samba] Samba4 Domain Member Server "Getent show diferents UID"
Juan Ignacio
2016-06-13 18:37:16 UTC
Rowland:

I'll use this email from now, the other does not work well.

A few years ago around 2.

We did everything that could be used for NIX and it worked.
The main DC_AD had been provisioned without rfc2307 and we did later.

The problem is that at that time by not having infrastructure had to be
used as fileserver and this was a problem because all directories are UID
of 3000000 onwards.

Now I installed a new server following the procedure here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

All seems to work well but UIDs are different when for example I run
wbinfo --user-info=uanaco

Primary AD-DC
ADDC1\uanaco:*:3000783:100:uanaco:/home/ADDC1/uanaco:/bin/false

member Server
uanaco:*:100642:100008:uanaco:/home/ADDC1/uanaco:/bin/false

This is a problem because my intention is to use this file server and
testify pass all directories Primary AD-DC to Member Server.

Is there any way the member server read the same UID as the primary-

Thanks, Rowland.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Juan Ignacio
2016-06-14 14:36:16 UTC
I go to answer all, here I go.

Have you given your users a uidNumber attribute ?

Not all, but I set it on my user and it does not work.

Have you given 'Domain Users' (at least) a gidNumber attribute ?

Not all, but I set it on my user and it does not work.

If you have done the above, have you run 'net cache flush' on the DC ?

Yes :-(

Is PAM set up correctly on the DC and domain member ?
Yes.

The smb.conf on the DC.

[global]
netbios name = XXXXXX
security = ADS
workgroup = XXXXXXX
realm = XXXXXXX

log file = /var/log/samba/%m.log
log level = 1

# idmap config used for your domain.
# Click on the following links for more information
# on the available winbind idmap backends,
# Choose the one that fits your requirements
# then add the corresponding configuration.

# Just adding the following three lines is not enough!!
# - idmap config ad
# - idmap config rid
# - idmap_config_autorid

idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes


[test]
read only = no
path = /testSamba
~

The smb.conf in the AD DC.

# Global parameters
[global]
workgroup = XXXXX
realm = XXXXXXXX
netbios name = XXXXXXX
server role = active directory domain controller
dns forwarder = xxx.xx.xxx.xxx
allow dns updates = nonsecure and secure
#server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
idmap_ldb:use rfc2307 = yes
#winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
#winbind nested groups = yes
log level = 3
log file = /var/log/samba/samba.log
# unix charset = ISO8859-1

#[netlogon antes]
#path = /usr/local/samba/var/locks/sysvol/xxxxxx/scripts
#read only = No




Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
Yes, but what does 'getent passwd ADDC1\uanaco' on the DC show ???
If it shows '3000783' as the user's UID, then, unless you have set the
user's uidNumber attribute to 3000783, you are not using RFC2307 attributes.
This is further backed up by the fact that the same user may get '100642'
as its UID on the domain member.
Have you given your users a uidNumber attribute ?
Have you given 'Domain Users' (at least) a gidNumber attribute ?
If you have done the above, have you run 'net cache flush' on the DC ?
Is PAM set up correctly on the DC and domain member ?
Rowland
Also can you post (as I asked) the smb.conf from the domain member.
Rowland
Juan Ignacio
2016-06-14 15:16:49 UTC
Sorry, this is the Domain Member smb.conf.
I'm using the latest Debian version.
Samba compiled from the sources.

[global]
netbios name = XXXXX
security = ADS
workgroup = XXXXXX
realm = XXXXXXX

log file = /var/log/samba/%m.log
log level = 1

# idmap config used for your domain.
# Click on the following links for more information
# on the available winbind idmap backends,
# Choose the one that fits your requirements
# then add the corresponding configuration.

# Just adding the following three lines is not enough!!
# - idmap config ad
# - idmap config rid
# - idmap_config_autorid

idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config XXXXXX : schema_mode = rfc2307
idmap config XXXXXX : backend = rid
idmap config XXXXXX : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes


[test]
read only = no
path = /testSamba


Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
For the third time, will you please post the smb.conf from your domain
member, not the one from your DC.
What OS are you using ?
Rowland
Juan Ignacio
2016-06-14 16:32:53 UTC
Rowland, a question.


"is to copy idmap.ldap from the first DC to all others and then keep them
in sync, the other is to use RFC2307 attributes."

Can I do the same with my member server? Maybe it works, or maybe not, it being a
member server.

Maybe I can change my Member Server to a Domain Controller and afterwards use
idmap, sync.

Is that OK?

Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
OK, you are using the winbind 'rid' backend on the domain member, this
ID = RID - BASE_RID + LOW_RANGE_ID
The BASE_RID is usually '0' unless you explicitly set it in smb.conf
you have set the LOW_RANGE_ID to '10000'
ID = RID - 0 + 10000
ID = 1002 - 0 + 10000
ID = 11002
The problem is that a Samba 4 AD DC uses something similar, but a
different method is used to allocate the UID, this is done by starting the
range from 3000000 and they seem to be allocated on a first come basis
(this is the reason why sysvol can have different numbers on each DC)
So, if you use 'rid' on domain members and idmap.ldb on DCs, you cannot
get the same UIDs & GIDs everywhere, the only way is to use RFC2307
attributes and set the domain members & DCs to use them.
Rowland
Juan Ignacio
2016-06-14 17:36:28 UTC
Ok, I have correctly configured the option to use RFC2307 in the Active Directory
Domain Controller and the option on the member server.

But anyway it is still showing bad UIDs.

Here we show how both configurations currently are.

Within RSAT I can place the UID attribute for example uanaco.

AD Domain Controller

wbinfo --user-info=uanaco
KENNEDY\uanaco:*:3000783:100:uanaco:/home/ADDC/uanaco:/bin/false

RSAT changed by UID 1111

wbinfo --user-info=uanaco
ADDC\uanaco:*:1111:100:uanaco:/home/ADDC/uanaco:/bin/false

member Server

wbinfo --user-info=uanaco
uanaco:*:100642:100008:uanaco:/home/ADDC/uanaco:/bin/false

After the change of UID.

wbinfo --user-info=uanaco
uanaco:*:100642:100008:uanaco:/home/ADDC/uanaco:/bin/false

When I add the UID number to uanaco, information within the AD Domain
Controller changed.

On the member server it did not change the UID.
If you want to have the same UIDs & GIDs everywhere, the only option is to
use RFC2307 attributes and the winbind 'ad' backend on Unix domain members
(note: a 'member server' is just a domain member that serves files,
printers etc)
You only need to give your users & groups a uidNumber or gidNumber
attribute, there is no need to give the BUILTIN users & groups a uidNumber
or gidNumber.
Rowland
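
An added example, not from the thread or the Samba project: a small Python check over the domain member's idmap lines that applies the rid formula quoted above, flags `schema_mode` paired with a backend other than `ad`, and reports which configured range an observed UID falls in. The domain name EXAMPLE and all function names are assumptions; the range filter applied to uidNumber follows the idmap_ad manual page.

```python
import re

# Constructed sample: the domain member's idmap lines from the thread, with the
# masked domain name replaced by the placeholder EXAMPLE.
MEMBER_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every active 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings do not count
        m = IDMAP_LINE.match(line)
        if m:
            domain, option, value = m.groups()
            opts = domains.setdefault(domain, {})
            if option.lower() == "range":
                low, high = value.split("-")
                opts["range"] = (int(low), int(high))
            else:
                opts[option.lower()] = value
    return domains


def rid_to_id(rid, opts):
    """rid backend, formula from the thread: ID = RID - BASE_RID + LOW_RANGE_ID."""
    low, high = opts["range"]
    unix_id = rid - int(opts.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None


def ad_to_id(uid_number, opts):
    """ad backend: take the RFC2307 uidNumber, but only inside the configured range."""
    low, high = opts["range"]
    if uid_number is None:
        return None  # user has no uidNumber attribute, so no mapping
    return uid_number if low <= uid_number <= high else None


def range_owner(domains, unix_id):
    """Name the idmap section whose range contains an observed UID/GID."""
    for domain, opts in domains.items():
        low, high = opts.get("range", (1, 0))
        if low <= unix_id <= high:
            return domain
    return None


def audit(domains):
    """Flag settings that keep RFC2307 attributes from being used on the member."""
    findings = []
    for domain, opts in domains.items():
        if "schema_mode" in opts and opts.get("backend") != "ad":
            findings.append(
                f"{domain}: schema_mode needs backend = ad, found {opts.get('backend')}"
            )
    return findings


if __name__ == "__main__":
    cfg = parse_idmap(MEMBER_CONF)
    print(audit(cfg))
    print(rid_to_id(1002, cfg["EXAMPLE"]))   # the RID used in the worked formula
    print(range_owner(cfg, 100642))          # UID the member reported for uanaco
    print(ad_to_id(1111, cfg["EXAMPLE"]))    # uidNumber set through RSAT
```

With the thread's values, the UID 100642 seen on the member falls in the default `*` range rather than the domain's own range, and a uidNumber of 1111 lies outside 10000-99999. Once the backend is `ad`, the domain's range has to cover the uidNumber values assigned in AD, or those users are not mapped.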
Juan Ignacio
2016-06-14 17:46:22 UTC
Yes, I ran 'net cache flush' on ADDC and MEMBER SERVER.

I'm using Win10 and Win7.
Try running 'net cache flush' on the Unix domain machines.
Can I ask what version of windows you are using ?
Rowland
Juan Ignacio
2016-06-14 17:51:02 UTC
The member server is still not in production, so I can do anything with it.
Juan Ignacio
2016-06-14 18:40:16 UTC
Yes, I use attributes on Win 10, and in Win7 I can see the tabs.

Yes, nsswitch.conf is correct, I think.


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
OK, if you are running RSAT on a windows 10 machine, can I suggest you use
a windows 7 machine instead, it is my understanding that win10 no longer
has the Unix attributes tab.
If you use ADUC on a win7 machine, you can install IDMU, this will get you
the Unix attributes tabs, when you add a UID to a windows user, it will
unixUserPassword
uid
msSFU30Name
msSFU30NisDomain
uidNumber
unixHomeDirectory
loginShell
Domain Users also needs to have a gidNumber attribute
If everything is setup correctly, you should get the same UID for a user
on a DC or domain member.
Is /etc/nsswitch.conf set up correctly ?
Rowland
Juan Ignacio
2016-06-15 13:49:38 UTC
Is there any test I can do to see if I need to configure something on the
member server?
Juan Ignacio
2016-06-15 17:55:44 UTC
The UIDs of the users in the output of "getent passwd" remain
different on the member server.
I gave the user uanaco a gid and a uid through RSAT.

***@memberserver:/usr/local/samba/etc# getent passwd | less
uanaco:*:100642:100008:uanaco:/home/ADSERVER/uanaco:/bin/false

Is there a service besides winbindd that needs to be running on the member server?

I'm currently running everything manually: "nmbd, smbd, samba, winbindd".
The startup script here did not work properly for me on Debian.

https://wiki.samba.org/index.php/Samba4/InitScript

How can we verify that the AD Domain Controller is using the RFC2307
attribute correctly?

How can we verify that the Member server is using the RFC2307 attribute and
receiving data?

I remember seeing configured correctly and from windows UIDs can be added
without problem, so I think the ADDC is doing its job well.

Thanks
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
If you have given your users a uidNumber attribute and 'Domain Users' a
gidNumber attribute, 'getent passwd username' should display info for each
user. If you do not get info for any users, check that libnss-winbind is set up
correctly.
Rowland