Discussion:
[Samba] id shows only primary group on domain member server
Daniel Thielking
2016-06-15 12:33:22 UTC
Hi,

now I have another problem. I compiled Samba 4.4.4 on a CentOS 7.2
server with no special options for ./configure.
Afterwards I followed the wiki article mentioned below
to join CentOS 7.2 as a member server to our existing AD.

WIKI Article:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Now, if I type id USERNAME I only get the user's UID, GID and only the
GID as the supplementary group; no more groups are showing up. What have
I missed?

Thanks Guys
Daniel
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Daniel Thielking
2016-06-15 13:00:55 UTC
cat /usr/local/samba/etc/smb.conf:

    # Entries for the Active Directory Samba4
    workgroup = SAMDOM
    realm = SAMDOM.LOCAL
    security = ADS

    # All template settings come directly from the AD
    # The shell is only set here for security reasons
    template shell = /bin/false
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    # Selecting the domain is not necessary here, because default domain uses the workgroup
    # Offline logon is off. Enabling it only makes sense on mobile devices
    winbind use default domain = true
    winbind offline logon = false
    #--authconfig--end-line--

    server string = Samba %v on %h
    local master = No

    # --------------------------- Logging Options -----------------------------
    #
    # Log File let you specify where to put logs and how to split them up.
    #
    # Max Log Size let you specify the max size log files should reach

    # logs split per machine
    log file = /usr/local/samba/var/log.%m
    # max 500KB per log file, then rotate
    max log size = 500
    log level = 1

    # Use settings from AD for login shell and home directory
    winbind nss info = rfc2307
    winbind refresh tickets = yes
    winbind cache time = 300
    winbind trusted domains only = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind expand groups = 4

    # Important: The ranges of the default (*) idmap config
    # and the domain(s) must not overlap!

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 1000000-1100000

    # idmap config for domain SAMDOM
    idmap config IAS:backend = ad
    idmap config IAS:schema_mode = rfc2307
    idmap config IAS:range = 500-999999

    # Set caching for GIDs/UIDs to 5 minutes
    idmap cache time = 300
    idmap negative cache time = 1

    # --------------------------- Printer Options -----------------------------
    load printers = no

    # --------------------------- Filesystem Options ---------------------------
    unix charset = UTF8
    dos charset = 850

    # For files
    # u-x g-x o-rwx
    create mask = 0660
    # ug+rw (SVN)
    force create mode = 0660

    # For directories
    directory mask = 0770
    force directory mode = 0770

    # Mappings of the special files under Windows
    map archive = no
    map hidden = no
    map read only = Permissions
    map system = no

    # Samba's behaviour towards special files
    wide links = no
    blocking locks = no
    delete veto files = yes
    hide files = /.*/desktop.ini/.DS_Store/
    hide special files = yes
    delete readonly = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # --------------------------- Share Definitions ---------------------------
> Can you please post your smb.conf from the domain member.
> Rowland
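
A consistency check for the idmap lines of an smb.conf like the one posted above, as an added example that is not part of the original thread or of Samba itself. It applies the non-overlap rule stated in the config's own comment and reports whether the workgroup has its own `idmap config` section; the function names are hypothetical and the sample is constructed from the posted values.

```python
import re

# Constructed sample: the idmap-related lines from the smb.conf posted above.
SAMPLE = """
workgroup = SAMDOM
idmap config *:backend = tdb
idmap config *:range = 1000000-1100000
idmap config IAS:backend = ad
idmap config IAS:schema_mode = rfc2307
idmap config IAS:range = 500-999999
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\S+)$", re.I)

def parse(text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "workgroup":
            workgroup = value.upper()
        match = IDMAP_RE.match(key)
        if match:
            domain, option = match.group(1).upper(), match.group(2).lower()
            domains.setdefault(domain, {})[option] = value
    return workgroup, domains

def check_idmap(text):
    """Return a list of findings; an empty list means the checks passed."""
    workgroup, domains = parse(text)
    findings, ranges = [], []
    for domain, opts in sorted(domains.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"{domain}: missing or invalid range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), domain))
    ranges.sort()  # sorted by lower bound, so any overlap shows up between neighbours
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges of {d1} and {d2} overlap")
    if workgroup and workgroup not in domains:
        findings.append(f"no idmap config section for workgroup {workgroup}")
    return findings
```

For the values as posted, the ranges do not overlap and the only finding is that the `idmap config` section is named IAS while the workgroup is SAMDOM; the thread does not say whether that difference exists in the real file.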
Volker Lendecke
2016-06-16 06:29:35 UTC
What happens if you do a "wbinfo -a <username>" successfully first?

Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:***@sernet.de

Daniel Thielking
2016-06-16 06:57:21 UTC
@ Rowland
I'm using the same configuration on a different domain member with
CentOS 7.2 with the packaged samba4 RPMs from the OS. If I try to use
`id USERNAME` I get the complete output, e.g. uid=USERNAME
gid=PRIMARY groups=PRIMARY, SUPGROUP1, SUPGROUP2.
Because of the parameter:
template shell = /bin/false
I read that this parameter is only active in case no login shell was
set in the AD. In my opinion it is a security feature to prevent users from
logging in without a login shell ;-).

I set all Unix-Attributes (RFC2307) in AD e.g.:

NIS-Domain: SAMDOM
UID: Chosen by ADUC
Login-Shell: /bin/tcsh
Home-Directory: /home/USERNAME
GID: PRIMARY

For the SUPGroups I am using the "Member Of" tab in ADUC.
As mentioned above, ALL of this works on the member server with packaged RPMs and
NOT on the compiled one mentioned earlier in my mails.

@Volker
If I enter "wbinfo -a USERNAME" I get the following output:

Enter USERNAME's password:
plaintext password authentication succeeded
Enter USERNAME's password:
challenge/response password authentication succeeded

I hope it helps. Thanks guys!