On 2013-04-11 01:14, François Lafont wrote:
On 10/04/2013 06:59, Gémes Géza wrote:
You should check rfc2307 on the samba AD, if your users do not have
uidNumber gidNumber attributes they are going to be ignored by the
winbind daemon if you specify rfc2307 schema mode on the domain member.
If I have understood, when I don't use rfc2307 in the dc server (this is
the default) and if I don't use rfc2307 in the member server with this
config:
-------------------------------------------------------------------
# No refer to "rfc2307".
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
It seems to work well, but the uid and the gid of the domain accounts
are different between the dc and the member. And if I use the rfc2307,
then it's possible to have the same uid and gid on the dc and the
member. Is it correct?
For the moment, I haven't succeeded in using "rfc2307" with a dc and a
member. Without "rfc2307", I think it works well with:
1. For the dc:
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
realm = CHEZMOI.PRIV
netbios name = WHEEZY-SERVER
server role = active directory domain controller
dns forwarder = 212.27.40.241
[netlogon]
path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-------------------------------------------------------------------
2. And for the member:
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
It works well (imho), but, for each account, the uid/gid are different
between the dc and the member, and I don't like it.
When I try to use "rfc2307", it doesn't work for me (but I'm probably
making mistakes). For example, I have tried this:
1. On the dc server:
# samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
    --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
    --use-rfc2307
that creates this smb.conf:
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
realm = CHEZMOI.PRIV
netbios name = WHEEZY-SERVER
server role = active directory domain controller
dns forwarder = 212.27.40.241
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
-------------------------------------------------------------------
Next, I use winbind in nsswitch.conf in order to resolve the uid/gid -->
names.
2. On the member, I edit this smb.conf file (found here
https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):
-------------------------------------------------------------------
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config CHEZMOI:backend = ad
idmap config CHEZMOI:schema_mode = rfc2307
idmap config CHEZMOI:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
and I join the server with "net ads join" (next I use winbind too in
nsswitch.conf).
Next, I create an account in the dc (samba-tool user add test1
--random-password) and, under a Windows station, I edit this account
with dsa.msc and I set:
- the UID attribute in the "Unix attributes" tab
- the GID attribute in the "Unix attributes" tab
But the dc and the member seem to ignore these values and, for example,
with "getent passwd" the uid/gid are different for each user between the
dc and the member.
If you have advice or links on installing a dc and a member so that the
uid/gid are the same between the dc and the member, it would interest me
very much. :-)
Thanks in advance.
PS: and very sorry for my poor English.
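The check below is an added example for this thread, not code from either poster or from the Samba project. It reads the member's idmap configuration for the domain, walks an LDIF export of the users container, and reports which accounts idmap_ad in rfc2307 schema mode can map: entries without uidNumber/gidNumber are skipped (as Géza says above), and idmap_ad likewise only maps IDs inside its configured range. It then diffs two "getent passwd" outputs to spot exactly the uid/gid mismatch between dc and member described above. The smb.conf fragment, the LDIF and the getent lines are all constructed sample data.

```python
"""Which AD users will a Samba member's idmap_ad (rfc2307) backend map?
Added example for this thread; not Samba's own code. All inputs below are
constructed sample text shaped like smb.conf, an LDIF export and getent."""
import re

# Constructed smb.conf fragment, mirroring the member config in the thread.
MEMBER_SMB_CONF = """
[global]
workgroup = CHEZMOI
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config CHEZMOI:backend = ad
idmap config CHEZMOI:schema_mode = rfc2307
idmap config CHEZMOI:range = 500-40000
winbind nss info = rfc2307
"""

# Constructed LDIF: test1 is complete and in range, test2 has no Unix
# attributes, test3 has a uidNumber outside the range, test4 lacks gidNumber.
USERS_LDIF = """
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test1
uidNumber: 10001
gidNumber: 10000

dn: CN=test2,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test2

dn: CN=test3,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test3
uidNumber: 50001
gidNumber: 10000

dn: CN=test4,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test4
uidNumber: 10004
"""

# Constructed "getent passwd" output: the dc honours uidNumber/gidNumber,
# the member allocated test1 from its tdb range and cannot map test3 at all.
DC_GETENT = """test1:*:10001:10000::/home/CHEZMOI/test1:/bin/false
test3:*:50001:10000::/home/CHEZMOI/test3:/bin/false"""
MEMBER_GETENT = "test1:*:70001:70000::/home/CHEZMOI/test1:/bin/false"


def parse_idmap_config(conf, domain):
    """Collect 'idmap config DOMAIN:key = value' lines; 'range' becomes (lo, hi)."""
    pat = re.compile(r'^\s*idmap config\s+' + re.escape(domain) +
                     r'\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.M | re.I)
    cfg = {k.lower(): v for k, v in pat.findall(conf)}
    if 'range' in cfg:
        lo, hi = (int(x) for x in cfg['range'].split('-'))
        cfg['range'] = (lo, hi)
    return cfg


def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        entry = {}
        for line in block.splitlines():
            if ':' in line:
                key, val = line.split(':', 1)
                entry[key.strip()] = val.strip()
        if entry:
            entries.append(entry)
    return entries


def classify_users(conf, ldif, domain):
    """Map sAMAccountName -> 'mapped' or the reason idmap_ad will skip it."""
    cfg = parse_idmap_config(conf, domain)
    if cfg.get('backend') != 'ad' or cfg.get('schema_mode') != 'rfc2307':
        raise ValueError(f'{domain} is not configured for idmap_ad/rfc2307')
    lo, hi = cfg['range']
    attrs = ('uidNumber', 'gidNumber')
    result = {}
    for e in parse_ldif(ldif):
        name = e.get('sAMAccountName')
        missing = [a for a in attrs if a not in e]
        if missing:
            result[name] = 'ignored: missing ' + ', '.join(missing)
            continue
        outside = [a for a in attrs if not lo <= int(e[a]) <= hi]
        if outside:
            result[name] = f'ignored: {", ".join(outside)} outside range {lo}-{hi}'
        else:
            result[name] = 'mapped'
    return result


def compare_getent(dc_out, member_out):
    """Return {user: ((dc_uid, dc_gid), (member_uid, member_gid))} for every
    user whose ids differ or who is missing on one side (shown as None)."""
    def ids(text):
        out = {}
        for line in text.splitlines():
            f = line.split(':')
            if len(f) >= 4:
                out[f[0]] = (int(f[2]), int(f[3]))
        return out
    dc, member = ids(dc_out), ids(member_out)
    return {u: (dc.get(u), member.get(u)) for u in sorted(dc.keys() | member.keys())
            if dc.get(u) != member.get(u)}


if __name__ == '__main__':
    for user, verdict in classify_users(MEMBER_SMB_CONF, USERS_LDIF, 'CHEZMOI').items():
        print(f'{user:8} {verdict}')
    for user, (on_dc, on_member) in compare_getent(DC_GETENT, MEMBER_GETENT).items():
        print(f'{user:8} dc={on_dc} member={on_member}')
```

Run it against a real export (for example the output of ldbsearch or ldapsearch on CN=Users, and "getent passwd" captured on each host) by swapping the embedded strings for file contents; any account listed as "ignored" is one that dsa.msc edits have not yet given a complete, in-range uidNumber/gidNumber pair.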
The easiest way to test out rfc2307 would be to provision a new domain
with samba-tool domain provision --use-rfc2307
--the-other-options-of-your-choice, and test an rfc2307 client against
it. The difference is, that in this case the provisioning script loads a
schema file (ypServ30.ldif) which makes it easier to administer the
rfc2307 attributes using ADUC. Then join a client to the domain and see
if rfc2307 schema mode works or not. If it works, then you will probably
need to load the schema modifications and a few other entries from the
provisioning with --use-rfc2307.
BTW, I use in production a classicupgraded Samba (actually two
replicating DCs) where --use-rfc2307 is (was) enabled by default, and a
few samba 3.6 installations using rfc2307 schema mode successfully
authenticate and get account data from the AD.
Regards
Geza Gemes