On 10/04/2013 06:59, Gémes Géza wrote:
> You should check rfc2307 on the samba AD, if your users do not have
> uidNumber gidNumber attributes they are going to be ignored by the
> winbind daemon if you specify rfc2307 schema mode on the domain member.
If I have understood correctly: when I don't use rfc2307 on the DC (this is the default) and I don't use rfc2307 on the member server either, with this config:

-------------------------------------------------------------------
# No reference to "rfc2307".
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
-------------------------------------------------------------------

it seems to work well, but the uid and gid of the domain accounts are different between the DC and the member. And if I use rfc2307, then it is possible to have the same uid and gid on the DC and the member. Is that correct?

For the moment, I haven't succeeded in using "rfc2307" with a DC and a member. Without "rfc2307", I think it works well with:

1. For the DC:

-------------------------------------------------------------------
[global]
    workgroup = CHEZMOI
    realm = CHEZMOI.PRIV
    netbios name = WHEEZY-SERVER
    server role = active directory domain controller
    dns forwarder = 212.27.40.241

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
-------------------------------------------------------------------

2. And for the member:

-------------------------------------------------------------------
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
-------------------------------------------------------------------

It works well (IMHO), but, for each account, the uid/gid are different between the DC and the member, and I don't like that.
When I try to use "rfc2307", it doesn't work for me (but I am probably making mistakes). For example, I have tried this:

1. On the DC server:

# samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' --use-rfc2307

which creates this smb.conf:

-------------------------------------------------------------------
[global]
    workgroup = CHEZMOI
    realm = CHEZMOI.PRIV
    netbios name = WHEEZY-SERVER
    server role = active directory domain controller
    dns forwarder = 212.27.40.241
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
-------------------------------------------------------------------

Next, I use winbind in nsswitch.conf in order to resolve uid/gid --> names.

2. On the member, I edit this smb.conf file (found here: https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):

-------------------------------------------------------------------
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
-------------------------------------------------------------------

and I join the server with "net ads join" (then I use winbind in nsswitch.conf too).
Next, I create an account on the DC (samba-tool user add test1 --random-password) and, from a Windows station, I edit this account with dsa.msc and I set:

- the UID attribute in the "Unix attributes" tab
- the GID attribute in the "Unix attributes" tab

But the DC and the member seem to ignore these values and, for example, with "getent passwd" the uid/gid of each user are different between the DC and the member.

If you have advice or links on how to install a DC and a member so that the uid/gid are the same between the DC and the member, I would be very interested. :-)

Thanks in advance.

PS: and very sorry for my poor English.

--
François Lafont
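As an added example (not part of François's message or of Samba's own tooling), the following script checks the two conditions Géza's reply points at before a member is switched to "idmap config CHEZMOI:schema_mode = rfc2307": every account must carry both uidNumber and gidNumber, and the uidNumber must fall inside the member's "idmap config CHEZMOI:range". It reads the LDIF that ldbsearch prints; the ldbsearch command and the sam.ldb path in the comment are assumptions based on the /usr/local/samba prefix used in the post, and the LDIF embedded in sample_ldif is constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example: find AD users that winbind will skip (or map oddly) once the
# member uses "idmap config CHEZMOI:schema_mode = rfc2307".
#
# On a real DC the input would come from something like (path assumed for a
# /usr/local/samba build; the filter excludes computer accounts):
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       '(&(objectClass=user)(!(objectClass=computer)))' \
#       sAMAccountName uidNumber gidNumber
# The LDIF below is CONSTRUCTED for the example so it runs offline.
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test1
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=test2,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test2

# record 3
dn: CN=test3,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test3
uidNumber: 10003

# record 4
dn: CN=test4,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test4
uidNumber: 50000
gidNumber: 10000

# returned 4 records
EOF
}

# Reduce LDIF on stdin to one line per user: "<name> <uidNumber|-> <gidNumber|->".
# Records are separated by blank lines; "#" comment lines are ignored.
summarize_ldif() {
  awk '
    function flush() {
      if (name != "")
        printf "%s %s %s\n", name, (uid == "" ? "-" : uid), (gid == "" ? "-" : gid)
      name = ""; uid = ""; gid = ""
    }
    /^sAMAccountName: / { name = $2 }
    /^uidNumber: /      { uid = $2 }
    /^gidNumber: /      { gid = $2 }
    /^$/                { flush() }
    END                 { flush() }
  '
}

# Users missing uidNumber or gidNumber: these are the accounts the rfc2307
# schema mode on the member will not map at all.
missing_rfc2307() {
  summarize_ldif | awk '$2 == "-" || $3 == "-" { print $1 }'
}

# Users whose uidNumber lies outside the member's idmap range LOW..HIGH
# (e.g. 500 40000 for the smb.conf in the post); winbind ignores those too.
out_of_range() {
  summarize_ldif | awk -v lo="$1" -v hi="$2" \
    '$2 != "-" && ($2 + 0 < lo + 0 || $2 + 0 > hi + 0) { print $1 }'
}

echo "Users without uidNumber/gidNumber (ignored in rfc2307 schema mode):"
sample_ldif | missing_rfc2307
echo "Users whose uidNumber is outside the member range 500-40000:"
sample_ldif | out_of_range 500 40000
```

Replace sample_ldif with the real ldbsearch pipeline on the DC; any name the script prints explains a uid/gid that differs between "getent passwd" on the DC and on the member, because the member falls back to the "idmap config *" tdb range for those accounts.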