samba-users May 2010 archive

Re: [Samba] smb.conf works for 3.4.0; doesn't work for 3.4.7 - RESOLVED

From: Mike Leone <turgon_at_nospam>
Date: Sat May 08 2010 - 20:34:31 GMT

I got it (almost) working. Finally!

Here's what I found:

1. For Win2003 AD (with SFU), you need

         idmap config DACRIB:schema_mode = sfu
         winbind nss info = sfu

If you have Win2003 AD R2, you should be using:

         idmap config DACRIB:schema_mode = rfc2307
         winbind nss info = rfc2307

(I found a forum post that said that; haven't seen it in any official docs)

2. When you install SFU in AD, you get a "Unix Attributes" tab for each
user. On that tab, you *have* to set the UID, shell, home directory and
primary group, for all users you want your Linux box to see. If you
don't set these attributes, Samba won't see those users.

3. Watch out for typos. :-)

Oh, and don't try and over-think the situation. If your distro has
kindly pre-configured PAM for you, go with that. :-)

So, using:

         idmap config DACRIB:backend = ad
         idmap config DACRIB:range = 10000 - 20000
         idmap config DACRIB:schema_mode = sfu

         idmap uid = 10000-20000
         idmap gid = 10000-20000

         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = No
         winbind nested groups = Yes
         winbind refresh tickets = true
         winbind separator = +
         winbind nss info = sfu
         allow trusted domains = No

AND making sure that the UIDs you specify in point #2 above are
within the range specified. If you make a typo and set a UID outside
that range, that user will *not* be seen by Samba.

getent passwd from Dual-Booter:

DACRIB+administrator:*:10002:10000:Administrator:/home/DACRIB/Administrator:/bin/sh
DACRIB+krbtgt:*:10006:10000:krbtgt:/home/DACRIB/krbtgt:/bin/sh
DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash
DACRIB+leonem:*:10000:10000:Leone, Mike:/home/DACRIB/LeoneM:/bin/bash
DACRIB+servicerunner:*:10005:10000:ServiceRunner:/home/DACRIB/ServiceRunner:/bin/sh
DACRIB+bearclan:*:10004:10000:Andie Philo:/home/bearclan:/bin/bash
DACRIB+ldap-proxy:*:10001:10000:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/sh

Those are all the proper UIDs I set in AD.

Now, of course, the *other* Samba server is acting up. I removed it from
the domain, and tried to use the above settings on it. And now "wbinfo
-t" fails for IT.

<SIGH>

Oh, well. Something more to do ...

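The two conditions the post gives for a user to be visible (Unix attributes set in AD, UID inside the configured idmap range) written as a pre-flight check. This is an added example, not part of the original message and not Samba code. The smb.conf fragment and the user records are constructed, and the record field names (uid, gid, shell, home) are hypothetical stand-ins for the values on the "Unix Attributes" tab.

```python
import re

# Constructed smb.conf fragment using the settings quoted in the post.
SMB_CONF = """
[global]
    idmap config DACRIB:backend = ad
    idmap config DACRIB:range = 10000 - 20000
    idmap config DACRIB:schema_mode = sfu
    winbind nss info = sfu
"""

# Constructed export of per-user Unix attributes (field names are hypothetical).
AD_USERS = [
    {"name": "turgon", "uid": 10003, "gid": 10000, "shell": "/bin/bash", "home": "/home/DACRIB/turgon"},
    {"name": "typo-user", "uid": 1003, "gid": 10000, "shell": "/bin/bash", "home": "/home/DACRIB/typo-user"},
    {"name": "no-attrs", "uid": None, "gid": None, "shell": None, "home": None},
]

def idmap_settings(conf_text, domain):
    """Collect the 'idmap config <domain>:<key> = <value>' options for one domain."""
    pat = re.compile(r"^\s*idmap\s+config\s+%s\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$" % re.escape(domain), re.I)
    opts = {}
    for line in conf_text.splitlines():
        m = pat.match(line)  # commented-out lines (# or ;) never match
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts

def parse_range(value):
    """Parse 'low - high' (spaces optional) into a pair of integers."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % value)
    return int(m.group(1)), int(m.group(2))

def invisible_users(conf_text, domain, users):
    """Map user name -> reason the user would not show up, per the post's two rules."""
    low, high = parse_range(idmap_settings(conf_text, domain)["range"])
    problems = {}
    for u in users:
        missing = [k for k in ("uid", "gid", "shell", "home") if u.get(k) is None]
        if missing:
            problems[u["name"]] = "unset: " + ", ".join(missing)
        elif not low <= u["uid"] <= high:
            problems[u["name"]] = "uid %d outside %d-%d" % (u["uid"], low, high)
    return problems

if __name__ == "__main__":
    for name, why in invisible_users(SMB_CONF, "DACRIB", AD_USERS).items():
        print(name, "->", why)
```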