On 15/02/2021 17:38, Robert Steinmetz AIA wrote:
>
> The /etc/resolv.conf is still getting overwritten.

Probably systemd-resolved

> In my case I've added a user 'debbie'
> # wbinfo -u
> NO.STEINMETZNET\administrator
> NO.STEINMETZNET\guest
> NO.STEINMETZNET\krbtgt
> NO.STEINMETZNET\debbie

Why does your Netbios domain name have a dot in it ?

>
> I created the user using samba-tool and supplied all of the Linux
> options for /etc/passwd
>
> # getent passwd 'debbie'
> #
>
> # grep 'debbie' /etc/passwd
> #

Do you have these packages installed: libpam-winbind libnss-winbind libpam-krb5

Do the passwd & group lines in /etc/nsswitch.conf look like this:

passwd: files winbind systemd

group: files winbind systemd

>
>
>
>> If you use the 'ad' backend on Unix domain members, then you can use
>> the uidNumber and gidNumber attributes from AD along with the other
>> rfc2307 attributes,
> That's what I think I did with samba-tool
>> you can also opt to set the Unix home directories & login shell in
>> the smb.conf (note: this is the only way to these? on an AD DC or
>> using any other winbind backend.
> I don't understand what you're saying here. Particularly the part
> after the paren.

OK, if you use the 'ad' backend on a Unix domain member, then you can (provided the 'idmap config' lines in smb.conf are set correctly) use the rfc2307 attributes from AD. If you use any other backend on a Unix domain member or log into a DC, then you must use the 'template shell' and 'template homedir' parameters. You can also use these template lines with the 'ad' backend if you wish.

See 'man idmap_ad' and 'man idmap_rid' for more info.

>
>>
>>>
>>> We have in the past used the /homes share to connect users to their
>>> Linux home directory.
>> You can still use the 'homes' share, though you will probably need a
>> 'root preexec' script to create the user's directory as they connect
>> (I can help you with this), note that you shouldn't confuse a user's
>> Unix share with the user's Windows home directory.
> In our current set up each user has a Windows profile and a Unix home
> directory which is mounted as a /homes share to a drive letter. That
> is used to store user specific information and things like the users
> profile for email clients and other user specific information. I'm not
> clear on what a Windows Home directory is. That is something I think I
> can leave till later.

You are mixing up the Windows home directory and the Unix home directory.

The Windows home directory is the one you should link to the Windows Drive letter, the Unix home directory is what the user would use if they log into a Unix domain member.

> The only difference I can see from samba tool and /etc/passwd is the
> uid. did I miss something? Is the reason to use a different range
> simply to avoid conflicts?

No, you cannot have the same user in /etc/passwd and AD, if you do the user in AD will be ignored and there is absolutely no reason to have the user in both databases. You may have done this with an old style NT4-style domain, but it isn't required any more, your users should all be in AD.

It might help if you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

>
> Also is it necessary to modify nsswitch.conf to include winbind?
>

Yes, no winbind in /etc/nsswitch.conf == no AD users

Rowland
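Added example, not part of the thread and not Samba's own tooling: a POSIX shell script that checks, offline, the two configuration points Rowland's reply turns on for a domain member. First, winbind has to be on the passwd and group lines of /etc/nsswitch.conf or getent and PAM will never see AD users. Second, the 'idmap config' ranges in smb.conf must not overlap, and a member that does not use the 'ad' backend needs 'template shell' and 'template homedir' set. The nsswitch.conf and smb.conf files it reads are constructed samples written to a temporary directory; the domain name SAMDOM, the realm and the ranges are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): offline checks for a
# Samba AD domain member's nsswitch.conf and smb.conf. SAMDOM, the realm and
# the ranges below are assumptions; the files are constructed samples.

# make_samples DIR: write the four constructed sample files into DIR
make_samples() {
  # nsswitch.conf with winbind on both lines, the layout Rowland asks for
  cat > "$1/nsswitch.good" <<'EOF'
passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
hosts:          files dns
EOF
  # nsswitch.conf where winbind was left off the group line
  cat > "$1/nsswitch.bad" <<'EOF'
passwd:         files winbind systemd
group:          files systemd
EOF
  # member smb.conf using the 'ad' backend, non-overlapping ranges, templates set
  cat > "$1/smb.good" <<'EOF'
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
EOF
  # member smb.conf with the 'rid' backend, overlapping ranges and no templates
  cat > "$1/smb.bad" <<'EOF'
[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-20000
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
EOF
}

# nss_has_winbind FILE: succeed only if both the passwd and group lines list winbind
nss_has_winbind() {
  for db in passwd group; do
    grep -E "^[[:space:]]*$db:" "$1" | grep -qw winbind || return 1
  done
}

# idmap_ranges FILE: print "DOMAIN LOW HIGH" for every 'idmap config X : range' line
idmap_ranges() {
  sed -nE 's/^[[:space:]]*idmap config[[:space:]]+([^[:space:]:]+)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2 \3/p' "$1"
}

# idmap_ranges_ok FILE: print each overlapping pair of ranges; succeed only if none overlap
idmap_ranges_ok() {
  idmap_ranges "$1" | awk '
    { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
    END {
      bad = 0
      for (i = 1; i <= NR; i++)
        for (j = i + 1; j <= NR; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print dom[i] " overlaps " dom[j]; bad = 1 }
      exit bad
    }'
}

# templates_ok FILE: with a named-domain backend other than 'ad' both template
# parameters must be present (Rowland's point); with 'ad' they are optional
templates_ok() {
  if grep -qiE '^[[:space:]]*idmap config[[:space:]]+[^*[:space:]][^:]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*ad[[:space:]]*$' "$1"; then
    return 0
  fi
  grep -qiE '^[[:space:]]*template shell[[:space:]]*=' "$1" &&
    grep -qiE '^[[:space:]]*template homedir[[:space:]]*=' "$1"
}

# Run the checks over the constructed samples and report
WORK=$(mktemp -d)
make_samples "$WORK"
for f in nsswitch.good nsswitch.bad; do
  if nss_has_winbind "$WORK/$f"; then echo "$f: winbind on passwd and group"
  else echo "$f: winbind missing -> getent will not return AD users"; fi
done
for f in smb.good smb.bad; do
  idmap_ranges_ok "$WORK/$f" && echo "$f: idmap ranges do not overlap"
  if templates_ok "$WORK/$f"; then echo "$f: template shell/homedir OK"
  else echo "$f: non-'ad' backend without template shell/homedir"; fi
done
rm -rf "$WORK"
```

Point the functions at the real /etc/nsswitch.conf and /etc/samba/smb.conf on a member to get the same three answers for a live box; the overlap check is the one to keep, since an overlapping '*' range silently hands out ids that collide with the domain's range.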
Rowland penny via samba wrote:
> On 15/02/2021 17:38, Robert Steinmetz AIA wrote:
>>
>> The /etc/resolv.conf is still getting overwritten.
> Probably systemd-resolved

I don't think so. systemd-resolved is not running. It is disabled and masked. There are a gazillion proposed methods to do this and I haven't figured out which one looks good. In the interim I locked it down with chattr +i /etc/resolv.conf. I can now reboot and it seems to work.

>
>
>> In my case I've added a user 'debbie'
>> # wbinfo -u
>> NO.STEINMETZNET\administrator
>> NO.STEINMETZNET\guest
>> NO.STEINMETZNET\krbtgt
>> NO.STEINMETZNET\debbie
>
> Why does your Netbios domain name have a dot in it ?

Because that is the name of the sub-domain I used. Did I misunderstand something? Our domain is steinmetznet.com which was my first attempt. The next attempt added the sub-domain no.steinmetznet.com. In our current NT Domain the domain name is something entirely different.

>
>> I created the user using samba-tool and supplied all of the Linux
>> options for /etc/passwd
>>
>> # getent passwd 'debbie'
>> #
>>
>> # grep 'debbie' /etc/passwd
>> #
>
>
> Do you have these packages installed: libpam-winbind libnss-winbind
> libpam-krb5

I do now, I actually had some of them but not all.

> Do the passwd & group lines in /etc/nsswitch.conf look like this:
>
> passwd: files winbind systemd
>
> group: files winbind systemd

I figured I needed that, but I don't remember seeing that in any of the documentation I reviewed. I did find a page on configuring winbindd but not that it was required.

>
>>
>>> If you use the 'ad' backend on Unix domain members, then you can use
>>> the uidNumber and gidNumber attributes from AD along with the other
>>> rfc2307 attributes,
>> That's what I think I did with samba-tool
>>> you can also opt to set the Unix home directories & login shell in
>>> the smb.conf (note: this is the only way to these? on an AD DC or
>>> using any other winbind backend.
>> I don't understand what you're saying here.
>> Particularly the part
>> after the paren.
>
>
> OK, if you use the 'ad' backend on a Unix domain member, then you can
> (provided the 'idmap config' lines in smb.conf are set correctly) use
> the rfc2307 attributes from AD. If you use any other backend on a Unix
> domain member or log into a DC, then you must use the 'template shell'
> and 'template homedir' parameters. You can also use these template
> lines with the 'ad' backend if you wish.
>
> See 'man idmap_ad' and 'man idmap_rid' for more info.

I'm sorry, I'm not following this. I added 'template shell = /bin/bash' and 'template homedir = /home/%U' and user 'debbie' can now login. What I think you're saying is that samba-tool user <username> --login-shell and --unix-home don't have any effect on a DC. My ultimate intention is to make all of our three samba servers backup domain controllers. But before I undertake that I want to have a basic understanding of the AD tools and requirements.

>
>>
>>>
>>>>
>>>> We have in the past used the /homes share to connect users to their
>>>> Linux home directory.
>>> You can still use the 'homes' share, though you will probably need a
>>> 'root preexec' script to create the user's directory as they connect
>>> (I can help you with this), note that you shouldn't confuse a user's
>>> Unix share with the user's Windows home directory.
>> In our current set up each user has a Windows profile and a Unix home
>> directory which is mounted as a /homes share to a drive letter. That
>> is used to store user specific information and things like the users
>> profile for email clients and other user specific information. I'm
>> not clear on what a Windows Home directory is. That is something I
>> think I can leave till later.
>
>
> You are mixing up the Windows home directory and the Unix home directory.
>
> The Windows home directory is the one you should link to the Windows
> Drive letter, the Unix home directory is what the user would use if
> they log into a Unix domain member.

Why can't they be the same directory? That is what we do now.

Steinmetz & Associates
New Orleans & Atlanta