[Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 4 13:13:24 MST 2013


On 04/12/13 19:53, Werthmuller, Derek wrote:
> Yeah, the user base is rather old, > 10 years; 500 is the lowest.  Trying to make use of the uid and gid numbers since we have several Linux file servers and that's how the users' shared spaces are set up.  We really don't want to have to reassign owner and group permissions on all the shares.
>
> OS version
> -bash-4.1$ more /etc/redhat-release
> CentOS release 6.5 (Final)
> -bash-4.1$ uname -a
> Linux 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux
>
> Samba DC versions
> -bash-4.1$ rpm -qa |grep samba
> sernet-samba-common-4.1.2-7.el6.i686
> sernet-samba-winbind-4.1.2-7.el6.i686
> sernet-samba-libs-4.1.2-7.el6.i686
> sernet-samba-4.1.2-7.el6.i686
> sernet-samba-libsmbclient0-4.1.2-7.el6.i686
> sernet-samba-ad-4.1.2-7.el6.i686
> sernet-samba-client-4.1.2-7.el6.i686
> -bash-4.1$
>
> Samba member version
> uname -a
> Linux 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> [more /etc/redhat-release
> CentOS release 6.5 (Final)
>
> sernet-samba-libs-4.1.2-7.el6.x86_64
> sernet-samba-winbind-4.1.2-7.el6.x86_64
> sernet-samba-common-4.1.2-7.el6.x86_64
> sernet-samba-libsmbclient0-4.1.2-7.el6.x86_64
> sernet-samba-4.1.2-7.el6.x86_64
> sernet-samba-client-4.1.2-7.el6.x86_64
>
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Wednesday, December 04, 2013 2:40 PM
> To: Werthmuller, Derek; samba at lists.samba.org
> Subject: Re: [Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?
>
> On 04/12/13 19:02, Werthmuller, Derek wrote:
>> Got part of it working, seems the gidnumber is not being pulled properly through.  Here is the member server smb.conf
>> Note        idmap config DOM : range = 500 - 2000 is the number space where all my uidnumbers and gidnumbers are.
>> Currently a getent passwd retrieves the list of users and displays the proper uid, but the gidnumber is in the outer range.
>>
>> Username:*:500:100::/exports/users/%U:/bin/bash   <- this is not correct group #  - it should be 500
> You really shouldn't be using uidNumbers & gidNumbers that low, you are down in Unix range there. 0-500 is used by Red Hat based distros and
> 0-1000 by Debian based distros. The group '100' is probably the 'users'
> group and is set by samba 4 idmap.
>
>> I wonder if I need to clear a winbind cache?  Is net cache flush the correct way to do this on the member server?
>>
>> An ldapsearch of the ad directory to verify that the proper uid and gid are stored for that user reveals that they are.
>> ...
>> uidNumber: 500
>> gidNumber: 500
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> ...
>>
>> Smb.conf
>> [global]
>>           workgroup = DOM
>>           realm = DOM.EXAMPLE.COM
>>           server string = Samba Server Version %v
>>           security = ADS
>>           log file = /var/log/samba/log.%m
>>           max log size = 50
>>           template homedir = /exports/users/%U
>>           template shell = /bin/bash
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
>>           winbind use default domain = Yes
>>           idmap_ldb : use rfc2307 = yes
>>           idmap config DOM : range = 500 - 2000      # range winbind has authority over to set.
>>           idmap config DOM : backend = ad
>>           idmap config * : range = 1000000-1999999  # range for entries if winbind can't find proper #
>>           idmap config * : backend = tdb
>>           cups options = raw
>>
>> Thanks
>> 	Derek
>>
> Please post what your OS is and what precise versions of samba you are
> using.
>
> Rowland
Hmm, just noticed this:
idmap config DOM : range = 500 - 2000

I think it should be this:
idmap config DOM : range = 500-2000

I still think that 500 is a bit low but it should work, try changing the 
above line and if this doesn't work, there is always plan B: sssd

Rowland
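
An added example, not part of the thread and not Samba code: a small Python check of the `idmap config` ranges quoted above against the local ID ceilings mentioned in the reply (500 on Red Hat based distros, 1000 on Debian based ones), plus a test of whether an ID seen in getent falls inside the domain range. `SAMPLE_CONF`, `parse_idmap` and `audit` are names made up here, and this parser accepts the range with or without spaces around the hyphen, which says nothing about how Samba itself reads it.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SAMPLE_CONF = """\
[global]
    idmap config DOM : range = 500 - 2000
    idmap config DOM : backend = ad
    idmap config * : range = 1000000-1999999
    idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(range|backend)\s*=\s*(.+?)\s*$", re.I)
# Assumption of this example: spaces around the hyphen are accepted here.
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)")

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.groups()
        entry = domains.setdefault(dom, {})
        if key.lower() == "backend":
            entry["backend"] = value
        elif r := RANGE_RE.match(value):
            entry["range"] = (int(r[1]), int(r[2]))
    return domains

def audit(conf_text, local_id_max, observed=()):
    """List range problems; observed holds (label, id, domain) tuples."""
    ranges = {d: e["range"] for d, e in parse_idmap(conf_text).items() if "range" in e}
    findings, names = [], sorted(ranges)
    for i, dom in enumerate(names):
        low, high = ranges[dom]
        if low <= local_id_max:  # collides with locally defined accounts
            findings.append(f"{dom}: range {low}-{high} overlaps local IDs 0-{local_id_max}")
        for other in names[i + 1:]:  # two idmap domains must never share IDs
            if low <= ranges[other][1] and ranges[other][0] <= high:
                findings.append(f"{dom} and {other}: ranges overlap")
    for label, value, dom in observed:
        low, high = ranges[dom]
        if not low <= value <= high:
            findings.append(f"{label}={value} is outside {dom} range {low}-{high}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, 500, [("gid", 100, "DOM")])))  # gid 100: value getent showed
```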


