[Samba] Problem with one User after upgrade to 4.5.0
Paul R. Ganci
ganci at nurdog.com
Sun Oct 9 17:50:42 UTC 2016
On 10/09/2016 02:51 AM, Rowland Penny via samba wrote:
> Have you by any chance got another 3001108 'xidNumber' in idmap.ldb ?
> If you give a user a 'uidNumber' attribute, the contents of this will be
> used instead of the 'xidNumber' in idmap.ldb, hence you do not need to
> (and probably shouldn't) use numbers in the '3000000' range.
I managed to make this right at least for the DC, two Windows 7
Professional boxes, and two CentOS 6 systems. I have one CentOS 6 VM
that doesn't work but it would seem that has to be specific to the VM.
In order to fix the problem I had "accidentally" removed this line
    idmap_ldb:use rfc2307 = yes
from the DC /etc/samba/smb.conf
# Global parameters
[global]
    server string = Example Active Directory Server
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    netbios name = DC_EXAMPLE
    server role = active directory domain controller
    server services = -dns
    bind interfaces only = yes
    interfaces = br0 lo
    encrypt passwords = true
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind offline logon = false
    winbind enum groups = yes
    winbind enum users = yes
    # winbind separator = +
    winbind nss info = rfc2307
    map untrusted to domain = no
    template homedir = /home/%U
    template shell = /bin/bash
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[Profiles]
    path = /home/Profiles/
    read only = No

[home]
    path = /home
    read only = No
After I added back the missing line everything seemed to work again. The
history to all this is that I am running the sernet-samba packages on a
CentOS 6 system which seem to be not very compatible with sssd.
Therefore I just want winbindd which is adequate for my purposes. To
that end I tried to follow these wiki pages:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
When I provisioned I had done so with rfc2307. So all the NIS
extensions are there.
So this gets me to the problem at hand. First, there is actually no
3001108 xidNumber in the idmap.ldb. The xidNumber for this particular
user is actually 3000062. For a user that works it turns out I
apparently gave uidNumber = xidNumber = 3001107. I only have two users.
I'm unclear on what the correct thing to do is in this case. Are you
saying that since the xidNumbers are in the "3000000" I should not use
uidNumbers in the same range? How should I "pick" the idmap ranges, the
uidNumbers, etc.? Wouldn't the uidNumbers be independent from the
xidNumbers which is why the addition of the "idmap_ldb:use rfc2307 =
yes" in the DC smb.conf fixes the issue?
Also on the member server side I have been using this smb.conf
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server string = Example Samba Server Version %v
    netbios name = EXAMPLE
    security = ads
    bind interfaces only = yes
    interfaces = br0
    kerberos method = system keytab
    idmap config *:backend = tdb
    idmap config *:range = 1000000-2999999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 3000000-40000000
    winbind nss info = rfc2307
    winbind use default domain = true
    winbind offline logon = false
    winbind enum groups = yes
    winbind enum users = yes
So what should I do at this point? Does it make sense to change the
uidNumbers (possibly the gidNumbers too)? I really would like to make
this right before I try to move the DC to other hardware.
--
Paul (ganci at nurdog.com)
Cell: (303)257-5208
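
Added example (not part of the original post and not Samba project code): a check for the situation raised in the quoted reply, where a user's uidNumber matches an xidNumber that idmap.ldb already holds for a different SID, or sits inside the DC's own allocation pool. The LDIF text, the SIDs and the uidNumber table are constructed; the record layout (CN=CONFIG with lowerBound/upperBound, one record per SID) is an assumption about what ldbsearch prints for idmap.ldb.

```python
# Constructed sample shaped like ldbsearch output for idmap.ldb (SIDs are made up).
IDMAP_LDIF = """\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000063

dn: CN=S-1-5-21-1111-2222-3333-1107
objectSid: S-1-5-21-1111-2222-3333-1107
type: ID_TYPE_BOTH
xidNumber: 3000061

dn: CN=S-1-5-21-1111-2222-3333-1108
objectSid: S-1-5-21-1111-2222-3333-1108
type: ID_TYPE_BOTH
xidNumber: 3000062
"""

# Constructed uidNumber attributes, keyed by the SID of the user object.
UID_NUMBERS = {
    "S-1-5-21-1111-2222-3333-1107": 3001107,
    "S-1-5-21-1111-2222-3333-1108": 3000061,
}

def parse_idmap(ldif):
    """Return ((lowerBound, upperBound), {xidNumber: objectSid})."""
    bounds, xids = None, {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("dn") == "CN=CONFIG":
            bounds = (int(attrs["lowerBound"]), int(attrs["upperBound"]))
        elif "objectSid" in attrs and "xidNumber" in attrs:
            xids[int(attrs["xidNumber"])] = attrs["objectSid"]
    return bounds, xids

def audit(ldif, uid_numbers):
    """List (sid, uidNumber, reason) for every uidNumber worth reviewing."""
    bounds, xids = parse_idmap(ldif)
    findings = []
    for sid, uid in sorted(uid_numbers.items()):
        owner = xids.get(uid)
        if owner is not None and owner != sid:
            # Same number already mapped to another account in idmap.ldb.
            findings.append((sid, uid, "collides with xidNumber of " + owner))
        elif bounds and bounds[0] <= uid <= bounds[1]:
            # No clash yet, but the DC may hand this number out later.
            findings.append((sid, uid, "inside DC allocation pool %d-%d" % bounds))
    return findings
```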