[Samba] Winbind problem with more details.
Trimble, Ronald D
Ronald.Trimble at unisys.com
Fri Feb 15 18:27:59 GMT 2008
You are 100% correct. I did have a situation several weeks ago where I was forced to delete the cache and as a result I had to go through the entire file structure to reset all the ACLs. It was a mess, but thankfully I have a very simple security model.
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.
Ross S. W. Walker wrote:
> Trimble, Ronald D wrote:
> > Here you go...
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggested config. If it is an earlier version let me know.
I just realized that your config is pre-RID mapping, so your
uid/gid base is in a single tdb file that, if lost or broken,
will seriously mess up your user base!
If that is the case then I suggest this:
idmap domains = default
idmap config default:default = yes
idmap alloc backend = tdb
idmap uid = 16777216 - 33554431
idmap gid = 16777216 - 33554431
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431
But remove these:
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
Back up your tdb cache directory and smb.conf first though to
be on the safe side.
> > [global]
> > workgroup = NA
> > realm = NA.UIS.UNISYS.COM
> > netbios name = ustr-linux-1
> > server string = USTR-LINUX-1 Samba Server
> > encrypt passwords = yes
> > security = ADS
> > password server = 192.xx.xxx.xxx
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
> > passdb backend = smbpasswd
> I tend to use tdb for my passwd backend, especially if the number
> of users is large, tdb can speed lookups tremendously.
> > log level = 2 winbind:10 ads:10 auth:10
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > # debug level = 10
> > max log size = 5000
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
> idmap domains = default NA
> idmap config default:default = yes
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
> Is that id range valid? I have never used anything over 999999, it
> seems very oddly arbitrary, but I suppose you have a reason...
> Normally I allocate a 100000 id range per domain, so NA would have
> range 100000 - 199999, domain NA2 would have 200000 - 299999 and
> so on; it makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
> idmap alloc backend = tdb
> idmap uid = 90000 - 99999
> idmap gid = 90000 - 99999
> This section here is for local mappings, BUILTINs and such; I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
> > winbind use default domain = no
> > winbind enum users = no
> > winbind enum groups = no
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> > nt acl support = yes
> > map acl inherit = yes
> Notice I removed these lines:
> > winbind uid = 16777216-33554431
> > winbind gid = 16777216-33554431
> This is old deprecated syntax; the syntax is now 'idmap uid',
> and it applies to id domains not explicitly configured with
> the 'id config' directive.
> Let me know if that helps.
> This e-mail, and any attachments thereto, is intended only for use by
> the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail, you are hereby notified that any dissemination,
> distribution or copying of this e-mail, and any attachments thereto,
> is strictly prohibited. If you have received this e-mail in error,
> please immediately notify the sender and permanently delete the
> original and any copy or printout thereof.
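An added example, not part of any message in this thread: a small Python checker for the idmap directives discussed above. It parses an smb.conf [global] section, flags the deprecated 'winbind uid'/'winbind gid' lines, checks that a domain's rid range does not overlap the tdb allocation range given by 'idmap uid' (overlapping ranges let two SIDs be handed the same id), and shows the arithmetic the rid backend uses (uid = range low + RID, with Samba's default base RID of 0), which is what removes the dependence on a single tdb file. Both config fragments inside it are constructed for the example and are not the poster's smb.conf; the second one uses the power-of-ten layout Ross describes, so the RID can be read straight off the uid.

```python
import re

# Constructed sample configs for this example; neither is the poster's real smb.conf.
LEGACY_CONF = """
[global]
    workgroup = NA
    idmap domains = default NA
    idmap config default:default = yes
    idmap alloc backend = tdb
    idmap uid = 16777216 - 33554431
    idmap gid = 16777216 - 33554431
    idmap config NA:backend = rid
    idmap config NA:range = 16777216 - 33554431
    winbind uid = 16777216-33554431
    winbind gid = 16777216-33554431
"""

CLEAN_CONF = """
[global]
    workgroup = NA
    idmap domains = default NA
    idmap config default:default = yes
    idmap alloc backend = tdb
    idmap uid = 90000 - 99999
    idmap gid = 90000 - 99999
    idmap config NA:backend = rid
    idmap config NA:range = 100000 - 199999
"""

DEPRECATED = ("winbind uid", "winbind gid")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_global(text):
    """Return {parameter: value} for the [global] section; names lower-cased."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def parse_range(value):
    """Accept both '100000 - 199999' and '100000-199999'; return (low, high)."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError("unparseable id range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("id range low > high: %r" % value)
    return low, high


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(params):
    """Return a list of findings; an empty list means nothing was detected."""
    findings = []
    for key in DEPRECATED:
        if key in params:
            findings.append("deprecated '%s'; use 'idmap uid/gid' or "
                            "'idmap config <DOMAIN>:range'" % key)
    alloc = parse_range(params["idmap uid"]) if "idmap uid" in params else None
    if alloc and "idmap gid" in params and parse_range(params["idmap gid"]) != alloc:
        findings.append("'idmap uid' and 'idmap gid' ranges differ")
    domain_ranges = {}
    for key, backend in params.items():
        m = re.match(r"idmap config (\S+):backend$", key)
        if not m:
            continue
        dom = m.group(1).upper()
        rng_key = "idmap config %s:range" % dom.lower()
        if rng_key not in params:
            findings.append("domain %s uses backend %s but has no range" % (dom, backend))
            continue
        domain_ranges[dom] = parse_range(params[rng_key])
        if backend == "rid" and alloc and ranges_overlap(alloc, domain_ranges[dom]):
            findings.append("rid range for %s overlaps the tdb allocation range "
                            "'idmap uid'; allocated ids could collide" % dom)
    doms = sorted(domain_ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges_overlap(domain_ranges[a], domain_ranges[b]):
                findings.append("ranges for %s and %s overlap" % (a, b))
    return findings


def rid_to_uid(rid, dom_range):
    """idmap_rid arithmetic (base RID 0): uid = range low + RID, must stay in range."""
    low, high = dom_range
    uid = low + rid
    if uid > high:
        raise ValueError("RID %d maps outside range %r" % (rid, dom_range))
    return uid


def uid_to_rid(uid, dom_range):
    """Inverse mapping; with a power-of-ten base the RID is readable off the uid."""
    low, high = dom_range
    if not low <= uid <= high:
        raise ValueError("uid %d not in range %r" % (uid, dom_range))
    return uid - low


if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("clean", CLEAN_CONF)):
        print(name, check_idmap(parse_global(conf)) or ["ok"])
    print(rid_to_uid(1105, (100000, 199999)), uid_to_rid(101105, (100000, 199999)))
```

Run it against a real file by reading smb.conf into `parse_global`; the checker only reads the text and never touches the idmap tdb, so it is safe to run before making the backup Ross recommends.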