[Samba] Winbind problem with more details.
Trimble, Ronald D
Ronald.Trimble at unisys.com
Fri Feb 15 18:48:14 GMT 2008
Just an FYI, we are currently on 3.0.28. This server was built when 3.0 was just coming around.
-----Original Message-----
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.
Ross S. W. Walker wrote:
>
> Trimble, Ronald D wrote:
> >
> > Here you go...
>
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggested config. If it is an earlier version let me know.
I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!
If that is the case then I suggest this:
idmap domains = default
idmap config default:default = yes
idmap alloc backend = tdb
idmap uid = 16777216 - 33554431
idmap gid = 16777216 - 33554431
Forget this:
idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431
But remove these:
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
Back up your tdb cache directory and smb.conf first though to
be on the safe side.
-Ross
> > [global]
> > workgroup = NA
> > realm = NA.UIS.UNISYS.COM
> > netbios name = ustr-linux-1
> > server string = USTR-LINUX-1 Samba Server
> > encrypt passwords = yes
> > security = ADS
> > password server = 192.xx.xxx.xxx
>
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
>
> > passdb backend = smbpasswd
>
> I tend to use tdb for my passwd backend, especially if the number
> of users is large; tdb can speed lookups tremendously.
>
> > log level = 2 winbind:10 ads:10 auth:10
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > # debug level = 10
> > max log size = 5000
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> feature...
>
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
>
> idmap domains = default NA
> idmap config default:default = yes
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
>
> Is that id range valid? I have never used anything over 999999, it
> seems very oddly arbitrary, but I suppose you have a reason...
>
> Normally I allocate a 100000 id range per domain, so NA would have
> range 100000 - 199999, domain NA2 would have 200000 - 299999 and
> so on; it makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
>
> idmap alloc backend = tdb
> idmap uid = 90000 - 99999
> idmap gid = 90000 - 99999
>
> This section here is for local mappings, BUILTINs and such, I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
>
> > winbind use default domain = no
> > winbind enum users = no
> > winbind enum groups = no
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> > nt acl support = yes
> > map acl inherit = yes
>
> Notice I removed these lines:
> > winbind uid = 16777216-33554431
> > winbind gid = 16777216-33554431
>
> This is old deprecated syntax, the syntax is now 'idmap uid',
> and it applies to id domains not explicitly configured with
> the 'id config' directive.
>
> <snip>
>
> Let me know if that helps.
>
> -Ross
>
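An added example, not from either poster: a small Python checker for the two points raised in the thread. It parses the [global] section of an smb.conf, flags the deprecated 'winbind uid'/'winbind gid' lines, checks that a per-domain rid range does not collide with the tdb allocation range ('idmap uid'/'idmap gid'), and shows the rid backend's uid = range base + RID arithmetic. The sample config is constructed from Ross's suggested layout, with the old lines left in so the check fires.

```python
import re
# Constructed sample: Ross's post-3.0.25 layout, with the deprecated lines left in.
SAMPLE_SMB_CONF = """
[global]
   idmap config NA:backend = rid
   idmap config NA:range = 16777216 - 33554431
   idmap uid = 90000 - 99999
   idmap gid = 90000 - 99999
   winbind uid = 16777216-33554431
   winbind gid = 16777216-33554431
"""
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_global(conf):
    """Return [global] parameters as a dict (keys lower-cased, values stripped)."""
    params, in_global = {}, False
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":  # skip comments
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def parse_range(value):
    """Parse 'low - high' (spaces optional); reject malformed or inverted ranges."""
    m = RANGE_RE.match(value.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"bad idmap range: {value!r}")
    return int(m.group(1)), int(m.group(2))

def rid_to_uid(params, domain, rid):
    """rid backend: uid = range base + RID; a base of 10^n keeps the RID readable."""
    low, high = parse_range(params[f"idmap config {domain.lower()}:range"])
    if low + rid > high:
        raise ValueError(f"RID {rid} falls outside {domain}'s idmap range")
    return low + rid

def check_idmap(params):
    """Flag deprecated winbind uid/gid and domain ranges colliding with idmap uid/gid."""
    findings = [f"'{k}' is deprecated; use 'idmap uid'/'idmap gid'"
                for k in ("winbind uid", "winbind gid") if k in params]
    alloc = [parse_range(params[k]) for k in ("idmap uid", "idmap gid") if k in params]
    for key, value in params.items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            low, high = parse_range(value)
            for alow, ahigh in alloc:
                if low <= ahigh and alow <= high:  # the two intervals intersect
                    findings.append(f"'{key}' overlaps allocation range {alow}-{ahigh}")
    return findings
```

Run check_idmap(parse_global(open("/etc/samba/smb.conf").read())) against a real file; an overlap between a domain's rid range and the allocation range means the same uid can be handed to two different SIDs.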