[Samba] Winbind problem with more details.

Trimble, Ronald D Ronald.Trimble at unisys.com
Fri Feb 15 18:48:14 GMT 2008


Just an FYI, we are currently on 3.0.28.  This server was built when 3.0 was just coming around.

-----Original Message-----
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
>
> Trimble, Ronald D wrote:
> >
> > Here you go...
>
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggested config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!

If that is the case then I suggest this:
           idmap domains = default
           idmap config default:default = yes
           idmap alloc backend = tdb
           idmap uid = 16777216 - 33554431
           idmap gid = 16777216 - 33554431

Forget this:
           idmap config NA:backend = rid
           idmap config NA:range = 16777216 - 33554431

But remove these:
           winbind uid = 16777216-33554431
           winbind gid = 16777216-33554431

Backup your tdb cache directory and smb.conf first though to
be on the safe side.

-Ross

> > [global]
> >         workgroup = NA
> >         realm = NA.UIS.UNISYS.COM
> >         netbios name = ustr-linux-1
> >         server string = USTR-LINUX-1 Samba Server
> >         encrypt passwords = yes
> >         security = ADS
> >         password server = 192.xx.xxx.xxx
>
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
>
> >         passdb backend = smbpasswd
>
> I tend to use tdb for my passwd backend, especially if the number
> of users is large, tdb can speed lookups tremendously.
>
> >         log level = 2 winbind:10 ads:10 auth:10
> >         syslog = 0
> >         log file = /var/log/samba/%m.log
> > #       debug level = 10
> >         max log size = 5000
> >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> feature...
>
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
>
>           idmap domains = default NA
>           idmap config default:default = yes
>           idmap config NA:backend = rid
>           idmap config NA:range = 16777216 - 33554431
>
> Is that id range valid? I have never used anything over 999999, it
> seems very oddly arbitrary, but I suppose you have a reason...
>
> Normally I allocate a 100000 id range per domain, so NA would have
> range 100000 - 199999, domain NA2 would have 200000 - 299999 and
> so on, makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
>
>           idmap alloc backend = tdb
>           idmap uid = 90000 - 99999
>           idmap gid = 90000 - 99999
>
> This section here is for local mappings, BUILTINs and such, I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
>
> >         winbind use default domain = no
> >         winbind enum users = no
> >         winbind enum groups = no
> >         template homedir = /home/%D/%U
> >         template shell = /bin/bash
> >         admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> >         nt acl support = yes
> >         map acl inherit = yes
>
> Notice I removed these lines:
> >         winbind uid = 16777216-33554431
> >         winbind gid = 16777216-33554431
>
> This is old deprecated syntax, the syntax is now 'idmap uid',
> and it applies to id domains not explicitly configured with
> the 'id config' directive.
>
> <snip>
>
> Let me know if that helps.
>
> -Ross
>
> ______________________________________________________________________
> This e-mail, and any attachments thereto, is intended only for use by
> the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail, you are hereby notified that any dissemination,
> distribution or copying of this e-mail, and any attachments thereto,
> is strictly prohibited. If you have received this e-mail in error,
> please immediately notify the sender and permanently delete the
> original and any copy or printout thereof.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

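The thread turns on three things a reviewer of this smb.conf would want to verify before restarting winbind: that the deprecated `winbind uid`/`winbind gid` lines are gone, that the tdb allocation range (`idmap uid`/`idmap gid`) does not collide with any per-domain `idmap config <DOMAIN>:range`, and how the rid backend turns a RID into a uid when a domain range is used. The script below is an added example written for this page; it is not Samba code and not either poster's tooling. It assumes the 3.0.25-style key names quoted above, that ranges are written `LOW - HIGH` with optional spaces, and the idmap_rid mapping `id = RID - base_rid + range_low` with the default `base_rid` of 0. The sample configuration it checks is constructed from the first suggestion in the thread with the old `winbind uid`/`winbind gid` lines deliberately left in.

```python
import re
from typing import Dict, List, Tuple

# Pre-3.0.25 keys the thread says to remove in favour of 'idmap uid'/'idmap gid'.
DEPRECATED_KEYS = ("winbind uid", "winbind gid")

# Constructed sample (not a real config): Ross's first suggestion plus the
# deprecated lines, so the checker has something to flag.
SAMPLE_CONF = """\
[global]
        workgroup = NA
        security = ADS
        idmap domains = default NA
        idmap config default:default = yes
        idmap config NA:backend = rid
        idmap config NA:range = 16777216 - 33554431
        idmap alloc backend = tdb
        idmap uid = 90000 - 99999
        idmap gid = 90000 - 99999
#       debug level = 10
        winbind uid = 16777216-33554431
        winbind gid = 16777216-33554431
"""


def parse_global(conf: str) -> Dict[str, str]:
    """Return the [global] section as {key: value}. Keys are lower-cased and
    whitespace-normalised; '#'/';' comment lines and other sections are skipped."""
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW - HIGH' (spaces around '-' optional) into (low, high)."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m:
        raise ValueError(f"malformed idmap range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low >= high:
        raise ValueError(f"idmap range must have low < high: {value!r}")
    return low, high


def collect_ranges(params: Dict[str, str]) -> List[Tuple[str, int, int]]:
    """Every range in play: the alloc range ('idmap uid') plus each
    'idmap config <DOMAIN>:range'."""
    ranges: List[Tuple[str, int, int]] = []
    if "idmap uid" in params:
        low, high = parse_range(params["idmap uid"])
        ranges.append(("idmap uid (alloc backend)", low, high))
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = parse_range(value)
            ranges.append((f"domain {m.group(1)}", low, high))
    return ranges


def find_overlaps(ranges: List[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Pairs of labels whose inclusive ranges share at least one id."""
    clashes = []
    for i, (label_a, lo_a, hi_a) in enumerate(ranges):
        for label_b, lo_b, hi_b in ranges[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((label_a, label_b))
    return clashes


def check_idmap(conf: str) -> List[str]:
    """Human-readable problems with the idmap section; empty list means clean."""
    params = parse_global(conf)
    problems: List[str] = []
    for key in DEPRECATED_KEYS:
        if key in params:
            problems.append(f"deprecated '{key}' present; use 'idmap uid'/'idmap gid' instead")
    try:
        for a, b in find_overlaps(collect_ranges(params)):
            problems.append(f"id ranges overlap: {a} and {b}")
    except ValueError as exc:  # a malformed range is itself a finding
        problems.append(str(exc))
    return problems


def rid_to_id(rng: Tuple[int, int], rid: int, base_rid: int = 0) -> int:
    """Deterministic rid-backend mapping, id = rid - base_rid + range_low
    (assumes the default base_rid of 0); raises if the RID falls outside the range."""
    low, high = rng
    uid = rid - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {low}-{high}")
    return uid


if __name__ == "__main__":
    for problem in check_idmap(SAMPLE_CONF):
        print("WARNING:", problem)
    print("RID 1105 in domain NA ->", rid_to_id(parse_range("16777216 - 33554431"), 1105))
```

Run against the sample it reports the two deprecated keys and no range clash, since 90000-99999 and 16777216-33554431 are disjoint; change `idmap uid` to the same range as the NA domain and the overlap is flagged, which is exactly the situation the tdb-versus-rid discussion above is trying to avoid. The `rid_to_id` helper shows why Ross likes a range base on a power of ten: with the range 100000-199999, RID 500 lands on uid 100500 and the RID can be read straight off the uid.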
