[Samba] Winbind problem with more details.

Ross S. W. Walker rwalker at medallion.com
Fri Feb 15 19:29:02 GMT 2008


Trimble, Ronald D wrote:
> 
> You are 100% correct.  I did have a situation several weeks 
> ago where I was forced to delete the cache and as a result I 
> had to go through the entire file structure to reset all the 
> ACLs.  It was a mess, but thankfully I have a very simple 
> security model.

I would seriously think about using idmap_rid, as it will make
sure that, if you need to re-create your maps, your UIDs and GIDs
will be identical each time and on each server.

Of course doing so will force you to have to reset ACLs in your
file structure again... :-(

-Ross

> -----Original Message-----
> From: Ross S. W. Walker [mailto:rwalker at medallion.com]
> Sent: Friday, February 15, 2008 12:30 PM
> To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Winbind problem with more details.
> 
> Ross S. W. Walker wrote:
> >
> > Trimble, Ronald D wrote:
> > >
> > > Here you go...
> >
> > I forgot to ask which version of samba you're now running, but
> > assuming it is something around '3.0.25', then here is my
> > suggested config. If it is an earlier version let me know.
> 
> I just realized that your config is pre-RID mapping so your
> uid/gid base is in a single tdb file that if lost or broken
> will seriously mess up your user base!
> 
> If that is the case then I suggest this:
>            idmap domains = default
>            idmap config default:default = yes
>            idmap alloc backend = tdb
>            idmap uid = 16777216 - 33554431
>            idmap gid = 16777216 - 33554431
> 
> Forget this:
>            idmap config NA:backend = rid
>            idmap config NA:range = 16777216 - 33554431
> 
> But remove these:
>            winbind uid = 16777216-33554431
>            winbind gid = 16777216-33554431
> 
> Back up your tdb cache directory and smb.conf first though to
> be on the safe side.
> 
> -Ross
> 
> > > [global]
> > >         workgroup = NA
> > >         realm = NA.UIS.UNISYS.COM
> > >         netbios name = ustr-linux-1
> > >         server string = USTR-LINUX-1 Samba Server
> > >         encrypt passwords = yes
> > >         security = ADS
> > >         password server = 192.xx.xxx.xxx
> >
> > I believe for an AD domain, if you set the password server
> > equal to the local domain name it will round-robin query
> > the closest domain controller. Test it out, it will eliminate
> > the single point of failure if it works in your environment.
> >
> > >         passdb backend = smbpasswd
> >
> > I tend to use tdb for my passwd backend, especially if the number
> > of users is large, tdb can speed lookups tremendously.
> >
> > >         log level = 2 winbind:10 ads:10 auth:10
> > >         syslog = 0
> > >         log file = /var/log/samba/%m.log
> > > #       debug level = 10
> > >         max log size = 5000
> > >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >
> > I see no idmap entries here, and don't understand how winbind
> > is working at all without them, maybe some old compatibility
> > feature...
> >
> > I suggest, and of course I don't know your full topology, so it
> > will most definitely need adjusting:
> >
> >           idmap domains = default NA
> >           idmap config default:default = yes
> >           idmap config NA:backend = rid
> >           idmap config NA:range = 16777216 - 33554431
> >
> > Is that id range valid? I have never used anything over 999999, it
> > seems very oddly arbitrary, but I suppose you have a reason...
> >
> > Normally I allocate a 100000 id range per domain, so NA would have
> > range 100000 - 199999, domain NA2 would have 200000 - 299999 and
> > so on, makes it easier to determine the RID if the base of the
> > range is on a power of ten and if you have multiple domains.
> >
> >           idmap alloc backend = tdb
> >           idmap uid = 90000 - 99999
> >           idmap gid = 90000 - 99999
> >
> > This section here is for local mappings, BUILTINs and such, I
> > set it as the default, but I'm sure other people will have
> > their preferences or recommendations.
> >
> > >         winbind use default domain = no
> > >         winbind enum users = no
> > >         winbind enum groups = no
> > >         template homedir = /home/%D/%U
> > >         template shell = /bin/bash
> > >         admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> > >         nt acl support = yes
> > >         map acl inherit = yes
> >
> > Notice I removed these lines:
> > >         winbind uid = 16777216-33554431
> > >         winbind gid = 16777216-33554431
> >
> > This is old deprecated syntax, the syntax is now 'idmap uid',
> > and it applies to id domains not explicitly configured with
> > the 'idmap config' directive.
> >
> > <snip>
> >
> > Let me know if that helps.
> >
> > -Ross
> >
> > 
> > ______________________________________________________________________
> > This e-mail, and any attachments thereto, is intended only for use by
> > the addressee(s) named herein and may contain legally privileged
> > and/or confidential information. If you are not the intended recipient
> > of this e-mail, you are hereby notified that any dissemination,
> > distribution or copying of this e-mail, and any attachments thereto,
> > is strictly prohibited. If you have received this e-mail in error,
> > please immediately notify the sender and permanently delete the
> > original and any copy or printout thereof.
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
> 
> 
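
An added example (my own code, not from the thread or from Samba) that shows the difference Ross is pointing at: idmap_rid derives each id from the account's RID, so a rebuilt map yields the same ids on every server, whereas a tdb-style allocating backend hands ids out in first-seen order, so deleting the cache can renumber everyone. The SIDs and RIDs are constructed sample values; the range is the one quoted in the thread.

```python
import re

# Constructed sample SIDs (domain part and RIDs are made up for this example).
SAMPLE_SIDS = [
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-1106",
    "S-1-5-21-1111-2222-3333-500",
]
LOW, HIGH = 16777216, 33554431  # the idmap range quoted in the thread
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def rid_map(sid, low=LOW, high=HIGH):
    """idmap_rid rule: id = low + RID. An id past the top of the range is
    unmappable, so the range needs room for the domain's highest RID."""
    _, rid = split_sid(sid)
    uid = low + rid
    if uid > high:
        raise ValueError(f"RID {rid} does not fit in {low}-{high}")
    return uid

class TdbAllocator:
    """Mimics a tdb allocating backend: the next free id goes to whichever
    SID is looked up first, so the mapping exists only in the cache file."""
    def __init__(self, low=LOW, high=HIGH):
        self.next_id, self.high, self.table = low, high, {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]

def compare(sids=SAMPLE_SIDS):
    """Return (rid ids, tdb ids on first use, tdb ids after the cache is
    deleted and the accounts happen to be looked up in another order)."""
    rid_ids = [rid_map(s) for s in sids]
    original, rebuilt = TdbAllocator(), TdbAllocator()
    before = [original.lookup(s) for s in sids]
    after = {s: rebuilt.lookup(s) for s in reversed(sids)}
    return rid_ids, before, [after[s] for s in sids]
```

File ACLs store the numeric ids, which is why a renumbering like the rebuilt tdb case forces the full ACL reset described above, while the rid-derived ids survive a cache loss unchanged.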

