[Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?

Werthmuller, Derek dwerthmu at ctg.albany.edu
Wed Dec 4 12:53:40 MST 2013


Yeah, the user base is rather old (> 10 years); 500 is the lowest.  Trying to make use of the uid and gid numbers since we have several Linux file servers and that's how the users' shared spaces are set up.  We really don't want to have to reassign owner and group permissions on all the shares.

OS version
-bash-4.1$ more /etc/redhat-release 
CentOS release 6.5 (Final)
-bash-4.1$ uname -a
Linux 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux

Samba DC versions
-bash-4.1$ rpm -qa |grep samba
sernet-samba-common-4.1.2-7.el6.i686
sernet-samba-winbind-4.1.2-7.el6.i686
sernet-samba-libs-4.1.2-7.el6.i686
sernet-samba-4.1.2-7.el6.i686
sernet-samba-libsmbclient0-4.1.2-7.el6.i686
sernet-samba-ad-4.1.2-7.el6.i686
sernet-samba-client-4.1.2-7.el6.i686
-bash-4.1$

Samba member version
uname -a
Linux 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
more /etc/redhat-release
CentOS release 6.5 (Final)

sernet-samba-libs-4.1.2-7.el6.x86_64
sernet-samba-winbind-4.1.2-7.el6.x86_64
sernet-samba-common-4.1.2-7.el6.x86_64
sernet-samba-libsmbclient0-4.1.2-7.el6.x86_64
sernet-samba-4.1.2-7.el6.x86_64
sernet-samba-client-4.1.2-7.el6.x86_64

-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com] 
Sent: Wednesday, December 04, 2013 2:40 PM
To: Werthmuller, Derek; samba at lists.samba.org
Subject: Re: [Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?

On 04/12/13 19:02, Werthmuller, Derek wrote:
> Got part of it working, seems the gidnumber is not being pulled properly through.  Here is the member server smb.conf
> Note        idmap config DOM : range = 500 - 2000 is the number space where all my uidnumbers and gidnumbers are.
> Currently a getent passwd retrieves the list of users and displays the proper uid, but the gidnumber is in the outer range.
>
> Username:*:500:100::/exports/users/%U:/bin/bash   <- this is not correct group #  - it should be 500

You really shouldn't be using uidNumbers & gidNumbers that low, you are down in the Unix range there. 0-500 is used by Red Hat based distros and 0-1000 by Debian based distros. The group '100' is probably the 'users' group and is set by Samba 4 idmap.

>
> I wonder if I need to clear a winbind cache?  Is net cache flush the correct way to do this on the member server?
>
> An ldapsearch of the AD directory to verify that the proper uid and gid are stored for that user reveals that they are.
> ...
> uidNumber: 500
> gidNumber: 500
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> ...
>
> Smb.conf
> [global]
>          workgroup = DOM
>          realm = DOM.EXAMPLE.COM
>          server string = Samba Server Version %v
>          security = ADS
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          template homedir = /exports/users/%U
>          template shell = /bin/bash
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          idmap_ldb : use rfc2307 = yes
>          idmap config DOM : range = 500 - 2000      # range winbind has authority over to set.
>          idmap config DOM : backend = ad
>          idmap config * : range = 1000000-1999999  # range for entries if winbind can't find proper #
>          idmap config * : backend = tdb
>          cups options = raw
>
> Thanks
> 	Derek
>
Please post what your OS is and what precise versions of samba you are 
using.

Rowland
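
The overlap Rowland warns about, where the 500 - 2000 idmap range reaches into locally assigned IDs, can be checked on a member server. The following is an added example, not part of the original thread or of Samba: it reads the two idmap range lines as posted and lists local passwd/group entries whose numeric ID falls inside them. The local account entries and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the two idmap range lines as posted in the thread,
# plus made-up local passwd/group entries for a hypothetical member server.
SMB_CONF = """\
    idmap config DOM : range = 500 - 2000      # range winbind has authority over to set.
    idmap config * : range = 1000000-1999999  # range for entries if winbind can't find proper #
"""
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:500:500::/home/localadmin:/bin/bash
"""
LOCAL_GROUP = """\
root:x:0:
users:x:100:
localadmin:x:500:
"""
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    found = (RANGE_RE.match(line) for line in conf_text.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def local_ids(db_text):
    """Map numeric ID (third field) to name for passwd- or group-format text."""
    rows = (line.split(":") for line in db_text.splitlines())
    return {int(f[2]): f[0] for f in rows if len(f) >= 3 and f[2].isdigit()}

def collisions(conf_text, passwd_text, group_text):
    """List (domain, kind, id, local_name) for local IDs inside an idmap range."""
    hits = []
    for dom, (low, high) in sorted(idmap_ranges(conf_text).items()):
        for kind, text in (("uid", passwd_text), ("gid", group_text)):
            for num, name in sorted(local_ids(text).items()):
                if low <= num <= high:
                    hits.append((dom, kind, num, name))
    return hits

if __name__ == "__main__":
    for dom, kind, num, name in collisions(SMB_CONF, LOCAL_PASSWD, LOCAL_GROUP):
        print(f"idmap range for {dom} contains local {kind} {num} ({name})")
```

A local account that shares a number with a directory user inherits that user's file ownership on every share, so any hit is worth resolving before the range goes into production.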

