[Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?

Werthmuller, Derek dwerthmu at ctg.albany.edu
Wed Dec 4 15:42:44 MST 2013


There are no local system uid or gid numbers less than 500 on this system so it will be fine.
Removed the space as suggested.  idmap config DOM : range = 500-2000

Any other suggestions to get this working?  

I'm assuming that nscd should be turned off.  Winbindd has its own caching.
Gid 100 is a local system group found in /etc/group
users:x:100:


Once I make a change to the smb.conf file to affect how winbind works, what do I need to do to make sure past info is not being used?
I've been restarting winbindd up to this point.

Thanks
	Derek


-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com] 
Sent: Wednesday, December 04, 2013 3:13 PM
To: Werthmuller, Derek; samba at lists.samba.org
Subject: Re: [Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?

On 04/12/13 19:53, Werthmuller, Derek wrote:
> Yea the user base is rather old > 10 years, 500 is the lowest.  Trying to make use of the uid and gid numbers since we have several linux file servers and that's how the users shared spaces are setup.  We really don't want to have to reassign owner and group permissions on all the shares.
>
> OS version
> -bash-4.1$ more /etc/redhat-release
> CentOS release 6.5 (Final)
> -bash-4.1$ uname -a
> Linux 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 
> i686 i386 GNU/Linux
>
> Samba DC versions
> -bash-4.1$ rpm -qa |grep samba
> sernet-samba-common-4.1.2-7.el6.i686
> sernet-samba-winbind-4.1.2-7.el6.i686
> sernet-samba-libs-4.1.2-7.el6.i686
> sernet-samba-4.1.2-7.el6.i686
> sernet-samba-libsmbclient0-4.1.2-7.el6.i686
> sernet-samba-ad-4.1.2-7.el6.i686
> sernet-samba-client-4.1.2-7.el6.i686
> -bash-4.1$
>
> Samba member version
> uname -a
> Linux 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 
> x86_64 x86_64 GNU/Linux [more /etc/redhat-release CentOS release 6.5 
> (Final)
>
> sernet-samba-libs-4.1.2-7.el6.x86_64
> sernet-samba-winbind-4.1.2-7.el6.x86_64
> sernet-samba-common-4.1.2-7.el6.x86_64
> sernet-samba-libsmbclient0-4.1.2-7.el6.x86_64
> sernet-samba-4.1.2-7.el6.x86_64
> sernet-samba-client-4.1.2-7.el6.x86_64
>
> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Wednesday, December 04, 2013 2:40 PM
> To: Werthmuller, Derek; samba at lists.samba.org
> Subject: Re: [Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?
>
> On 04/12/13 19:02, Werthmuller, Derek wrote:
>> Got part of it working, seems the gidnumber is not being pulled properly through.  Here is the member server smb.conf
>> Note        idmap config DOM : range = 500 - 2000 is the number space where all my uidnumbers and gidnumbers are.
>> Currently a getent passwd retrieves the list of users and displays the proper uid, but the gidnumber is in the outer range.
>>
>> Username:*:500:100::/exports/users/%U:/bin/bash   <- this is not correct group #  - it should be 500
> You really shouldn't be using uidNumbers & gidNumbers that low, you
> are down in Unix range there. 0-500 is used by red hat based distros
> and 0-1000 by debian based distros. The group '100' is probably the
> 'users' group and is set by samba 4 idmap.
>
>> I wonder if I need to clear a winbind cache?  Net cache flush the correct way to do this on the member server?
>>
>> An ldapsearch of the ad directory to verify that the proper uid and gid are stored for that user reveals that they are.
>> ...
>> uidNumber: 500
>> gidNumber: 500
>> loginShell: /bin/bash
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> ...
>>
>> Smb.conf
>> [global]
>>           workgroup = DOM
>>           realm = DOM.EXAMPLE.COM
>>           server string = Samba Server Version %v
>>           security = ADS
>>           log file = /var/log/samba/log.%m
>>           max log size = 50
>>           template homedir = /exports/users/%U
>>           template shell = /bin/bash
>>           winbind enum users = Yes
>>           winbind enum groups = Yes
>>           winbind use default domain = Yes
>>           idmap_ldb : use rfc2307 = yes
>>           idmap config DOM : range = 500 - 2000      # range winbind has authority over to set.
>>           idmap config DOM : backend = ad
>>           idmap config * : range = 1000000-1999999  # range for entries if winbind can't find proper #
>>           idmap config * : backend = tdb
>>           cups options = raw
>>
>> Thanks
>> 	Derek
>>
> Please post what your OS is and what precise versions of samba you are 
> using.
>
> Rowland
Hmm, just noticed this:
idmap config DOM : range = 500 - 2000

I think it should be this:
idmap config DOM : range = 500-2000

I still think that 500 is a bit low but it should work, try changing the above line and if this doesn't work, there is always plan B: sssd

Rowland
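
Added example, not part of the original thread and not Samba project code: a small lint for the `idmap config` range lines discussed above. It flags a range that is not written in the `LOW-HIGH` form suggested in the reply, ranges that overlap between domains, and local uid/gid numbers that fall inside a domain's range. The sample smb.conf is constructed from the one quoted in the thread; `local_ids` is an assumed input.

```python
import re

# Constructed sample modelled on the member-server smb.conf quoted in the thread.
SAMPLE = """\
[global]
    workgroup = DOM
    security = ADS
    idmap config DOM : range = 500 - 2000
    idmap config DOM : backend = ad
    idmap config * : range = 1000000-1999999
    idmap config * : backend = tdb
"""

IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.*?)\s*$", re.I)
LOOSE = re.compile(r"^(\d+)\s*-\s*(\d+)")   # tolerant match, to recover the numbers
STRICT = re.compile(r"^\d+-\d+$")            # the form suggested in the reply

def parse_ranges(text):
    """Return {domain: (raw_value, low, high)} for every idmap range line."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # skip whole-line comments
            continue
        m = IDMAP.match(line)
        if m and m.group(2).lower() == "range":
            nums = LOOSE.match(m.group(3))
            low, high = (int(nums.group(1)), int(nums.group(2))) if nums else (None, None)
            out[m.group(1)] = (m.group(3), low, high)
    return out

def lint(text, local_ids=()):
    """Return a sorted list of (domain, problem) findings."""
    ranges, findings = parse_ranges(text), []
    for dom, (raw, low, high) in ranges.items():
        if not STRICT.match(raw):
            findings.append((dom, "range is not written as LOW-HIGH: %r" % raw))
        if low is None:
            continue
        if low >= high:
            findings.append((dom, "low bound is not below high bound"))
        hits = sorted(i for i in local_ids if low <= i <= high)
        if hits:
            findings.append((dom, "local IDs inside range: %s" % hits))
        for other, (_, olow, ohigh) in ranges.items():
            # Compare each pair once (string order decides which side reports it).
            if other > dom and olow is not None and low <= ohigh and olow <= high:
                findings.append((dom, "overlaps range of %s" % other))
    return sorted(findings)
```

On a real member server, `local_ids` would be the numeric IDs read from /etc/passwd and /etc/group, such as the `users:x:100:` entry mentioned above.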


