[Samba] [Samba 3, Debian wheezy] All of a sudden, resolving ADS user fails completely

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 11 06:50:02 MST 2013


On 11/12/13 13:30, Patrick G. Stoesser wrote:
> On 11.12.2013 13:43, steve wrote:
>> On Wed, 2013-12-11 at 13:04 +0100, Patrick G. Stoesser wrote:
>>
>>>
>>> Oh, when I said I move the users I meant I move their data. The user
>>> accounts themselves are stored in the AD.
>>> I copy the user data via scp, and after that I chown and chmod the data,
>>> and after that I make an entry in smb.conf.
>>
>> OK. So I assume that since there is only 1 file server then you can
>> chmod and chown as much as you like.
>
> No, I can do that on any server. To tell more details: The DC is a 
> Windows server. I "own" an OU where I can manage my users, machines 
> and GPOs.
> All users are created on the DC. I just provide name, username and 
> password. After a user is created in the AD, I can (for example) chown 
> to this user on any of my servers. chown -vR ad#user user. And that 
> works, after that (and the according smb.conf entry) the user can 
> connect to the share. That works from WinXP, Win7, Win8, Linux, Mac.
>
>> What I can't see is how the uid:gid
>> pair get over to your Linux clients. Or maybe this is just a file server
>> for win boxes. . . Is the uidNumber for the user stored in AD perhaps?
>> And what is the entry you make in smb.conf? Or are these new users in a
>> new share with new data with perhaps just their personal files being
>> transferred from the old server? Guessing. . .
>
> In my "old" squeeze smb.confs I had the entry
>
> idmap uid = 10000-95000
> idmap gid = 10000-95000
>
> but on my wheezy servers testparm told that those are deprecated. Ahm, 
> it seems that one cannot just use the squeeze samba config 1:1 on a 
> wheezy samba...? But it worked for several weeks testing...

idmap uid & gid have been replaced by 'idmap config AD:range = 10000-95000'

But for the ad backend to work you need uidNumber & gidNumber stored in 
AD. If you do not have them, you can use the rid backend; this creates 
the uidNumber & gidNumber from the SIDs.

Also, deprecated means you shouldn't use them; it doesn't mean you cannot 
use them.

Rowland

>>>
>>>> How many users do you need to transfer? Do you have admin access to
>>>> the DC?
>>>
>>> I do not have full admin access to the DC, I can create users and
>>> machine accounts and edit the GPO in my OU.
>>>
>> Could you ask the admin to supply a (censored) DN of one of the users
>> you have just transferred so we can get a better idea?
>> HTH
>> Steve
>
> That's another part of my problem, currently I do not reach an admin 
> of the DC...
>>
>> (Just read the other post about the debian update. Maybe this is now
>> solved by the downgrade?)
>
> No, unfortunately not. I just transfer the data to a working server 
> (the one where the update has not been applied yet) and start my 
> problem server from scratch. Ugly.
>
> Kind regards, pgs
>
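
The rid backend mentioned in the reply above derives each Unix ID arithmetically from the last component (RID) of the account's SID, using the formula documented in idmap_rid(8). The following is an added example, not part of the original thread or of Samba's code, showing that calculation with the 10000-95000 range from the thread. Assumptions: the domain SID is constructed, base_rid is 0, and the function names are illustrative.

```python
# Added illustration of the idmap_rid mapping; SIDs below are constructed.
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a textual SID such as S-1-5-21-a-b-c-1105."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subauths = m.group(2).lstrip("-").split("-")
    if len(subauths) < 2:
        raise ValueError(f"SID has no RID: {sid!r}")
    domain_sid = "S-1-" + m.group(1) + "-" + "-".join(subauths[:-1])
    return domain_sid, int(subauths[-1])

def rid_to_unix_id(sid, domain_sid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID, per idmap_rid(8).

    Returns None when the SID belongs to another domain or the result
    falls outside the configured range, so no ID can be assigned.
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def unix_id_to_rid(unix_id, low, high, base_rid=0):
    """Inverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low

# Constructed domain SID; range taken from the thread (10000-95000).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOW, HIGH = 10000, 95000

if __name__ == "__main__":
    # RID 90000 maps to 100000, which is above the range and stays unmapped.
    for rid in (513, 1105, 90000):
        sid = f"{DOMAIN_SID}-{rid}"
        print(sid, "->", rid_to_unix_id(sid, DOMAIN_SID, LOW, HIGH))
```

Because the ID is computed rather than allocated, every server configured with the same range arrives at the same uid for a given user, and a range of 10000-95000 only covers RIDs up to 85000.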


