[Samba] Samba4 Dc Winbind and uidNumbers
Jim Potter
jimpotter at orange.net
Wed May 29 01:19:05 MDT 2013
Hi All,
Sorry for the late reply - I think I've got to the bottom of this...
The domain controller winbindd needs the line
idmap_ldb:use rfc2307 = yes
This tells it to use the uidNumber from AD. The others don't seem to
make a lot of difference on a DC.
....but I also found this:
- If the 'use rfc2307' line wasn't there when the second DC was added,
that DC will make up its own uidNumbers which won't get overwritten by
the ones from AD, so it's not always easy to tell that it's worked. My top
tip for a second DC:
- Set up the first DC with use rfc2307 - this won't put uid/gidNumbers into
AD - the DC will invent its own values
- copy the uid/gidNumbers of your default AD users and groups from
your first DC (getent passwd and getent group) and put them into the
uidNumber and gidNumber attributes in AD
- now when you add your second DC make sure you have use rfc2307 and it
will pick up these uidNumbers from AD and you'll have consistent numbers
across all DCs.
I've found that this is part of the problem I was having with sysvol
replication too - rsync would copy files over and keep uidNumbers
intact, but these mapped to different users on different servers.
Does that make sense?
Jim
PS with samba4, why don't the different processes have nice names? I
have a whole bunch of processes called 'samba', one of which is an LDAP
server, one a kerberos server, DNS, winbind etc. It's a crazy idea, but
why not call them 'ldap', 'dns', 'kerberos' etc? It might make things a
bit easier..
On 27/03/2013 14:43, Jim Potter wrote:
>
> Thanks for the replies on this. I'm on holiday at the mo, but will try
> it when I get home and get back to you.
>
> cheers,
>
> Jim
>
> On Mar 27, 2013 2:21 PM, "Gémes Géza" <geza at kzsdabas.hu> wrote:
> >
> > Hi,
> >
> >> On Wed, Mar 27, 2013 at 6:14 AM, Jim Potter <jimchuffff at googlemail.com> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I'm trying to get the unix extensions working in AD. I'm obviously
> >>> missing something, but I can't see what...
> >>>
> >>> I've just created user Jim (using ADUC) and added a uidNumber (using
> >>> ADSIEdit). From this and what I have below, user Jim should have
> >>> uidNumber of 12345 (from AD) and not be prefixed with Domain name. This
> >>> isn't happening. Does anyone have any idea why not?
> >>>
> >>> cheers,
> >>>
> >>> Jim
> >>>
> >>>
> >>> Excerpt from getent passwd:
> >>> saned:x:110:117::/home/saned:/bin/false
> >>> FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
> >>> FASTFOOD\Guest:*:3000011:3000012::/home/FASTFOOD/Guest:/bin/false
> >>> FASTFOOD\krbtgt:*:3000016:100::/home/FASTFOOD/krbtgt:/bin/false
> >>> FASTFOOD\jim:*:3000019:100:Jim Chuffff:/home/FASTFOOD/jim:/bin/false
> >>>
> >>>
> >>> smb.conf:
> >>> [global]
> >>> workgroup = FASTFOOD
> >>> realm = FASTFOOD.LAN
> >>> netbios name = CHIPSHOP
> >>> server role = active directory domain controller
> >>>
> >>> dns forwarder = 62.24.199.13
> >>>
> >>> log level = 3
> >>>
> >>> algorithmic rid base = 10000
> >>>
> >>> idmap config * : range = 50001-60000
> >>> idmap config * : backend = ad
> >>>
> >>> idmap config FASTFOOD : range = 10000-50000
> >>> idmap config FASTFOOD : backend = ad
> >>
> >> Hello Jim,
> >> Try adding these lines. If this doesn't work, I think you're being
> >> bitten by a known bug specific to this setup on an S4 DC. Andrew wrote
> >> a patch back in Nov-Dec, but it may not have made it into the
> >> codebase. Let me know if that doesn't work and I'll try to find that
> >> thread. I'm pretty sure someone came up with a work around.
> >>
> >> idmap config FASTFOOD : schema_mode = rfc2307
> >> idmap config FASTFOOD : default = yes
> >>
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >>
> >>> winbind nss info = rfc2307
> >>> winbind use default domain = yes
> >>>
> >>> [netlogon]
> >>> path = /var/lib/samba/sysvol/fastfood.lan/scripts
> >>> read only = No
> >>>
> >>> [sysvol]
> >>> path = /var/lib/samba/sysvol
> >>> read only = No
> >>>
> >>> My user from AD:
> >>> dn: CN=Jim Chuffff,CN=Users,DC=fastfood,DC=lan
> >>> objectClass: top
> >>> objectClass: person
> >>> objectClass: organizationalPerson
> >>> objectClass: user
> >>> cn: Jim Chuffff
> >>> sn: Chuffff
> >>> givenName: Jim
> >>> instanceType: 4
> >>> whenCreated: 20130317212551.0Z
> >>> displayName: Jim Chuffff
> >>> uSNCreated: 3873
> >>> name: Jim Chuffff
> >>> objectGUID:: hXvFCY0pTUeIgltTLbnOcQ==
> >>> badPwdCount: 0
> >>> codePage: 0
> >>> countryCode: 0
> >>> badPasswordTime: 0
> >>> lastLogoff: 0
> >>> lastLogon: 0
> >>> primaryGroupID: 513
> >>> objectSid:: AQUAAAAAAAUVAAAAbDu04eltc/ij6yQSUQQAAA==
> >>> accountExpires: 9223372036854775807
> >>> logonCount: 0
> >>> sAMAccountName: jim
> >>> sAMAccountType: 805306368
> >>> userPrincipalName: jim at fastfood.lan
> >>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan
> >>> pwdLastSet: 130080291520000000
> >>> userAccountControl: 66048
> >>> uidNumber: 12345
> >>> whenChanged: 20130317212824.0Z
> >>> uSNChanged: 3877
> >>> distinguishedName: CN=Jim Chuffff,CN=Users,DC=fastfood,DC=lan
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >
> > If you are running samba 4 as an AD DC (that is if you specify:
> > server role = active directory domain controller)
> > you will need to configure winbind inside the samba binary. The
> > settings you have are obeyed by the winbind binary which should be run
> > e.g. on a member server, so you need to replace them with:
> > idmap_ldb:use rfc2307 = yes
> > that is the only setting (it defaults to no) which can affect
> > winbind behavior on an AD DC.
> >
> > Regards
> >
> > Geza Gemes
> >
>
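The procedure Jim describes above (copy the ids the first DC's winbind handed out, as seen in getent passwd / getent group, into the AD uidNumber and gidNumber attributes before the second DC is joined with idmap_ldb:use rfc2307 = yes), as an added example that is not from the thread or from the Samba project. It is a POSIX shell script that builds the LDIF and can optionally apply it with Samba's own ldbsearch/ldbmodify. Assumptions: the default sam.ldb path, the FASTFOOD domain from the thread, that DC-allocated ids start at 3000000 (the range visible in Jim's getent output), and the sample getent lines, which are constructed from the shape of the thread's output rather than real data.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: generate (and,
# on request, apply) the LDIF that copies the uid/gidNumbers the first DC's
# winbind handed out into the AD uidNumber/gidNumber attributes, before a
# second DC is joined with `idmap_ldb:use rfc2307 = yes`.
# Assumptions: default sam.ldb path, the FASTFOOD domain from the thread,
# DC-allocated ids starting at 3000000 (the range seen in the thread's
# getent output). ldbsearch/ldbmodify are Samba's own tools; run as root.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
DOMAIN="${DOMAIN:-FASTFOOD}"

# Read passwd- or group-format lines on stdin, print "name:id:gid" for the
# domain entries only. Handles both `DOMAIN\name` (winbind use default
# domain = no) and unprefixed names, where only ids >= $2 are taken so
# local accounts such as saned:110 are skipped. Id 0 is never emitted:
# the thread's getent shows Administrator mapped to uid 0, and writing
# uidNumber 0 into AD would make that account root on every host that
# honours RFC2307 ids. For group lines the third field is the member list
# and is ignored by callers.
domain_ids() {
    dom="$1"; min="${2:-3000000}"
    awk -F: -v OFS=: -v dom="$dom" -v min="$min" '
        {
            name = $1; id = $3; gid = $4
            if (index(name, dom "\\") == 1) name = substr(name, length(dom) + 2)
            else if (id + 0 < min + 0) next
            if (id + 0 == 0) next
            print name, id, gid
        }'
}

# Print one LDIF modify record. $1 = DN, $2 = uidNumber ("-" for a group,
# which has no uidNumber), $3 = gidNumber.
rfc2307_ldif() {
    dn="$1"; uid="$2"; gid="$3"
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    [ "$uid" = "-" ] || printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n\n' "$gid"
}

# Real run: enumerate this DC's current ids, look each name up in sam.ldb,
# emit LDIF. Names go verbatim into the LDAP filter, so escape them first
# if any contain ( ) * or \.
sync_ids() {
    { getent passwd | domain_ids "$1" | sed 's/^/u:/'
      getent group  | domain_ids "$1" | sed 's/^/g:/'; } |
    while IFS=: read -r kind name id gid; do
        dn=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$name)" dn | sed -n 's/^dn: //p')
        if [ -z "$dn" ]; then echo "no AD object for $name, skipping" >&2; continue; fi
        if [ "$kind" = u ]; then rfc2307_ldif "$dn" "$id" "$gid"
        else rfc2307_ldif "$dn" - "$id"; fi
    done
}

# Constructed sample (shape of the thread's getent output), for a dry run.
SAMPLE_PASSWD='saned:x:110:117::/home/saned:/bin/false
FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
FASTFOOD\Guest:*:3000011:3000012::/home/FASTFOOD/Guest:/bin/false
FASTFOOD\krbtgt:*:3000016:100::/home/FASTFOOD/krbtgt:/bin/false
FASTFOOD\jim:*:3000019:100:Jim Chuffff:/home/FASTFOOD/jim:/bin/false'

# --sample: show what would be selected from the constructed lines
# --print:  generate LDIF from this DC (review it first)
# --apply:  write it into sam.ldb
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_PASSWD" | domain_ids "$DOMAIN" ;;
    --print)  sync_ids "$DOMAIN" ;;
    --apply)  sync_ids "$DOMAIN" | ldbmodify -H "$SAM_LDB" ;;
esac
```

Run it with --print on the first DC and read the LDIF before using --apply; the point of the separate step is that nothing with id 0 or from the local range should reach AD. Afterwards compare getent passwd and getent group on each DC. As Jim observes, a DC that was joined without use rfc2307 keeps the ids it already invented, so the order (populate AD first, then join the second DC) is what makes the numbers agree.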