[Samba] idmap problems after update from 3.0.33 to 3.6.6
Thomas Attenberger
thomas.attenberger at gmx.net
Thu Nov 7 07:51:04 MST 2013
2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> On 07/11/13 13:24, Thomas Attenberger wrote:
>
> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
>
>> On 07/11/13 12:04, Thomas Attenberger wrote:
>>
>>> Hi again,
>>>
>>> we want to keep the tdb method.
>>> After many hours of reading and searching, I have still no idea what can
>>> be
>>> wrong.
>>> Actually I'm hanging here:
>>>
>>> wbinfo -n newuser (is working)
>>> wbinfo -s newusersid (is working)
>>> wbinfo -S newusersid
>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not convert sid xxx to uid
>>>
>>> If I take a look in the winbindd_idmap.tdb the newuser is not listed.
>>>
>>> Has anyone some idea, what can be wrong?
>>>
>>> Regards
>>> Thomas
>>>
>>>
>>> 2013/10/23 steve <steve at steve-ss.com>
>>>
>>> On Wed, 2013-10-23 at 15:21 +0200, Thomas Attenberger wrote:
>>>>
>>>>> Thanks for your help.
>>>>>
>>>>>
>>>>> How can I manually populate the rfc2307 attributes?
>>>>>
>>>>>
>>>>> Before I tried it with "backend = ad", but then "wbinfo -u" lists only
>>>>> local users.
>>>>> Now it seems, there's no difference between using ad or tdb.
>>>>>
>>>>>
>>>>> Do I really need to use rfc2307 mode? Before I was running samba 3.0
>>>>> without it...
>>>>>
>>>>>
>>>>> What can I do now?
>>>>>
>>>> Hi
>>>> I can't help with the tdb method but your smb.conf is good to go for the
>>>> ad backend. To use it, you will have to add the rfc2307 attributes to
>>>> the 2008 box somehow. You can add e.g. uidNumber number to users under
>>>> the Unix tab on ADUC on your existing DC.
>>>>
>>>> Another good way to get the attributes would be to join a Samba4 machine
>>>> to the domain as another DC. It's then a simple matter to wrap a script
>>>> around ldbmodify to dump the attributes into AD from that box and let
>>>> replication do the rest.
>>>>
>>>> Do you have a lot of users?
>>>> Steve
>>>>
>>>>
>>>>
>> You are using RFC2307 on the clients, but do you have the users
>> RFC2307 info in AD? (msSFU30NisDomain, msSFU30Name, uidNumber, gidNumber,
>> loginShell, unixHomeDirectory, uid).
>> If you want to get all the RFC2307 info from AD using Samba, then the
>> machine needs to be joined to the domain (like a windows pc) and you need to
>> use something to pull this info, with winbind this means 'backend = ad',
>> but you can use sssd or nslcd.
>>
>> Rowland
>>
>
> No, I don't use RFC2307. Here is my actual smb.conf:
>
> workgroup = ATRON
> realm = ATRON.LOCAL
> security = ADS
> ldap ssl = off
> preferred master = no
> server string = %h
> log file = /var/log/samba/smb.log.%m
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind separator = +
> idmap config *:backend = tdb
> idmap config *:range = 3000-4000
> idmap config ATRON:backend = tdb
> idmap config ATRON:range = 10000-20000
> winbind use default domain = Yes
> template shell = /bin/bash
> username map = /etc/samba/smbusers
>
> Regards
> Thomas
>
> So, you are connecting to an AD server and presumably getting the users
> authentication from said server, just where do you think that you are going to
> get the rest of the users info from?
>
> Rowland
>
Yes, what is the rest??? All necessary info should come from winbind
(winbindd_idmap.tdb).
Before the update it was working correctly over years with that config:
[global]
workgroup = ATRON
realm = ATRON.LOCAL
security = ADS
preferred master = no
server string = %h
log file = /var/log/samba/smb.log.%m
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
username map = /etc/samba/smbusers
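Added example, not part of the original message and not Samba's own code: a small Python check that reads the idmap settings from the two configurations quoted in this thread, lists overlapping per-domain ranges, and reports which `idmap config` range contains the old `idmap uid`/`idmap gid` range. The function names are hypothetical and the embedded configs are abridged copies of the ones above.

```python
import re
# Abridged copies of the two configurations quoted in the thread.
OLD_CONF = """[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
"""
NEW_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ATRON:backend = tdb
idmap config ATRON:range = 10000-20000
"""
IDMAP_CONFIG = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+)$", re.I)

def parse_range(text):
    return tuple(int(part) for part in text.split("-", 1))

def parse_idmap(conf_text):
    """Return (per-domain 'idmap config' options, global 'idmap uid/gid' ranges)."""
    domains, global_ranges = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # collapse runs of whitespace in the key
        match = IDMAP_CONFIG.match(key)
        if match:
            domains.setdefault(match.group(1), {})[match.group(2).lower()] = value
        elif key.lower() in ("idmap uid", "idmap gid"):
            global_ranges[key.lower()] = parse_range(value)
    return domains, global_ranges

def overlapping(domains):
    """Return pairs of domains whose ID ranges intersect."""
    ranged = sorted((parse_range(o["range"]), d) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, (ra, a) in enumerate(ranged)
            for rb, b in ranged[i + 1:] if rb[0] <= ra[1]]

def containing(domains, id_range):
    """Return the domains whose configured range fully contains id_range."""
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    return [d for d, (low, high) in ranges.items() if low <= id_range[0] and id_range[1] <= high]

if __name__ == "__main__":
    new_domains, _ = parse_idmap(NEW_CONF)
    print("overlapping ranges:", overlapping(new_domains))
    for name, rng in parse_idmap(OLD_CONF)[1].items():
        print(name, rng, "is inside:", containing(new_domains, rng))
```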