[Samba] idmap problems after update from 3.0.33 to 3.6.6

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 7 08:03:02 MST 2013


On 07/11/13 14:51, Thomas Attenberger wrote:
>
> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com 
> <mailto:rowlandpenny at googlemail.com>>
>
>     On 07/11/13 13:24, Thomas Attenberger wrote:
>>
>>
>>
>>     2013/11/7 Rowland Penny <rowlandpenny at googlemail.com
>>     <mailto:rowlandpenny at googlemail.com>>
>>
>>         On 07/11/13 12:04, Thomas Attenberger wrote:
>>
>>             Hi again,
>>
>>             we want to keep the tdb method.
>>             After many ours of reading and searching, I have still no
>>             idea what can be
>>             wrong.
>>             Actually I'm hanging here:
>>
>>             wbinfo -n newuser    (is working)
>>             wbinfo -s newusersid (is working)
>>             wbinfo -S newusersid
>>             failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>             Could not convert sid xxx to uid
>>
>>             If I take a look in the winbindd_idmap.tdb the newuser is
>>             not listed.
>>
>>             Has anyone some idea, what can be wrong?
>>
>>             Regards
>>             Thomas
>>
>>
>>             2013/10/23 steve <steve at steve-ss.com
>>             <mailto:steve at steve-ss.com>>
>>
>>                 On Wed, 2013-10-23 at 15:21 +0200, Thomas Attenberger
>>                 wrote:
>>
>>                     Thanks for your help.
>>
>>
>>                     How can I manually populate the rfc2307 attributes?
>>
>>
>>                     Before I tried it with "backend = ad", but then
>>                     "wbinfo -u" lists only
>>                     local users.
>>                     Now it seems, there's no difference between using
>>                     ad or tdb.
>>
>>
>>                     Do I really need to use rfc2307 mode? Before I
>>                     was running samba 3.0
>>                     without it...
>>
>>
>>                     What can I do now?
>>
>>                 Hi
>>                 I can't help with the tdb method but your smb.conf is
>>                 good to go for the
>>                 ad backend. To use it, you will have to add the
>>                 rfc2307 attributes to
>>                 the 2008 box somehow. You can add e.g. uidNumber
>>                 number to users under
>>                 the Unix tab on ADUC on your existing DC.
>>
>>                 Another good way to get the attributes would be to
>>                 join a Samba4 machine
>>                 to the domain as another DC. It's then a simple
>>                 matter to wrap a script
>>                 around ldbmodify to dump the attributes into AD from
>>                 that box and let
>>                 replication do the rest.
>>
>>                 Do you have a lot of users?
>>                 Steve
>>
>>
>>
>>         You are using RFC2307 on the clients, but do you have the
>>         users RFC2307 info in AD? (msSFU30NisDomain, msSFU30Name,
>>         uidNumber, gidNumber, loginShell, unixHomeDirectory, uid).
>>         If you want to get all the RFC2307 info from AD using Samba,
>>         then the machine needs to joined to the domain (like a
>>         windows pc) and you need to use something to pull this info,
>>         with winbind this means  'backend = ad', but you can use sssd
>>         or nslcd.
>>
>>         Rowland
>>
>>
>>     No, I don't use RFC2307. Here is my actual smb.conf:
>>
>>             workgroup       = ATRON
>>             realm           = ATRON.LOCAL
>>             security        = ADS
>>             ldap ssl        = off
>>             preferred master = no
>>             server string   = %h
>>             log file        = /var/log/samba/smb.log.%m
>>             winbind enum users = Yes
>>             winbind enum groups = Yes
>>             winbind separator = +
>>             idmap config *:backend = tdb
>>             idmap config *:range = 3000-4000
>>             idmap config ATRON:backend = tdb
>>             idmap config ATRON:range = 10000-20000
>>             winbind use default domain = Yes
>>             template shell  = /bin/bash
>>             username map    = /etc/samba/smbusers
>>
>>     Regards
>>     Thomas
>>
>     So, you are connecting to an AD server and presumably getting the
>     users authentication from said server, just where do think that
>     you are going to get the rest of the users info from?
>
>     Rowland
>
>
> Yes, what is the rest??? All necessary info should come frome winbind 
> (winbindd_idmap.tdb).
>
> Before the update it was working correctly over years with that config:
>
> [global]
>
> workgroup = ATRON
> realm= ATRON.LOCAL
> security= ADS
> preferred master = no
> server string = %h
> log file = /var/log/samba/smb.log.%m
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind separator = +
> idmap uid= 10000-20000
> idmap gid= 10000-20000
> template shell= /bin/bash
> username map= /etc/samba/smbusers
>
There have been massive changes between 3.0.33 and 3.6.6, for instance 
'idmap uid' is no longer used, you could, I suppose, use 'backend = 
rid', but this has the problem (against a Samba 4 AD server) of the user 
having different 'uidNumber' and 'gidNumber' on the client & the server.

My suggestion and I think everybody else's,  is to add all the users 
RFC2307 info to the AD server and then use the winbind ad backend or 
sssd or nslcd to pull the info from AD.

Rowland


More information about the samba mailing list