[Samba] idmap problems after update from 3.0.33 to 3.6.6
Thomas Attenberger
thomas.attenberger at gmx.net
Thu Nov 7 08:32:58 MST 2013
2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> On 07/11/13 14:51, Thomas Attenberger wrote:
>
> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
>
>> On 07/11/13 13:24, Thomas Attenberger wrote:
>>
>> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
>>
>>> On 07/11/13 12:04, Thomas Attenberger wrote:
>>>
>>>> Hi again,
>>>>
>>>> we want to keep the tdb method.
>>>> After many hours of reading and searching, I still have no idea what can
>>>> be wrong.
>>>> Actually I'm hanging here:
>>>>
>>>> wbinfo -n newuser (is working)
>>>> wbinfo -s newusersid (is working)
>>>> wbinfo -S newusersid
>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not convert sid xxx to uid
>>>>
>>>> If I take a look in the winbindd_idmap.tdb the newuser is not listed.
>>>>
>>>> Has anyone some idea, what can be wrong?
>>>>
>>>> Regards
>>>> Thomas
>>>>
>>>>
>>>> 2013/10/23 steve <steve at steve-ss.com>
>>>>
>>>>> On Wed, 2013-10-23 at 15:21 +0200, Thomas Attenberger wrote:
>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>>
>>>>>> How can I manually populate the rfc2307 attributes?
>>>>>>
>>>>>>
>>>>>> Before I tried it with "backend = ad", but then "wbinfo -u" lists only
>>>>>> local users.
>>>>>> Now it seems, there's no difference between using ad or tdb.
>>>>>>
>>>>>>
>>>>>> Do I really need to use rfc2307 mode? Before I was running samba 3.0
>>>>>> without it...
>>>>>>
>>>>>>
>>>>>> What can I do now?
>>>>>>
>>>>> Hi
>>>>> I can't help with the tdb method but your smb.conf is good to go for
>>>>> the
>>>>> ad backend. To use it, you will have to add the rfc2307 attributes to
>>>>> the 2008 box somehow. You can add e.g. uidNumber number to users under
>>>>> the Unix tab on ADUC on your existing DC.
>>>>>
>>>>> Another good way to get the attributes would be to join a Samba4
>>>>> machine
>>>>> to the domain as another DC. It's then a simple matter to wrap a script
>>>>> around ldbmodify to dump the attributes into AD from that box and let
>>>>> replication do the rest.
>>>>>
>>>>> Do you have a lot of users?
>>>>> Steve
>>>>>
>>> You are using RFC2307 on the clients, but do you have the users
>>> RFC2307 info in AD? (msSFU30NisDomain, msSFU30Name, uidNumber, gidNumber,
>>> loginShell, unixHomeDirectory, uid).
>>> If you want to get all the RFC2307 info from AD using Samba, then the
>>> machine needs to joined to the domain (like a windows pc) and you need to
>>> use something to pull this info, with winbind this means 'backend = ad',
>>> but you can use sssd or nslcd.
>>>
>>> Rowland
>>>
>>
>> No, I don't use RFC2307. Here is my actual smb.conf:
>>
>> workgroup = ATRON
>> realm = ATRON.LOCAL
>> security = ADS
>> ldap ssl = off
>> preferred master = no
>> server string = %h
>> log file = /var/log/samba/smb.log.%m
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind separator = +
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-4000
>> idmap config ATRON:backend = tdb
>> idmap config ATRON:range = 10000-20000
>> winbind use default domain = Yes
>> template shell = /bin/bash
>> username map = /etc/samba/smbusers
>>
>> Regards
>> Thomas
>>
>> So, you are connecting to an AD server and presumably getting the
>> users authentication from said server, just where do think that you are
>> going to get the rest of the users info from?
>>
>> Rowland
>>
>
> Yes, what is the rest??? All necessary info should come from winbind
> (winbindd_idmap.tdb).
>
> Before the update it was working correctly over years with that config:
>
> [global]
>
> workgroup = ATRON
> realm = ATRON.LOCAL
> security = ADS
> preferred master = no
> server string = %h
> log file = /var/log/samba/smb.log.%m
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> username map = /etc/samba/smbusers
>
> There have been massive changes between 3.0.33 and 3.6.6, for instance
> 'idmap uid' is no longer used, you could, I suppose, use 'backend = rid',
> but this has the problem (against a Samba 4 AD server) of the user having
> different 'uidNumber' and 'gidNumber' on the client & the server.
>
> My suggestion and I think everybody else's, is to add all the users
> RFC2307 info to the AD server and then use the winbind ad backend or sssd
> or nslcd to pull the info from AD.
>
> Rowland
>
I know about the changes to 'idmap uid' and replaced the parameter as you see in
the new config. But I can't find any information that "tdb" is deprecated.
I tried "rid", but we have set ACL access rights which use the UID as
user or group name. So, no alternative solution.
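As an added example (not code from the thread or from Samba), here is a small checker for the idmap migration discussed above: it flags the legacy 'idmap uid'/'idmap gid' parameters and verifies that every 'idmap config DOM:range' has a matching backend, is non-empty, and does not overlap another range. The two config strings are constructed, modelled on the smb.conf fragments quoted in the thread.

```python
import re

# Constructed smb.conf fragments, modelled on the two configs quoted in the thread.
OLD_CONF = """[global]
workgroup = ATRON
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

NEW_CONF = """[global]
workgroup = ATRON
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ATRON:backend = tdb
idmap config ATRON:range = 10000-20000
"""

# Pre-'idmap config' parameters that the thread says are no longer used.
LEGACY_IDMAP_KEYS = {"idmap uid", "idmap gid"}

def parse_global(conf):
    """Return {key: value} for a [global]-only smb.conf; whitespace in keys is collapsed.
    Assumes keys are written as in the quoted config (Samba itself is case-insensitive)."""
    params = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[" ".join(key.split())] = value.strip()
    return params

def idmap_ranges(params):
    """Map domain name -> (low, high) taken from 'idmap config DOM:range' entries."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def check_idmap(conf):
    """Return a list of findings; an empty list means the idmap layout looks consistent."""
    params = parse_global(conf)
    findings = []
    for key in sorted(LEGACY_IDMAP_KEYS & params.keys()):
        findings.append(f"'{key}' is legacy syntax; use 'idmap config DOM:range' instead")
    ranges = idmap_ranges(params)
    if "*" not in ranges:
        findings.append("no 'idmap config *:range' (default domain range) is set")
    for dom, (low, high) in ranges.items():
        if f"idmap config {dom}:backend" not in params:
            findings.append(f"range for {dom} has no matching backend")
        if low >= high:
            findings.append(f"range for {dom} is empty: {low}-{high}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:  # pairwise overlap test between configured ranges
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings
```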