[Samba] idmap problems after update from 3.0.33 to 3.6.6

Thomas Attenberger thomas.attenberger at gmx.net
Thu Nov 7 08:32:58 MST 2013


2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>

>  On 07/11/13 14:51, Thomas Attenberger wrote:
>
>
>  2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
>
>>  On 07/11/13 13:24, Thomas Attenberger wrote:
>>
>>
>>
>>
>> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
>>
>>> On 07/11/13 12:04, Thomas Attenberger wrote:
>>>
>>>> Hi again,
>>>>
>>>> we want to keep the tdb method.
>>>> After many hours of reading and searching, I have still no idea what can
>>>> be wrong.
>>>> Actually I'm hanging here:
>>>>
>>>> wbinfo -n newuser    (is working)
>>>> wbinfo -s newusersid (is working)
>>>> wbinfo -S newusersid
>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not convert sid xxx to uid
>>>>
>>>> If I take a look in the winbindd_idmap.tdb the newuser is not listed.
>>>>
>>>> Has anyone some idea, what can be wrong?
>>>>
>>>> Regards
>>>> Thomas
>>>>
>>>>
>>>> 2013/10/23 steve <steve at steve-ss.com>
>>>>
>>>> On Wed, 2013-10-23 at 15:21 +0200, Thomas Attenberger wrote:
>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>>
>>>>>> How can I manually populate the rfc2307 attributes?
>>>>>>
>>>>>>
>>>>>> Before I tried it with "backend = ad", but then "wbinfo -u" lists only
>>>>>> local users.
>>>>>> Now it seems, there's no difference between using ad or tdb.
>>>>>>
>>>>>>
>>>>>> Do I really need to use rfc2307 mode? Before I was running samba 3.0
>>>>>> without it...
>>>>>>
>>>>>>
>>>>>> What can I do now?
>>>>>>
>>>>> Hi
>>>>> I can't help with the tdb method but your smb.conf is good to go for
>>>>> the
>>>>> ad backend. To use it, you will have to add the rfc2307 attributes to
>>>>> the 2008 box somehow. You can add e.g. uidNumber number to users under
>>>>> the Unix tab on ADUC on your existing DC.
>>>>>
>>>>> Another good way to get the attributes would be to join a Samba4
>>>>> machine
>>>>> to the domain as another DC. It's then a simple matter to wrap a script
>>>>> around ldbmodify to dump the attributes into AD from that box and let
>>>>> replication do the rest.
>>>>>
>>>>> Do you have a lot of users?
>>>>> Steve
>>>>>
>>>>>
>>>>>
>>>  You are using RFC2307 on the clients, but do you have the users
>>> RFC2307 info in AD? (msSFU30NisDomain, msSFU30Name, uidNumber, gidNumber,
>>> loginShell, unixHomeDirectory, uid).
>>> If you want to get all the RFC2307 info from AD using Samba, then the
>>> machine needs to be joined to the domain (like a windows pc) and you need to
>>> use something to pull this info, with winbind this means 'backend = ad',
>>> but you can use sssd or nslcd.
>>>
>>> Rowland
>>>
>>
>>  No, I don't use RFC2307. Here is my actual smb.conf:
>>
>>         workgroup       = ATRON
>>         realm           = ATRON.LOCAL
>>         security        = ADS
>>         ldap ssl        = off
>>         preferred master = no
>>         server string   = %h
>>         log file        = /var/log/samba/smb.log.%m
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         winbind separator = +
>>         idmap config *:backend = tdb
>>         idmap config *:range = 3000-4000
>>         idmap config ATRON:backend = tdb
>>         idmap config ATRON:range = 10000-20000
>>         winbind use default domain = Yes
>>         template shell  = /bin/bash
>>         username map    = /etc/samba/smbusers
>>
>>  Regards
>> Thomas
>>
>>   So, you are connecting to an AD server and presumably getting the
>> users authentication from said server, just where do you think that you are
>> going to get the rest of the users info from?
>>
>> Rowland
>>
>
>  Yes, what is the rest??? All necessary info should come from winbind
> (winbindd_idmap.tdb).
>
> Before the update it was working correctly over years with that config:
>
>  [global]
>
>  workgroup  = ATRON
>  realm = ATRON.LOCAL
>  security = ADS
>  preferred master = no
>  server string  = %h
>  log file  = /var/log/samba/smb.log.%m
>  winbind enum users = Yes
>  winbind enum groups = Yes
>  winbind use default domain = Yes
>  winbind separator = +
>  idmap uid = 10000-20000
>  idmap gid = 10000-20000
>  template shell = /bin/bash
>  username map = /etc/samba/smbusers
>
>   There have been massive changes between 3.0.33 and 3.6.6, for instance
> 'idmap uid' is no longer used, you could, I suppose, use 'backend = rid',
> but this has the problem (against a Samba 4 AD server) of the user having
> different 'uidNumber' and 'gidNumber' on the client & the server.
>
> My suggestion and I think everybody else's, is to add all the users
> RFC2307 info to the AD server and then use the winbind ad backend or sssd
> or nslcd to pull the info from AD.
>
> Rowland
>

I know about the changes to 'idmap uid' and replaced the parameter as you see in
the new config. But I don't find any information that "tdb" is deprecated.

I tried "rid", but we have set acl access rights, which use the UID as
user or group name. So, no alternative solution.

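As an added example (not code from this thread or from the Samba project), a small Python audit of the idmap parameters in an smb.conf [global] section. It flags the 3.0-era 'idmap uid' / 'idmap gid' parameters that Rowland says are no longer used, rewrites them into the 'idmap config * : backend' / 'idmap config * : range' form, and checks that every idmap domain has a backend and a well-formed range and that the ranges of different domains do not overlap. The parser is deliberately minimal, and the two sample configurations are constructed from the ones quoted above (the second one has a deliberately overlapping range to show the check firing).

```python
"""Audit idmap settings in a Samba smb.conf [global] section (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the 3.0.33 config quoted in the thread.
OLD_CONF = """
[global]
    workgroup = ATRON
    realm = ATRON.LOCAL
    security = ADS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
"""

# Constructed sample in the 3.6 style; the '*' range deliberately overlaps ATRON's.
NEW_CONF = """
[global]
    workgroup = ATRON
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-12000
    idmap config ATRON : backend = tdb
    idmap config ATRON : range = 10000-20000
"""

IDMAP_RE = re.compile(r"^idmap config (\S+):(\w+)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: '[section]' headers and 'key = value' lines.
    Keys are lower-cased, whitespace collapsed and spaces around ':' removed,
    so 'idmap config * : range' and 'idmap config *:range' compare equal."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        sections[current][key] = value.strip()
    return sections


def idmap_domains(global_params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOMAIN:option' parameters by (upper-cased) domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in global_params.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-20000' -> (10000, 20000); ValueError if malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", text)
    if not m:
        raise ValueError("malformed range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("inverted range: %r" % text)
    return lo, hi


def audit_idmap(global_params: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; empty means nothing to report."""
    findings: List[str] = []
    for legacy in ("idmap uid", "idmap gid"):
        if legacy in global_params:
            findings.append("legacy parameter '%s' is superseded by "
                            "'idmap config * : range'" % legacy)
    domains = idmap_domains(global_params)
    if "*" not in domains:
        findings.append("no default idmap domain: add 'idmap config * : backend' "
                        "and 'idmap config * : range'")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append("domain %s has no backend" % dom)
        if "range" not in opts:
            findings.append("domain %s has no range" % dom)
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            findings.append("domain %s: %s" % (dom, exc))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append("ranges of %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, alo, ahi, b, blo, bhi))
    return findings


def convert_legacy(global_params: Dict[str, str]) -> Dict[str, str]:
    """Rewrite 'idmap uid'/'idmap gid' into a default-domain tdb configuration.
    The new single 'range' serves uids and gids alike, so the two legacy
    ranges are merged into their hull."""
    new = {k: v for k, v in global_params.items()
           if k not in ("idmap uid", "idmap gid")}
    bounds = [parse_range(global_params[k])
              for k in ("idmap uid", "idmap gid") if k in global_params]
    if bounds and "idmap config *:range" not in new:
        new.setdefault("idmap config *:backend", "tdb")
        new["idmap config *:range"] = "%d-%d" % (min(b[0] for b in bounds),
                                                 max(b[1] for b in bounds))
    return new


if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        for finding in audit_idmap(parse_smb_conf(conf)["global"]):
            print("%s: %s" % (name, finding))
    print(convert_legacy(parse_smb_conf(OLD_CONF)["global"]))
```

Run against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())["global"]`; the checker only reads the configuration, it never touches winbindd_idmap.tdb, so it is safe to run on a production host while diagnosing a mapping failure like the one above.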
