[Samba] idmap problems after update from 3.0.33 to 3.6.6

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 7 09:16:50 MST 2013 

On 07/11/13 15:32, Thomas Attenberger wrote:
>
>
>
> 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com 
> <mailto:rowlandpenny at googlemail.com>>
>
>     On 07/11/13 14:51, Thomas Attenberger wrote:
>>
>>     2013/11/7 Rowland Penny <rowlandpenny at googlemail.com
>>     <mailto:rowlandpenny at googlemail.com>>
>>
>>         On 07/11/13 13:24, Thomas Attenberger wrote:
>>>
>>>
>>>
>>>         2013/11/7 Rowland Penny <rowlandpenny at googlemail.com
>>>         <mailto:rowlandpenny at googlemail.com>>
>>>
>>>             On 07/11/13 12:04, Thomas Attenberger wrote:
>>>
>>>                 Hi again,
>>>
>>>                 we want to keep the tdb method.
>>>                 After many ours of reading and searching, I have
>>>                 still no idea what can be
>>>                 wrong.
>>>                 Actually I'm hanging here:
>>>
>>>                 wbinfo -n newuser    (is working)
>>>                 wbinfo -s newusersid (is working)
>>>                 wbinfo -S newusersid
>>>                 failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>                 Could not convert sid xxx to uid
>>>
>>>                 If I take a look in the winbindd_idmap.tdb the
>>>                 newuser is not listed.
>>>
>>>                 Has anyone some idea, what can be wrong?
>>>
>>>                 Regards
>>>                 Thomas
>>>
>>>
>>>                 2013/10/23 steve <steve at steve-ss.com
>>>                 <mailto:steve at steve-ss.com>>
>>>
>>>                     On Wed, 2013-10-23 at 15:21 +0200, Thomas
>>>                     Attenberger wrote:
>>>
>>>                         Thanks for your help.
>>>
>>>
>>>                         How can I manually populate the rfc2307
>>>                         attributes?
>>>
>>>
>>>                         Before I tried it with "backend = ad", but
>>>                         then "wbinfo -u" lists only
>>>                         local users.
>>>                         Now it seems, there's no difference between
>>>                         using ad or tdb.
>>>
>>>
>>>                         Do I really need to use rfc2307 mode? Before
>>>                         I was running samba 3.0
>>>                         without it...
>>>
>>>
>>>                         What can I do now?
>>>
>>>                     Hi
>>>                     I can't help with the tdb method but your
>>>                     smb.conf is good to go for the
>>>                     ad backend. To use it, you will have to add the
>>>                     rfc2307 attributes to
>>>                     the 2008 box somehow. You can add e.g. uidNumber
>>>                     number to users under
>>>                     the Unix tab on ADUC on your existing DC.
>>>
>>>                     Another good way to get the attributes would be
>>>                     to join a Samba4 machine
>>>                     to the domain as another DC. It's then a simple
>>>                     matter to wrap a script
>>>                     around ldbmodify to dump the attributes into AD
>>>                     from that box and let
>>>                     replication do the rest.
>>>
>>>                     Do you have a lot of users?
>>>                     Steve
>>>
>>>
>>>
>>>             You are using RFC2307 on the clients, but do you have
>>>             the users RFC2307 info in AD? (msSFU30NisDomain,
>>>             msSFU30Name, uidNumber, gidNumber, loginShell,
>>>             unixHomeDirectory, uid).
>>>             If you want to get all the RFC2307 info from AD using
>>>             Samba, then the machine needs to joined to the domain
>>>             (like a windows pc) and you need to use something to
>>>             pull this info, with winbind this means  'backend = ad',
>>>             but you can use sssd or nslcd.
>>>
>>>             Rowland
>>>
>>>
>>>         No, I don't use RFC2307. Here is my actual smb.conf:
>>>
>>>             workgroup       = ATRON
>>>             realm           = ATRON.LOCAL
>>>             security        = ADS
>>>             ldap ssl        = off
>>>             preferred master = no
>>>             server string   = %h
>>>             log file        = /var/log/samba/smb.log.%m
>>>             winbind enum users = Yes
>>>             winbind enum groups = Yes
>>>             winbind separator = +
>>>             idmap config *:backend = tdb
>>>             idmap config *:range = 3000-4000
>>>             idmap config ATRON:backend = tdb
>>>             idmap config ATRON:range = 10000-20000
>>>             winbind use default domain = Yes
>>>         template shell  = /bin/bash
>>>             username map    = /etc/samba/smbusers
>>>
>>>         Regards
>>>         Thomas
>>>
>>         So, you are connecting to an AD server and presumably getting
>>         the users authentication from said server, just where do
>>         think that you are going to get the rest of the users info from?
>>
>>         Rowland
>>
>>
>>     Yes, what is the rest??? All necessary info should come frome
>>     winbind (winbindd_idmap.tdb).
>>
>>     Before the update it was working correctly over years with that
>>     config:
>>
>>     [global]
>>
>>     workgroup = ATRON
>>     realm= ATRON.LOCAL
>>     security= ADS
>>     preferred master = no
>>     server string = %h
>>     log file = /var/log/samba/smb.log.%m
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind use default domain = Yes
>>     winbind separator = +
>>     idmap uid= 10000-20000
>>     idmap gid= 10000-20000
>>     template shell= /bin/bash
>>     username map= /etc/samba/smbusers
>>
>     There have been massive changes between 3.0.33 and 3.6.6, for
>     instance 'idmap uid' is no longer used, you could, I suppose, use
>     'backend = rid', but this has the problem (against a Samba 4 AD
>     server) of the user having different 'uidNumber' and 'gidNumber'
>     on the client & the server.
>
>     My suggestion and I think everybody else's,  is to add all the
>     users RFC2307 info to the AD server and then use the winbind ad
>     backend or sssd or nslcd to pull the info from AD.
>
>     Rowland
>
>
> I know the changes of 'idmap uid' and replaced the parameter as you 
> see in the new config. But I don't find any information, that "tdb" is 
> deprecated.

I never said that 'tdb' was depreciated, it is just not used in the way 
that you are trying to use it, I personally do not use winbind because 
initially I had a problem getting it work easily, so I moved to sssd. 
Shortly after starting to use sssd, I had another attempt at getting at 
getting winbind to work and this time I succeeded, you need something 
like this in smb.conf:

         idmap config DOMAIN:schema_mode = rfc2307
         idmap config DOMAIN:range = 1100-50000
         idmap config DOMAIN:backend = ad
         idmap config * : range = 210000-3100000
         idmap config * : backend = tdb

Notice that you use 'ad' as well as 'tdb', 'ad' is where to get the 
users info from and 'tdb' is where to store the built-in users info (I 
believe)

>
> I tried "rid", but we have set acl access rights, which uses the UID 
> as user or group name. So, no alternative solution.
>
This is the problem with the 'rid' backend, your Linux users are not 
known on the AD server as linux users , microsoft went to a lot of 
trouble to add the RFC2307 attributes to AD because of this problem.

You need to store your users in one place and if the computer is joined 
to a domain, that place is the domain AD server, this is also the place 
to store your users RFC2307 info.

What ever you use to get the users information, whether it is winbind, 
sssd or nslcd, you need the info in AD.

Rowland

More information about the samba mailing list