[Samba] idmap problems after update from 3.0.33 to 3.6.6

steve steve at steve-ss.com
Thu Nov 7 10:55:52 MST 2013


On Thu, 2013-11-07 at 16:16 +0000, Rowland Penny wrote:
> On 07/11/13 15:32, Thomas Attenberger wrote:
> 
> > 
> > 
> > 
> > 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> >         On 07/11/13 14:51, Thomas Attenberger wrote:
> >         
> >         > 
> >         > 
> >         > 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> >         >         On 07/11/13 13:24, Thomas Attenberger wrote:
> >         >         
> >         >         > 
> >         >         > 
> >         >         > 
> >         >         > 2013/11/7 Rowland Penny
> >         >         > <rowlandpenny at googlemail.com>
> >         >         >         On 07/11/13 12:04, Thomas Attenberger
> >         >         >         wrote:
> >         >         >                 Hi again,
> >         >         >                 
> >         >         >                 we want to keep the tdb method.
> >         >         >                 After many hours of reading and
> >         >         >                 searching, I have still no idea
> >         >         >                 what can be
> >         >         >                 wrong.
> >         >         >                 Actually I'm hanging here:
> >         >         >                 
> >         >         >                 wbinfo -n newuser    (is
> >         >         >                 working)
> >         >         >                 wbinfo -s newusersid (is
> >         >         >                 working)
> >         >         >                 wbinfo -S newusersid
> >         >         >                 failed to call wbcSidToUid:
> >         >         >                 WBC_ERR_DOMAIN_NOT_FOUND
> >         >         >                 Could not convert sid xxx to uid
> >         >         >                 
> >         >         >                 If I take a look in the
> >         >         >                 winbindd_idmap.tdb the newuser
> >         >         >                 is not listed.
> >         >         >                 
> >         >         >                 Has anyone some idea, what can
> >         >         >                 be wrong?
> >         >         >                 
> >         >         >                 Regards
> >         >         >                 Thomas
> >         >         >                 
> >         >         >                 
> >         >         >                 2013/10/23 steve
> >         >         >                 <steve at steve-ss.com>
> >         >         >                 
> >         >         >                         On Wed, 2013-10-23 at
> >         >         >                         15:21 +0200, Thomas
> >         >         >                         Attenberger wrote:
> >         >         >                                 Thanks for your
> >         >         >                                 help.
> >         >         >                                 
> >         >         >                                 
> >         >         >                                 How can I
> >         >         >                                 manually
> >         >         >                                 populate the
> >         >         >                                 rfc2307
> >         >         >                                 attributes?
> >         >         >                                 
> >         >         >                                 
> >         >         >                                 Before I tried
> >         >         >                                 it with "backend
> >         >         >                                 = ad", but then
> >         >         >                                 "wbinfo -u"
> >         >         >                                 lists only
> >         >         >                                 local users.
> >         >         >                                 Now it seems,
> >         >         >                                 there's no
> >         >         >                                 difference
> >         >         >                                 between using ad
> >         >         >                                 or tdb.
> >         >         >                                 
> >         >         >                                 
> >         >         >                                 Do I really need
> >         >         >                                 to use rfc2307
> >         >         >                                 mode? Before I
> >         >         >                                 was running
> >         >         >                                 samba 3.0
> >         >         >                                 without it...
> >         >         >                                 
> >         >         >                                 
> >         >         >                                 What can I do
> >         >         >                                 now?
> >         >         >                         Hi
> >         >         >                         I can't help with the
> >         >         >                         tdb method but your
> >         >         >                         smb.conf is good to go
> >         >         >                         for the
> >         >         >                         ad backend. To use it,
> >         >         >                         you will have to add the
> >         >         >                         rfc2307 attributes to
> >         >         >                         the 2008 box somehow.
> >         >         >                         You can add e.g.
> >         >         >                         uidNumber number to
> >         >         >                         users under
> >         >         >                         the Unix tab on ADUC on
> >         >         >                         your existing DC.
> >         >         >                         
> >         >         >                         Another good way to get
> >         >         >                         the attributes would be
> >         >         >                         to join a Samba4 machine
> >         >         >                         to the domain as another
> >         >         >                         DC. It's then a simple
> >         >         >                         matter to wrap a script
> >         >         >                         around ldbmodify to dump
> >         >         >                         the attributes into AD
> >         >         >                         from that box and let
> >         >         >                         replication do the rest.
> >         >         >                         
> >         >         >                         Do you have a lot of
> >         >         >                         users?
> >         >         >                         Steve
> >         >         >                         
> >         >         >                         
> >         >         >                         
> >         >         >         You are using RFC2307 on the clients,
> >         >         >         but do you have the users RFC2307 info
> >         >         >         in AD? (msSFU30NisDomain, msSFU30Name,
> >         >         >         uidNumber, gidNumber, loginShell,
> >         >         >         unixHomeDirectory, uid).
> >         >         >         If you want to get all the RFC2307 info
> >         >         >         from AD using Samba, then the machine
> >         >         >         needs to be joined to the domain (like a
> >         >         >         windows pc) and you need to use
> >         >         >         something to pull this info, with
> >         >         >         winbind this means 'backend = ad', but
> >         >         >         you can use sssd or nslcd.
> >         >         >         
> >         >         >         Rowland
> >         >         > 
> >         >         > 
> >         >         > No, I don't use RFC2307. Here is my actual
> >         >         > smb.conf:
> >         >         > 
> >         >         > 
> >         >         >         workgroup       = ATRON
> >         >         >         realm           = ATRON.LOCAL
> >         >         >         security        = ADS
> >         >         >         ldap ssl        = off
> >         >         >         preferred master = no
> >         >         >         server string   = %h
> >         >         >         log file        = /var/log/samba/smb.log.%m
> >         >         >         winbind enum users = Yes
> >         >         >         winbind enum groups = Yes
> >         >         >         winbind separator = +
> >         >         >         idmap config *:backend = tdb
> >         >         >         idmap config *:range = 3000-4000
> >         >         >         idmap config ATRON:backend = tdb
> >         >         >         idmap config ATRON:range = 10000-20000
> >         >         >         winbind use default domain = Yes
> >         >         >         template shell  = /bin/bash
> >         >         > 
> >         >         >         username map    = /etc/samba/smbusers
> >         >         > 
> >         >         > 
> >         >         > Regards
> >         >         > Thomas
> >         >         > 
> >         >         > 
> >         >         So, you are connecting to an AD server and
> >         >         presumably getting the users authentication from
> >         >         said server, just where do think that you are
> >         >         going to get the rest of the users info from?
> >         >         
> >         >         Rowland
> >         >         
> >         > 
> >         > 
> >         > Yes, what is the rest??? All necessary info should come
> >         > from winbind (winbindd_idmap.tdb).
> >         > 
> >         > Before the update it was working correctly over years with
> >         > that config:
> >         > 
> >         > 
> >         > [global]
> >         > 
> >         > 
> >         > workgroup  = ATRON
> >         > realm = ATRON.LOCAL
> >         > security = ADS
> >         > preferred master = no
> >         > server string  = %h
> >         > log file  = /var/log/samba/smb.log.%m
> >         > winbind enum users = Yes
> >         > winbind enum groups = Yes
> >         > winbind use default domain = Yes
> >         > winbind separator = +
> >         > idmap uid = 10000-20000
> >         > idmap gid = 10000-20000
> >         > template shell = /bin/bash
> >         > username map = /etc/samba/smbusers
> >         > 
> >         > 
> >         There have been massive changes between 3.0.33 and 3.6.6,
> >         for instance 'idmap uid' is no longer used, you could, I
> >         suppose, use 'backend = rid', but this has the problem
> >         (against a Samba 4 AD server) of the user having different
> >         'uidNumber' and 'gidNumber' on the client & the server.
> >         
> >         My suggestion and I think everybody else's, is to add all
> >         the users' RFC2307 info to the AD server and then use the
> >         winbind ad backend or sssd or nslcd to pull the info from
> >         AD.
> >         
> >         Rowland 
> >         
> > 
> > 
> > I know about the changes to 'idmap uid' and replaced the parameter as you
> > see in the new config. But I can't find any information that "tdb"
> > is deprecated.
> 
> I never said that 'tdb' was deprecated, it is just not used in the
> way that you are trying to use it, I personally do not use winbind
> because initially I had a problem getting it to work easily, so I moved
> to sssd. Shortly after starting to use sssd, I had another attempt at
> getting winbind to work and this time I succeeded, you need
> something like this in smb.conf:
> 
>         idmap config DOMAIN:schema_mode = rfc2307
>         idmap config DOMAIN:range = 1100-50000
>         idmap config DOMAIN:backend = ad
>         idmap config * : range = 210000-3100000
>         idmap config * : backend = tdb
> 
> Notice that you use 'ad' as well as 'tdb', 'ad' is where to get the
> users info from and 'tdb' is where to store the built-in users info (I
> believe)
> 
> > 
> > 
> > I tried "rid", but we have set acl access rights, which uses the UID
> > as user or group name. So, no alternative solution.
> > 
> > 
> This is the problem with the 'rid' backend, your Linux users are not
> known on the AD server as linux users , microsoft went to a lot of
> trouble to add the RFC2307 attributes to AD because of this problem.
> 
> You need to store your users in one place and if the computer is
> joined to a domain, that place is the domain AD server, this is also
> the place to store your users RFC2307 info.
> 
> What ever you use to get the users information, whether it is winbind,
> sssd or nslcd, you need the info in AD.
> 
> Rowland 

Hi everyone

Just to try and put things into perspective. Rowland's advice for using
AD to store everything is very sound. Taking uid:gid out into a
different database just doesn't make much sense these days now that we
have AD. Rather than debug an upgrade, maybe the best way to go is to
spend the debugging time on a new start. With rfc2307 in AD and e.g.
sssd to access it, uid mapping just works, because then it _can only_
come from a single source. Just my €0.02.
Cheers,
Steve
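As an added example (not code from this thread or from Samba), here is one way to do what Steve describes, wrapping a script around ldbmodify: it turns the existing UID/GID-to-SID pairs of the old winbindd_idmap.tdb, as printed by `net idmap dump`, into LDIF that sets uidNumber/gidNumber in AD, so the ids that Thomas's ACLs already reference stay the same after moving to rfc2307. It assumes the dump line format `UID <n> <sid>` / `GID <n> <sid>`, that the DC resolves `<SID=...>` extended DNs, and uses a placeholder domain SID and a constructed sample dump; a user's own gidNumber (primary group) is not in the tdb and must be set separately.

```python
"""Convert 'net idmap dump' output into LDIF for ldbmodify (added example).
Assumes 'UID <n> <sid>' / 'GID <n> <sid>' dump lines and a DC that resolves
<SID=...> extended DNs; DOMAIN_SID below is a placeholder, not a real value."""
import re
import sys

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # placeholder
DOMAIN_RANGE = (10000, 20000)   # same as the old 'idmap uid/gid' range
LINE_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-5-[\d-]+)$")


def parse_idmap_dump(text):
    """Return [(kind, number, sid)] for UID/GID lines; HWM lines are ignored."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in matches if m]


def to_ldif(entries, domain_sid=DOMAIN_SID, id_range=DOMAIN_RANGE):
    """One LDIF modify block per domain SID whose id lies inside the range.
    Well-known SIDs (BUILTIN etc.) are not AD users/groups and ids outside
    the range would collide with the new idmap ranges: both are skipped."""
    lo, hi = id_range
    blocks, skipped = [], []
    for kind, num, sid in entries:
        if not sid.startswith(domain_sid + "-") or not lo <= num <= hi:
            skipped.append((kind, num, sid))
            continue
        attr = "uidNumber" if kind == "UID" else "gidNumber"
        blocks.append(f"dn: <SID={sid}>\nchangetype: modify\n"
                      f"replace: {attr}\n{attr}: {num}\n-\n")
    return "\n".join(blocks), skipped


# Constructed sample dump; the HWM lines are winbind's allocation high-water marks.
SAMPLE_DUMP = """\
USER HWM 10006
GROUP HWM 10004
UID 10001 S-1-5-21-1111111111-2222222222-3333333333-1104
GID 10002 S-1-5-21-1111111111-2222222222-3333333333-513
GID 10003 S-1-5-32-544
UID 30000 S-1-5-21-1111111111-2222222222-3333333333-1200
"""

if __name__ == "__main__":
    # net idmap dump winbindd_idmap.tdb | python3 idmap2ldif.py > rfc2307.ldif
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    ldif, skipped = to_ldif(parse_idmap_dump(text))
    sys.stdout.write(ldif)
    for entry in skipped:
        print("skipped:", *entry, file=sys.stderr)
```

Review the skipped entries before applying the LDIF on the Samba4 DC with ldbmodify; the BUILTIN mappings belong in the `*` tdb range of the new config, not in AD.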



