[Samba] idmap problems after update from 3.0.33 to 3.6.6

Thomas Attenberger thomas.attenberger at gmx.net
Thu Nov 7 23:59:42 MST 2013


Hi Steve,

In principle I agree. But what about our ACL rights, which we set on
the share? There are quite a lot of them...

Regards
Thomas


2013/11/7 steve <steve at steve-ss.com>

> On Thu, 2013-11-07 at 16:16 +0000, Rowland Penny wrote:
> > On 07/11/13 15:32, Thomas Attenberger wrote:
> >
> > >
> > >
> > >
> > > 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> > >         On 07/11/13 14:51, Thomas Attenberger wrote:
> > >
> > >         >
> > >         >
> > >         > 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com>
> > >         >         On 07/11/13 13:24, Thomas Attenberger wrote:
> > >         >
> > >         >         >
> > >         >         >
> > >         >         >
> > >         >         > 2013/11/7 Rowland Penny
> > >         >         > <rowlandpenny at googlemail.com>
> > >         >         >         On 07/11/13 12:04, Thomas Attenberger
> > >         >         >         wrote:
> > >         >         >                 Hi again,
> > >         >         >
> > >         >         >                 we want to keep the tdb method.
> > >         >         >                 After many hours of reading and
> > >         >         >                 searching, I have still no idea
> > >         >         >                 what can be
> > >         >         >                 wrong.
> > >         >         >                 Actually I'm hanging here:
> > >         >         >
> > >         >         >                 wbinfo -n newuser    (is
> > >         >         >                 working)
> > >         >         >                 wbinfo -s newusersid (is
> > >         >         >                 working)
> > >         >         >                 wbinfo -S newusersid
> > >         >         >                 failed to call wbcSidToUid:
> > >         >         >                 WBC_ERR_DOMAIN_NOT_FOUND
> > >         >         >                 Could not convert sid xxx to uid
> > >         >         >
> > >         >         >                 If I take a look in the
> > >         >         >                 winbindd_idmap.tdb the newuser
> > >         >         >                 is not listed.
> > >         >         >
> > >         >         >                 Has anyone some idea, what can
> > >         >         >                 be wrong?
> > >         >         >
> > >         >         >                 Regards
> > >         >         >                 Thomas
> > >         >         >
> > >         >         >
> > >         >         >                 2013/10/23 steve
> > >         >         >                 <steve at steve-ss.com>
> > >         >         >
> > >         >         >                         On Wed, 2013-10-23 at
> > >         >         >                         15:21 +0200, Thomas
> > >         >         >                         Attenberger wrote:
> > >         >         >                                 Thanks for your
> > >         >         >                                 help.
> > >         >         >
> > >         >         >
> > >         >         >                                 How can I
> > >         >         >                                 manually
> > >         >         >                                 populate the
> > >         >         >                                 rfc2307
> > >         >         >                                 attributes?
> > >         >         >
> > >         >         >
> > >         >         >                                 Before I tried
> > >         >         >                                 it with "backend
> > >         >         >                                 = ad", but then
> > >         >         >                                 "wbinfo -u"
> > >         >         >                                 lists only
> > >         >         >                                 local users.
> > >         >         >                                 Now it seems,
> > >         >         >                                 there's no
> > >         >         >                                 difference
> > >         >         >                                 between using ad
> > >         >         >                                 or tdb.
> > >         >         >
> > >         >         >
> > >         >         >                                 Do I really need
> > >         >         >                                 to use rfc2307
> > >         >         >                                 mode? Before I
> > >         >         >                                 was running
> > >         >         >                                 samba 3.0
> > >         >         >                                 without it...
> > >         >         >
> > >         >         >
> > >         >         >                                 What can I do
> > >         >         >                                 now?
> > >         >         >                         Hi
> > >         >         >                         I can't help with the
> > >         >         >                         tdb method but your
> > >         >         >                         smb.conf is good to go
> > >         >         >                         for the
> > >         >         >                         ad backend. To use it,
> > >         >         >                         you will have to add the
> > >         >         >                         rfc2307 attributes to
> > >         >         >                         the 2008 box somehow.
> > >         >         >                         You can add e.g.
> > >         >         >                         uidNumber number to
> > >         >         >                         users under
> > >         >         >                         the Unix tab on ADUC on
> > >         >         >                         your existing DC.
> > >         >         >
> > >         >         >                         Another good way to get
> > >         >         >                         the attributes would be
> > >         >         >                         to join a Samba4 machine
> > >         >         >                         to the domain as another
> > >         >         >                         DC. It's then a simple
> > >         >         >                         matter to wrap a script
> > >         >         >                         around ldbmodify to dump
> > >         >         >                         the attributes into AD
> > >         >         >                         from that box and let
> > >         >         >                         replication do the rest.
> > >         >         >
> > >         >         >                         Do you have a lot of
> > >         >         >                         users?
> > >         >         >                         Steve
> > >         >         >
> > >         >         >
> > >         >         >
> > >         >         >         You are using RFC2307 on the clients,
> > >         >         >         but do you have the users RFC2307 info
> > >         >         >         in AD? (msSFU30NisDomain, msSFU30Name,
> > >         >         >         uidNumber, gidNumber, loginShell,
> > >         >         >         unixHomeDirectory, uid).
> > >         >         >         If you want to get all the RFC2307 info
> > >         >         >         from AD using Samba, then the machine
> > >         >         >         needs to be joined to the domain (like a
> > >         >         >         windows pc) and you need to use
> > >         >         >         something to pull this info, with
> > >         >         >         winbind this means 'backend = ad', but
> > >         >         >         you can use sssd or nslcd.
> > >         >         >
> > >         >         >         Rowland
> > >         >         >
> > >         >         >
> > >         >         > No, I don't use RFC2307. Here is my actual
> > >         >         > smb.conf:
> > >         >         >
> > >         >         >
> > >         >         >         workgroup       = ATRON
> > >         >         >         realm           = ATRON.LOCAL
> > >         >         >         security        = ADS
> > >         >         >         ldap ssl        = off
> > >         >         >         preferred master = no
> > >         >         >         server string   = %h
> > >         >         >         log file        = /var/log/samba/smb.log.%m
> > >         >         >         winbind enum users = Yes
> > >         >         >         winbind enum groups = Yes
> > >         >         >         winbind separator = +
> > >         >         >         idmap config *:backend = tdb
> > >         >         >         idmap config *:range = 3000-4000
> > >         >         >         idmap config ATRON:backend = tdb
> > >         >         >         idmap config ATRON:range = 10000-20000
> > >         >         >         winbind use default domain = Yes
> > >         >         >         template shell  = /bin/bash
> > >         >         >
> > >         >         >         username map    = /etc/samba/smbusers
> > >         >         >
> > >         >         >
> > >         >         > Regards
> > >         >         > Thomas
> > >         >         >
> > >         >         >
> > >         >         So, you are connecting to an AD server and
> > >         >         presumably getting the users authentication from
> > >         >         said server, just where do you think that you are
> > >         >         going to get the rest of the users info from?
> > >         >
> > >         >         Rowland
> > >         >
> > >         >
> > >         >
> > >         > Yes, what is the rest??? All necessary info should come
> > >         > from winbind (winbindd_idmap.tdb).
> > >         >
> > >         > Before the update it was working correctly over years with
> > >         > that config:
> > >         >
> > >         >
> > >         > [global]
> > >         >
> > >         >
> > >         > workgroup  = ATRON
> > >         > realm = ATRON.LOCAL
> > >         > security = ADS
> > >         > preferred master = no
> > >         > server string  = %h
> > >         > log file  = /var/log/samba/smb.log.%m
> > >         > winbind enum users = Yes
> > >         > winbind enum groups = Yes
> > >         > winbind use default domain = Yes
> > >         > winbind separator = +
> > >         > idmap uid = 10000-20000
> > >         > idmap gid = 10000-20000
> > >         > template shell = /bin/bash
> > >         > username map = /etc/samba/smbusers
> > >         >
> > >         >
> > >         There have been massive changes between 3.0.33 and 3.6.6,
> > >         for instance 'idmap uid' is no longer used, you could, I
> > >         suppose, use 'backend = rid', but this has the problem
> > >         (against a Samba 4 AD server) of the user having different
> > >         'uidNumber' and 'gidNumber' on the client & the server.
> > >
> > >         My suggestion and I think everybody else's,  is to add all
> > >         the users RFC2307 info to the AD server and then use the
> > >         winbind ad backend or sssd or nslcd to pull the info from
> > >         AD.
> > >
> > >         Rowland
> > >
> > >
> > >
> > > I know the changes of 'idmap uid' and replaced the parameter as you
> > > see in the new config. But I don't find any information, that "tdb"
> > > is deprecated.
> >
> > I never said that 'tdb' was deprecated, it is just not used in the
> > way that you are trying to use it, I personally do not use winbind
> > because initially I had a problem getting it work easily, so I moved
> > to sssd. Shortly after starting to use sssd, I had another attempt at
> > getting winbind to work and this time I succeeded, you need
> > something like this in smb.conf:
> >
> >         idmap config DOMAIN:schema_mode = rfc2307
> >         idmap config DOMAIN:range = 1100-50000
> >         idmap config DOMAIN:backend = ad
> >         idmap config * : range = 210000-3100000
> >         idmap config * : backend = tdb
> >
> > Notice that you use 'ad' as well as 'tdb', 'ad' is where to get the
> > users info from and 'tdb' is where to store the built-in users info (I
> > believe)
> >
> > >
> > >
> > > I tried "rid", but we have set acl access rights, which uses the UID
> > > as user or group name. So, no alternative solution.
> > >
> > >
> > This is the problem with the 'rid' backend, your Linux users are not
> > known on the AD server as Linux users, Microsoft went to a lot of
> > trouble to add the RFC2307 attributes to AD because of this problem.
> >
> > You need to store your users in one place and if the computer is
> > joined to a domain, that place is the domain AD server, this is also
> > the place to store your users RFC2307 info.
> >
> > Whatever you use to get the users information, whether it is winbind,
> > sssd or nslcd, you need the info in AD.
> >
> > Rowland
>
> Hi everyone
>
> Just to try and put things into perspective. Rowland's advice for using
> AD to store everything is very sound. Taking uid:gid out into a
> different database just doesn't make much sense these days now that we
> have AD. Rather than debug an upgrade, maybe the best way to go is to
> spend the debugging time on a new start. With rfc2307 in AD and e.g.
> sssd to access it, uid mapping just works, because then it _can only_
> come from a single source. Just my €0.02.
> Cheers,
> Steve
>
>
>
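The thread turns on how the `idmap config` stanzas in smb.conf are laid out after the 3.0 to 3.6 change (a default `*` domain plus a per-domain entry, each with its own backend and range, and the old `idmap uid`/`idmap gid` parameters gone). The script below is an added example, not code from Thomas, Rowland, Steve or the Samba project: a pre-flight check of those stanzas that a practitioner would run before restarting winbind. It assumes, beyond what the thread states, that every idmap domain needs both a backend and a range, that a range is written LOW-HIGH with LOW < HIGH, and that the ranges of different idmap domains must not overlap. The two configs it checks are constructed for the demonstration; the "good" one mirrors the non-overlapping ranges Thomas posted, the "bad" one overlaps, has a reversed range, and still carries the old `idmap uid` line.

```shell
#!/bin/sh
# Added example for this thread (not Thomas's, Rowland's or Samba's own code):
# a pre-flight check of the "idmap config" stanzas in an smb.conf, run before
# restarting winbind. Assumptions, not stated in the thread: every idmap domain
# needs both a backend and a range; a range is LOW-HIGH with LOW < HIGH; the
# ranges of different idmap domains must not overlap; the old "idmap uid/gid"
# parameters are reported as deprecated because the thread says they are gone.

# check_idmap_config FILE
# Prints one finding per line; exits 0 when nothing is wrong, 1 otherwise.
check_idmap_config() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { bad = 0 }
    {
        lc = tolower($0)
        # Old-style "idmap uid = ..." / "idmap gid = ..." (pre-3.6 syntax)
        if (lc ~ /^[ \t]*idmap[ \t]+(uid|gid)[ \t]*=/) {
            print "DEPRECATED (use idmap config DOMAIN:range): " trim($0)
            bad = 1
            next
        }
        if (lc !~ /^[ \t]*idmap[ \t]+config[ \t]+/) next
        rest = substr($0, index(lc, "config") + 6)   # "DOM : key = value"
        n = index(rest, "=")
        if (n == 0) next
        lhs = substr(rest, 1, n - 1)
        val = trim(substr(rest, n + 1))
        c = index(lhs, ":")
        if (c == 0) next
        dom = toupper(trim(substr(lhs, 1, c - 1)))   # "*" is the default domain
        key = tolower(trim(substr(lhs, c + 1)))
        seen[dom] = 1
        if (key == "backend") backend[dom] = val
        else if (key == "range") range[dom] = val
    }
    END {
        for (d in seen) {
            if (!(d in backend)) { print "MISSING backend for " d; bad = 1 }
            if (!(d in range))   { print "MISSING range for " d; bad = 1; continue }
            if (split(range[d], p, "-") != 2 || p[1] !~ /^[0-9]+$/ ||
                p[2] !~ /^[0-9]+$/ || p[1] + 0 >= p[2] + 0) {
                print "BAD range \"" range[d] "\" for " d " (want LOW-HIGH, LOW < HIGH)"
                bad = 1
                continue
            }
            lo[d] = p[1] + 0; hi[d] = p[2] + 0
        }
        # Each pair of domains is compared once; closed intervals that touch overlap.
        for (a in lo) for (b in lo)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
                print "OVERLAP " a " (" lo[a] "-" hi[a] ") and " b " (" lo[b] "-" hi[b] ")"
                bad = 1
            }
        exit bad
    }' "$1"
}

# --- Constructed demonstration inputs (not the thread's real smb.conf) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
[global]
    workgroup = ATRON
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ATRON:backend = tdb
    idmap config ATRON:range = 10000-20000
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-4000
    idmap config ATRON : backend = rid
    idmap config ATRON : range = 3500-20000
    idmap config OTHER : range = 20000-1000
    idmap uid = 10000-20000
EOF
for f in good bad; do
    echo "== $f.conf =="
    if check_idmap_config "$demo_dir/$f.conf"; then
        echo "OK: idmap configuration is consistent"
    else
        echo "PROBLEMS FOUND: fix before restarting winbind"
    fi
done
rm -rf "$demo_dir"
```

Against a real system run it as `check_idmap_config /etc/samba/smb.conf` (the function only reads the file). It checks only the idmap stanzas; `testparm` still validates the rest of smb.conf, and a clean result here does not by itself mean a SID will map, since with the `ad` backend the uidNumber/gidNumber attributes must also exist in AD, which is exactly Rowland's point.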