[Samba] idmap problems after update from 3.0.33 to 3.6.6
Rowland Penny
rowlandpenny at googlemail.com
Fri Nov 8 00:13:13 MST 2013
On 08/11/13 06:59, Thomas Attenberger wrote:
> Hi Steve,
>
> principally I agree. But what happens then to our acl rights, which we
> set on the share? There are quite a lot of them...
>
> Regards
> Thomas
>
>
> 2013/11/7 steve <steve at steve-ss.com <mailto:steve at steve-ss.com>>
>
> On Thu, 2013-11-07 at 16:16 +0000, Rowland Penny wrote:
> > On 07/11/13 15:32, Thomas Attenberger wrote:
> >
> > >
> > >
> > >
> > > 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com
> <mailto:rowlandpenny at googlemail.com>>
> > > On 07/11/13 14:51, Thomas Attenberger wrote:
> > >
> > > >
> > > >
> > > > 2013/11/7 Rowland Penny <rowlandpenny at googlemail.com
> <mailto:rowlandpenny at googlemail.com>>
> > > > On 07/11/13 13:24, Thomas Attenberger wrote:
> > > >
> > > > >
> > > > >
> > > > >
> > > > > 2013/11/7 Rowland Penny
> > > > > <rowlandpenny at googlemail.com
> <mailto:rowlandpenny at googlemail.com>>
> > > > > On 07/11/13 12:04, Thomas Attenberger
> > > > > wrote:
> > > > > Hi again,
> > > > >
> > > > > we want to keep the tdb method.
> > > > > After many hours of reading and
> > > > > searching, I still have no idea
> > > > > what can be wrong.
> > > > > Actually I'm hanging here:
> > > > >
> > > > > wbinfo -n newuser (is
> > > > > working)
> > > > > wbinfo -s newusersid (is
> > > > > working)
> > > > > wbinfo -S newusersid
> > > > > failed to call wbcSidToUid:
> > > > > WBC_ERR_DOMAIN_NOT_FOUND
> > > > > Could not convert sid xxx to uid
> > > > >
> > > > > If I take a look in the
> > > > > winbindd_idmap.tdb the newuser
> > > > > is not listed.
> > > > >
> > > > > Has anyone some idea, what can
> > > > > be wrong?
> > > > >
> > > > > Regards
> > > > > Thomas
> > > > >
> > > > >
> > > > > 2013/10/23 steve
> > > > > <steve at steve-ss.com
> <mailto:steve at steve-ss.com>>
> > > > >
> > > > > On Wed, 2013-10-23 at
> > > > > 15:21 +0200, Thomas
> > > > > Attenberger wrote:
> > > > > Thanks for your
> > > > > help.
> > > > >
> > > > >
> > > > > How can I
> > > > > manually
> > > > > populate the
> > > > > rfc2307
> > > > > attributes?
> > > > >
> > > > >
> > > > > Before I tried
> > > > > it with "backend
> > > > > = ad", but then
> > > > > "wbinfo -u"
> > > > > lists only
> > > > > local users.
> > > > > Now it seems,
> > > > > there's no
> > > > > difference
> > > > > between using ad
> > > > > or tdb.
> > > > >
> > > > >
> > > > > Do I really need
> > > > > to use rfc2307
> > > > > mode? Before I
> > > > > was running
> > > > > samba 3.0
> > > > > without it...
> > > > >
> > > > >
> > > > > What can I do
> > > > > now?
> > > > > Hi
> > > > > I can't help with the
> > > > > tdb method but your
> > > > > smb.conf is good to go
> > > > > for the
> > > > > ad backend. To use it,
> > > > > you will have to add the
> > > > > rfc2307 attributes to
> > > > > the 2008 box somehow.
> > > > > You can add e.g.
> > > > > uidNumber number to
> > > > > users under
> > > > > the Unix tab on ADUC on
> > > > > your existing DC.
> > > > >
> > > > > Another good way to get
> > > > > the attributes would be
> > > > > to join a Samba4 machine
> > > > > to the domain as another
> > > > > DC. It's then a simple
> > > > > matter to wrap a script
> > > > > around ldbmodify to dump
> > > > > the attributes into AD
> > > > > from that box and let
> > > > > replication do the rest.
> > > > >
> > > > > Do you have a lot of
> > > > > users?
> > > > > Steve
> > > > >
> > > > >
> > > > >
> > > > > You are using RFC2307 on the clients,
> > > > > but do you have the users RFC2307 info
> > > > > in AD? (msSFU30NisDomain, msSFU30Name,
> > > > > uidNumber, gidNumber, loginShell,
> > > > > unixHomeDirectory, uid).
> > > > > If you want to get all the RFC2307 info
> > > > > from AD using Samba, then the machine
> > > > > needs to be joined to the domain (like a
> > > > > windows pc) and you need to use
> > > > > something to pull this info, with
> > > > > winbind this means 'backend = ad', but
> > > > > you can use sssd or nslcd.
> > > > >
> > > > > Rowland
> > > > >
> > > > >
> > > > > No, I don't use RFC2307. Here is my actual
> > > > > smb.conf:
> > > > >
> > > > >
> > > > > workgroup = ATRON
> > > > > realm = ATRON.LOCAL
> > > > > security = ADS
> > > > > ldap ssl = off
> > > > > preferred master = no
> > > > > server string = %h
> > > > > log file = /var/log/samba/smb.log.%m
> > > > > winbind enum users = Yes
> > > > > winbind enum groups = Yes
> > > > > winbind separator = +
> > > > > idmap config *:backend = tdb
> > > > > idmap config *:range = 3000-4000
> > > > > idmap config ATRON:backend = tdb
> > > > > idmap config ATRON:range = 10000-20000
> > > > > winbind use default domain = Yes
> > > > > template shell = /bin/bash
> > > > >
> > > > > username map = /etc/samba/smbusers
> > > > >
> > > > >
> > > > > Regards
> > > > > Thomas
> > > > >
> > > > >
> > > > So, you are connecting to an AD server and
> > > > presumably getting the users authentication from
> > > > said server, just where do think that you are
> > > > going to get the rest of the users info from?
> > > >
> > > > Rowland
> > > >
> > > >
> > > >
> > > > Yes, what is the rest??? All necessary info should come
> > > > from winbind (winbindd_idmap.tdb).
> > > >
> > > > Before the update it was working correctly over years with
> > > > that config:
> > > >
> > > >
> > > > [global]
> > > >
> > > >
> > > > workgroup = ATRON
> > > > realm = ATRON.LOCAL
> > > > security = ADS
> > > > preferred master = no
> > > > server string = %h
> > > > log file = /var/log/samba/smb.log.%m
> > > > winbind enum users = Yes
> > > > winbind enum groups = Yes
> > > > winbind use default domain = Yes
> > > > winbind separator = +
> > > > idmap uid = 10000-20000
> > > > idmap gid = 10000-20000
> > > > template shell = /bin/bash
> > > > username map = /etc/samba/smbusers
> > > >
> > > >
> > > There have been massive changes between 3.0.33 and 3.6.6,
> > > for instance 'idmap uid' is no longer used, you could, I
> > > suppose, use 'backend = rid', but this has the problem
> > > (against a Samba 4 AD server) of the user having different
> > > 'uidNumber' and 'gidNumber' on the client & the server.
> > >
> > > My suggestion and I think everybody else's, is to add all
> > > the users RFC2307 info to the AD server and then use the
> > > winbind ad backend or sssd or nslcd to pull the info from
> > > AD.
> > >
> > > Rowland
> > >
> > >
> > >
> > > I know the changes of 'idmap uid' and replaced the parameter as you
> > > see in the new config. But I don't find any information, that "tdb"
> > > is deprecated.
> >
> > I never said that 'tdb' was deprecated, it is just not used in the
> > way that you are trying to use it, I personally do not use winbind
> > because initially I had a problem getting it to work easily, so I moved
> > to sssd. Shortly after starting to use sssd, I had another attempt at
> > getting winbind to work and this time I succeeded, you need
> > something like this in smb.conf:
> >
> > idmap config DOMAIN:schema_mode = rfc2307
> > idmap config DOMAIN:range = 1100-50000
> > idmap config DOMAIN:backend = ad
> > idmap config * : range = 210000-3100000
> > idmap config * : backend = tdb
> >
> > Notice that you use 'ad' as well as 'tdb', 'ad' is where to get the
> > users info from and 'tdb' is where to store the built-in users info (I
> > believe)
> >
> > >
> > >
> > > I tried "rid", but we have set acl access rights, which uses the UID
> > > as user or group name. So, no alternative solution.
> > >
> > >
> > This is the problem with the 'rid' backend, your Linux users are not
> > known on the AD server as Linux users, Microsoft went to a lot of
> > trouble to add the RFC2307 attributes to AD because of this problem.
> >
> > You need to store your users in one place and if the computer is
> > joined to a domain, that place is the domain AD server, this is also
> > the place to store your users RFC2307 info.
> >
> > Whatever you use to get the users information, whether it is winbind,
> > sssd or nslcd, you need the info in AD.
> >
> > Rowland
>
> Hi everyone
>
> Just to try and put things into perspective. Rowland's advice for using
> AD to store everything is very sound. Taking uid:gid out into a
> different database just doesn't make much sense these days now that we
> have AD. Rather than debug an upgrade, maybe the best way to go is to
> spend the debugging time on a new start. With rfc2307 in AD and e.g.
> sssd to access it, uid mapping just works, because then it _can only_
> come from a single source. Just my €0.02.
> Cheers,
> Steve
>
>
>
Install 'acl' & 'xattr' then either set them from a windows machine or
by using setfacl on a linux machine, the former is easier.
Rowland
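The thread turns on how the idmap section of smb.conf changed between 3.0 and 3.6 ('idmap uid'/'idmap gid' replaced by per-domain 'idmap config DOMAIN:backend' and ':range' lines, plus a '*' default domain) and on why a locally allocated uid (tdb or rid) can disagree with the uidNumber stored in AD, which matters when share ACLs are keyed by uid. The checker below is an added example, not code from the thread or from the Samba project: it parses the idmap lines of a config fragment and flags the conditions discussed above (old-style parameters still present, missing '*' default, missing backend or range, malformed or overlapping ranges, and backends whose ids are host-local). The three config fragments are constructed from the smb.conf excerpts quoted in the thread; the overlapping '*' range in the third one is a deliberately constructed fault so the overlap check has something to report. Parameter names other than the ones quoted in the thread are not assumed.

```python
import re
from itertools import combinations

# Constructed inputs (not the poster's full smb.conf): the pre-upgrade and
# post-upgrade idmap settings quoted in the thread, and the suggested ad+tdb
# layout with a '*' range deliberately altered so that it overlaps DOMAIN.
OLD_STYLE = """\
[global]
   workgroup = ATRON
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""

NEW_STYLE = """\
[global]
   workgroup = ATRON
   idmap config *:backend = tdb
   idmap config *:range = 3000-4000
   idmap config ATRON:backend = tdb
   idmap config ATRON:range = 10000-20000
"""

OVERLAPPING = """\
[global]
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 1100-50000
   idmap config DOMAIN:backend = ad
   # constructed fault: the default range below overlaps DOMAIN's range
   idmap config * : range = 40000-3100000
   idmap config * : backend = tdb
"""

# Pre-3.6 parameters named in the thread as no longer used.
OLD_PARAMS = {"idmap uid", "idmap gid"}
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf):
    """Return ({domain: {param: value}}, [old-style parameters found])."""
    domains, old = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":          # blank, comment, section header
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key in OLD_PARAMS:
            old.append(key)
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom")
            dom = dom if dom == "*" else dom.upper()   # domain names are case-insensitive
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val").strip()
    return domains, old


def parse_range(text):
    """'low-high' -> (low, high), or None if malformed or not ascending."""
    m = RANGE_RE.match(text)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_idmap(conf):
    """Return a list of (level, message); level is 'error' or 'info'."""
    domains, old = parse_idmap(conf)
    findings = []
    for p in old:
        findings.append(("error", f"'{p}' is no longer used in 3.6; use 'idmap config DOMAIN:range'"))
    if "*" not in domains:
        findings.append(("error", "no 'idmap config *' default: SIDs from domains without their "
                                  "own idmap config (BUILTIN, trusted domains) cannot be mapped"))
    ranges = {}
    for dom, params in domains.items():
        backend = params.get("backend")
        if backend is None:
            findings.append(("error", f"{dom}: no backend configured"))
        if "range" not in params:
            findings.append(("error", f"{dom}: no range configured"))
        else:
            rng = parse_range(params["range"])
            if rng is None:
                findings.append(("error", f"{dom}: malformed range '{params['range']}'"))
            else:
                ranges[dom] = rng
        if dom != "*" and backend in ("tdb", "rid"):
            findings.append(("info", f"{dom}: backend '{backend}' allocates ids on this host only; "
                                     "they need not match uidNumber/gidNumber in AD"))
        if backend == "ad":
            findings.append(("info", f"{dom}: backend 'ad' maps only users whose RFC2307 "
                                     "attributes are populated in AD"))
    # Two domains sharing an id range means one uid can be handed to two SIDs,
    # so a uid-keyed ACL may end up granting access to the wrong principal.
    for (a, ra), (b, rb) in combinations(ranges.items(), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(("error", f"ranges for {a} {ra} and {b} {rb} overlap"))
    return findings


if __name__ == "__main__":
    for name, conf in (("old", OLD_STYLE), ("new", NEW_STYLE), ("overlap", OVERLAPPING)):
        print(f"== {name} ==")
        for level, msg in check_idmap(conf):
            print(f"  [{level}] {msg}")
```

Running the script prints three reports: the pre-upgrade fragment produces errors for both old-style parameters and the missing '*' default, the post-upgrade fragment produces no errors but notes that ATRON's tdb ids are host-local, and the third fragment reports the overlapping ranges. The checker reads only the text of the fragment, so it can be pointed at a copied smb.conf without touching winbind or the tdb files.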