[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client
Paul R. Ganci
ganci at nurdog.com
Tue Oct 22 20:39:23 MDT 2013
On 10/22/2013 02:24 AM, steve wrote:
> idmap_ldb:use rfc2307 = yes
> and you need a keytab, so add:
> kerberos method = system keytab
From Googling I found an example for a smb.conf for a domain member in
the SambaWiki (Samba4/Domain Member). That smb.conf does not show a
"kerberos method". However in the Samba 4 AD server smb.conf I do have
"kerberos method = secrets and keytab" (again found from a Google
search). That authentication works makes me believe that kerberos method is
not actually needed for a domain member smb.conf but is for the AD
server smb.conf. Is that naive of me? Moreover should I consider
changing the "kerberos method" in the AD server smb.conf?
> before you do the rejoin below.
> The rid db is wrong after the upgrade. Leave the domain, then delete all
> the tdb's (I think they're in /var/lib/samba on CentOS). Then rejoin.
Yes, this makes sense. I will try doing this. Should have thought of
this myself :(
> I would _strongly_ advise switching to the ad backend and storing
> everything in the same place: AD. Problems like this then just go away.
The SambaWiki smb.conf example I mentioned showed using the AD backend.
I could never get it to work. However I believe the reason might be that
the UID/GID information was not in the correct place (i.e. not present
at all). I used the rid backend and tdb database because a Google search
showed me how I could use ldbedit on the idmap.ldb database to map the
AD user and group sids to UID/GID. What I found just worked and as this
is somewhat a science/learning experiment I was happy.
However, I understand where you are coming from. I am willing to switch,
but can you offer some explicit details of what information should go
where and how to get it there? I have found one or two scripts that add
users to the AD LDAP database but it is unclear what they actually do
(admittedly I have just given them a quick look and have not tried to
decipher them). There are only three users so I would just prefer to
hand edit the appropriate database. It just seems that the information
out on the web regarding these details is sketchy at best or maybe (more
probably) I am just not asking the proper question.
> If you really must use nfs then ignore the following:
> Now export using cifs:
> * -fstype=cifs,sec=krb5,multiuser,username=VMMACHINEKEY$ ://the.share.for.home/&
I do not have any great love for nfs. It just happens that it was the
devil I knew. From an academic standpoint can I ask what the
advantages/disadvantages of using cifs vs nfs are?
Thank you so much for your response. I think I will start by deleting
the tdbs/re-joining the domain to start. Longer term I would like to
switch to the AD backend. For that I definitely would appreciate some
advice on how to proceed.
Finally I find Samba 4 to be a very nifty product ... my hat goes off to
the developers. Prior to switching I was using nis/nfs to handle the
Linux stuff and Samba 3 DC to handle the Windows stuff. The Samba 4 AD
is a much better solution albeit somewhat complex to setup especially
for those of us not so familiar with the Microsoft way of doing things.
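An added example, not part of this thread or of the Samba project: a small Python lint for the idmap-related settings the exchange turns on. It parses a domain-member smb.conf and reports the three things discussed above: a missing "kerberos method" (so no keytab is maintained for the sec=krb5 mount), an idmap backend declared without a range, and the difference between the rid backend (UID/GID computed locally from the SID, nothing stored in AD) and the ad backend, which needs "schema_mode = rfc2307" to read uidNumber/gidNumber from AD. The parameter names are real Samba parameters; both sample configurations, the domain SAMDOM and its ranges are constructed for the example.

```python
"""Lint the idmap settings of a Samba domain-member smb.conf.

Added example, not code from the thread or from Samba. It checks the points
the thread raises: 'kerberos method', per-domain idmap ranges, and the
rid-versus-ad backend choice (rid keeps ids only on the member; ad reads
uidNumber/gidNumber from AD when schema_mode = rfc2307).
"""
import re

# Constructed sample: the member config the thread describes (rid backend,
# tdb default for the '*' domain, no 'kerberos method').
RID_MEMBER_CONF = """\
[global]
   workgroup = SAMDOM
   security = ads
   realm = SAMDOM.EXAMPLE.COM
   ; rid backend: UID/GID computed from the RID, nothing read from AD
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed sample: the 'ad' backend steve recommends, with the rfc2307
# schema so the uidNumber/gidNumber attributes stored in AD are used.
AD_MEMBER_CONF = """\
[global]
   workgroup = SAMDOM
   security = ads
   realm = SAMDOM.EXAMPLE.COM
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Matches a normalised idmap parameter name: "idmap config DOMAIN : option".
_IDMAP_KEY = re.compile(r"^idmap config (.+?) : (\w+)$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}.

    Parameter names are lower-cased and whitespace-collapsed, because Samba
    ignores case and spacing in names. Only the first '=' splits a line, since
    idmap parameter names contain ':' themselves. Lines starting with '#' or
    ';' are comments, as in Samba.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def lint_idmap(text):
    """Return a list of human-readable findings for a domain-member config."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []

    # Default 'kerberos method' keeps only secrets.tdb; without a keytab
    # method no system keytab is maintained for the sec=krb5 cifs mount.
    if "kerberos method" not in glob:
        findings.append("kerberos method not set: no machine keytab will be "
                        "maintained, so a sec=krb5 cifs mount has nothing to use")

    # Group "idmap config DOMAIN : option" parameters by domain.
    idmap = {}
    for key, value in glob.items():
        m = _IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value

    for domain, params in sorted(idmap.items()):
        backend = params.get("backend")
        if backend is None:
            findings.append(f"idmap config {domain}: no backend declared")
            continue
        if "range" not in params:
            findings.append(f"idmap config {domain}: backend {backend} has no "
                            "range; every idmap backend requires one")
        if backend == "rid":
            findings.append(f"idmap config {domain}: rid backend computes "
                            "UID/GID from the SID; ids exist only on this "
                            "member, not in AD")
        if backend == "ad" and params.get("schema_mode") != "rfc2307":
            findings.append(f"idmap config {domain}: ad backend without "
                            "schema_mode = rfc2307; uidNumber/gidNumber "
                            "stored in AD will not be used")
    return findings


if __name__ == "__main__":
    for name, conf in (("rid member", RID_MEMBER_CONF), ("ad member", AD_MEMBER_CONF)):
        print(f"--- {name}")
        for finding in lint_idmap(conf) or ["no findings"]:
            print(" ", finding)
```

Run it against a real /etc/samba/smb.conf by passing the file contents to lint_idmap(); the rid finding is informational and explains why, after the thread's "delete the tdbs and rejoin" step, the computed ids come back the same, while an ad backend would make the member read the ids kept in AD instead.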