[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client

Paul R. Ganci ganci at nurdog.com
Tue Oct 22 20:39:23 MDT 2013

On 10/22/2013 02:24 AM, steve wrote:
> smb.conf
> remove:
> idmap_ldb:use rfc2307 = yes
> and you need a keytab, so add:
> kerberos method = system keytab
From Googling I found an example for a smb.conf for a domain member in 
the SambaWiki (Samba4/Domain Member). That smb.conf does not show a 
"kerberos method". However in the Samba 4 AD server smb.conf I do have 
"kerberos method = secrets and keytab" (again found from a Google 
search). That authentication works makes me believe that kerberos method is 
not actually needed for a domain member smb.conf but is for the AD 
server smb.conf. Is that naive of me? Moreover should I consider 
changing the "kerberos method" in the AD server smb.conf?
> before you do the rejoin below.
> The rid db is wrong after the upgrade. Leave the domain, then delete all
> the tdb's (I think they're in /var/lib/samba on CentOS). Then rejoin.
Yes, this makes sense. I will try doing this. Should have thought of 
this myself :(
> I would _strongly_ advise switching to the ad backend and storing
> everything in the same place: AD. Problems like this then just go away.
The SambaWiki smb.conf example I mentioned showed using the AD backend. 
I could never get it to work. However I believe the reason might be that 
the UID/GID information was not in the correct place (i.e. not present 
at all). I used the rid backend and tdb database because a Google search 
showed me how I could use ldbedit on the idmap.ldb database to map the 
AD user and group sids to UID/GID. What I found just worked and as this 
is somewhat a science/learning experiment I was happy.

However, I understand where you are coming from. I am willing to switch, 
but can you offer some explicit details of what information should go 
where and how to get it there? I have found one or two scripts that add 
users to the AD LDAP database but it is unclear what they actually do 
(admittedly I have just given them a quick look and have not tried to 
decipher them). There are only three users so I would just prefer to 
hand edit the appropriate database. It just seems that the information 
out on the web regarding these details is sketchy at best or maybe (more 
probably) I am just not asking the proper question.
> If you really must use nfs then ignore the following:
> Now export using cifs:
> auto.home
> * -fstype=cifs,sec=krb5,multiuser,username=VMMACHINEKEY
> $ ://the.share.for.home/&
I do not have any great love for nfs. It just happens that it was the 
devil I knew. From an academic standpoint can I ask what the 
advantages/disadvantages of using cifs vs nfs?

Thank you so much for your response. I think I will start by deleting 
the tdbs/re-joining the domain to start. Longer term I would like to 
switch to the AD backend. For that I definitely would appreciate some 
advice on how to proceed.

Finally I find Samba 4 to be a very nifty product ... my hat goes off to 
the developers. Prior to switching I was using nis/nfs to handle the 
Linux stuff and Samba 3 DC to handle the Windows stuff. The Samba 4 AD 
is a much better solution albeit somewhat complex to setup especially 
for those of us not so familiar with the Microsoft way of doing things.
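An added example, not from this thread: the member-side idmap section for the "ad" backend steve recommends, plus the rfc2307 attributes a user and its primary group need in AD. All values are constructed (realm EXAMPLE.COM, DC dc1.example.com, range 10000-19999) and the ldbmodify -k Kerberos option is an assumption.

```shell
# Added example, not from the thread. Constructed values: realm EXAMPLE.COM,
# workgroup EXAMPLE, DC host dc1.example.com, uid/gid range 10000-19999.
set -eu

# 1. Member smb.conf: the "ad" backend reads uidNumber/gidNumber from AD, so every
#    member resolves the same UID:GID and no local rid/tdb mapping can go stale.
smb_conf_idmap() {
cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    kerberos method = system keytab
    winbind nss info = rfc2307
    # catch-all (BUILTIN etc.) stays in a local tdb, with its own range
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # our domain: rfc2307 attributes from AD, same range on every member
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-19999
EOF
}
# 2. LDIF for one user ($1 name, $2 uid, $3 gid). The primary group must carry
#    a gidNumber in the same range too, otherwise the user does not resolve at all.
user_ldif() {
cat <<EOF
dn: CN=$1,CN=Users,DC=example,DC=com
changetype: modify
add: uidNumber
uidNumber: $2
-
add: gidNumber
gidNumber: $3
-
add: unixHomeDirectory
unixHomeDirectory: /home/$1
EOF
}
group_ldif() {
printf 'dn: CN=%s,CN=Users,DC=example,DC=com\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2"
}
# 3. Apply with a Kerberos ticket (assumes ldbmodify -k), then check on the member
#    that the ids seen by NSS are the AD-assigned ones, not RID-derived ones.
apply_and_check() {
    group_ldif "Domain Users" "$3" | ldbmodify -H ldap://dc1.example.com -k yes
    user_ldif "$1" "$2" "$3" | ldbmodify -H ldap://dc1.example.com -k yes
    getent passwd "$1"                     # e.g. paul:*:10001:10001:...
    wbinfo --sid-to-uid "$(wbinfo --name-to-sid "$1" | cut -d' ' -f1)"
}
```

Run apply_and_check once per user after the tdbs have been deleted and the member rejoined, so winbindd does not hand out cached RID-derived ids.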
