[Samba] winbind bug?

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 7 09:44:27 MDT 2014


On 07/04/14 16:22, Doug Tucker wrote:
> On 03/27/2014 04:45 PM, Rowland Penny wrote:
>> On 27/03/14 21:28, Doug Tucker wrote:
>>>
>>>>>
>>>> Do you have access to the Windows server ? if you do, give all your 
>>>> users and groups the required RFC2307 attributes. You can do this 
>>>> using ADUC provided that it is showing the UNIX Attributes tab for 
>>>> users & groups. You can then pull these attributes with winbind, 
>>>> nslcd or sssd on the Linux machine, your problem will then go away.
>>>
>>> I'm a unix admin through and through, I know very little of AD. I 
>>> have access to change passwords...which I do from the command line, 
>>> haha.  I asked our windows admin and he said there is some other 
>>> thing with windows 2003 server you have to install to get that tab??
>>
>> Good, he knows about it then. As for being a Unix admin, I would 
>> suggest that you start learning about AD, now that Samba 4 can act as 
>> an ADDC, that is going to be the way forward.
>>
>>>>
>>>> If you don't have access to the windows server, get your windows 
>>>> admin to do it for you.
>>> He's balking.  He says I need to fix my unix id over 11000 issue. 
>>> Which I could probably do.  I probably have enough open now from 
>>> deleting old accounts that I could script a mass uid change to 
>>> something smaller to make this problem go away.  I was just hoping 
>>> someone might have an idea why unix id > 11000 was an issue and a 
>>> way around it.
>>
>> Make him do it, if not go over his head, just tell your bosses that 
>> samba has changed that much over the years that the only way to work 
>> correctly is to add the RFC2307 attributes to AD. This is the 
>> standard way of doing things.
>> If all else fails, set up a Samba 4 AD DC server and join it to the 
>> domain and then use samba-tool to add the RFC attributes.
>>
>>
>>>>
>>>> This way of doing things is the standard windows way of doing 
>>>> things and has been for years, your way (as far as I can see) has 
>>>> never been standard, unless you can point me at just where it is 
>>>> published.
>>> I've had these running like this for 10 years or so.  Again, I just 
>>> used the samba wiki and a centos doc I found.  I wrote my own 
>>> "how-to" that I have and used as the starting point for most of this 
>>> server as well.  I can't say I've ever seen any how-to that claimed 
>>> there was a "standard", just steps to follow which I did. It wasn't 
>>> until just now with this 3.6.9 version that I ever ran into any 
>>> issue and it still is a very isolated issue.
>>
>> Exactly, 10 years ago, your way may have been the only way, but it was 
>> really wrong even then, it is definitely wrong now.
>>
>>>>
>>>> The only other thing to say is, you should never try something new 
>>>> on a server running in production, you should do it on a test 
>>>> network, even if it means using VM's.
>>>>
>>>> Rowland
>>> I agree.  I had this in testing for 2 months before promoting to 
>>> production over the weekend.  My test userbase was up to 100 users 
>>> without a single issue.  Of course, not one of those had a unix id 
>>> over 11000 :(.  So far only 5 users have been affected, the other 
>>> couple of hundred are working away unaware that there is anything 
>>> going on.  I will probably change dns back on Friday and let the 
>>> users roll back to the 3.033 machine so I have more freedom to make 
>>> more drastic changes...not that I know what that is at this point. 
>>> Thanks for your time Rowland, and I apologize you got frustrated.
>> I am not frustrated, I identified the problem but you did not want 
>> to hear the answer.
>>
>> You know what you need to do, now go and do it.
>>
>> Rowland
>
> I am still very lost on how to make this work.  Under the proper way 
> of doing things, I have to get the users from AD, what about the 
> groups?  Do the unix groups need to be in AD as well for group shares 
> to work or can they just be in /etc/group?  Currently in my improper 
> setup, all group shares work for the users regardless of client, etc, 
> but I'm now afraid of being bitten by some update that fixes something 
> that is currently broken that is allowing me to get away with this.  I 
> honestly can't remember something that has had me this stumped and 
> lost for a solution.  I can't even wrap my head around it frankly :(

I cannot believe that this has risen from the dead ;-)

If you were running a Unix domain, users & groups would have to be 
identified somehow, this is done by the users having a uid number and 
groups a gid number, with me so far???

Now it is no different with Windows, only that Windows treats users & 
groups the same (they are both objects) and they have RIDs (the RID 
being the bit on the end of the SID).

So we have a problem, you cannot use RIDs with Unix and vice versa, so 
enter the uidNumber & gidNumber attributes. Every group in AD that you 
want to use with a Unix client, must have a gidNumber, and every user 
must have a uidNumber and a gidNumber, the gidNumber being the number of 
whatever you want the users main Unix group to be.

I would suggest that you do a large amount of research on the internet, 
based around samba, active directory and Unix, it is clear that you do 
not know what you are doing.

Rowland
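The mapping Rowland describes above, as an added illustration that is not part of the original thread or of any Samba code: a SID ends in a RID, which is what Windows identifies the object by, but an RFC2307-aware Unix client (winbind's ad backend, sssd, nslcd) only accepts a user that carries uidNumber and gidNumber and a group that carries gidNumber; an object without them simply does not resolve. The directory entries, SIDs and account names are constructed sample data, and the simplified dict layout stands in for what an LDAP query against AD would return.

```python
"""Illustration of RFC2307 mapping for AD objects (constructed sample data).

A SID such as S-1-5-21-x-y-z-1105 identifies an object to Windows by its
last sub-authority, the RID. Unix wants a uidNumber/gidNumber instead, and
an RFC2307-style resolver does not fall back to the RID when they are absent.
"""
import re

# S-1-<identifier authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def rid_of(sid: str) -> int:
    """Return the RID: the final sub-authority of the SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


# Constructed sample directory content, simplified to attribute -> value.
# The third object deliberately lacks the RFC2307 attributes.
SAMPLE_AD = [
    {"sAMAccountName": "dtucker", "objectClass": "user",
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1105",
     "uidNumber": 11234, "gidNumber": 10000},
    {"sAMAccountName": "unixadmins", "objectClass": "group",
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1106",
     "gidNumber": 10000},
    {"sAMAccountName": "noattrs", "objectClass": "user",
     "objectSid": "S-1-5-21-1004336348-1177238915-682003330-1107"},
]


class UnmappedError(LookupError):
    """Raised when an AD object has no usable Unix identity."""


def unix_identity(entry: dict) -> tuple:
    """Translate one AD object into a Unix identity.

    Users need uidNumber and gidNumber (the gidNumber is their primary
    group); groups need gidNumber. The RID is never used as a substitute.
    """
    name = entry["sAMAccountName"]
    if entry["objectClass"] == "group":
        if "gidNumber" not in entry:
            raise UnmappedError(f"group {name}: no gidNumber")
        return ("group", name, entry["gidNumber"])
    missing = [a for a in ("uidNumber", "gidNumber") if a not in entry]
    if missing:
        raise UnmappedError(f"user {name}: missing {', '.join(missing)}")
    return ("user", name, entry["uidNumber"], entry["gidNumber"])


def passwd_and_group_lines(entries: list) -> tuple:
    """Render mapped users as passwd(5) lines and groups as group(5) lines.

    Objects that cannot be mapped are collected instead of silently dropped,
    so the admin can see exactly which users/groups still need attributes.
    """
    passwd, group, unmapped = [], [], []
    for entry in entries:
        try:
            ident = unix_identity(entry)
        except UnmappedError as exc:
            unmapped.append(str(exc))
            continue
        if ident[0] == "user":
            _, name, uid, gid = ident
            passwd.append(f"{name}:*:{uid}:{gid}::/home/{name}:/bin/bash")
        else:
            _, name, gid = ident
            # Supplementary member list left empty; primary membership is
            # expressed through the users' gidNumber, as in getent output.
            group.append(f"{name}:*:{gid}:")
    return passwd, group, unmapped


if __name__ == "__main__":
    for e in SAMPLE_AD:
        print(e["sAMAccountName"], "RID", rid_of(e["objectSid"]))
    pw, gr, bad = passwd_and_group_lines(SAMPLE_AD)
    print("\n".join(pw + gr))
    print("unmapped:", bad)
```

Running it shows that dtucker's RID (1105) and uidNumber (11234) are unrelated numbers, which is the whole reason the attributes have to be present in AD, and that the object without them is reported as unmapped rather than being given an ID from somewhere else.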
