[Samba] Winbind question

Bruno MACADRE bruno.macadre at univ-rouen.fr
Mon Aug 11 23:57:15 MDT 2014


Hi,

On 11/08/2014 21:49, Chang, Jason (IW) wrote:
> few things I would like to point out
> 1) One thing about getent group returning 'WBC_ERR_DOMAIN_NOT_FOUND'
> is result of insufficient range for sid to gid mapping. increase the range.
In my case 'WBC_ERR_DOMAIN_NOT_FOUND' seems to mean that the "AD" backend can't 
translate SID to UID.
> 2) For me, using "rid" as backend for consistent gid/uid mapping works
> across multiple samba. I wasn't able to get "ad" to work nicely.
That's right, the RID backend is sufficient to get consistent gid/uid 
mapping... but I don't know if it works with other Unix attributes like 
unixHomeDirectory and loginShell.

After adding correct unix attributes to one of my users, it appears that 
the AD backend works fine and transfers all unix attributes to winbind.

> 3) is to make sure TDB config range and IDMAP config range doesn't overlap.
> e.g
> idmap config *:range 70001-80000
> idmap config SAMDOM:range = 80001-160000
It sounds logical, but I have a question... Is it possible to disable all 
the 'idmap config *:' directives, because I don't want to fall into this 
case if my AD were unreachable (TDB would cause a lot of problems like 
inconsistency in that case)?
> g'luck!
> -JGC
Thanks, you too !
Bruno
>
> On 08/11/2014 11:26 AM, Bruno MACADRE wrote:
>> Strange, since only users with a uid are shown with getent passwd,
>> groups are shown only if the others have a gid.... I don't know if it can be
>> called a bug, but thanks for the tips, I'll try it tomorrow.
>>
>> Best regards,
>> Bruno
>>
>>
>> On 11/08/2014 19:27, Rowland Penny wrote:
>>> Known problem, not sure whether you can call it a bug. If you want
>>> 'getent group' to work like 'getent passwd', you seemingly have to give
>>> ALL your groups a gidNumber.
>>>
>>> Rowland
>>>
>>>
>>> On 11 August 2014 18:04, Bruno MACADRÉ <bruno.macadre at univ-rouen.fr>
>>> wrote:
>>>
>>>> Thanks for all answers,
>>>>
>>>> I've added unix attributes to user foo by using ldbmodify and it
>>>> appears in getent passwd (with idmap backend = ad). I've done the same
>>>> with my "domain users" group (added only the gidNumber attribute) but it
>>>> doesn't appear with getent group, though with 'getent group "domain
>>>> users"' the group appears fine.... maybe a bug between getent, nss and
>>>> winbind....
>>>>
>>>> At last.... it works (except 'getent group'... but chown, chgrp, ...
>>>> work) !
>>>>
>>>> Thanks all
>>>> Regards,
>>>> Bruno
>>>>
>>>> On 11/08/2014 18:20, Rowland Penny wrote:
>>>>
>>>>> Hi, glad to see that you have got it working and the answer to your
>>>>> question is YES.
>>>>>
>>>>> If you use ADUC to create users and then update them via the
>>>>> UNIX-Attributes, the first time you do this a couple of missing
>>>>> attributes get added:
>>>>> msSFU30MaxUidNumber and msSFU30MaxGidNumber
>>>>>
>>>>> Guess what they do ?
>>>>>
>>>>> Yes, that's right, they store the next uidNumber & gidNumber, so by
>>>>> using an ldif you can easily write a script around ldbmodify to add the
>>>>> required SFU attributes (you could easily do this even if you have 500
>>>>> users)
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>> On 11 August 2014 16:49, Ryan Ashley <ryana at reachtechfp.com> wrote:
>>>>>
>>>>>> So you're saying that even though the ad backend is working, you'd still
>>>>>> have to do this manually? Mine all have IDs I entered manually, but I do
>>>>>> not have that many users. Is there possibly a way to add a script that
>>>>>> runs on user creation that will find the first free ID in a range and
>>>>>> set it for that user's uidNumber and gidNumber?
>>>>>>
>>>>>> On 08/11/2014 11:47 AM, steve wrote:
>>>>>>
>>>>>>> On Mon, 2014-08-11 at 17:26 +0200, Bruno MACADRÉ wrote:
>>>>>>>> I can't specify all POSIX attributes with ADUC over about 5000 users
>>>>>>>> by hand....
>>>>>>>>
>>>>>>>> I will fall back to the rid idmap backend... it works fine
>>>>>>> Hi
>>>>>>> If you don't mind ids that differ between machines, then rid is the way
>>>>>>> to go. Otherwise, script from your working rid output using getent
>>>>>>> passwd, cut the (nice friendly colon delimited) id and then ldbmodify it
>>>>>>> into AD as uidNumber. Any new users, just remember to add the values
>>>>>>> when you create them.
>>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>> -- 
>>>>
>>>> Bruno MACADRE
>>>> -------------------------------------------------------------------
>>>>    Ingénieur Systèmes et Réseau     | Systems and Network Engineer
>>>>    Département Informatique         | Department of computer science
>>>>    Responsable Info SER             | SER IT Manager
>>>>    Université de Rouen              | University of Rouen
>>>> -------------------------------------------------------------------
>>>> Coordonnées / Contact :
>>>>           Université de Rouen
>>>>           Faculté des Sciences et Techniques - Madrillet
>>>>           Avenue de l'Université
>>>>           CS 70012
>>>>           76801 St Etienne du Rouvray CEDEX
>>>>           FRANCE
>>>>
>>>>           Tél : +33 (0)2-32-95-51-86
>>>>           Mob : +33 (0)6-74-71-45-64
>>>> -------------------------------------------------------------------
>>>>
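Worked example added to this archived thread (it is not code from the list, from its
participants or from Samba): a Python script that does what steve and Rowland describe
above. It takes the ids winbind already hands out ('getent passwd' / 'getent group'
with the rid backend) and turns them into LDIF for ldbmodify that sets uidNumber,
gidNumber, unixHomeDirectory and loginShell on the AD objects; it checks that the
'idmap config *' and per-domain ranges Jason mentions do not overlap and flags any id
that was allocated from the '*' tdb range, which is the inconsistency Bruno worries
about; and it allocates a new user's uid from the msSFU30MaxUidNumber counter Rowland
mentions. The smb.conf fragment, the getent lines, the account-to-DN map and the DN of
the object holding msSFU30MaxUidNumber are constructed for the example; on a real DC the
DNs come from ldbsearch against sam.ldb.

```python
"""Added example (not from the thread or from Samba): LDIF for ldbmodify that copies
the ids winbind hands out into AD, plus idmap range checks and a counter-based allocator."""
import base64
import re

# Constructed sample input, not real data from the list.
SMB_CONF = """\
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 80001-160000
"""
# getent passwd / getent group on a member using the rid backend. jdoe's gid and
# legacy-grp sit in the '*' tdb range: allocated by the fallback, so they differ
# from host to host, which is the inconsistency the thread warns about.
GETENT_PASSWD = """\
SAMDOM\\foo:*:81104:80514:Foo Bar:/home/SAMDOM/foo:/bin/bash
SAMDOM\\jdoe:*:81105:70002:Jane Doe:/home/SAMDOM/jdoe:/bin/bash
"""
GETENT_GROUP = """\
SAMDOM\\domain users:x:80514:
SAMDOM\\legacy-grp:x:70002:
"""
# account -> DN (assumed); on a DC: ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=foo)' dn
DN_OF = {'foo': 'CN=Foo Bar,CN=Users,DC=samdom,DC=example,DC=com',
         'jdoe': 'CN=Jane Doe,CN=Users,DC=samdom,DC=example,DC=com',
         'domain users': 'CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com',
         'legacy-grp': 'CN=legacy-grp,CN=Users,DC=samdom,DC=example,DC=com'}.get

UNIX_ATTRS = ('uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell')
_RANGE = re.compile(r'^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=?\s*(\d+)\s*-\s*(\d+)\s*$', re.I | re.M)

def parse_idmap_ranges(smb_conf):
    """{'*' or 'DOMAIN': (low, high)} from every 'idmap config X : range = A-B' line."""
    ranges = {}
    for dom, lo, hi in _RANGE.findall(smb_conf):
        if int(lo) > int(hi):
            raise ValueError(f'inverted idmap range for {dom}: {lo}-{hi}')
        ranges[dom.strip().upper()] = (int(lo), int(hi))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap; winbind needs this to be empty."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def parse_getent(text, separator='\\'):
    """Entries from getent passwd (7 fields) or getent group (4 fields) lines;
    'SAMDOM\\foo' -> account 'foo' (no prefix when winbind use default domain = yes)."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        f = line.split(':')
        if len(f) == 7:
            e = {'uidNumber': int(f[2]), 'gidNumber': int(f[3]), 'unixHomeDirectory': f[5], 'loginShell': f[6]}
        elif len(f) == 4:
            e = {'gidNumber': int(f[2])}
        else:
            raise ValueError(f'not a getent passwd/group line: {line!r}')
        e['account'] = f[0].split(separator, 1)[-1]
        entries.append(e)
    return entries

def ids_outside_range(entries, low, high):
    """Accounts whose uid/gid was not taken from [low, high]: with a rid/ad backend
    those came from the '*' fallback and must not be copied into AD."""
    return [e['account'] for e in entries
            if any(not low <= e[k] <= high for k in ('uidNumber', 'gidNumber') if k in e)]

def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' where RFC 2849 forbids the plain form
    (non-ASCII such as MACADRÉ, leading space/colon/'<', trailing space, NUL/CR/LF)."""
    value = str(value)
    plain = (value.isascii() and value != '' and value[0] not in ' :<'
             and value[-1] != ' ' and not any(c in value for c in '\0\r\n'))
    return f'{attr}: {value}' if plain else f'{attr}:: {base64.b64encode(value.encode()).decode()}'

def modify_record(dn, mods):
    """One LDIF 'changetype: modify' record from a list of (op, attr, value)."""
    rec = [ldif_line('dn', dn), 'changetype: modify']
    for op, attr, value in mods:
        rec += [f'{op}: {attr}', ldif_line(attr, value), '-']
    return '\n'.join(rec)

def make_ldif(entries, dn_of, replace=False):
    """LDIF adding each entry's RFC 2307 attributes to its AD object. A plain 'add'
    fails on an object that already carries the attribute; replace=True overwrites."""
    op = 'replace' if replace else 'add'
    recs = []
    for e in entries:
        dn = dn_of(e['account'])
        if dn is None:
            raise LookupError(f"no AD object found for {e['account']}")
        recs.append(modify_record(dn, [(op, k, e[k]) for k in UNIX_ATTRS if k in e]))
    return '\n\n'.join(recs) + '\n'

def new_user_ldif(user_dn, nis_dn, next_uid, gid, home, shell='/bin/bash'):
    """Give a new user the uid stored in msSFU30MaxUidNumber and advance the counter.
    nis_dn is the object holding the counter (locate it with ldbsearch '(msSFU30MaxUidNumber=*)').
    Deleting the value that was read and adding the next one in a single modify makes a stale
    read fail instead of handing the same uid to two users; that record comes first, so check
    ldbmodify's exit status before trusting the user record."""
    counter = modify_record(nis_dn, [('delete', 'msSFU30MaxUidNumber', next_uid),
                                     ('add', 'msSFU30MaxUidNumber', next_uid + 1)])
    user = modify_record(user_dn, [('add', 'uidNumber', next_uid), ('add', 'gidNumber', gid),
                                   ('add', 'unixHomeDirectory', home), ('add', 'loginShell', shell)])
    return counter + '\n\n' + user + '\n'
```

Usage: collect the DNs with ldbsearch, run ids_outside_range over the parsed getent output
and fix anything it reports before generating, then write make_ldif's output to a file and
feed it to ldbmodify -H /var/lib/samba/private/sam.ldb. On the question of dropping the
'idmap config *' lines: winbind still needs that default range for BUILTIN and other
non-domain SIDs, so the practical answer is to keep it, keep it disjoint from the domain
range (overlapping_ranges), and never copy an id from it into AD.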


