[Samba] winbind on server have different UIDs on each Member Server
Rowland Penny
rowlandpenny at googlemail.com
Fri May 30 08:54:47 MDT 2014
On 30/05/14 15:15, William Antonin wrote:
>
> > OK, first the Server, to change '/bin/false' to '/bin/bash', add
> > 'template shell = /bin/bash' to smb.conf, you can also change the
> > user's home directory by adding 'template homedir', for this see 'man
> > smb.conf'
> > On the client, it is a bit different
> Why are they different? I'm shocked by winbind's behaviour.
>
If you are running samba4 as an AD DC, you are using the samba daemon and
winbind is built into this daemon. The only problem is that it doesn't do as
much as the standalone winbind daemon you would run on a member server.
The main difference is that it only pulls the user's uidNumber &
gidNumber from AD; it ignores the loginShell & unixHomeDirectory
attributes. This is why it is better, at present, not to use the AD
DC as a fileserver; you can use it, but you must work around the problems.
Rowland
>
> 2014-05-30 9:43 GMT+02:00 William Antonin <antonin at geovariances.com>:
>
> thank you for your help.
>
>
>
> 2014-05-23 16:44 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
> On 23/05/14 15:12, William Antonin wrote:
>
> Thank you for your responsiveness.
> It's good: I changed my smb.conf, I use the ad backend and I
> put a large range, and it's OK,
> but I can't see the same gecos and shell on server and
> clients.
>
>
> I take it you mean that you altered the smb.conf on the
> clients and added uidNumber & gidNumber attributes to your
> users and groups in AD, but now when you run 'getent passwd
> <username>' on the samba4 server, you get something similar to
> this:
>
> DOMAIN\testuser:*:10000:10000:Test User:/home/DOMAIN/testuser:/bin/false
>
> and if you run the same command on the client, you get
> something similar to this:
>
> testuser:*:10000:10000::/home/DOMAIN/testuser:/bin/bash
>
> OK, first the Server, to change '/bin/false' to '/bin/bash',
> add 'template shell = /bin/bash' to smb.conf, you can also
> change the user's home directory by adding 'template homedir',
> for this see 'man smb.conf'
>
> On the client, it is a bit different, you need to add the
> following attributes to each user in AD:
>
>     loginShell          Containing the shell to use, i.e. '/bin/bash'
>     unixHomeDirectory   Containing the path to the user's home dir, i.e. '/home/DOMAIN/testuser'
>     gecos               Containing the user's full name, i.e. 'Test User'
>
> Hope this helps
>
> Rowland
>
>
>
>
> 2014-05-23 11:03 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
>
> On 23/05/14 09:56, William Antonin wrote:
>
> Hello
>
> I have a big problem.
>
> I'm in a lab situation with 2 domain controllers DC1, DC2 samba 4
> (Ubuntu 14.04) in different networks, and each of them has a client
> (Ubuntu 12.04).
>
> When I want to get uid/gid, I use "wbinfo -i user" and I get the same
> results on each client if they have the same configuration. It's OK for
> the clients.
>
> But when I install winbind on the servers (Ubuntu 14.04), just to be
> able to use the wbinfo command, I can use "wbinfo -i name" but on my 2
> DCs I get an unexpected result for the uid/gid. It seems that the idmap
> mapping is not interpreted.
>
>
>
> Here is my smb.conf excerpt and the results on a client and a server:
>
> Excerpt smb.conf of server
>
> # Global parameters
> [global]
>     workgroup = PREVERT
>     realm = PREVERT.LAN
>     netbios name = DCFR
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>     idmap_ldb:use rfc2307 = yes
>     winbind nss info = rfc2307
>
> [netlogon]
>     path = /var/lib/samba/sysvol/prevert.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> Excerpt smb.conf of client
>
> [global]
>     ; Basic server settings
>     workgroup = PREVERT
>     realm = PREVERT.LAN
>     smb ports = 139
>
>     log file = /var/log/samba/%m.log
>     max log size = 1024
>
>     ; security options
>     ;hosts allow = 10.1.1. 127.0.0.1
>     security = ADS
>     null passwords = no
>     password server = dcfr.prevert.lan
>     encrypt passwords = yes
>     guest ok = no
>     invalid users = root bin daemon named sys tty disk mem kmem users sshd
>
>     idmap config PREVERT:backend = rid
>     idmap config PREVERT:schema_mode = rfc2307
>     idmap config PREVERT:range = 10000-19999
>     idmap config PREVERT:read only = yes
>
>     winbind nss info = rfc2307
>
>     winbind uid = 60000-70000
>     winbind use default domain = Yes
>     winbind enum users = Yes
>     winbind enum groups = Yes
>
>     wins server = dcfr.prevert.lan
>
>     inherit acls = Yes
>
>     template homedir = /home/%U
>     template shell = /bin/false
>
> wbinfo -i bob on client
>
> bob:*:11106:10513:bob:/machine1/home/bob:/bin/sh
>
> wbinfo -i guy on server
>
> PREVERT\bob:*:10000:10000::/home/PREVERT/bob:/bin/false
>
> Can someone help me, please?
>
> The problem here is that the winbind on the server is not the same
> as the winbind on the clients, you are also using the rid backend
> on the clients. The only way to get consistent uid/gid's
> everywhere is to use the ad backend on the clients and give your
> users/groups uidNumber's &/or gidNumber's.
>
> Rowland
> -- To unsubscribe from this list go to the
> following URL and read the
> instructions:
> https://lists.samba.org/mailman/options/samba
>
>
>
>
>
>
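
Added example, not part of the original thread: a small Python check that takes passwd-format lines (as printed by 'getent passwd' or 'wbinfo -i') collected from each host and reports which fields differ per account; a uid or gid difference means the same AD user maps to a different numeric owner depending on the host. The sample lines are the ones quoted in the thread; the host labels "dc" and "member" and the function names are made up for this example.

```python
# Added example: compare passwd-format lines gathered from several hosts
# and report, per account, every field whose value is not the same everywhere.
FIELDS = ("uid", "gid", "gecos", "home", "shell")


def parse_passwd(line):
    """Split one passwd-format line and drop any DOMAIN prefix from the name."""
    parts = line.strip().split(":")
    if len(parts) != 7:
        raise ValueError(f"not a passwd entry: {line!r}")
    # The DC prints 'DOMAIN\user'; a member with
    # 'winbind use default domain = Yes' prints plain 'user'.
    name = parts[0].rsplit("\\", 1)[-1].lower()
    return name, dict(zip(FIELDS, parts[2:]))


def find_drift(outputs):
    """outputs: {host: [passwd lines]} -> {user: {field: {host: value}}}."""
    seen = {}
    for host, lines in outputs.items():
        for line in lines:
            name, entry = parse_passwd(line)
            seen.setdefault(name, {})[host] = entry
    drift = {}
    for name, per_host in seen.items():
        for field in FIELDS:
            values = {host: e[field] for host, e in per_host.items()}
            if len(set(values.values())) > 1:
                drift.setdefault(name, {})[field] = values
    return drift


# Lines as quoted in the thread; the host labels are assumptions of this example.
SAMPLE = {
    "dc": [r"PREVERT\bob:*:10000:10000::/home/PREVERT/bob:/bin/false",
           r"DOMAIN\testuser:*:10000:10000:Test User:/home/DOMAIN/testuser:/bin/false"],
    "member": ["bob:*:11106:10513:bob:/machine1/home/bob:/bin/sh",
               "testuser:*:10000:10000::/home/DOMAIN/testuser:/bin/bash"],
}

if __name__ == "__main__":
    for user, fields in sorted(find_drift(SAMPLE).items()):
        for field, values in fields.items():
            # uid/gid drift changes file ownership; the rest is NSS info only.
            kind = "ownership" if field in ("uid", "gid") else "nss info"
            print(f"{user}: {field} differs ({kind}): {values}")
```
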