[Samba] sssd on DC for fileserver

Jonathan Hunter jmhunter1 at gmail.com
Wed Jun 3 11:44:29 MDT 2015


(meant to send this to the list this morning also)

Thanks buhorojo.

I was looking at the smb.conf man page at
https://www.samba.org/samba/docs/man/manpages/smb.conf.5.html for
inspiration, and only saw the 'winbind' option, not the 'winbindd'
option - looks like the man page isn't exhaustive on that (I would have
expected it to be.. oops)

Unfortunately I've tried changing this as above.. still no luck, it
doesn't work :(

I now have:
        server services = -dns +winbind -winbindd

which has actually broken authentication for me (at least,
radiusd/ntlm_auth doesn't work with smb.conf in that state) - so I've
since reverted that change.

I don't think 4.1 is an easy option for me as there are other fixes in
4.2 that I am using (I'm on 4.2.2 at the moment) - and is downgrading
a good idea?

At the moment I'm testing by editing smb.conf and restarting samba,
then creating a new directory in \\servername\users\myusername, and
checking with "ls -nld" to see what UID it has been created with. So
far, only the old UID (3000007) is used, not the new UID which I need.

Interestingly, despite having previously run 'net cache flush' and
restarted Samba, there were still many items in the cache ('net cache
list') when I checked just now. This time, I stopped Samba, *then* ran
'net cache flush' and that seems to have worked better, I now have an
empty cache.

It's still creating files with the old UID, though :(

Really, I want algorithmic RID mapping on my DC. That seems to not yet
be available, so I have tried sssd.. which seems to not work fully in
my scenario (see above), either.

I have a feeling that there is an open bug in the tracker that relates
to this - but I can't remember which one it is, unfortunately. Anyone
know (and is it due for resolution in 4.3??)

I would dearly love to help with this via code contributions, but I've
never worked on the samba codebase and it seems to be a bit of a big
nut to crack as a first attempt...

Just from general observations on the mailing list over the last few
weeks, I'm certainly not the only one who is hit by the different
behaviour of a DC vs a member server in terms of ID mapping :(

Cheers,

Jonathan

On 3 June 2015 at 06:30, buhorojo <buhorojo.lcb at gmail.com> wrote:
> On 03/06/15 01:37, Jonathan Hunter wrote:
>>
>>
>> I've restarted samba, I've run 'net cache flush', I've tried adding
>> "-winbind" to the 'server services'
>
>
> Either go back to the stable 4.1 series (recommended) or use:
>
>   server services = +winbind, -winbindd
>



-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

