[Samba] idmap & migration to rfc2307
Rowland Penny
rowlandpenny at googlemail.com
Sat Jun 13 12:13:11 MDT 2015
On 13/06/15 16:33, Jonathan Hunter wrote:
> Hi buhorojo,
>
> I *think* I have a stable system for the moment... so thank you :-)
>
> On 13 June 2015 at 12:50, buhorojo <buhorojo.lcb at gmail.com> wrote:
>>> I now set in smb.conf:
>>>
>>> server services = -dns +winbind -winbindd
>>>
>>> I stopped samba, then removed databases:
>>>
>>> # rm /usr/local/samba/var/cache/gencache.tdb \
>>> /usr/local/samba/var/lock/gencache_notrans.tdb \
>> Restore this:
>>> /usr/local/samba/private/idmap.ldb
> I have the following in smb.conf:
> server services = -dns +winbind -winbindd
> idmap_ldb:use rfc2307 = yes
> and no 'winbind' lines anywhere.
>
> I removed /usr/local/samba/var/cache/gencache.tdb and
> /usr/local/samba/var/cache/gencache_notrans.tdb, and kept
> /usr/local/samba/private/idmap.ldb (copied from other DC)
>
> Now, when starting samba, I see stable connections using the correct
> UID, even after some time:
>
> # smbstatus
> [....]
> Locked files:
> Pid Uid DenyMode Access R/W Oplock
> SharePath Name Time
> --------------------------------------------------------------------------------------------------
> 14717 41000 DENY_NONE 0x100081 RDONLY NONE
> /data/sharename . Sat Jun 13 12:58:52 2015
> 14717 41000 DENY_NONE 0x100081 RDONLY NONE
> /home/auser Documents Sat Jun 13 15:44:42 2015
> 7330 41012 DENY_NONE 0x100081 RDONLY NONE
> /data/anothershare . Sat Jun 13 16:25:40 2015
> 22048 41001 DENY_ALL 0x100080 RDONLY NONE
> /home . Sat Jun 13 13:01:03 2015
>
> There is nothing shown at all in 'net cache list'; I guess this is
> fine (certainly, things seem to work at the moment)
>
> Looks like a working minimal configuration for file serving from a DC
> is the following, then:
> - use rfc2307 UIDs (sadly, this is a must - I *wish* I could use some
> kind of algorithmic mapping, ideally sssd's logic, but any really!)
> - use sssd with 'ldap_id_mapping = False', and specify 'sss' for
> passwd and group in /etc/nsswitch.conf
> - Specify 'idmap_ldb:use rfc2307 = yes' in smb.conf
> - Add '+winbind -winbindd' to 'server services =' in smb.conf
>
>
OK, I have a couple VMs running Debian Wheezy with Sernet Samba 4.2.1
These are running as a test domain with two DCs, both are using the
built-in dns server and winbindd.
If I check smb.conf on both DCs:
root at testdc1:~# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SAMBADOM
realm = SAMBADOM.EXAMPLE.COM
netbios name = TESTDC1
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[netlogon]
path = /var/lib/samba/sysvol/sambadom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
root at testdc2:~# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SAMBADOM
realm = SAMBADOM.EXAMPLE.COM
netbios name = TESTDC2
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[netlogon]
path = /var/lib/samba/sysvol/sambadom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
They are both Identical apart from the 'netbios name'
Checking 'server services' give this:
root at testdc1:~# samba-tool testparm -v | grep 'server services'
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
/etc/nsswitch.conf on both machines have these two lines:
passwd: compat winbind
group: compat winbind
If I check what is running:
root at testdc1:~# ps ax | grep '/usr/sbin' | grep "\-D"
2446 ? Ss 0:00 /usr/sbin/samba -D
2637 ? S 0:00 /usr/sbin/samba -D
2638 ? S 0:02 /usr/sbin/samba -D
2639 ? Ss 0:00 /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
2640 ? S 0:00 /usr/sbin/samba -D
2641 ? S 0:00 /usr/sbin/samba -D
2642 ? S 0:00 /usr/sbin/samba -D
2643 ? S 0:00 /usr/sbin/samba -D
2644 ? S 0:00 /usr/sbin/samba -D
2645 ? S 0:02 /usr/sbin/samba -D
2646 ? S 0:00 /usr/sbin/samba -D
2647 ? S 0:00 /usr/sbin/samba -D
2648 ? S 0:00 /usr/sbin/samba -D
2649 ? S 0:00 /usr/sbin/samba -D
2650 ? S 0:00 /usr/sbin/samba -D
2651 ? Ss 0:00 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
2654 ? S 0:00 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
2755 ? S 0:00 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
If I check a couple of users, one with a uidNumber & gidNumber, the
other without:
root at testdc1:~# getent passwd user1
user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
root at testdc1:~# getent passwd user2
user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
Do the same on the other DC:
root at testdc2:~# getent passwd user1
user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
root at testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root at testdc2:~# cat /etc/samba/smb.conf
As you can see, the one with the RFC2307 attributes gives the same
result on both machines, the other gives different uidNumbers.
If I now give the second user the required RFC2307 attributes:
root at testdc1:~# samba-tool user nisadd user2 --nis-domain=sambadom
--login-shell=/bin/bash --unix-home=/home/user2
User 'user2' updated successfully
Try again:
root at testdc1:~# getent passwd user2
user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root at testdc1:~# net cache flush
root at testdc1:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
And on the other DC:
root at testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root at testdc2:~# net cache flush
root at testdc2:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
This way of mapping hasn't changed with the replacement of the 'winbind'
built into the samba daemon with the separate 'winbindd' daemon.
Rowland
More information about the samba
mailing list