[Samba] idmap & migration to rfc2307
Jonathan Hunter
jmhunter1 at gmail.com
Sat Jun 13 20:20:03 MDT 2015
Thank you Rowland - really clear example and explanation.
From your example, this is what I would see, once the RFC2307
attributes had been added:
root at testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root at testdc2:~# net cache flush
root at testdc2:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
[ ... wait some period of time ... ]
root at testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
I have now worked around this by not using winbindd at all ('server
services = -winbindd +winbind'), and by using sssd for the local
machine via NSS... but I have a feeling that this may actually be a
bug :-(
On 13 June 2015 at 19:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 13/06/15 16:33, Jonathan Hunter wrote:
>>
>> Hi buhorojo,
>>
>> I *think* I have a stable system for the moment... so thank you :-)
>>
>> On 13 June 2015 at 12:50, buhorojo <buhorojo.lcb at gmail.com> wrote:
>>>>
>>>> I now set in smb.conf:
>>>>
>>>> server services = -dns +winbind -winbindd
>>>>
>>>> I stopped samba, then removed databases:
>>>>
>>>> # rm /usr/local/samba/var/cache/gencache.tdb \
>>>> /usr/local/samba/var/lock/gencache_notrans.tdb \
>>>
>>> Restore this:
>>>>
>>>> /usr/local/samba/private/idmap.ldb
>>
>> I have the following in smb.conf:
>> server services = -dns +winbind -winbindd
>> idmap_ldb:use rfc2307 = yes
>> and no 'winbind' lines anywhere.
>>
>> I removed /usr/local/samba/var/cache/gencache.tdb and
>> /usr/local/samba/var/cache/gencache_notrans.tdb, and kept
>> /usr/local/samba/private/idmap.ldb (copied from other DC)
>>
>> Now, when starting samba, I see stable connections using the correct
>> UID, even after some time:
>>
>> # smbstatus
>> [....]
>> Locked files:
>> Pid Uid DenyMode Access R/W Oplock
>> SharePath Name Time
>>
>> --------------------------------------------------------------------------------------------------
>> 14717 41000 DENY_NONE 0x100081 RDONLY NONE
>> /data/sharename . Sat Jun 13 12:58:52 2015
>> 14717 41000 DENY_NONE 0x100081 RDONLY NONE
>> /home/auser Documents Sat Jun 13 15:44:42 2015
>> 7330 41012 DENY_NONE 0x100081 RDONLY NONE
>> /data/anothershare . Sat Jun 13 16:25:40 2015
>> 22048 41001 DENY_ALL 0x100080 RDONLY NONE
>> /home . Sat Jun 13 13:01:03 2015
>>
>> There is nothing shown at all in 'net cache list'; I guess this is
>> fine (certainly, things seem to work at the moment)
>>
>> Looks like a working minimal configuration for file serving from a DC
>> is the following, then:
>> - use rfc2307 UIDs (sadly, this is a must - I *wish* I could use some
>> kind of algorithmic mapping, ideally sssd's logic, but any really!)
>> - use sssd with 'ldap_id_mapping = False', and specify 'sss' for
>> passwd and group in /etc/nsswitch.conf
>> - Specify 'idmap_ldb:use rfc2307 = yes' in smb.conf
>> - Add '+winbind -winbindd' to 'server services =' in smb.conf
>>
>>
>
> OK, I have a couple VMs running Debian Wheezy with Sernet Samba 4.2.1
>
> These are running as a test domain with two DCs, both are using the built-in
> dns server and winbindd.
>
> If I check smb.conf on both DCs:
>
> root at testdc1:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = SAMBADOM
> realm = SAMBADOM.EXAMPLE.COM
> netbios name = TESTDC1
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/sambadom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> root at testdc2:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = SAMBADOM
> realm = SAMBADOM.EXAMPLE.COM
> netbios name = TESTDC2
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/sambadom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> They are both identical apart from the 'netbios name'.
>
> Checking 'server services' gives this:
>
> root at testdc1:~# samba-tool testparm -v | grep 'server services'
>
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate, dns
>
> /etc/nsswitch.conf on both machines has these two lines:
>
> passwd: compat winbind
> group: compat winbind
>
> If I check what is running:
>
> root at testdc1:~# ps ax | grep '/usr/sbin' | grep "\-D"
> 2446 ? Ss 0:00 /usr/sbin/samba -D
> 2637 ? S 0:00 /usr/sbin/samba -D
> 2638 ? S 0:02 /usr/sbin/samba -D
> 2639 ? Ss 0:00 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
> 2640 ? S 0:00 /usr/sbin/samba -D
> 2641 ? S 0:00 /usr/sbin/samba -D
> 2642 ? S 0:00 /usr/sbin/samba -D
> 2643 ? S 0:00 /usr/sbin/samba -D
> 2644 ? S 0:00 /usr/sbin/samba -D
> 2645 ? S 0:02 /usr/sbin/samba -D
> 2646 ? S 0:00 /usr/sbin/samba -D
> 2647 ? S 0:00 /usr/sbin/samba -D
> 2648 ? S 0:00 /usr/sbin/samba -D
> 2649 ? S 0:00 /usr/sbin/samba -D
> 2650 ? S 0:00 /usr/sbin/samba -D
> 2651 ? Ss 0:00 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> 2654 ? S 0:00 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> 2755 ? S 0:00 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>
> If I check a couple of users, one with a uidNumber & gidNumber, the other
> without:
>
> root at testdc1:~# getent passwd user1
> user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
> root at testdc1:~# getent passwd user2
> user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> Do the same on the other DC:
>
> root at testdc2:~# getent passwd user1
> user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
> root at testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc2:~# cat /etc/samba/smb.conf
>
> As you can see, the one with the RFC2307 attributes gives the same result on
> both machines, the other gives different uidNumbers.
>
> If I now give the second user the required RFC2307 attributes:
>
> root at testdc1:~# samba-tool user nisadd user2 --nis-domain=sambadom
> --login-shell=/bin/bash --unix-home=/home/user2
> User 'user2' updated successfully
>
> Try again:
>
> root at testdc1:~# getent passwd user2
> user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc1:~# net cache flush
> root at testdc1:~# getent passwd user2
> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> And on the other DC:
>
> root at testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc2:~# net cache flush
> root at testdc2:~# getent passwd user2
> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> This way of mapping hasn't changed with the replacement of the 'winbind'
> built into the samba daemon with the separate 'winbindd' daemon.
>
> Rowland
>
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
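The symptom in this thread (a DC resolving a user to a pool-allocated xidNumber such as 3000015 instead of the uidNumber stored in AD, and the two DCs disagreeing) is easy to check for from a script. The following is an added example, not code from the thread or from Samba: it parses `getent passwd` lines gathered from each DC, compares them against the uidNumber values read from AD, and flags cache drift and cross-DC mismatches. The sample lines, the uidNumber table and the 3000000 pool start are constructed from the values quoted above.

```python
"""Check that NSS resolves domain users to their RFC2307 uidNumber on
every DC, rather than to a locally allocated xidNumber from idmap.ldb.

Sample data is constructed from the values quoted in the thread; on a
real DC you would feed it `getent passwd <user>` output from each DC and
the uidNumber attribute read from AD (e.g. via ldbsearch).
"""

# Samba's idmap.ldb hands out xidNumbers from this pool when no RFC2307
# uidNumber is found (the 3000015 / 3000016 values in the thread).
XID_POOL_START = 3000000


def parse_getent(line):
    """Split one passwd(5)-style line into (name, uid, gid)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd line: %r" % line)
    return fields[0], int(fields[2]), int(fields[3])


def check_mappings(per_dc_output, rfc2307_uids):
    """per_dc_output: {dc_name: [getent passwd lines]}
    rfc2307_uids:   {user: uidNumber from AD}
    Returns a list of (dc, user, problem); an empty list means consistent."""
    problems = []
    seen = {}  # user -> {dc: uid as NSS reports it}
    for dc, lines in per_dc_output.items():
        for line in lines:
            name, uid, _gid = parse_getent(line)
            seen.setdefault(name, {})[dc] = uid
            expected = rfc2307_uids.get(name)
            if expected is None:
                if uid >= XID_POOL_START:
                    problems.append((dc, name, "no uidNumber in AD; using local xidNumber %d" % uid))
            elif uid != expected:
                problems.append((dc, name, "NSS uid %d != uidNumber %d (stale idmap cache?)" % (uid, expected)))
    # Different UIDs on different DCs break ownership on replicated shares.
    for name, by_dc in seen.items():
        if len(set(by_dc.values())) > 1:
            problems.append(("*", name, "uid differs across DCs: %s" % sorted(by_dc.items())))
    return problems


# Constructed sample: user2 has uidNumber 10004 in AD; testdc1 has a fresh
# cache while testdc2 has reverted to its pool xidNumber, as in the thread.
SAMPLE_OUTPUT = {
    "testdc1": ["user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false",
                "user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false"],
    "testdc2": ["user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false",
                "user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false"],
}
SAMPLE_UIDS = {"user1": 10003, "user2": 10004}

if __name__ == "__main__":
    for dc, user, why in check_mappings(SAMPLE_OUTPUT, SAMPLE_UIDS):
        print("%s %s: %s" % (dc, user, why))
```

Running it against a cron-collected snapshot from each DC gives an early warning before file ownership on shares silently diverges.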