[Samba] idmap & migration to rfc2307

Jonathan Hunter jmhunter1 at gmail.com
Sat Jun 13 20:20:03 MDT 2015


Thank you Rowland - really clear example and explanation.

From your example, this is what I would see, once the RFC2307
attributes had been added:

root at testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root at testdc2:~# net cache flush
root at testdc2:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
[ ... wait some period of time ... ]
root at testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false

I have now worked around this by not using winbindd at all ('server
services = -winbindd +winbind'), and by using sssd for the local
machine via NSS... but I have a feeling that this may actually be a
bug :-(

On 13 June 2015 at 19:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 13/06/15 16:33, Jonathan Hunter wrote:
>>
>> Hi buhorojo,
>>
>> I *think* I have a stable system for the moment... so thank you :-)
>>
>> On 13 June 2015 at 12:50, buhorojo <buhorojo.lcb at gmail.com> wrote:
>>>>
>>>> I now set in smb.conf:
>>>>
>>>>           server services = -dns +winbind -winbindd
>>>>
>>>> I stopped samba, then removed databases:
>>>>
>>>> # rm /usr/local/samba/var/cache/gencache.tdb \
>>>>     /usr/local/samba/var/lock/gencache_notrans.tdb \
>>>
>>> Restore this:
>>>>
>>>>     /usr/local/samba/private/idmap.ldb
>>
>> I have the following in smb.conf:
>>          server services = -dns +winbind -winbindd
>>          idmap_ldb:use rfc2307 = yes
>> and no 'winbind' lines anywhere.
>>
>> I removed /usr/local/samba/var/cache/gencache.tdb and
>> /usr/local/samba/var/cache/gencache_notrans.tdb, and kept
>> /usr/local/samba/private/idmap.ldb (copied from other DC)
>>
>> Now, when starting samba, I see stable connections using the correct
>> UID, even after some time:
>>
>> # smbstatus
>> [....]
>> Locked files:
>> Pid          Uid        DenyMode   Access      R/W        Oplock
>>      SharePath   Name   Time
>>
>> --------------------------------------------------------------------------------------------------
>> 14717        41000      DENY_NONE  0x100081    RDONLY     NONE
>>      /data/sharename   .   Sat Jun 13 12:58:52 2015
>> 14717        41000      DENY_NONE  0x100081    RDONLY     NONE
>>      /home/auser Documents   Sat Jun 13 15:44:42 2015
>> 7330         41012      DENY_NONE  0x100081    RDONLY     NONE
>>      /data/anothershare   .   Sat Jun 13 16:25:40 2015
>> 22048        41001      DENY_ALL   0x100080    RDONLY     NONE
>>      /home   .   Sat Jun 13 13:01:03 2015
>>
>> There is nothing shown at all in 'net cache list'; I guess this is
>> fine (certainly, things seem to work at the moment)
>>
>> Looks like a working minimal configuration for file serving from a DC
>> is the following, then:
>> - use rfc2307 UIDs (sadly, this is a must - I *wish* I could use some
>> kind of algorithmic mapping, ideally sssd's logic, but any really!)
>> - use sssd with 'ldap_id_mapping = False', and specify 'sss' for
>> passwd and group in /etc/nsswitch.conf
>> - Specify 'idmap_ldb:use rfc2307 = yes' in smb.conf
>> - Add '+winbind -winbindd' to 'server services =' in smb.conf
>>
>>
>
> OK, I have a couple VMs running Debian Wheezy with Sernet Samba 4.2.1
>
> These are running as a test domain with two DCs, both are using the built-in
> dns server and winbindd.
>
> If I check smb.conf on both DCs:
>
> root at testdc1:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     workgroup = SAMBADOM
>     realm = SAMBADOM.EXAMPLE.COM
>     netbios name = TESTDC1
>     server role = active directory domain controller
>     dns forwarder = 8.8.8.8
>     idmap_ldb:use rfc2307 = yes
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/sambadom.example.com/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> root at testdc2:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     workgroup = SAMBADOM
>     realm = SAMBADOM.EXAMPLE.COM
>     netbios name = TESTDC2
>     server role = active directory domain controller
>     dns forwarder = 8.8.8.8
>     idmap_ldb:use rfc2307 = yes
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
> [netlogon]
>     path = /var/lib/samba/sysvol/sambadom.example.com/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> They are both identical apart from the 'netbios name'.
>
> Checking 'server services' gives this:
>
> root at testdc1:~# samba-tool testparm -v | grep 'server services'
>
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate, dns
>
> /etc/nsswitch.conf on both machines has these two lines:
>
> passwd:         compat winbind
> group:          compat winbind
>
> If I check what is running:
>
> root at testdc1:~# ps ax | grep '/usr/sbin' | grep "\-D"
>  2446 ?        Ss     0:00 /usr/sbin/samba -D
>  2637 ?        S      0:00 /usr/sbin/samba -D
>  2638 ?        S      0:02 /usr/sbin/samba -D
>  2639 ?        Ss     0:00 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>  2640 ?        S      0:00 /usr/sbin/samba -D
>  2641 ?        S      0:00 /usr/sbin/samba -D
>  2642 ?        S      0:00 /usr/sbin/samba -D
>  2643 ?        S      0:00 /usr/sbin/samba -D
>  2644 ?        S      0:00 /usr/sbin/samba -D
>  2645 ?        S      0:02 /usr/sbin/samba -D
>  2646 ?        S      0:00 /usr/sbin/samba -D
>  2647 ?        S      0:00 /usr/sbin/samba -D
>  2648 ?        S      0:00 /usr/sbin/samba -D
>  2649 ?        S      0:00 /usr/sbin/samba -D
>  2650 ?        S      0:00 /usr/sbin/samba -D
>  2651 ?        Ss     0:00 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>  2654 ?        S      0:00 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>  2755 ?        S      0:00 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>
> If I check a couple of users, one with a uidNumber & gidNumber, the other
> without:
>
> root at testdc1:~# getent passwd user1
> user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
> root at testdc1:~# getent passwd user2
> user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> Do the same on the other DC:
>
> root at testdc2:~# getent passwd user1
> user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
> root at testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc2:~# cat /etc/samba/smb.conf
>
> As you can see, the one with the RFC2307 attributes gives the same result on
> both machines, the other gives different uidNumbers.
>
> If I now give the second user the required RFC2307 attributes:
>
> root at testdc1:~# samba-tool user nisadd user2 --nis-domain=sambadom
> --login-shell=/bin/bash --unix-home=/home/user2
> User 'user2' updated successfully
>
> Try again:
>
> root at testdc1:~# getent passwd user2
> user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc1:~# net cache flush
> root at testdc1:~# getent passwd user2
> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> And on the other DC:
>
> root at testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc2:~# net cache flush
> root at testdc2:~# getent passwd user2
> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> This way of mapping hasn't changed with the replacement of the 'winbind'
> built into the samba daemon with the separate 'winbindd' daemon.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
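Added example (not from the thread and not Samba's own code): a small Python audit that takes 'getent passwd' output captured from each DC and flags the conditions the thread shows. It reports accounts whose UID differs between DCs (idmap.ldb is DC-local and not replicated, so this is what happens without rfc2307 attributes), UIDs that sit in the idmap.ldb auto-allocation range instead of coming from a replicated uidNumber, two names resolving to the same UID on one DC (the case where one user could read or own another's files), and accounts that do not resolve on some DC. The sample output is constructed from the numbers quoted above; the 3000000 lower bound is an assumption that matches the 3000015/3000016 values seen here and should be adjusted to your idmap.ldb range; 'testdc1' and 'testdc2' are the thread's own names. Python is used because the work is parsing and comparison; the input can come from 'ssh dc getent passwd' or a saved file.

```python
"""Cross-DC idmap consistency audit for Samba AD DCs (added example, not Samba code)."""
from collections import defaultdict

# Assumption: idmap.ldb hands out xidNumbers starting at this base when an
# object has no rfc2307 uidNumber/gidNumber. It matches the 3000015/3000016
# values seen in the thread; adjust if your idmap.ldb uses a different range.
XID_ALLOC_BASE = 3000000


def parse_getent(text):
    """Parse 'getent passwd' output into {name: {uid, gid, gecos, home, shell}}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not a passwd(5) line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def audit(per_dc):
    """per_dc maps a DC name to its 'getent passwd' text; returns a list of findings.

    Each finding is {'user': name, 'issue': code, 'detail': ...} with code one of:
      uid_mismatch   the same account resolves to different UIDs on different DCs
      allocated_xid  a UID at or above XID_ALLOC_BASE, i.e. from the DC-local
                     allocator rather than a replicated rfc2307 uidNumber
      uid_collision  two different names share one UID on a single DC
      missing_on_dc  the account does not resolve on some DC at all
    """
    parsed = {dc: parse_getent(txt) for dc, txt in per_dc.items()}
    findings = []
    names = sorted(set().union(*(p.keys() for p in parsed.values())))
    for name in names:
        uids = {dc: p[name]["uid"] for dc, p in parsed.items() if name in p}
        missing = sorted(dc for dc in parsed if dc not in uids)
        if missing:
            findings.append({"user": name, "issue": "missing_on_dc", "detail": missing})
        if len(set(uids.values())) > 1:
            findings.append({"user": name, "issue": "uid_mismatch", "detail": uids})
        for dc, uid in sorted(uids.items()):
            if uid >= XID_ALLOC_BASE:
                findings.append({"user": name, "issue": "allocated_xid",
                                 "detail": {dc: uid}})
    # Collisions are checked per DC: the dangerous case is two objects mapped
    # onto one UID on the same file server.
    for dc, users in sorted(parsed.items()):
        by_uid = defaultdict(list)
        for name, info in users.items():
            by_uid[info["uid"]].append(name)
        for uid, holders in sorted(by_uid.items()):
            if len(holders) > 1:
                findings.append({"user": ",".join(sorted(holders)),
                                 "issue": "uid_collision", "detail": {dc: uid}})
    return findings


# Constructed sample: the 'getent passwd' lines quoted in the thread, taken
# before user2 was given rfc2307 attributes.
SAMPLE = {
    "testdc1": (
        "user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false\n"
        "user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false\n"
    ),
    "testdc2": (
        "user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false\n"
        "user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false\n"
    ),
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['issue']:14} {f['user']:10} {f['detail']}")
```

Run against the sample, user1 (which has a replicated uidNumber) produces no findings, while user2 is reported both as a uid_mismatch between the two DCs and as an allocated_xid on each of them; that is the state to clear up before relying on POSIX ACLs or per-user file ownership on a DC share, since 'net cache flush' only changes which of the two answers winbind gives at that moment.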

