[Samba] idmap & migration to rfc2307

Rowland Penny rowlandpenny at googlemail.com
Sun Jun 14 02:22:20 MDT 2015


On 14/06/15 03:20, Jonathan Hunter wrote:
> Thank you Rowland - really clear example and explanation.
>
>  From your example, this is what I would see, once the RFC2307
> attributes had been added:
>
> root at testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root at testdc2:~# net cache flush
> root at testdc2:~# getent passwd user2
> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> [ ... wait some period of time ... ]
> root at testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> I have now worked around this by not using winbindd at all ('server
> services = -winbindd +winbind'), and by using sssd for the local
> machine via NSS... but I have a feeling that this may actually be a
> bug :-(
>
> On 13 June 2015 at 19:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 13/06/15 16:33, Jonathan Hunter wrote:
>>> Hi buhorojo,
>>>
>>> I *think* I have a stable system for the moment... so thank you :-)
>>>
>>> On 13 June 2015 at 12:50, buhorojo <buhorojo.lcb at gmail.com> wrote:
>>>>> I now set in smb.conf:
>>>>>
>>>>>            server services = -dns +winbind -winbindd
>>>>>
>>>>> I stopped samba, then removed databases:
>>>>>
>>>>> # rm /usr/local/samba/var/cache/gencache.tdb \
>>>>>      /usr/local/samba/var/lock/gencache_notrans.tdb \
>>>> Restore this:
>>>>>      /usr/local/samba/private/idmap.ldb
>>> I have the following in smb.conf:
>>>           server services = -dns +winbind -winbindd
>>>           idmap_ldb:use rfc2307 = yes
>>> and no 'winbind' lines anywhere.
>>>
>>> I removed /usr/local/samba/var/cache/gencache.tdb and
>>> /usr/local/samba/var/cache/gencache_notrans.tdb, and kept
>>> /usr/local/samba/private/idmap.ldb (copied from other DC)
>>>
>>> Now, when starting samba, I see stable connections using the correct
>>> UID, even after some time:
>>>
>>> # smbstatus
>>> [....]
>>> Locked files:
>>> Pid          Uid        DenyMode   Access      R/W        Oplock
>>>       SharePath   Name   Time
>>>
>>> --------------------------------------------------------------------------------------------------
>>> 14717        41000      DENY_NONE  0x100081    RDONLY     NONE
>>>       /data/sharename   .   Sat Jun 13 12:58:52 2015
>>> 14717        41000      DENY_NONE  0x100081    RDONLY     NONE
>>>       /home/auser Documents   Sat Jun 13 15:44:42 2015
>>> 7330         41012      DENY_NONE  0x100081    RDONLY     NONE
>>>       /data/anothershare   .   Sat Jun 13 16:25:40 2015
>>> 22048        41001      DENY_ALL   0x100080    RDONLY     NONE
>>>       /home   .   Sat Jun 13 13:01:03 2015
>>>
>>> There is nothing shown at all in 'net cache list'; I guess this is
>>> fine (certainly, things seem to work at the moment)
>>>
>>> Looks like a working minimal configuration for file serving from a DC
>>> is the following, then:
>>> - use rfc2307 UIDs (sadly, this is a must - I *wish* I could use some
>>> kind of algorithmic mapping, ideally sssd's logic, but any really!)
>>> - use sssd with 'ldap_id_mapping = False', and specify 'sss' for
>>> passwd and group in /etc/nsswitch.conf
>>> - Specify 'idmap_ldb:use rfc2307 = yes' in smb.conf
>>> - Add '+winbind -winbindd' to 'server services =' in smb.conf
>>>
>>>
>> OK, I have a couple VMs running Debian Wheezy with Sernet Samba 4.2.1
>>
>> These are running as a test domain with two DCs, both are using the built-in
>> dns server and winbindd.
>>
>> If I check smb.conf on both DCs:
>>
>> root at testdc1:~# cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>      workgroup = SAMBADOM
>>      realm = SAMBADOM.EXAMPLE.COM
>>      netbios name = TESTDC1
>>      server role = active directory domain controller
>>      dns forwarder = 8.8.8.8
>>      idmap_ldb:use rfc2307 = yes
>>      load printers = no
>>      printing = bsd
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>
>> [netlogon]
>>      path = /var/lib/samba/sysvol/sambadom.example.com/scripts
>>      read only = No
>>
>> [sysvol]
>>      path = /var/lib/samba/sysvol
>>      read only = No
>>
>> root at testdc2:~# cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>>      workgroup = SAMBADOM
>>      realm = SAMBADOM.EXAMPLE.COM
>>      netbios name = TESTDC2
>>      server role = active directory domain controller
>>      dns forwarder = 8.8.8.8
>>      idmap_ldb:use rfc2307 = yes
>>      load printers = no
>>      printing = bsd
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>
>> [netlogon]
>>      path = /var/lib/samba/sysvol/sambadom.example.com/scripts
>>      read only = No
>>
>> [sysvol]
>>      path = /var/lib/samba/sysvol
>>      read only = No
>>
>> They are both identical apart from the 'netbios name'
>>
>> Checking 'server services' gives this:
>>
>> root at testdc1:~# samba-tool testparm -v | grep 'server services'
>>
>>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbindd, ntp_signd, kcc, dnsupdate, dns
>>
>> /etc/nsswitch.conf on both machines has these two lines:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>>
>> If I check what is running:
>>
>> root at testdc1:~# ps ax | grep '/usr/sbin' | grep "\-D"
>>   2446 ?        Ss     0:00 /usr/sbin/samba -D
>>   2637 ?        S      0:00 /usr/sbin/samba -D
>>   2638 ?        S      0:02 /usr/sbin/samba -D
>>   2639 ?        Ss     0:00 /usr/sbin/smbd -D --option=server role
>> check:inhibit=yes --foreground
>>   2640 ?        S      0:00 /usr/sbin/samba -D
>>   2641 ?        S      0:00 /usr/sbin/samba -D
>>   2642 ?        S      0:00 /usr/sbin/samba -D
>>   2643 ?        S      0:00 /usr/sbin/samba -D
>>   2644 ?        S      0:00 /usr/sbin/samba -D
>>   2645 ?        S      0:02 /usr/sbin/samba -D
>>   2646 ?        S      0:00 /usr/sbin/samba -D
>>   2647 ?        S      0:00 /usr/sbin/samba -D
>>   2648 ?        S      0:00 /usr/sbin/samba -D
>>   2649 ?        S      0:00 /usr/sbin/samba -D
>>   2650 ?        S      0:00 /usr/sbin/samba -D
>>   2651 ?        Ss     0:00 /usr/sbin/winbindd -D --option=server role
>> check:inhibit=yes --foreground
>>   2654 ?        S      0:00 /usr/sbin/winbindd -D --option=server role
>> check:inhibit=yes --foreground
>>   2755 ?        S      0:00 /usr/sbin/winbindd -D --option=server role
>> check:inhibit=yes --foreground
>>
>> If I check a couple of users, one with a uidNumber & gidNumber, the other
>> without:
>>
>> root at testdc1:~# getent passwd user1
>> user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
>> root at testdc1:~# getent passwd user2
>> user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>>
>> Do the same on the other DC:
>>
>> root at testdc2:~# getent passwd user1
>> user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
>> root at testdc2:~# getent passwd user2
>> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>> root at testdc2:~# cat /etc/samba/smb.conf
>>
>> As you can see, the one with the RFC2307 attributes gives the same result on
>> both machines, the other gives different uidNumbers.
>>
>> If I now give the second user the required RFC2307 attributes:
>>
>> root at testdc1:~# samba-tool user nisadd user2 --nis-domain=sambadom
>> --login-shell=/bin/bash --unix-home=/home/user2
>> User 'user2' updated successfully
>>
>> Try again:
>>
>> root at testdc1:~# getent passwd user2
>> user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>> root at testdc1:~# net cache flush
>> root at testdc1:~# getent passwd user2
>> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>>
>> And on the other DC:
>>
>> root at testdc2:~# getent passwd user2
>> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>> root at testdc2:~# net cache flush
>> root at testdc2:~# getent passwd user2
>> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>>
>> This way of mapping hasn't changed with the replacement of the 'winbind'
>> built into the samba daemon with the separate 'winbindd' daemon.
>>
>> Rowland
>>
>
>

I was trying to show that you do not need sssd to get consistent IDs; 
you just need to use the RFC2307 attributes. In fact, you can use one or 
the other, but you shouldn't use both.
sssd, as you have found, uses a long number to identify a domain object 
when in 'rid' mode, unlike samba, which uses 'DOMAIN\IDNUMBER'; it 
shouldn't matter which you use as long as you stick to just one.

Samba tries to discourage the use of a DC as a fileserver, one of the 
reasons being the problems you are having; you would not have these 
problems if you added a member server and used this for serving files. I 
also understand that this is easier said than done, in which case you 
will have to work around any problems as and when they occur.

It would seem that something is re-writing your winbind cache, and this 
could be hard to track down. The first thing I would do is to turn off 
selinux, just in case this is the problem, though this usually manifests 
itself in not being allowed to do something, rather than in doing 
something. I would then investigate whether replication is working correctly 
and whether AD is the same on both DCs (you can use ldapcmp to check this). You should 
be aware that unless your users log into a DC, it doesn't really matter 
what ID number they have on that DC.

Rowland
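The thread's diagnostic boils down to two checks on `getent passwd` output: is a user that has RFC2307 attributes being resolved to an idmap.ldb-allocated xidNumber (the 3000015/3000016 values above) instead of its uidNumber, and do two DCs resolve the same user to different IDs? The script below is an added example written for this page, not code from the thread or from the Samba project. It assumes that idmap.ldb on an AD DC allocates xidNumbers from 3000000 upward (the stock default; set `XID_LOW`/`XID_HIGH` if your idmap.ldb uses a different range), and the sample lines in `demo` are constructed after the thread's output rather than captured from a real domain.

```shell
#!/bin/sh
# Added example: spot winbind ID mappings on a Samba AD DC that did not come
# from RFC2307 uidNumber, and compare resolved UIDs between two DCs.
# Assumption: idmap.ldb hands out xidNumbers from 3000000 upward by default.
XID_LOW=${XID_LOW:-3000000}
XID_HIGH=${XID_HIGH:-4000000}

# flag_allocated: read passwd(5)-format lines on stdin (e.g. from
# `getent passwd user1 user2`) and print "name:uid" for every entry whose
# uid lies in the idmap.ldb allocation range, i.e. the DC's winbind answered
# from idmap.ldb (or a stale cache) rather than from the user's uidNumber.
flag_allocated() {
    awk -F: -v lo="$XID_LOW" -v hi="$XID_HIGH" '
        NF >= 3 && $3 >= lo && $3 <= hi { print $1 ":" $3 }'
}

# compare_dcs FILE_A FILE_B: each file holds passwd lines captured on one DC
# (for example `getent passwd ... > dc1.txt` locally and
# `ssh testdc2 getent passwd ... > dc2.txt`). Prints "name:uid_a:uid_b" for
# every user present in both files that resolved to different uids.
compare_dcs() {
    awk -F: '
        NR == FNR { a[$1] = $3; next }
        ($1 in a) && a[$1] != $3 { print $1 ":" a[$1] ":" $3 }' "$1" "$2"
}

# demo: constructed sample lines modelled on the thread's getent output
# (not real captures). user1 has uidNumber 10003 on both DCs; user2 has
# none yet, so each DC allocated its own xidNumber.
demo() {
    dc1=$(mktemp); dc2=$(mktemp)
    printf '%s\n' 'user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false' \
        'user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false' > "$dc1"
    printf '%s\n' 'user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false' \
        'user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false' > "$dc2"
    echo "IDs allocated by idmap.ldb rather than taken from uidNumber (dc1):"
    flag_allocated < "$dc1"
    echo "users whose uid differs between dc1 and dc2 (name:dc1:dc2):"
    compare_dcs "$dc1" "$dc2"
    rm -f "$dc1" "$dc2"
}
demo
```

Once `samba-tool user nisadd` has given the user a uidNumber, a name that still shows up in `flag_allocated` after `net cache flush` (or that reappears there later, as in the first quoted message) points at a stale or rewritten winbind cache rather than at the directory data; a non-empty `compare_dcs` result for a user that does have RFC2307 attributes is the cue to check replication with ldapcmp, as suggested above.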

