[Samba] Samba4 Domain Member Server "Getent shows different UIDs"

Rowland penny rpenny at samba.org
Tue Jun 14 15:40:59 UTC 2016


On 14/06/16 16:16, Juan Ignacio wrote:
> Sorry, this is the Domain Member smb.conf.
> I'm using the latest Debian version.
> Samba compiled from the sources.
>
> [global]
>        netbios name = XXXXX
>        security = ADS
>        workgroup = XXXXXX
>        realm = XXXXXXX
>
>        log file = /var/log/samba/%m.log
>        log level = 1
>
>        # idmap config used for your domain.
>        # Click on the following links for more information
>        # on the available winbind idmap backends,
>        # Choose the one that fits your requirements
>        # then add the corresponding configuration.
>
>        # Just adding the following three lines is not enough!!
>        #  - idmap config ad
>        #  - idmap config rid
>        #  - idmap_config_autorid
>
>         idmap config * : backend = tdb
>         idmap config * : range = 100000-299999
>         idmap config XXXXXX : schema_mode = rfc2307
>         idmap config XXXXXX : backend = rid
>         idmap config XXXXXX : range = 10000-99999
>         winbind separator = +
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind refresh tickets = yes
>
>
> [test]
>         read only = no
>         path = /testSamba
>
>
> Analista Inf.
> Juan Ignacio Pazos 
> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>
> 2016-06-14 12:07 GMT-03:00 Rowland penny <rpenny at samba.org 
> <mailto:rpenny at samba.org>>:
>
>     On 14/06/16 15:36, Juan Ignacio wrote:
>
>         I am going to answer all, here I go.
>
>         Have you given your users a uidNumber attribute ?
>
>         Not all, but I set it in my user and it does not work.
>
>         Have you given 'Domain Users' (at least) a gidNumber attribute ?
>
>         Not all, but I set it in my user and it does not work.
>
>         If you have done the above, have you run 'net cache flush' on
>         the DC ?
>
>         Yes  :-(
>
>         Is PAM set up correctly on the DC and domain member ?
>         Yes.
>
>         The smb.conf on the DC.
>
>         [global]
>                netbios name = XXXXXX
>                security = ADS
>                workgroup = XXXXXXX
>                realm = XXXXXXX
>
>                log file = /var/log/samba/%m.log
>                log level = 1
>
>                # idmap config used for your domain.
>                # Click on the following links for more information
>                # on the available winbind idmap backends,
>                # Choose the one that fits your requirements
>                # then add the corresponding configuration.
>
>                # Just adding the following three lines is not enough!!
>                #  - idmap config ad
>                #  - idmap config rid
>                #  - idmap_config_autorid
>
>                 idmap config * : backend = tdb
>                 idmap config * : range = 100000-299999
>                 idmap config TEST : backend = rid
>                 idmap config TEST : range = 10000-99999
>                 winbind separator = +
>                 winbind enum users = yes
>                 winbind enum groups = yes
>                 winbind use default domain = yes
>                 winbind refresh tickets = yes
>
>
>         [test]
>                 read only = no
>                 path = /testSamba
>
>         The smb.conf in the AD DC.
>
>          Global parameters
>         [global]
>                 workgroup = XXXXX
>                 realm = XXXXXXXX
>                 netbios name = XXXXXXX
>                 server role = active directory domain controller
>                 dns forwarder = xxx.xx.xxx.xxx
>                 allow dns updates = nonsecure and secure
>                 #server services = rpc, nbt, wrepl, ldap, cldap, kdc,
>         drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
>                 dcerpc endpoint servers = epmapper, wkssvc, rpcecho,
>         samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo,
>         browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
>                 server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>         kdc, drepl,winbind, ntp_signd, kcc, dnsupdate, dns
>                 idmap_ldb:use rfc2307 = yes
>                 #winbind use default domain = yes
>                 winbind enum users = yes
>                 winbind enum groups = yes
>                 #winbind nested groups = yes
>                 log level = 3
>                 log file = /var/log/samba/samba.log
>         #       unix charset = ISO8859-1
>
>         #[netlogon antes]
>         #path = /usr/local/samba/var/locks/sysvol/xxxxxx/scripts
>         #read only = No
>
>
>
>
>         Analista Inf.
>         Juan Ignacio Pazos
>         <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>
>         2016-06-13 16:22 GMT-03:00 Rowland penny <rpenny at samba.org
>         <mailto:rpenny at samba.org> <mailto:rpenny at samba.org
>         <mailto:rpenny at samba.org>>>:
>
>
>             On 13/06/16 20:14, Rowland penny wrote:
>
>                 On 13/06/16 19:37, Juan Ignacio wrote:
>
>                     Rowland:
>
>                     I'll use this email from now on, the other does not
>         work well.
>
>                     A few years ago, around 2.
>
>                     We did everything that could be used for NIX and
>         it worked.
>                     The main DC_AD had been provisioned without
>         rfc2307 and we
>                     did it later.
>
>                     The problem is that at that time, by not having
>                     infrastructure, it had to be used as a fileserver and
>         this was a
>                     problem because all directories have UIDs of 3000000
>         onwards.
>
>                     Now I installed a new server following the
>         procedure here:
>
>         https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
>                     All seems to work well but the UIDs are different when, for
>                     example, I run
>                     wbinfo --user-info=uanaco
>
>                     Primary AD-DC
>                     ADDC1\uanaco:*:3000783:100:uanaco:/home/ADDC1/uanaco:/bin/false
>
>                     Member Server
>                     uanaco:*:100642:100008:uanaco:/home/ADDC1/uanaco:/bin/false
>
>                     This is a problem because my intention is to use
>         this file
>                     server and testify pass all directories from the Primary
>         AD-DC to the
>                     Member Server.
>
>                     Is there any way the member server can read the same
>         UID as
>                     the primary?
>
>                     Thanks Rowland.
>
>
>                 Yes, but what does 'getent passwd ADDC1\uanaco' on the
>         DC show ???
>                 If it shows '3000783' as the user's UID, then, unless
>         you have
>                 set the user's uidNumber attribute to 3000783, you are not
>                 using RFC2307 attributes. This is further backed up by the
>                 fact that the same user may get '100642' as its UID on the
>                 domain member.
>
>                 Few questions:
>                 Have you given your users a uidNumber attribute ?
>                 Have you given 'Domain Users' (at least) a gidNumber
>         attribute ?
>                 If you have done the above, have you run 'net cache
>         flush' on
>                 the DC ?
>                 Is PAM set up correctly on the DC and domain member ?
>
>                 Rowland
>
>
>             Also can you post (as I asked) the smb.conf from the
>         domain member.
>
>
>             Rowland
>
>
>             --     To unsubscribe from this list go to the following
>         URL and read the
>             instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>     For the third time, will you please post the smb.conf from your
>     domain member, not the one from your DC.
>
>     What OS are you using ?
>
>
>     Rowland
>
>
>

OK, you are using the winbind 'rid' backend on the domain member. This 
means your users will get a UID based on their 'RID' using this algorithm:

  ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is usually '0' unless you explicitly set it in smb.conf;
you have set the LOW_RANGE_ID to '10000'.

So the algorithm becomes this:

ID = RID - 0 + 10000

If your user's RID is 1002, the user's UID will be calculated from this:

ID = 1002 - 0 + 10000
ID = 11002

The problem is that a Samba 4 AD DC uses something similar, but a 
different method is used to allocate the UID: this is done by starting 
the range from 3000000 and they seem to be allocated on a first come 
basis (this is the reason why sysvol can have different numbers on each DC).

So, if you use 'rid' on domain members and idmap.ldb on DCs, you cannot 
get the same UIDs & GIDs everywhere, the only way is to use RFC2307 
attributes and set the domain members & DCs to use them.

Rowland
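The rid formula above, as an added worked example (not Rowland's code or anything from Samba itself): it parses the `idmap config` lines from the domain member's smb.conf quoted earlier in the thread, applies `ID = RID - BASE_RID + LOW_RANGE_ID`, and reports which configured range an observed ID falls into. The config text is a constructed excerpt of the posted one, with the domain placeholder kept as `XXXXXX`.

```python
import re

# Constructed excerpt of the domain member smb.conf posted in the thread.
MEMBER_SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 100000-299999
        idmap config XXXXXX : backend = rid
        idmap config XXXXXX : range = 10000-99999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt] = val
    return cfg


def id_range(cfg, dom):
    """Low and high end of the configured range for one idmap domain."""
    lo, hi = cfg[dom]["range"].split("-")
    return int(lo), int(hi)


def rid_to_id(rid, low_range_id, base_rid=0):
    """The winbind 'rid' backend mapping described above."""
    return rid - base_rid + low_range_id


def classify_id(cfg, xid):
    """(domain, backend) whose range contains xid, or None if no range does
    (e.g. an ID handed out by the DC's idmap.ldb from 3000000 upwards)."""
    for dom in cfg:
        lo, hi = id_range(cfg, dom)
        if lo <= xid <= hi:
            return dom, cfg[dom]["backend"]
    return None


if __name__ == "__main__":
    cfg = parse_idmap(MEMBER_SMB_CONF)
    low, _ = id_range(cfg, "XXXXXX")
    print("RID 1002 ->", rid_to_id(1002, low))      # Rowland's worked example
    for observed in (100642, 3000783):              # UIDs quoted in the thread
        print(observed, "->", classify_id(cfg, observed))
```

Against the posted ranges, 100642 lands in the '*' tdb range and 3000783 in no range at all, so neither value was produced by the rid mapping of the XXXXXX domain block.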


