[Samba] Problem with one User after upgrade to 4.5.0

Rowland Penny rpenny at samba.org
Sun Oct 9 18:14:52 UTC 2016


On Sun, 9 Oct 2016 11:50:42 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> On 10/09/2016 02:51 AM, Rowland Penny via samba wrote:
> > Have you by any chance got another 3001108 'xidNumber' in
> > idmap.ldb ? If you give a user a 'uidNumber' attribute, the
> > contents of this will be used instead of the 'xidNumber' in
> > idmap.ldb, hence you do not need to (and probably shouldn't) use
> > numbers in the '3000000' range.
> I managed to make this right at least for the DC, two Windows 7 
> Professional boxes, and two CentOS 6 systems. I have one CentOS 6 VM 
> that doesn't work but it would seem that has to be specific to the
> VM. In order to fix the problem I had "accidentally" removed this line
> 
> idmap_ldb:use rfc2307 = yes
> 
> from the DC /etc/samba/smb.conf
> 
> # Global parameters
> [global]
>          server string = Example Active Directory Server
>          workgroup = SAMDOM
>          realm = SAMDOM.EXAMPLE.COM
>          netbios name = DC_EXAMPLE
>          server role = active directory domain controller
>          server services = -dns
>          bind interfaces only = yes
>          interfaces = br0 lo
>          encrypt passwords = true
>          kerberos method = secrets and keytab
>          winbind use default domain = yes
>          winbind offline logon = false
>          winbind enum groups = yes
>          winbind enum users = yes
> #        winbind separator = +
>          winbind nss info = rfc2307
>          map untrusted to domain = no
>          template homedir = /home/%U
>          template shell = /bin/bash
>          idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/samdom.example.com/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [Profiles]
>          path = /home/Profiles/
>          read only = No
> 
> [home]
>          path = /home
>          read only = No
> 
> After I added back the missing line everything seemed to work again.
> The history to all this is that I am running the sernet-samba
> packages on a CentOS 6 system which seem to be not very compatible
> with sssd. Therefore I just want winbindd which is adequate for my
> purposes. To that end I tried to follow these wiki pages:
> 
> https://wiki.samba.org/index.php/Idmap_config_ad
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> 
> When I provisioned I had done so with rfc2307. So all the NIS
> extensions are there.
> 
> So this gets me to the problem at hand. First, there is actually no 
> 3001108 xidNumber in the idmap.ldb. The xidNumber for this particular 
> user is actually 3000062. For a user that works it turns out I 
> apparently gave uidNumber = xidNumber = 3001107. I only have two
> users. I'm unclear on what the correct thing to do in this case.
> Are you saying that since the xidNumbers are in the "3000000" I
> should not use uidNumbers in the same range? How should I "pick" the
> idmap ranges, the uidNumbers, etc.? Wouldn't the uidNumbers be
> independent from the xidNumbers which is why the addition of the
> "idmap_ldb:use rfc2307 = yes" in the DC smb.conf fixes the issue?
> 
> Also on the member server side I have been using this smb.conf
> 
> [global]
>     workgroup = SAMDOM
>     realm = SAMDOM.EXAMPLE.COM
>     server string = Example Samba Server Version %v
>     netbios name = EXAMPLE
>     security = ads
>     bind interfaces only = yes
>     interfaces = br0
>     kerberos method = system keytab
>     idmap config *:backend = tdb
>     idmap config *:range = 1000000-2999999
>     idmap config SAMDOM:backend = ad
>     idmap config SAMDOM:schema_mode = rfc2307
>     idmap config SAMDOM:range = 3000000-40000000
>     winbind nss info = rfc2307
>     winbind use default domain = true
>     winbind offline logon = false
>     winbind enum groups = yes
>     winbind enum users = yes
> 
> So what should I do at this point? Does it make sense to change the 
> uidNumbers (possibly the gidNumbers too)? I really would like to make 
> this right before I try to move the DC to other hardware.

OK, what I was trying to get at, if you use 'uidNumbers' starting at
'3000000' and have problems, you have no real way of knowing if it is
an idmap problem or a problem with Samba. Using a different range makes
it easier to tell.

As for the uidNumbers being independent of the xidNumbers, this is
not a problem, this is my info from AD via getent:

root at dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

How did you change to using winbind instead of the internal DNS server,
did you follow the Samba wiki?

I wouldn't bother changing your uidNumber attributes, now you have it
working.

I would like to take you to task over 'winbindd which is adequate for
my purposes'. Anything that sssd can do, winbind can do, in fact sssd
uses some of the code from winbind.

Rowland
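The range and xidNumber questions in the exchange above, as an added example that is not part of the thread and is not Samba's own tooling: a POSIX shell script that checks a member-server smb.conf for overlapping idmap ranges, checks an idmap.ldb dump for duplicate xidNumber values (the duplicate Rowland asked about), and reports whether a given rfc2307 uidNumber either lands inside an idmap range or equals an xidNumber that idmap.ldb has already handed out. The smb.conf fragments and the ldbsearch-style dump are constructed samples embedded inline; the ldbsearch invocation in the comment, the idmap.ldb path and the SIDs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity checks for the
# idmap questions discussed above. All inputs below are constructed samples.

# Constructed member-server smb.conf fragment, modelled on the one in the thread.
SAMPLE_SMB_CONF='[global]
    idmap config *:backend = tdb
    idmap config *:range = 1000000-2999999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 3000000-40000000'

# Same fragment with a deliberately overlapping default range, to show the check firing.
SAMPLE_SMB_CONF_BAD='[global]
    idmap config *:backend = tdb
    idmap config *:range = 1000000-3999999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:range = 3000000-40000000'

# Constructed dump in the shape of (path and SIDs assumed):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=*)' xidNumber
# The second and third records deliberately share an xidNumber.
SAMPLE_IDMAP_DUMP='dn: CN=S-1-5-21-111-222-333-1106
xidNumber: 3000062

dn: CN=S-1-5-21-111-222-333-1107
xidNumber: 3001107

dn: CN=S-1-5-21-111-222-333-1108
xidNumber: 3001107'

# Exit 0 if no two "idmap config <dom>:range" lines overlap, 1 otherwise (each overlap printed).
idmap_range_overlaps() {
    printf '%s\n' "$1" | awk -F'=' '
        /idmap config .*:range/ {
            dom = $1; sub(/.*idmap config /, "", dom); sub(/:.*/, "", dom); gsub(/ /, "", dom)
            gsub(/ /, "", $2); split($2, r, "-")
            n++; name[n] = dom; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " name[i] " " lo[i] "-" hi[i] " vs " name[j] " " lo[j] "-" hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Exit 0 if every xidNumber in an idmap.ldb dump is unique, 1 otherwise (duplicates printed).
duplicate_xidnumbers() {
    printf '%s\n' "$1" | awk '
        /^xidNumber:/ { count[$2]++ }
        END {
            bad = 0
            for (x in count)
                if (count[x] > 1) { print "duplicate xidNumber " x " (" count[x] " entries)"; bad = 1 }
            exit bad
        }'
}

# Exit 0 if the uidNumber is outside every idmap range in the conf, 1 if it lands inside one.
# This is Rowland's point: keep rfc2307 uidNumbers out of the idmap ranges so an ID problem
# can be attributed to the AD attributes or to idmap instead of guessed at.
uid_outside_idmap_ranges() {
    printf '%s\n' "$2" | awk -v uid="$1" -F'=' '
        /idmap config .*:range/ {
            gsub(/ /, "", $2); split($2, r, "-")
            if (uid + 0 >= r[1] + 0 && uid + 0 <= r[2] + 0) {
                print "uidNumber " uid " falls inside idmap range " $2
                hit = 1
            }
        }
        END { exit hit + 0 }'
}

# Exit 0 if the uidNumber does not equal an xidNumber already allocated in the dump.
# (The poster's working user has uidNumber = xidNumber = 3001107, which this flags.)
uid_not_in_idmap_ldb() {
    ! printf '%s\n' "$2" | grep -q "^xidNumber: $1\$"
}

# Stand-alone run over the samples.
idmap_range_overlaps "$SAMPLE_SMB_CONF" && echo "ranges ok"
idmap_range_overlaps "$SAMPLE_SMB_CONF_BAD" || echo "ranges overlap"
duplicate_xidnumbers "$SAMPLE_IDMAP_DUMP" || echo "idmap.ldb has duplicates"
uid_outside_idmap_ranges 10000 "$SAMPLE_SMB_CONF" && echo "uid 10000 is outside idmap ranges"
uid_outside_idmap_ranges 3001107 "$SAMPLE_SMB_CONF" || echo "uid 3001107 collides with idmap range"
uid_not_in_idmap_ldb 3001107 "$SAMPLE_IDMAP_DUMP" || echo "uid 3001107 already allocated as an xidNumber"
```

To run the checks against real files, feed `"$(cat /etc/samba/smb.conf)"` and the output of the ldbsearch command shown in the comment (run on the DC, as root) to the functions in place of the samples. The checks are deliberately conservative: a uidNumber inside an idmap range is not itself broken, since an rfc2307 uidNumber takes precedence over the xidNumber, but it removes the ability to tell the two sources apart when something does go wrong.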