[Samba] Problem with one User after upgrade to 4.5.0
Paul R. Ganci
ganci at nurdog.com
Sun Oct 9 18:55:55 UTC 2016
On 10/09/2016 12:14 PM, Rowland Penny via samba wrote:
> OK, what I was trying to get at, if you use 'uidNumbers' starting at
> '3000000' and have problems, you have no real way of knowing if it is
> an idmap problem or a problem with Samba. Using a different range makes
> it easier to tell.
> As for the uidNumbers being independent of the xidNumbers, this is
> not a problem, this is my info from AD via getent:
> root@dc1:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Yes, I understand. When I set up the Samba DC on 4.0 I had all kinds of
issues with the mapping. I had started with RID and then you convinced
me to go to the AD backend several years ago (2013). Why I picked the
numbers I did... well it seemed like a good idea at the time. More
recently I found from the wiki that ADUC can be used to set the UNIX
attributes which will start in the range you show. If I wanted to change
them, is it not as simple as using ldbedit -H /var/lib/samba/private/sam.ldb
and changing the values and then using chown to make the directories
owned by the proper uid?
> How did you change to using winbind instead of the internal DNS server,
> did you follow the Samba wiki?
I never was using the internal DNS server. I provisioned using BIND_DLZ
back when I created the DC on 4.0.x. I never had a problem until more
recently when the DNS didn't update after making changes using
samba-tool. That is where I found the wiki
https://wiki.samba.org/index.php/Changing_the_DNS_backend and followed
the instructions there. The missing element I think is
server services -dns
I have always been using the AD backend with winbind from day one to get
the UNIX attributes. It has worked just fine.
> I wouldn't bother changing your uidNumber attributes, now you have it
> I would like to take you to task over 'winbindd which is adequate for
> my purposes'. Anything that sssd can do, winbind can do, in fact sssd
> uses some of the code from winbind.
I am sorry but on this point I will disagree mostly because I have
chosen to use CentOS 6 (moving to 7) and the sernet-samba packages.
There have been several threads which indicate that there are problems
using sssd working with sernet-samba. For example I just ran into the
one described in this thread
[Samba]sssd-ad cannot be installed with sernet samba. Moreover I spent
several weeks trying to get this to work back in November 2013. See
thread [Samba]User home directory UID:GID incorrect on VM Samba 4 AD
client. I think some of the issue is that the CentOS sssd is old. Some
of the problem is that the sernet-samba packages put stuff in unexpected
places. Some of the install can be worked out with manually creating
links. But ultimately I could never get sssd to pull out the 4 things...
user shell, home directory and proper uid & gid necessary to work with
Linux. FWIW I have always found winbind just to work albeit there are
limitations compared to a working sssd.
Paul (ganci at nurdog.com)
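
The point quoted above about uidNumbers that start at 3000000, as an added example that is not part of the original thread: a shell function that flags `getent passwd` entries whose uid falls inside that range, where the value alone cannot show whether it came from AD attributes or from local ID allocation. The 3000000-4000000 bounds, the function names and every sample line except the first are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify passwd entries by uid range.
# Assumption: 3000000-4000000 is the DC's local xidNumber allocation range;
# adjust XID_LOW/XID_HIGH to match the bounds stored in your idmap.ldb.
XID_LOW=3000000
XID_HIGH=4000000

# classify_passwd: reads passwd-format lines on stdin and prints
# "<name> <uid> <class>", where class is:
#   ambiguous - uid lies inside the xidNumber range, so it cannot be told
#               apart from a locally allocated ID by value alone
#   distinct  - uid lies outside that range
#   invalid   - malformed line or non-numeric uid field
classify_passwd() {
    awk -F: -v lo="$XID_LOW" -v hi="$XID_HIGH" '
        NF < 7 || $3 !~ /^[0-9]+$/ { print $1, $3, "invalid"; next }
        { uid = $3 + 0
          print $1, uid, ((uid >= lo && uid <= hi) ? "ambiguous" : "distinct") }
    '
}

# count_ambiguous: number of stdin entries whose uid falls inside the range.
count_ambiguous() {
    classify_passwd | awk '$NF == "ambiguous" { n++ } END { print n + 0 }'
}

# Constructed sample input: the first line is the getent output quoted in
# the thread, the other two are made up for this example.
sample_passwd() {
    cat <<'EOF'
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
SAMDOM\alice:*:3000021:3000021:Alice Example:/home/alice:/bin/bash
SAMDOM\broken:*:notanumber:100::/home/broken:/bin/false
EOF
}

sample_passwd | classify_passwd
```

On a live system, replace `sample_passwd` with `getent passwd` on the host being checked.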