[Samba] member server idmap config (auto)rid

Lange Norbert norbert.lange at andritz.com
Tue Aug 8 13:24:06 UTC 2017


Hi,

sorry, I responded to the wrong thread.
Please ignore my posts here, my issue is different and the last post is here: https://lists.samba.org/archive/samba/2017-August/210156.html

 >-----Original Message-----
 >From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van
 >Belle via samba
 >Sent: Dienstag, 08. August 2017 14:19
 >To: samba at lists.samba.org
 >Subject: Re: [Samba] member server idmap config (auto)rid
 >
 >EMAIL from a NON-ANDRITZ SOURCE: as a security measure, please exercise
 >caution with email content and any links or attachments.
 >
 >
 >Ok debian stretch..
 >
 >Go here.
 >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862580#39
 >Review all steps there. ( message 39, Date: Mon, 22 May 2017 10:21:18 +0200
 >)
 >
 >And if you change something, mark it so you can find it back, but that config
 >works.
 >If it fails, post you smb.conf and post where you see errors based on the steps
 >of above link.
 >
 >Without smb.conf is a guessing game.
 >
 >
 >Greetz,
 >
 >Louis
 >
 >
 >
 >> -----Oorspronkelijk bericht-----
 >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
 >> Lange Norbert via samba
 >> Verzonden: dinsdag 8 augustus 2017 13:30
 >> Aan: samba at lists.samba.org
 >> Onderwerp: [Samba] member server idmap config (auto)rid
 >>
 >> (forwarding as I forgot to reply-all)
 >>
 >> -----Original Message-----
 >> From: Lange Norbert
 >> Sent: Dienstag, 08. August 2017 12:26
 >> To: 'mathias dufresne'
 >> Subject: RE: [Samba] member server idmap config (auto)rid
 >>
 >> >Did you install libpam-winbind? libpam-krb5?
 >>
 >> Nope, I did try installing them now, made no difference.
 >> I have backup-scripts running on the server for months, and
 >> it worked before.
 >>
 >> Can`t get wbinfo to report anything but errors, I am using
 >> user/domain/pass file with smbclient, There is no
 >> sophisticated authentication AFAIK, and the issue just seems
 >> that samba sends data in bigger chunks than the server
 >> accepts, the patch limits this. This does not seem anything
 >> related to login/auth.
 >>
 >> Kind regards,
 >> Norbert
 >>
 >>  >-----Original Message-----
 >>  >From: samba [mailto:samba-bounces at lists.samba.org] On
 >> Behalf Of mathias  >dufresne via samba
 >>  >Sent: Dienstag, 08. August 2017 12:05
 >>  >Cc: samba
 >>  >Subject: Re: [Samba] member server idmap config (auto)rid
 >> >  >EMAIL from a NON-ANDRITZ SOURCE: as a security measure,
 >> please exercise  >caution with email content and any links or
 >> attachments.
 >>  >
 >>  >
 >>  >Hi,
 >>  >
 >>  >Could you post the whole smb.conf? That should help...
 >>  >
 >>  >Did you install libpam-winbind? libpam-krb5?
 >>  >
 >>  >Kerberos is working? It should as you mentioned join was ok.
 >>  >
 >>  >Anyway and in short, to help we need information.
 >>  >
 >>  >And playing with wbinfo could help to understand what you
 >> missed (wbinfo -n  >username; wbinfo -S userSID; wbnifo -i
 >> username; for a start)  >
 >>  >2017-08-07 16:44 GMT+02:00 Neil Price via samba
 >> <samba at lists.samba.org>:
 >>  >
 >>  >> I've joined a samba 4.48 (debian stretch) to a Windows
 >> 2008R2 AD domain  >> according to
 >> >https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domai
 >>  >> n_Member
 >>  >>
 >>  >> It joins OK but I cannot get idmap rid (or autorid) to work  >>
 >>  >>    idmap config * : backend = autorid
 >>  >>    idmap config * : range = 1000000-1199999
 >>  >>
 >>  >
 >>  >Using only these two lines AD users and groups could become
 >> Linux users and  >groups but their UID/GID will be randomly
 >> generated, which is certinaly not  >what you want (at least
 >> in future that's you should regret)  >  >  >>  >> Nothing is
 >> returned for getent "SAMDOM\user"
 >>  >>
 >>  >> log.winbindd shows:
 >>  >>
 >>  >> [2017/08/07 15:44:08.377559,  3]
 >> ../source3/winbindd/winbindd_g  >>
 >> etpwnam.c:56(winbindd_getpwnam_send)
 >>  >>   getpwnam SAMDOM\user
 >>  >> [2017/08/07 15:45:12.561500,  5]
 >> ../source3/winbindd/winbindd.c  >> :1139(remove_timed_out_clients)
 >>  >>   Client request timed out, shutting down sock 26, pid 639
 >>  >>
 >>  >> (libnss_winbind is installed and nsswitcy.conf modified
 >> as per wiki)  >>  >> If however I use  >>
 >>  >>        idmap config * : backend = tdb
 >>  >>        idmap config * : range = 3000-7999
 >>  >>
 >>  >>    idmap config SAMDOM : backend = rid
 >>  >>    idmap config SAMDOM : range = 1000000-1199999
 >>  >>
 >>  >
 >>  >Using these 4 lines is the right thing to do: idmap-rid
 >> will generate  >UID/GID using LDAP object's RID + 1000000
 >> (according to what you wrote) and  >as UID/GID are now based
 >> on RID which is stable your UID/GID will be stable  >too (not
 >> randomly generated)  >  >  >>  >> Then getent "SAMDOM\user"
 >> works but the uid is taken from the * range, not  >> SAMDOM.
 >>  >>
 >>  >> What am I doing wrong?
 >>  >>
 >>  >>
 >>  >>
 >>  >>
 >>  >> --
 >>  >> To unsubscribe from this list go to the following URL and
 >> read the  >> instructions:
 >> https://lists.samba.org/mailman/options/samba
 >>  >--
 >>  >To unsubscribe from this list go to the following URL and read the
 >>  >instructions:  https://lists.samba.org/mailman/options/samba
 >>
 >>
 >> ##############################################################
 >> #######################
 >>
 >> This message and any attachments are solely for the use of
 >> the intended recipients. They may contain privileged and/or
 >> confidential information or other information protected from
 >> disclosure. If you are not an intended recipient, you are
 >> hereby notified that you received this email in error and
 >> that any review, dissemination, distribution or copying of
 >> this email and any attachment is strictly prohibited. If you
 >> have received this email in error, please contact the sender
 >> and delete the message and any attachment from your system.
 >>
 >> Thank You.
 >>
 >> ##############################################################
 >> #######################
 >>
 >> --
 >> To unsubscribe from this list go to the following URL and read the
 >> instructions:  https://lists.samba.org/mailman/options/samba
 >>
 >
 >
 >--
 >To unsubscribe from this list go to the following URL and read the
 >instructions:  https://lists.samba.org/mailman/options/samba


More information about the samba mailing list