[Samba] member server idmap config (auto)rid

L.P.H. van Belle belle at bazuin.nl
Tue Aug 8 15:03:59 UTC 2017


If you use the Debian package 4.5.8, I can suggest you upgrade to 4.6.5 from buster or use my 4.6.6.

Go through this changelog.
http://metadata.ftp-master.debian.org/changelogs/main/s/samba/samba_4.6.5+dfsg-8_changelog 
My 4.6.6 is based on 4.6.5+dfsg-6

But I can't tell much yet about clustering setups.
Except this page: 
https://wiki.samba.org/index.php/Clustered_Samba 
And
https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba 


Greetz, 

Louis

 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Neil Price via samba
> Sent: Tuesday 8 August 2017 16:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] member server idmap config (auto)rid
> 
> On 08/08/2017 12:04, mathias dufresne via samba wrote:
> > Could you post the whole smb.conf? That should help...
> The server is maybe not normal as it's a high availability 
> cluster, so the netbios name is not the same as the linux 
> hostname. Hope that makes sense and is not a problem..
> 
> 
> [global]
>      interfaces = 127.0.0.0/8 eth0:0       <== This is a drbd/pacemaker cluster
>      netbios name = PTA-CLUSTER         <-----Ditto
>      realm = AD.GIBB.CO.ZA
>      workgroup = GIBB
>      log file = /var/log/samba/log.%m
>      max log size = 1000
>      syslog = 0
>      panic action = /usr/share/samba/panic-action %d
>      map to guest = Bad User
>      security = ADS
>      server role = member server
>      username map = /etc/samba/user.map
>      winbind enum groups = Yes
>      winbind enum users = Yes
>      dns proxy = No
>      wins server = 192.168.112.94 192.168.104.65
>      idmap config GIBB : range = 1000000-1199999
>      idmap config GIBB : backend = rid
>      idmap config * : range = 3000-7999
>      idmap config * : backend = tdb
> 
> 
> > Did you install libpam-winbind? libpam-krb5?
> Yes
> > Kerberos is working? It should as you mentioned join was ok.
> Yes it works but seems very slow. kinit followed by klist.
> 
> I'm getting inconsistent results. Now it works, now it 
> doesn't. I'm looking at the possibility that one of the many 
> Windows AD servers is at fault and samba is occasionally 
> choosing that one. It looks like using "password server" is 
> not recommended and in fact it did not help.
> I still need to work through Louis' helpful post.
> 
> 
> > Anyway and in short, to help we need information.
> >
> > And playing with wbinfo could help to understand what you missed 
> > (wbinfo -n username; wbinfo -S userSID; wbinfo -i username; for a 
> > start)
> >
> > 2017-08-07 16:44 GMT+02:00 Neil Price via samba <samba at lists.samba.org>:
> >
> >> I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD 
> >> domain according to 
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>
> >> It joins OK but I cannot get idmap rid (or autorid) to work
> >>
> >>     idmap config * : backend = autorid
> >>     idmap config * : range = 1000000-1199999
> >>
> > Using only these two lines AD users and groups could become Linux 
> > users and groups but their UID/GID will be randomly generated, which 
> > is certainly not what you want (at least in future that's something 
> > you should regret)
> >
> >
> >> Nothing is returned for getent "SAMDOM\user"
> >>
> >> log.winbindd shows:
> >>
> >> [2017/08/07 15:44:08.377559,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> >>    getpwnam SAMDOM\user
> >> [2017/08/07 15:45:12.561500,  5] ../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
> >>    Client request timed out, shutting down sock 26, pid 639
> >>
> >> (libnss_winbind is installed and nsswitch.conf modified as per wiki)
> >>
> >> If however I use
> >>
> >>         idmap config * : backend = tdb
> >>         idmap config * : range = 3000-7999
> >>
> >>     idmap config SAMDOM : backend = rid
> >>     idmap config SAMDOM : range = 1000000-1199999
> >>
> > Using these 4 lines is the right thing to do: idmap-rid will generate 
> > UID/GID using LDAP object's RID + 1000000 (according to what you
> > wrote) and as UID/GID are now based on RID which is stable your 
> > UID/GID will be stable too (not randomly generated)
> >
> >
> >> Then getent "SAMDOM\user" works but the uid is taken from the * 
> >> range, not
> >> SAMDOM.
> >>
> >> What am I doing wrong?
> >>
> >>
> >>
> >>
> 
> 
> 
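
The RID-to-UID mapping discussed in the quoted replies, as an added example that is not part of the original thread: it parses the `idmap config` lines from the posted smb.conf, applies the formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_VALUE, with base_rid defaulting to 0), and reports which section's range a uid returned by getent falls into. The function names and the sample RID and uid values are constructed for illustration.

```python
import re

# idmap lines from the smb.conf posted in the thread; RIDs below are constructed.
SMB_CONF = """\
[global]
    workgroup = GIBB
    idmap config GIBB : range = 1000000-1199999
    idmap config GIBB : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend", "low", "high", "base_rid"}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {"base_rid": 0})  # base_rid defaults to 0
        if key == "range":
            entry["low"], entry["high"] = (int(x) for x in val.split("-"))
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        else:
            entry[key] = val
    return domains

def rid_to_id(domains, dom, rid):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_VALUE; None if it leaves the range."""
    d = domains[dom]
    xid = rid - d["base_rid"] + d["low"]
    return xid if d["low"] <= xid <= d["high"] else None

def owning_domains(domains, xid):
    """Names of the idmap config sections whose range contains this uid/gid."""
    return [dom for dom, d in domains.items() if d["low"] <= xid <= d["high"]]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(rid_to_id(cfg, "GIBB", 1105))    # constructed RID
    print(owning_domains(cfg, 3001))       # a uid as getent might report it
```

A uid that `owning_domains` places in `*` rather than in the domain section was allocated by the default backend, which is the symptom described in the original question.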



