[Samba] member server idmap config (auto)rid
mathias dufresne
infractory at gmail.com
Wed Aug 9 10:19:50 UTC 2017
Hi Niel,
First I've no knowledge about clustering Samba. I'll read what Louis
gave, but for now I haven't.
Anyway, several suggestions:
About hostname, if it is really an issue, you should be able to cheat using
/etc/hosts and configuring /etc/nsswitch with:
"hosts: files dns myhostname"
or
"hosts: files dns"
as I'm not sure what this myhostname really means. I expect it means
running the hostname command or the equivalent system function (something like
gethostname(), no idea, I'm not a dev ;)
Now regarding smb.conf:
First I expect your workgroup is not correct. For me, workgroup is the first
part(s) of the full domain name. So I would try with AD.GIBB rather than
GIBB.
here is the one I prepared for my client:
[global]
workgroup = SAMDOM
realm = SAMDOM.DOMAIN.TLD
# We use it because few DCs are accessible from this Samba server
# and for now I have no idea how AD Sites are configured
password server = dcXY.samdom.domain.tld
security = ads
winbind use default domain = yes
winbind expand groups = 4
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
# These two lines are to be removed once it works
# to limit excessive requests to AD DCs
winbind enum users = yes
winbind enum groups = yes
## map ids outside of domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 1200-1999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : schema_mode = template
idmap config SAMDOM : range = 100000-999999
# idmap config line once 4.6.x and more is deployed
# as long as 4.6.x are not installed we have to use winbind nss info
;idmap config SAMDOM : unix_nss_info = yes
winbind nss info = template
# As we are using idmap-rid, we need template to fill shell and homedir
template shell = /bin/bash
template homedir = /home/SAMDOM/%U
So the differences:
The addition of both template lines
template shell = /bin/bash
template homedir = /home/SAMDOM/%U
Addition of line to tell winbind to use templates
winbind nss info = template
/!\ remember to change that line once you've upgraded your Samba version.
This line tells winbind which idmap module you really want.
This line is for idmap-rid module which will create UID/GID
using LDAP object's RID + low number of SAMDOM : range
idmap config SAMDOM : backend = rid
The workgroup which seems strange to me.
Then I would first remove everything which is not part of authentication:
panic action = /usr/share/samba/panic-action %d
map to guest = Bad User
server role = member server
dns proxy = No
wins server = 192.168.112.94 192.168.104.65
Perhaps the panic-action is related to the cluster, in that case keep it of
course ;)
"map to guest" could also be kept
"server role" I would remove as it is not necessary and because I don't
know all the roles and their exact meaning
dns proxy + wins stuff: if it is really an AD domain, you should rely on DNS.
It's a Microsoft choice to remove WINS... I'd remove it at least for
testing as AD is supposed to rely on DNS and I don't know your
infrastructure.
2017-08-08 16:52 GMT+02:00 Neil Price <nprice at gibb.co.za>:
> On 08/08/2017 12:04, mathias dufresne via samba wrote:
>
>> Could you post the whole smb.conf? That should help...
>>
> The server is maybe not normal as it's a high availability cluster, so the
> netbios name is not the same as the linux hostname. Hope that makes sense
> and is not a problem..
>
>
> [global]
> interfaces = 127.0.0.0/8 eth0:0 <== This is a drbd/pacemaker cluster
> netbios name = PTA-CLUSTER <-----Ditto
> realm = AD.GIBB.CO.ZA
> workgroup = GIBB
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> map to guest = Bad User
> security = ADS
> server role = member server
> username map = /etc/samba/user.map
> winbind enum groups = Yes
> winbind enum users = Yes
> dns proxy = No
> wins server = 192.168.112.94 192.168.104.65
> idmap config GIBB : range = 1000000-1199999
> idmap config GIBB : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
>
>
> Did you install libpam-winbind? libpam-krb5?
>>
> Yes
>
>> Kerberos is working? It should as you mentioned join was ok.
>>
> Yes it works but seems very slow. kinit followed by klist.
>
> I'm getting inconsistent results. Now it works, now it doesn't. I'm
> looking at the possibility that one of the many Windows AD servers is at
> fault and samba is occasionally choosing that one. It looks like using
> "password server" is not recommended and in fact it did not help.
> I still need to work through Louis' helpful post.
>
>
>
> Anyway and in short, to help we need information.
>>
>> And playing with wbinfo could help to understand what you missed (wbinfo -n
>> username; wbinfo -S userSID; wbinfo -i username; for a start)
>>
>> 2017-08-07 16:44 GMT+02:00 Neil Price via samba <samba at lists.samba.org>:
>>
>>> I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD domain
>>> according to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>
>>> It joins OK but I cannot get idmap rid (or autorid) to work
>>>
>>> idmap config * : backend = autorid
>>> idmap config * : range = 1000000-1199999
>>>
>> Using only these two lines AD users and groups could become Linux users and
>> groups but their UID/GID will be randomly generated, which is certainly
>> not what you want (at least in future that's what you would regret)
>>
>>
>> Nothing is returned for getent "SAMDOM\user"
>>>
>>> log.winbindd shows:
>>>
>>> [2017/08/07 15:44:08.377559, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>> getpwnam SAMDOM\user
>>> [2017/08/07 15:45:12.561500, 5] ../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
>>> Client request timed out, shutting down sock 26, pid 639
>>>
>>> (libnss_winbind is installed and nsswitch.conf modified as per wiki)
>>>
>>> If however I use
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 3000-7999
>>>
>>> idmap config SAMDOM : backend = rid
>>> idmap config SAMDOM : range = 1000000-1199999
>>>
>> Using these 4 lines is the right thing to do: idmap-rid will generate
>> UID/GID using LDAP object's RID + 1000000 (according to what you wrote)
>> and as UID/GID are now based on RID which is stable your UID/GID will be
>> stable too (not randomly generated)
>>
>>
>>> Then getent "SAMDOM\user" works but the uid is taken from the * range, not
>>> SAMDOM.
>>>
>>> What am I doing wrong?
>>>
>>>
>>>
>>>
>>
>
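Added example (not code from the thread or from Samba) modelling the two mechanics this thread turns on: an "idmap config DOMAIN" stanza is only consulted when DOMAIN matches the short domain name the user belongs to (the workgroup for a member server, GIBB here), otherwise the "*" default range catches the user, and the rid backend derives UID = range low + RID. The smb.conf fragment is constructed to echo the first configuration posted; real winbind resolves the SID's domain itself rather than taking it as a parameter.

```python
import re

# Constructed smb.conf fragment echoing the thread: the workgroup is GIBB but the
# per-domain stanza is named SAMDOM, so GIBB users fall through to the '*' range.
SMB_CONF = """
[global]
workgroup = GIBB
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 1000000-1199999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return domains

def overlapping_ranges(domains):
    """Pairs of stanzas whose id ranges overlap; must be empty for a sane config."""
    by_low = sorted(domains.items(), key=lambda kv: kv[1]["range"])
    return [(a, b) for (a, ca), (b, cb) in zip(by_low, by_low[1:])
            if ca["range"][1] >= cb["range"][0]]

def map_sid(domains, domain_name, sid):
    """Resolve a SID of the given short domain name to (stanza_used, uid).
    The stanza named after the domain wins, else '*' applies. idmap_rid gives
    UID = range low + RID (None past range high); tdb/autorid allocate ids
    dynamically, modelled here as uid None."""
    rid = int(sid.rsplit("-", 1)[1])
    stanza = domain_name.upper() if domain_name.upper() in domains else "*"
    cfg = domains[stanza]
    low, high = cfg["range"]
    if cfg.get("backend") == "rid":
        uid = low + rid
        return (stanza, uid if uid <= high else None)
    return (stanza, None)
```

Renaming the SAMDOM stanza to GIBB (the actual workgroup) is what moves a user with RID 1105 from the "*" range to UID 1001105 in this model.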