[Samba] member server idmap config (auto)rid

mathias dufresne infractory at gmail.com
Wed Aug 9 10:19:50 UTC 2017


Hi Niel,

First, I've no knowledge about clustering Samba. I'll read what Louis gave
but for now, I haven't.

Anyway, several suggestions:
About hostname, if it is really an issue, you should be able to cheat using
/etc/hosts and configuring /etc/nsswitch with:
"hosts:      files dns myhostname"
or
"hosts:      files dns"
as I'm not sure what this myhostname really means. I expect it means
running the hostname command or the equivalent system function (something like
gethostname(); no idea, I'm not a dev ;)

Now regarding smb.conf:

First, I expect your workgroup is not correct. For me, workgroup is the first
part(s) of the full domain name. So I would try with AD.GIBB rather than
GIBB.

Here is the one I prepared for my client:
[global]
    workgroup = SAMDOM
    realm = SAMDOM.DOMAIN.TLD
    # We use it because few DCs are accessible from this Samba server
    # and for now I have no idea how AD Sites are configured
    password server = dcXY.samdom.domain.tld

    security = ads

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    # These two lines are to be removed once it works
    # to limit excessive requests to AD DCs
    winbind enum users = yes
    winbind enum groups = yes

    ## map ids outside of domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 1200-1999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : schema_mode = template
    idmap config SAMDOM : range = 100000-999999
    # idmap config line once 4.6.x or later is deployed;
    # as long as 4.6.x is not installed we have to use winbind nss info
    ;idmap config SAMDOM : unix_nss_info = yes
    winbind nss info = template
    # As we are using idmap-rid, we need template to fill shell and homedir
    template shell = /bin/bash
    template homedir = /home/SAMDOM/%U

So the differences:
The addition of both template lines
    template shell = /bin/bash
    template homedir = /home/SAMDOM/%U

Addition of line to tell winbind to use templates
    winbind nss info = template
/!\ remember to change that line once you've upgraded your Samba version.

This line tells winbind which idmap module you really want.
It is for the idmap-rid module, which will create UID/GID
using the LDAP object's RID + the low number of the SAMDOM : range
    idmap config SAMDOM : backend = rid

The workgroup which seems strange to me.

Then I would first remove everything which is not part of authentication:
    panic action = /usr/share/samba/panic-action %d
    map to guest = Bad User
    server role = member server
    dns proxy = No
    wins server = 192.168.112.94 192.168.104.65

Perhaps the panic-action is related to the cluster; in that case keep it of
course ;)
"map to guest" could also be kept
"server role" I would remove as it is not necessary and because I don't
know all roles and their exact meanings
dns proxy + wins stuff: if it is really an AD domain, you should rely on DNS.
It's a Microsoft choice to remove WINS... I'd remove it at least for
testing, as AD is supposed to rely on DNS and I don't know your
infrastructure.



2017-08-08 16:52 GMT+02:00 Neil Price <nprice at gibb.co.za>:

> On 08/08/2017 12:04, mathias dufresne via samba wrote:
>
>> Could you post the whole smb.conf? That should help...
>>
> The server is maybe not normal as it's a high availability cluster, so the
> netbios name is not the same as the linux hostname. Hope that makes sense
> and is not a problem..
>
>
> [global]
>     interfaces = 127.0.0.0/8 eth0:0       <== This is a drbd/pacemaker
> cluster
>     netbios name = PTA-CLUSTER         <-----Ditto
>     realm = AD.GIBB.CO.ZA
>     workgroup = GIBB
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     map to guest = Bad User
>     security = ADS
>     server role = member server
>     username map = /etc/samba/user.map
>     winbind enum groups = Yes
>     winbind enum users = Yes
>     dns proxy = No
>     wins server = 192.168.112.94 192.168.104.65
>     idmap config GIBB : range = 1000000-1199999
>     idmap config GIBB : backend = rid
>     idmap config * : range = 3000-7999
>     idmap config * : backend = tdb
>
>
> Did you install libpam-winbind? libpam-krb5?
>>
> Yes
>
>> Kerberos is working? It should as you mentioned join was ok.
>>
> Yes it works but seems very slow. kinit followed by klist.
>
> I'm getting inconsistent results. Now it works, now it doesn't. I'm
> looking at the possibility that one of the many Windows AD servers is at
> fault and samba is occasionally choosing that one.  It looks like using
> "password server" is not recommended and in fact it did not help.
> I still need to work through Louis' helpful post.
>
>
>
> Anyway and in short, to help we need information.
>>
>> And playing with wbinfo could help to understand what you missed (wbinfo
>> -n username; wbinfo -S userSID; wbinfo -i username; for a start)
>>
>> 2017-08-07 16:44 GMT+02:00 Neil Price via samba <samba at lists.samba.org>:
>>
>> I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD domain
>>> according to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>
>>> It joins OK but I cannot get idmap rid (or autorid) to work
>>>
>>>     idmap config * : backend = autorid
>>>     idmap config * : range = 1000000-1199999
>>>
>>> Using only these two lines AD users and groups could become Linux users
>> and groups but their UID/GID will be randomly generated, which is certainly
>> not what you want (at least in future that's something you would regret)
>>
>>
>> Nothing is returned for getent "SAMDOM\user"
>>>
>>> log.winbindd shows:
>>>
>>> [2017/08/07 15:44:08.377559,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>>    getpwnam SAMDOM\user
>>> [2017/08/07 15:45:12.561500,  5] ../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
>>>    Client request timed out, shutting down sock 26, pid 639
>>>
>>> (libnss_winbind is installed and nsswitch.conf modified as per wiki)
>>>
>>> If however I use
>>>
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 3000-7999
>>>
>>>     idmap config SAMDOM : backend = rid
>>>     idmap config SAMDOM : range = 1000000-1199999
>>>
>>> Using these 4 lines is the right thing to do: idmap-rid will generate
>> UID/GID using the LDAP object's RID + 1000000 (according to what you wrote)
>> and as UID/GID are now based on the RID, which is stable, your UID/GID will
>> be stable too (not randomly generated)
>>
>>
>> Then getent "SAMDOM\user" works but the uid is taken from the * range, not
>>> SAMDOM.
>>>
>>> What am I doing wrong?
>>>
>>>
>>>
>>>
>>>
>>
>
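An added example for this thread (not code from the Samba project or from either poster) that applies the two rules the discussion turns on: the idmap_rid mapping, which the idmap_rid man page gives as ID = RID - BASE_RID + LOW_RANGE_ID with BASE_RID defaulting to 0, and the requirement that the range of the `*` domain and the range of the named domain do not overlap. Samba matches the DOMAIN token in `idmap config DOMAIN : ...` against the short (NetBIOS) domain name, so the parser keys on that token exactly as written in the file. The smb.conf text inside is constructed for the example and modelled on the member-server configs posted above.

```python
"""Sanity-check idmap ranges in an smb.conf and predict idmap_rid UIDs.

Added example for this thread; it is not code from the Samba project or
from the posters. It applies the mapping documented for idmap_rid
(ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID defaulting to 0) and the
rule that the ranges of different idmap domains must not overlap.
"""
import re

# Constructed sample, modelled on the member-server config in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.DOMAIN.TLD
    security = ads
    ## map ids outside of domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 1200-1999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 100000-999999
"""

# "idmap config DOMAIN : option = value"; DOMAIN is the short (NetBIOS)
# domain name, or "*" for the default/catch-all domain.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} from the idmap config lines.

    Lines beginning with '#' or ';' are smb.conf comments and are ignored,
    so a disabled line such as ';idmap config X : unix_nss_info = yes'
    does not count.
    """
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def parse_range(value):
    """'low-high' -> (low, high); rejects reversed or malformed ranges."""
    low, high = (int(x) for x in value.split("-"))
    if low > high:
        raise ValueError("range low > high: %s" % value)
    return low, high


def check_idmap(domains):
    """Return a list of problems to fix before relying on the mapping."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    ranges = []
    for dom, conf in domains.items():
        if "backend" not in conf:
            problems.append("%s: no backend" % dom)
        if "range" not in conf:
            problems.append("%s: no range" % dom)
            continue
        ranges.append((dom, parse_range(conf["range"])))
    # Every pair of domains must use disjoint ID ranges.
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                problems.append("ranges of %s and %s overlap" % (d1, d2))
    return problems


def rid_to_uid(domains, domain, sid):
    """Predict the UID/GID idmap_rid assigns to SID in DOMAIN.

    Returns None when the RID falls outside the configured range; winbind
    then has no mapping for that object, so size the range above the
    highest RID the domain will ever hand out.
    """
    conf = domains[domain.upper()]
    if conf.get("backend", "").lower() != "rid":
        raise ValueError("%s is not an idmap_rid domain" % domain)
    low, high = parse_range(conf["range"])
    base_rid = int(conf.get("base_rid", "0"))   # deprecated option, default 0
    rid = int(sid.rsplit("-", 1)[1])            # last sub-authority is the RID
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    print("problems:", check_idmap(cfg) or "none")
    print("uid for RID 1105:", rid_to_uid(cfg, "SAMDOM", "S-1-5-21-1-2-3-1105"))
```

Feed it the real file (`open('/etc/samba/smb.conf').read()`) and the SID that `wbinfo -n username` prints; if the predicted UID differs from what `wbinfo -i username` or `getent passwd` returns, the request is not being served by the rid backend for that domain.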

