[Samba] idmap limit?

Andreas Hauffe andreas.hauffe at tu-dresden.de
Fri Jan 19 11:40:00 UTC 2018


Hi,

Yes, there are some things. But I have not found nice, complete 
documentation.

One main point is that you have to use the domain name as a prefix for 
user names from the parent domain, e.g. "DOM\user1". I was not able to 
get rid of it, as the client is a member of the subdomain, which is the 
default. So you can't use the "default domain" option in smb.conf. The 
backslash in the user name is a problem for some software, but other 
characters can also be a problem for other software.

In krb5.conf you need a [realm] section with rewrite rules (auth_to_local) 
that map principal names to local user names. All is quite simple once 
you know it. Only with that do you get kerberized services running.

On a Debian 9 file server (member server of the domain) I was not able to 
get NFS4 with Kerberos working until I changed from the default 
rpc.svcgssd to gssproxy for the NFS service. The first was working for 
subdomain users, but in the case of a parent domain user the rpc.svcgssd 
process went to 100% CPU load and a soft lockup of the kernel. With 
gssproxy and no other changes all is fine.

These few things took me a lot of time.

Andreas

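The mapping described above (principal names from the parent realm become prefixed local names such as "DOM\user1", subdomain principals stay bare) can be modelled as a small policy function. The following is an added reference model, not MIT krb5's auth_to_local implementation and not part of the original mail; the realm names come from the thread, while the prefix policy, the separator and the rejection rules are assumptions chosen to show the checks a defender wants: service principals are never mapped to users, untrusted realms are refused rather than guessed, and a local-realm principal cannot smuggle the parent prefix into its name.

```python
import re
from typing import Dict, Iterable, Optional

# Realm names as used in the thread; the policy below is an assumption.
SUBDOMAIN_REALM = "DOM2.DOM.EXAMPLE.DE"   # realm the member server belongs to
PARENT_REALM = "DOM.EXAMPLE.DE"           # trusted parent realm holding most users
WINBIND_SEPARATOR = "\\"                  # winbind's default separator -> "DOM\user1"

# Assumed mapping policy: which realms are accepted and what prefix they get.
REALM_PREFIX: Dict[str, str] = {
    SUBDOMAIN_REALM: "",                          # local realm: bare user name
    PARENT_REALM: "DOM" + WINBIND_SEPARATOR,      # parent realm: keep domain prefix
}

# name[/instance]@REALM ; realms are case-sensitive in Kerberos, so no folding
PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^@]+))?@([^@]+)$")


def auth_to_local(principal: str) -> Optional[str]:
    """Map a Kerberos principal to a local account name, or None to reject it."""
    m = PRINCIPAL_RE.match(principal)
    if m is None:
        return None                      # not a well-formed principal
    name, instance, realm = m.groups()
    if instance is not None:
        return None                      # nfs/..., host/... are services, not users
    if WINBIND_SEPARATOR in name:
        return None                      # "DOM\x@DOM2..." must not impersonate DOM\x
    prefix = REALM_PREFIX.get(realm)
    if prefix is None:
        return None                      # unknown or untrusted realm: refuse
    return prefix + name


def map_all(principals: Iterable[str]) -> Dict[str, Optional[str]]:
    """Apply the policy to a batch of principals (None marks a rejection)."""
    return {p: auth_to_local(p) for p in principals}


if __name__ == "__main__":
    # Constructed sample principals, not taken from a real KDC.
    samples = [
        "user4@DOM.EXAMPLE.DE",
        "user1@DOM2.DOM.EXAMPLE.DE",
        "nfs/fileserver.dom2.dom.example.de@DOM2.DOM.EXAMPLE.DE",
        "user1@EVIL.EXAMPLE.COM",
        "DOM\\user4@DOM2.DOM.EXAMPLE.DE",
    ]
    for p, local in map_all(samples).items():
        print(f"{p:55} -> {local if local is not None else 'REJECTED'}")
```

The point of the three rejection branches is that a mapping rule which only rewrites the realm suffix silently grants a local account to anyone whose principal happens to match; a trust relationship makes the parent realm's users reachable, and the rule, not the trust, decides who becomes a Unix user.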

On 19.01.2018 at 11:50, insrc via samba wrote:
> Hi Andreas,
>
> I'm sorry to jump on your thread as I can't really help you here.
> But as I have to set up an AD subdomain of a parent domain with the same
> requirements as yours apparently (aka parent domain managed by Windows
> server holds users/groups accounts on a distant location but the compute
> resources and the GPO will be managed locally under a subdomain), I'm just
> wondering if you found any good documentation to help you set up your AD
> subdomain and if there's any gotcha to be aware of please :-) ?
>
> I'm new to this and it seems that the official wiki doesn't have a lot of
> information on the current state of the "trust relationship" support on
> Samba 4 or on how to set up a subdomain of a parent domain
>
> Thanks a lot
> Regards,
>
>
>
> On Tue, Jan 16, 2018 at 5:49 PM, Andreas Hauffe via samba <
> samba at lists.samba.org> wrote:
>
>>
>> Am 16.01.2018 um 17:26 schrieb Rowland Penny via samba:
>>
>>> On Tue, 16 Jan 2018 16:54:17 +0100
>>> Andreas Hauffe via samba <samba at lists.samba.org> wrote:
>>>
>>>> Ok, you are completely right. Here are the real numbers with changed
>>>> user names:
>>>>
>>>> drwx------ 43 DOM\user1        DOM\domain-user  4096 Jan 10 08:00 user1
>>>> drwx------  5 DOM\user2        DOM\domain-user  4096 Jan 11 08:13 user2
>>>> drwx------ 92 DOM\user3        DOM\domain-user  4096 Jan 16 08:39 user3
>>>> drwx------  3        133265    DOM\domain-user  4096 Sep  7  2015 user4
>>>> drwx------  7        470055    DOM\domain-user  4096 Apr 30  2013 user5
>>>> drwx------ 12 DOM\user6        DOM\domain-user  4096 Jan  4 12:46 user6
>>>> drwx------ 51 DOM\user7        DOM\domain-user  4096 Jan 15 23:01 user7
>>>> drwx------  2         95092    DOM\domain-user  4096 Jul  1  2015 user8
>>>> drwx------  3 DOM\user9        DOM\domain-user  4096 Jun  8  2015 user9
>>>> ....
>>>> drwx------  7 DOM\user200      DOM\domain-user  4096 Nov  6  2012 user200
>>>>
>>>>     > wbinfo --uid-info=133265
>>>> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not get info for uid 133265
>>>>
>>>>     > wbinfo -i DOM\\user4
>>>> DOM\user4:*:133265:10513::/home/user4:/bin/bash
>>>>
>>>> After the last command (wbinfo -i DOM\\user4), "wbinfo
>>>> --uid-info=133265" also shows the correct result and the "ls -l" listing
>>>> also shows the user name instead of the uid.
>>>>
>>>>
>>> One thing I have spotted:
>>> /etc/krb5.conf should be:
>>>
>>> [libdefaults]
>>>        default_realm = DOM2.DOM.TU-DRESDEN.DE
>>>        dns_lookup_realm = false
>>>        dns_lookup_kdc = true
>>>
>>> What is 'DOM2' ?
>>> Is it a trusted domain ?
>>>
>>> As I said, you are using the 'rid' backend and adding users to AD
>>> shouldn't affect how winbind works. Your user 'user4' must have the RID
>>> '123265' and so should be available as a Unix user.
>>>
>>> I take it that the Unix domain member is using the DC as its DNS
>>> nameserver.
>>>
>>> Rowland
>>>
>> Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain
>> (DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive trust).
>> At our university we have a parent domain "DOM.EXAMPLE.DE" where all the
>> user accounts are held/administered. Every department has a subdomain for
>> their services. In our example case "DOM2.DOM.EXAMPLE.DE". The client and
>> so the member server are members of "DOM2.DOM.EXAMPLE.DE". But most of the
>> users are from "DOM.EXAMPLE.DE".
>>
>> And I checked, the RID of the user4 is 123265.
>>
>> Yes, the DC (actually both DCs) is the dns of the unix member server.
>>
>>

-- 
Kind regards
Andreas Hauffe
Head of the research field "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe at tu-dresden.de
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de
