[Samba] rid backend not working
Leszek Gubernat
leszek.gubernat at mp.pl
Wed Oct 30 10:29:18 UTC 2019
Hi Rowland,
thank you for your informative answer. I applied the remarks. Although
'rid' still doesn't work, the 'ad' backend does and this is what I need.
Best regards,
Leszek
On 23.10.2019 at 18:23, Rowland penny via samba wrote:
> On 23/10/2019 16:49, Leszek Gubernat via samba wrote:
>> Hi All,
>> I'd like to start using the 'rid' idmap backend rather than 'tdb' on my
>> member servers to keep gidNumbers in sync across the realm INCLUDING
>> the DC.
>
> You cannot, A DC uses idmap.ldb to store xidNumbers (which are in the
> 3000000 range), you cannot use the 'rid' or 'ad' backend on a DC.
>
> On a Unix domain member the 'rid' backend calculates the user or group
> ID from the objects RID and the DOMAIN low range.
>
> If you want the same IDs everywhere you must add uidNumber & gidNumber
> attributes to AD and use the 'ad' backend on all Unix domain members.
>
>> Problem is when I execute
>> member1# getent group "MPD1\group1"
>> I get no output. The gidNumbers fall within the range of 30000-60000.
>> testparm passes nicely. No errors logged whilst executing getent.
>> Could anyone point me in the right direction? Thank you.
> This is strange, from your smb.conf below, you are using the 'rid'
> backend, so it should work.
>>
>> ADDC:
>> Gentoo hardened; kernel 4.9
>> Samba 4.5.15 (installed from the distribution)
>>
>> addc /etc/samba/smb.conf
>> # Global parameters
>> [global]
>> server role check:inhibit=yes
>> dsdb:schema update allowed = yes
>> netbios name = ACDC
>> realm = SOME.REA.LM
>> workgroup = DOMAIN
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> unix extensions = no
>> security = user
> Remove the 'security' line
>> dns forwarder = 1.2.3.4
>> allow dns updates = nonsecure
>> log level = 1
>> log file = /var/log/samba/log.%m
>> ntp signd socket directory = /var/lib/samba/ntp_signd
>> time server = yes
> Of course it's a time server, it is a DC
>>
>> member1:
>> Gentoo hardened 2018; kernel 4.17
>> Samba 4.11.0 compiled:
>> ./configure --prefix=/usr/local/samba --disable-cups --disable-iprint
>> --without-ad-dc
>>
>> member1 /etc/samba/smb.conf
>> [global]
>> netbios name = member1
>> realm = SOME.REA.LM
>> workgroup = DOMAIN
>> security = ADS
>> log level = 2
>> max log size = 50000
>> log file = /var/log/samba/log.%m
>> idmap config * : backend = tdb
>> idmap config * : range = 20000-25000
>> idmap config MPD1 : backend = rid
>> idmap config MPD1 : range = 30000-60000
>>
> I take it that 'DOMAIN' is actually 'MPD1'
>>
>> member1 /etc/nsswitch.conf
>> passwd: compat files winbind
>> shadow: compat files
>> group: compat files winbind
> 'compat' and 'files' are the same thing
>>
>> hosts: files dns
>> networks: files dns
>>
>> services: db files
>> protocols: db files
>> rpc: db files
>> ethers: db files
>> netmasks: files
>> netgroup: files
>> bootparams: files
>>
>> automount: files
>> aliases: files
>>
>>
>> lrwxrwxrwx 1 root root 26 Oct 10 14:33 /lib64/libnss_winbind.so ->
>> /lib64/libnss_winbind.so.2
>> lrwxrwxrwx 1 root root 40 Oct 10 14:32 /lib64/libnss_winbind.so.2 ->
>> /usr/local/samba/lib/libnss_winbind.so.2
>>
>>
> Is PAM installed ? (I am not a gentoo user)
>
> Rowland
>
>
--
Medycyna Praktyczna - IT Department
tel: 124465379, mobile: 663430379
Cholerzyn 445, 32-060 Liszki
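Rowland's remark that the 'rid' backend derives the ID from the object's RID and the domain's low range can be checked against the quoted member1 idmap config. The following is an added illustration, not code from the thread or from Samba; it mirrors idmap_rid's arithmetic (ID = low range + RID, with Samba's default base_rid of 0), the SIDs are constructed, and the domain SID prefix is a placeholder.

```python
import re

# idmap config copied from the quoted member1 smb.conf (constructed copy)
IDMAP_CONFIG = {
    "*":    {"backend": "tdb", "range": (20000, 25000)},
    "MPD1": {"backend": "rid", "range": (30000, 60000)},
}

# Domain SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(domain, sid, config=IDMAP_CONFIG, base_rid=0):
    """Mimic idmap_rid: ID = low_range + (RID - base_rid).

    Returns None when the result falls outside the domain's configured
    range; winbind then has no mapping for the object, and getent prints
    nothing for it, which is one thing to rule out when 'rid' seems dead.
    """
    entry = config.get(domain)
    if entry is None or entry["backend"] != "rid":
        raise ValueError(f"domain {domain} is not mapped with the rid backend")
    low, high = entry["range"]
    xid = low + (rid_of(sid) - base_rid)
    return xid if low <= xid <= high else None


def max_mappable_rid(domain, config=IDMAP_CONFIG, base_rid=0):
    """Highest RID that still fits in the domain's range."""
    low, high = config[domain]["range"]
    return high - low + base_rid


def overlapping_ranges(config=IDMAP_CONFIG):
    """Pairs of idmap domains whose ranges overlap; Samba rejects such configs."""
    names = sorted(config)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            la, ha = config[a]["range"]
            lb, hb = config[b]["range"]
            if la <= hb and lb <= ha:
                hits.append((a, b))
    return hits
```

With the ranges as quoted, MPD1 objects with a RID above 30000 get no ID at all, while the 20000-25000 and 30000-60000 ranges do not collide.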