
Re: [Samba] member server idmap config (auto)rid




On 08/08/2017 12:04, mathias dufresne via samba wrote:
Could you post the whole smb.conf? That should help...
The server is maybe not normal as it's a high availability cluster, so the netbios name is not the same as the linux hostname. Hope that makes sense and is not a problem.


[global]
    interfaces = 127.0.0.0/8 eth0:0    <== This is a drbd/pacemaker cluster
    netbios name = PTA-CLUSTER         <-----Ditto
    realm = AD.GIBB.CO.ZA
    workgroup = GIBB
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    map to guest = Bad User
    security = ADS
    server role = member server
    username map = /etc/samba/user.map
    winbind enum groups = Yes
    winbind enum users = Yes
    dns proxy = No
    wins server = 192.168.112.94 192.168.104.65
    idmap config GIBB : range = 1000000-1199999
    idmap config GIBB : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb


Did you install libpam-winbind? libpam-krb5?
Yes
Kerberos is working? It should as you mentioned join was ok.
Yes it works but seems very slow. kinit followed by klist.

I'm getting inconsistent results. Now it works, now it doesn't. I'm looking at the possibility that one of the many Windows AD servers is at fault and samba is occasionally choosing that one. It looks like using "password server" is not recommended and in fact it did not help.
I still need to work through Louis' helpful post.


Anyway and in short, to help we need information.

And playing with wbinfo could help to understand what you missed (wbinfo -n
username; wbinfo -S userSID; wbinfo -i username; for a start)

2017-08-07 16:44 GMT+02:00 Neil Price via samba <samba@xxxxxxxxxxxxxxx>:

I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD domain
according to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

It joins OK but I cannot get idmap rid (or autorid) to work

    idmap config * : backend = autorid
    idmap config * : range = 1000000-1199999

Using only these two lines AD users and groups could become Linux users and groups, but their UID/GID will be randomly generated, which is certainly not
what you want (at least in future that's something you should regret)


Nothing is returned for getent "SAMDOM\user"

log.winbindd shows:

[2017/08/07 15:44:08.377559,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam SAMDOM\user
[2017/08/07 15:45:12.561500,  5] ../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
   Client request timed out, shutting down sock 26, pid 639

(libnss_winbind is installed and nsswitch.conf modified as per wiki)

If however I use

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 1000000-1199999

Using these 4 lines is the right thing to do: idmap-rid will generate
UID/GID using the LDAP object's RID + 1000000 (according to what you wrote), and as UID/GID are now based on the RID, which is stable, your UID/GID will be stable
too (not randomly generated)


Then getent "SAMDOM\user" works but the uid is taken from the * range, not
SAMDOM.

What am I doing wrong?
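The rid arithmetic mathias describes above (UID = low end of the domain range + RID) and the symptom Neil reports (a uid that lands in the `*` range instead of the domain range), worked through as an added example that is not part of this thread or of Samba's own code; the idmap lines and the SID are constructed, and the domain label SAMDOM stands in for the real workgroup name:

```python
import re

# Constructed smb.conf fragment modelled on the thread's four idmap lines.
SMB_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 1000000-1199999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I | re.M)


def parse_idmap(conf):
    """Return {DOMAIN: {'backend': ..., 'low': ..., 'high': ...}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key.lower() == "backend":
            entry["backend"] = val.lower()
        else:
            low, high = val.split("-")
            entry["low"], entry["high"] = int(low), int(high)
    return cfg


def rid_of(sid):
    """The last sub-authority of an S-1-5-21-... domain SID is the object's RID."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if not m:
        raise ValueError("not a domain object SID: " + sid)
    return int(m.group(1))


def map_sid(cfg, domain, sid):
    """Pick the block winbind would use: the per-domain block if its label
    matches the short domain name, otherwise the '*' default.
    Returns (block_used, backend, uid). For idmap_rid uid = low + RID (base_rid
    defaults to 0) and must fall inside the range; tdb allocates the next free
    id from its own range, which is not predictable here, so uid is None."""
    block = domain.upper() if domain.upper() in cfg else "*"
    entry = cfg[block]
    if entry["backend"] != "rid":
        return block, entry["backend"], None
    uid = entry["low"] + rid_of(sid)
    if not entry["low"] <= uid <= entry["high"]:
        return block, "rid", None  # RID outside the configured range: no mapping
    return block, "rid", uid


def in_default_range(cfg, uid):
    """True when a uid seen in getent/wbinfo output came from the '*' range,
    i.e. the per-domain rid block was not applied to that lookup."""
    return cfg["*"]["low"] <= uid <= cfg["*"]["high"]
```

Running `in_default_range` over the uid that `getent passwd` or `wbinfo -i` returns tells you whether the domain block matched; a label in the `idmap config` line that differs from the short domain name winbind uses falls through to `*` exactly as in the second case below.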




--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

