Re: [Samba] member server idmap config (auto)rid
- Date: Tue, 8 Aug 2017 17:03:59 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] member server idmap config (auto)rid
If you use the Debian package 4.5.8 I can suggest you upgrade to 4.6.5 from buster or use my 4.6.6.
Go through this changelog.
My 4.6.6 is based on 4.6.5+dfsg-6.
But I can't tell much yet about clustering setups.
Except this page:
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Neil
> Price via samba
> Sent: Tuesday, 8 August 2017 16:54
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] member server idmap config (auto)rid
> On 08/08/2017 12:04, mathias dufresne via samba wrote:
> > Could you post the whole smb.conf? That should help...
> The server is maybe not normal as it's a high availability
> cluster, so the netbios name is not the same as the linux
> hostname. Hope that makes sense and is not a problem..
> interfaces = 127.0.0.0/8 eth0:0 <== This is a
> netbios name = PTA-CLUSTER <-----Ditto
> realm = AD.GIBB.CO.ZA
> workgroup = GIBB
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> map to guest = Bad User
> security = ADS
> server role = member server
> username map = /etc/samba/user.map
> winbind enum groups = Yes
> winbind enum users = Yes
> dns proxy = No
> wins server = 192.168.112.94 192.168.104.65
> idmap config GIBB : range = 1000000-1199999
> idmap config GIBB : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> > Did you install libpam-winbind? libpam-krb5?
> > Kerberos is working? It should as you mentioned join was ok.
> Yes it works but seems very slow. kinit followed by klist.
> I'm getting inconsistent results. Now it works, now it
> doesn't. I'm looking at the possibility that one of the many
> Windows AD servers is at fault and samba is occasionally
> choosing that one. It looks like using "password server" is
> not recommended and in fact it did not help.
> I still need to work through Louis' helpful post.
> > Anyway and in short, to help we need information.
> > And playing with wbinfo could help to understand what you missed
> > (wbinfo -n username; wbinfo -S userSID; wbinfo -i username; for a
> > start)
> > 2017-08-07 16:44 GMT+02:00 Neil Price via samba
> >> I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD
> >> domain according to
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> It joins OK but I cannot get idmap rid (or autorid) to work
> >> idmap config * : backend = autorid
> >> idmap config * : range = 1000000-1199999
> > Using only these two lines AD users and groups could become Linux
> > users and groups but their UID/GID will be randomly generated, which
> > is certainly not what you want (at least in future that's something
> > you should regret)
> >> Nothing is returned for getent "SAMDOM\user"
> >> log.winbindd shows:
> >> [2017/08/07 15:44:08.377559, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> >> getpwnam SAMDOM\user
> >> [2017/08/07 15:45:12.561500, 5] ../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
> >> Client request timed out, shutting down sock 26, pid 639
> >> (libnss_winbind is installed and nsswitch.conf modified as per wiki)
> >> If however I use
> >> idmap config * : backend = tdb
> >> idmap config * : range = 3000-7999
> >> idmap config SAMDOM : backend = rid
> >> idmap config SAMDOM : range = 1000000-1199999
> > Using these 4 lines is the right thing to do: idmap-rid will generate
> > UID/GID using LDAP object's RID + 1000000 (according to what you
> > wrote) and as UID/GID are now based on RID which is stable your
> > UID/GID will be stable too (not randomly generated)
> >> Then getent "SAMDOM\user" works but the uid is taken from the *
> >> range, not SAMDOM.
> >> What am I doing wrong?
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
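An added example, not part of the thread or of Samba itself: a small Python check that parses the idmap lines quoted above, applies the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0), and reports which idmap section's range a uid returned by getent falls into. The SID and the function names are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines quoted in the thread.
SMB_CONF = """
[global]
    workgroup = GIBB
    idmap config GIBB : range = 1000000-1199999
    idmap config GIBB : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "low": int, "high": int}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = value.split("-")
            entry["low"], entry["high"] = int(low), int(high)
        else:
            entry[key] = value
    return domains

def rid_to_id(sid, cfg, base_rid=0):
    """idmap_rid mapping; returns None when the result leaves the range."""
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last SID component
    unix_id = rid - base_rid + cfg["low"]
    return unix_id if cfg["low"] <= unix_id <= cfg["high"] else None

def owning_domain(unix_id, domains):
    """Idmap sections whose range contains a uid/gid seen in getent output."""
    return [d for d, c in domains.items() if c["low"] <= unix_id <= c["high"]]

def overlaps(domains):
    """Adjacent pairs of sections whose ranges overlap (ranges must be disjoint)."""
    items = sorted(domains.items(), key=lambda kv: kv[1]["low"])
    return [(a, b) for (a, ca), (b, cb) in zip(items, items[1:]) if cb["low"] <= ca["high"]]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print(rid_to_id("S-1-5-21-111-222-333-1105", cfg["GIBB"]))  # constructed SID
    print(owning_domain(3001, cfg), overlaps(cfg))
```

A uid that `owning_domain` places in `*` was allocated by the default tdb section, not by the rid section, so the domain name in the `idmap config` lines is the first thing to compare against the user's actual domain.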