
Re: [Samba] idmap limit?

Hi,

yes, there are some things. But I have not found a nice complete documentation.

One main point is that you have to use the domain name as a prefix for usernames from the parent domain, e.g. "DOM\user1". I was not able to get rid of it, as the client is a member of the subdomain, which is the default. So you can't use the "default domain" option in smb.conf. The backslash in the user name is a problem for some software, but other characters can also be a problem for other software.

In krb5.conf you need a [realms] section with rewrite rules (auth_to_local) mapping principal names to local user names. All is quite simple if you know this. Only with that do you get kerberized services running.

On a Debian 9 file server (member server of the domain) I was not able to get NFS4 with Kerberos working until I changed from the default rpc.svcgssd to gssproxy for the NFS service. The first was working for subdomain users, but for parent domain users the rpc.svcgssd process went to 100% CPU load and a soft lockup of the kernel. With gssproxy and no other changes all is fine.

These few things took me a lot of time.

Andreas


On 19.01.2018 at 11:50, insrc via samba wrote:
Hi Andreas,

I'm sorry to jump on your thread as I can't really help you here.
But as I have to set up an AD subdomain of a parent domain with the same
requirements as yours apparently (aka parent domain managed by Windows
server holds users/groups accounts on a distant location but the compute
resources and the GPO will be managed locally under a subdomain), I'm just
wondering if you found any good documentation to help you set up your AD
subdomain and if there's any gotcha to be aware of please :-) ?

I'm new to this and it seems that the official wiki doesn't have a lot of
information on the current state of the "trust relationship" support in
Samba 4 or on how to set up a subdomain of a parent domain.

Thanks a lot
Regards,



On Tue, Jan 16, 2018 at 5:49 PM, Andreas Hauffe via samba <samba@xxxxxxxxxxxxxxx> wrote:


On 16.01.2018 at 17:26, Rowland Penny via samba wrote:

On Tue, 16 Jan 2018 16:54:17 +0100
Andreas Hauffe via samba <samba@xxxxxxxxxxxxxxx> wrote:

OK, you are completely right. Here are the real numbers with changed
user names:

drwx------ 43 DOM\user1        DOM\domain-user   4096 Jan 10 08:00 user1
drwx------  5 DOM\user2        DOM\domain-user   4096 Jan 11 08:13 user2
drwx------ 92 DOM\user3        DOM\domain-user   4096 Jan 16 08:39 user3
drwx------  3        133265    DOM\domain-user   4096 Sep  7  2015 user4
drwx------  7        470055    DOM\domain-user   4096 Apr 30  2013 user5
drwx------ 12 DOM\user6        DOM\domain-user   4096 Jan  4 12:46 user6
drwx------ 51 DOM\user7        DOM\domain-user   4096 Jan 15 23:01 user7
drwx------  2         95092    DOM\domain-user   4096 Jul  1  2015 user8
drwx------  3 DOM\user9        DOM\domain-user   4096 Jun  8  2015 user9
....
drwx------  7 DOM\user200      DOM\domain-user   4096 Nov  6  2012 user200

    > wbinfo --uid-info=133265
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 133265

    > wbinfo -i DOM\\user4
DOM\user4:*:133265:10513::/home/user4:/bin/bash

After the last command (wbinfo -i DOM\\user4), "wbinfo --uid-info=133265"
also shows the correct result, and the "ls -l" listing also shows the
user name instead of the uid.


One thing I have spotted:
/etc/krb5.conf should be:

[libdefaults]
       default_realm = DOM2.DOM.TU-DRESDEN.DE
       dns_lookup_realm = false
       dns_lookup_kdc = true

What is 'DOM2' ?
Is it a trusted domain ?

As I said, you are using the 'rid' backend and adding users to AD
shouldn't affect how winbind works. Your user 'user4' must have the RID
'123265' and so should be available as a Unix user.

I take it that the Unix domain member is using the DC as its DNS
nameserver.

Rowland

Actually, it should be and is "DOM2.DOM.EXAMPLE.DE". And this domain
(DOM2) is a subdomain of DOM.EXAMPLE.DE (bidirectional transitive trust).
At our university we have a parent domain "DOM.EXAMPLE.DE" where all the
user accounts are held/administered. Every department has a subdomain for
its services, in our example case "DOM2.DOM.EXAMPLE.DE". The client, and
so the member server, is a member of "DOM2.DOM.EXAMPLE.DE". But most of the
users are from "DOM.EXAMPLE.DE".

And I checked, the RID of the user4 is 123265.

Yes, the DC (actually both DCs) is the DNS server of the Unix member server.


--
Best regards
Andreas Hauffe
Head of the research field "Auslegungsmethoden für Luftfahrzeuge"

----------------------------------------------------------------------------------------------------
Technische Universität Dresden
Institut für Luft- und Raumfahrttechnik / Institute of Aerospace Engineering
Lehrstuhl für Luftfahrzeugtechnik / Chair of Aircraft Engineering

D-01062 Dresden
Germany

phone : +49 (351) 463 38496
fax :  +49 (351) 463 37263
mail : andreas.hauffe@xxxxxxxxxxxxx
Website : http://tu-dresden.de/mw/ilr/lft
----------------------------------------------------------------------------------------------------
Do you know our free laminate analysis code eLamX²? If not, please visit the following web address:
http://www.elamx.de



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


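The auth_to_local mapping Andreas describes above (parent-realm principals become winbind's "DOM\user" form, subdomain principals become plain user names) as an added example that is not code from the thread: a small Python evaluator for MIT krb5 RULE/DEFAULT auth_to_local entries, run over constructed principals. The rule string, the realm layout and the user names are assumptions modelled on the thread.

```python
import re

# Realm names as given in the thread; the host is a member of the subdomain.
LOCAL_REALM = "DOM2.DOM.EXAMPLE.DE"

# Assumed auth_to_local lines for the [realms] entry of LOCAL_REALM: one RULE
# that rewrites parent-realm principals to "DOM\user", then DEFAULT.
# Format (MIT krb5): RULE:[n:string](regexp)s/pattern/replacement/[g]
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](^.*@DOM\.EXAMPLE\.DE$)s/^(.*)@DOM\.EXAMPLE\.DE$/DOM\\\1/",
    "DEFAULT",
]

_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def apply_auth_to_local(principal, rules=AUTH_TO_LOCAL, local_realm=LOCAL_REALM):
    """Return the local user name for a principal, or None if no rule applies."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only applies to single-component principals of the local realm
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        m = _RULE.match(rule)
        if not m:
            raise ValueError("unsupported auth_to_local entry: " + rule)
        n, fmt, regexp, pattern, repl, flag = m.groups()
        if int(n) != len(components):
            continue
        # Build the candidate string: $0 is the realm, $1..$n the components.
        s = fmt.replace("$0", realm)
        for i, comp in enumerate(components, 1):
            s = s.replace(f"${i}", comp)
        if not re.search(regexp, s):
            continue
        # sed-style substitution; 'g' replaces every match, otherwise only the first
        return re.sub(pattern, repl, s, count=0 if flag == "g" else 1)
    return None  # no applicable rule: the library refuses the mapping


if __name__ == "__main__":
    for p in ("user1@DOM.EXAMPLE.DE", "user2@DOM2.DOM.EXAMPLE.DE",
              "nfs/fs.dom2.dom.example.de@DOM2.DOM.EXAMPLE.DE"):
        print(p, "->", apply_auth_to_local(p))
```

A service principal or a principal from an unrelated realm maps to None here, which is the case to watch for when a kerberized service rejects a login that "should" work.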
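The idmap_rid arithmetic Rowland refers to in the quoted exchange, applied to a constructed listing in the shape of Andreas's "ls -l" output, as an added example that is not code from the thread: it flags entries whose owner is a bare uid and works out which RID winbind would have to resolve for them. The idmap range and base_rid are assumptions inferred from the 133265/123265 pair in the thread; the upper range bound is made up.

```python
import re

# Assumed smb.conf idmap settings for the trusted parent domain DOM
# (idmap config DOM : backend = rid, range = 10000-999999, base_rid = 0).
IDMAP_CONFIG = {"DOM": {"range": (10000, 999999), "base_rid": 0}}

# Constructed 'ls -l' lines: three home directories show a raw uid because
# winbind has not resolved the owner to a name.
LS_SAMPLE = """\
drwx------ 43 DOM\\user1   DOM\\domain-user 4096 Jan 10 08:00 user1
drwx------  3      133265  DOM\\domain-user 4096 Sep  7  2015 user4
drwx------  7      470055  DOM\\domain-user 4096 Apr 30  2013 user5
drwx------  2       95092  DOM\\domain-user 4096 Jul  1  2015 user8
"""


def rid_to_uid(rid, domain="DOM"):
    """idmap_rid(8): unix id = RID - BASE_RID + LOW_RANGE_ID, if inside the range."""
    cfg = IDMAP_CONFIG[domain]
    low, high = cfg["range"]
    uid = rid - cfg["base_rid"] + low
    return uid if low <= uid <= high else None


def uid_to_rid(uid, domain="DOM"):
    """Inverse mapping; None means the uid is outside this domain's idmap range."""
    cfg = IDMAP_CONFIG[domain]
    low, high = cfg["range"]
    if not low <= uid <= high:
        return None
    return uid - low + cfg["base_rid"]


# perms links owner group size month day time-or-year name
_LS_LINE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)$")


def unresolved_owners(listing):
    """Return (uid, name) for entries whose owner column is a bare number."""
    out = []
    for line in listing.splitlines():
        m = _LS_LINE.match(line)
        if m and m.group(1).isdigit():
            out.append((int(m.group(1)), m.group(2)))
    return out


def diagnose(listing, domain="DOM"):
    """Map each unresolved uid back to the RID to check with 'wbinfo -i'."""
    return [(uid, name, uid_to_rid(uid, domain)) for uid, name in unresolved_owners(listing)]
```

A RID of None in the result means the uid is not in the configured range for that domain at all, i.e. an idmap range problem rather than a winbind lookup that has not happened yet.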