Hi,

I am hoping someone can point out what I am doing wrong. I am upgrading samba from 3.0.37 to 3.5.6 and running into trouble with idmapping using ADS security. I have multiple linux boxes running 3.0.37 and when I execute getent passwd I get:

# getent passwd DOMAIN+gregorcy
gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash

on all the boxes running 3.0.37.

On my new box running 3.5.6 I get:

# getent passwd DOMAIN+gregorcy
gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash

Which is not what I had hoped for. Both machines are joined to my domain and allow me to ssh into them using my AD cred, just the uid & gid are not lining up.

My 3.0.37 smb.conf

> [global]
> workgroup = DOMAIN
> netbios name = harley
> realm = DOMAIN.UTAH.EDU
> server string = harley
> security = ADS
> preferred master = no
> client use spnego = yes
> server signing = auto
> encrypt passwords = yes
> nt acl support = yes
> acl map full control = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> template shell = /bin/false
> password server = *
> log level = 3
> log file = /var/log/samba/%m
> max log size = 100
> preferred master = No
> dns proxy = No
> wins server = 192.168.1.100 192.168.1.101
> winbind cache time = 0
> winbind nested groups = yes
> allow trusted domains = No
> idmap backend = rid:KPAK=500-100000000
> idmap uid = 500-100000000
> idmap gid = 500-100000000
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> obey pam restrictions = yes

My 3.5.6 smb.conf

> [global]
> workgroup = DOMAIN
> netbios name = vwww3
> realm = DOMAIN.UTAH.EDU
> server string = web3
> security = ADS
> preferred master = no
> client use spnego = yes
> server signing = auto
> encrypt passwords = yes
> nt acl support = yes
> acl map full control = yes
> wide links = no
> password server = *
> log level = 3
> log file = /var/log/samba/%m
> max log size = 100
> wins server = 192.168.1.100 192.168.1.101
> winbind offline logon = yes
> idmap domains = default, domain.utah.edu
> idmap config default: default = yes
> idmap config domain.utah.edu: range = 500-100000000
> idmap config domain.utah.edu: backend = ad
> idmap alloc backend = tdb
> idmap uid = 500-100000000
> idmap gid = 500-100000000
> winbind separator = +
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind nested groups = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> template shell = /bin/bash
> allow trusted domains = yes

Thanks for any help,
Brian Gregorcy
Hi Brian,

the id mapping configuration has changed (again) between 3.2 and 3.3. The "idmap domains" setting has vanished.

Could you try and use the id mapping config from your 3.0 setup, i.e. simply this

> > idmap backend = rid:KPAK=500-100000000
> > idmap uid = 500-100000000
> > idmap gid = 500-100000000

instead of this:

> > idmap domains = default, domain.utah.edu
> > idmap config default: default = yes
> > idmap config domain.utah.edu: range = 500-100000000
> > idmap config domain.utah.edu: backend = ad
> > idmap alloc backend = tdb
> > idmap uid = 500-100000000
> > idmap gid = 500-100000000

Er, btw, can it be that "KPAK" should actually read "DOMAIN" in the first section? ;-)

Then, for debugging, please paste the output of

"wbinfo -n DOMAIN+gregorcy"

It should list the sid of gregorcy. I expect the rid to be 2433.

What I think happened is that your 3.5 config fell back to tdb id mapping because the domain "DOMAIN" did not match the domain name "domain.utah.edu" that you gave in the idmap config...

The recommended setting would be to have a tdb backend default idmap range and explicit and disjoint ranges with rid backend for various domains like this:

idmap backend = tdb
idmap uid = 100000-199999
idmap gid = 100000-199999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 200000-299999

(see man idmap_rid)

But you should not change your config in that way if you are updating a production server, since it would change the uids/gids that users are accessing the disk with, and so, permissions and ownerships would be broken.

Hope this helps,

Michael

gregorcy wrote:
> Hi,
>
> I am hoping someone can point out what I am doing wrong, I am upgrading samba from 3.0.37 to 3.5.6 and running into
> trouble with idmapping using ADS security.
> [...]
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
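Michael's diagnosis rests on how the rid backend derives unix ids: with idmap_rid's default base_rid of 0, id = low end of the range + RID, so a RID of 2433 in the range 500-100000000 gives uid 2933 (and the gid 1013 implies RID 513, Domain Users), while a host that has silently fallen back to tdb allocation hands out small sequential ids like 502/506 instead. The script below is an added example for this thread, not code from the thread or from the Samba project; it parses `wbinfo -n` and `getent passwd` output (the values are the ones Brian posted, embedded as constructed sample input), computes the rid-derived id for a given range, and flags a host whose actual uid does not match. The helper names (`check_host`, `rid_to_id`, and so on) are my own, and the mapping rule assumed is the one documented in man idmap_rid. It also computes what the same RID would become under Michael's recommended disjoint range, which is exactly why he warns against switching a production server.

```python
import re

# Constructed sample input: the SID and the two getent lines are the values
# posted in this thread; the "wbinfo -n" output shape matches what Brian pasted.
WBINFO_LINE = "S-1-5-21-3579845861-693198353-1953747050-2433 SID_USER (1)"
GETENT_SAMBA_3_0 = "gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash"
GETENT_SAMBA_3_5 = "gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash"

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid):
    """Split a domain account SID into (domain_sid, rid)."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def parse_wbinfo_n(line):
    """Parse one line of 'wbinfo -n NAME' output ('<SID> <type> (<n>)')."""
    return split_sid(line.split()[0])


def parse_range(spec):
    """Parse an idmap range such as '500-100000000' into (low, high)."""
    low, high = (int(x) for x in spec.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {spec!r}")
    return low, high


def rid_to_id(rid, low, high):
    """idmap_rid with the default base_rid of 0 (assumed here): id = low + rid.
    Returns None when the result falls outside the configured range, i.e. when
    winbind would refuse to map that SID with this backend."""
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


def id_to_rid(unix_id, low, high):
    """Inverse of rid_to_id; None if the id is not inside the range."""
    return unix_id - low if low <= unix_id <= high else None


def uid_gid_from_getent(line):
    """Pull (uid, gid) out of a 'getent passwd' line."""
    fields = line.split(":")
    return int(fields[2]), int(fields[3])


def check_host(wbinfo_line, getent_line, range_spec):
    """Compare the uid winbind actually handed out with the one idmap_rid would
    derive from the account's RID. A mismatch is the symptom in this thread:
    the host is allocating ids from another backend (tdb) for that domain, so
    file ownership will not line up with the hosts that map with rid."""
    _, rid = parse_wbinfo_n(wbinfo_line)
    low, high = parse_range(range_spec)
    expected = rid_to_id(rid, low, high)
    actual_uid, actual_gid = uid_gid_from_getent(getent_line)
    return {
        "rid": rid,
        "expected_uid": expected,
        "actual_uid": actual_uid,
        # primary-group RID the gid implies under rid mapping (513 = Domain Users)
        "implied_gid_rid": id_to_rid(actual_gid, low, high),
        "consistent": expected is not None and expected == actual_uid,
    }


if __name__ == "__main__":
    for label, getent in (("3.0.37", GETENT_SAMBA_3_0), ("3.5.6", GETENT_SAMBA_3_5)):
        print(label, check_host(WBINFO_LINE, getent, "500-100000000"))
    # what the same account would become under the recommended disjoint range
    print("rid 2433 in 200000-299999 ->", rid_to_id(2433, 200000, 299999))
```

Run on the two pasted outputs, the 3.0.37 host reports consistent (2933 = 500 + 2433, gid 1013 implies RID 513) and the 3.5.6 host does not (502 is not rid-derived). Under the recommended range 200000-299999 the same RID maps to 202433, a different owner for every file the user already created, which is the breakage Michael describes.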
That fixed it, thanks.

>> Er, btw, can it be that "KPAK" should actually read "DOMAIN" in
>> the first section? ;-)

Yep, typo on my part. I was trying different configs and made that error.

3.5

> wbinfo -n DOMAIN+gregorcy
> S-1-5-21-3579845861-693198353-1953747050-2433 SID_USER (1)

3.0.37

> wbinfo -n CHEMENG+gregorcy
> S-1-5-21-3579845861-693198353-1953747050-2433 User (1)

Works :)

Thanks for the help,
--Brian

On 11/10/10 14:38, Michael Adam wrote:
> Hi Brian,
>
> the id mapping configuration has changed (again) between 3.2 and
> 3.3. The "idmap domains" setting has vanished.
> [...]