On 12 June 2015 at 08:55, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> Thanks buhorojo. The sssd list came up trumps here. When changing ID
> mappings, the sssd database must be manually removed (rm
> /var/lib/sss/db/*). I now have sssd working again :)
>
> I shall keep an eye on the mappings during the day today..
Sadly, even though sssd is now running and I'm no longer reliant on
winbind, the rest of samba doesn't seem to be taking notice of these
mappings - again, only after a period of time (it's OK at first, but
then switches to the wrong mappings).
Output from 'smbstatus' might be more illustrative here. Earlier on
(after 'net flush cache' and samba restart) we can see that the UID
mapping is correct:
Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------------------------------------------
24497 41000 DENY_ALL 0x100080 RDONLY NONE /share/path . Fri Jun 12 18:43:54 2015
but now (after it has been running some time) I get this for the same user:
Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------------------------------------------
22340 3000007 DENY_NONE 0x100081 RDONLY NONE /share/path . Fri Jun 12 21:46:11 2015
I have just restarted the server, just in case there was some old
process using winbind rather than sssd (in nsswitch.conf I have 'files
sss' for both passwd and group) - unfortunately no change. This is the
same user, as shown by the SID ending -1234 here:
[root at dc1 ~]# net cache list | grep -e -1234
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234 Timeout: Fri Jun 19 21:52:23 2015 Value: 3000007:B
Key: IDMAP/GID2SID/3000007 Timeout: Fri Jun 19 21:52:23 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/41000 Timeout: Fri Jun 19 21:52:23 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/3000007 Timeout: Fri Jun 19 21:52:23 2015 Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Perhaps it's better to post the complete output from 'testparm',
rather than my smb.conf itself, as this will show default values as
well as those set in smb.conf (in smb.conf I just have 'idmap_ldb:use
rfc2307', no other idmap or winbind lines).
[root at dc1 ~]# testparm
[...]
[global]
workgroup = MYDOMAIN
realm = mydomain.my.tld
interfaces = eth0 lo
bind interfaces only = Yes
server role = active directory domain controller
passdb backend = samba_dsdb
log file = /usr/local/samba/var/log.%I
template shell = /bin/bash
# dns is taken out via "-dns" in smb.conf as I use BIND
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
# the next two lines are set in smb.conf
idmap_ldb:use rfc2307 = yes
dsdb:schema update allowed = true
#
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
include = /usr/local/samba/etc/smb.conf-0.0.0.0
vfs objects = dfs_samba4 acl_xattr
Share configurations are no more complex than:
[sharename]
comment = A share name
path = /path/to/files
read only = No
create mask = 0664
directory mask = 02775
browseable = No
in fact, one of the shares in question is precisely this:
[users]
path = /home
read only = no
And samba is
[root at dc1 ~]# smbd -V
Version 4.2.2
built from source with nothing fancier than "./configure ; make ; make install"
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
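An added check, not from the thread or from Samba itself, that parses `net cache list` output like the listing above and flags any SID cached against more than one UID (or GID), which is exactly the stale-mapping symptom shown in this mail. The sample lines are constructed from the post's placeholder SID; mail clients often wrap these records, so the parser joins continuation lines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's 'net cache list' output.
# The SID is the post's own placeholder, not a real domain SID.
SAMPLE = """\
Key: IDMAP/SID2XID/S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Timeout: Fri Jun 19 21:52:23 2015 Value: 3000007:B
Key: IDMAP/GID2SID/3000007 Timeout: Fri Jun 19 21:52:23 2015
Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/41000 Timeout: Fri Jun 19 21:52:23 2015
Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
Key: IDMAP/UID2SID/3000007 Timeout: Fri Jun 19 21:52:23 2015
Value: S-1-5-21-xxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234
"""

# One record: "Key: <key> Timeout: <timestamp> Value: <value>"
RECORD = re.compile(
    r"Key:\s*(?P<key>\S+)\s+Timeout:\s*(?P<timeout>.+?)\s+Value:\s*(?P<value>\S+)"
)

def parse_cache(text):
    """Return (key, timeout, value) tuples, re-joining wrapped records."""
    records, current = [], ""
    for line in text.splitlines():
        if line.startswith("Key:"):          # a new record starts here
            if current:
                records.append(current)
            current = line.strip()
        else:                                # continuation of a wrapped record
            current += " " + line.strip()
    if current:
        records.append(current)
    parsed = []
    for rec in records:
        m = RECORD.search(rec)
        if m:
            parsed.append((m.group("key"), m.group("timeout"), m.group("value")))
    return parsed

def conflicting_sids(text):
    """Map SID -> {'UID2SID': [xids], 'GID2SID': [xids]} for every SID that
    the cache maps to more than one UID or more than one GID."""
    by_sid = defaultdict(lambda: defaultdict(set))
    for key, _timeout, value in parse_cache(text):
        if key.startswith(("IDMAP/UID2SID/", "IDMAP/GID2SID/")):
            _, kind, xid = key.split("/", 2)
            by_sid[value][kind].add(xid)
    return {sid: {k: sorted(v) for k, v in kinds.items() if len(v) > 1}
            for sid, kinds in by_sid.items()
            if any(len(v) > 1 for v in kinds.values())}
```

Run it against `net cache list` output before and after the mappings drift; a non-empty result means the cache holds two UNIX IDs for one SID and is worth flushing and re-checking.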