I'm coming from a Debian system so my system accounts are below 1000, regular accounts start at 1000. For some historical reason somebody gave our main group id 500, so therefore I want my usable range to start at 500.

Do I need both idmap config *:range and idmap config SAMDOM:range? I also tried with only 'idmap config *:range' but that didn't seem to help. I'll try again tomorrow.

I also noticed that my second AD didn't have rfc2307 enabled so that may also have introduced some issues.

@Stefan Kania, thanks for the 'net cache flush', I didn't know that.

Nico

On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny <rpenny at samba.org> wrote:

> On 07/12/15 12:52, Nico De Ranter wrote:
>
>> Hello again,
>>
>> I'm getting close to a working setup but still run into glitches here and
>> there.
>>
>> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
>> winbind configured. I've set up a number of accounts with Unix
>> properties. I've been primarily testing with my own account which works
>> just fine. I've now assigned Unix properties to another account. When I
>> run 'wbinfo -i' on the AD server I see the correct info:
>>
>> root@dc1:~# wbinfo -i test
>> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>>
>> When I try the same thing on the client I get:
>>
>> root@testpc2:~# wbinfo -i test
>> test:*:4294967295:4294967295::/home/test:/bin/bash
>>
>> I also tried some other accounts and got the same result. The only account
>> that seems to work fine is my own account (and no it is not in /etc/passwd
>> :-)
>>
>> Any idea what might be wrong?
>>
>> smb.conf on the client:
>>
>> [global]
>> security = ADS
>> workgroup = OFFICE
>> realm = WIN.OFFICE
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> winbind refresh tickets = yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind offline logon = yes
>>
>> client signing = yes
>> client use spnego = yes
>>
>> idmap config = ad
>> winbind nss info = rfc2307
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap backend = tdb
>> idmap range = 100-499
>>
>> # idmap config for domain OFFICE
>> idmap config OFFICE : backend = ad
>> idmap config OFFICE : schema_mode = rfc2307
>> idmap config OFFICE : range = 500-29999
>
> Your 'idmap config' block really should look like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> Also why are you using such strange ID numbers?
>
> Rowland
>
>> It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
>> 9999, 10000
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82
M. +32 497 91 53 78

<http://www.esaturnus.com>
On 07/12/15 16:08, Nico De Ranter wrote:
>
> I'm coming from a Debian system so my system accounts are below 1000,
> regular accounts start at 1000. For some historical reason somebody
> gave our main group id 500, so therefore I want my usable range to start
> at 500.

Bad idea, you will probably need at least one local Unix user, where are you going to put it? My advice would be to follow the Samba wiki and use the numbers you will find there.

> Do I need both idmap config *:range and idmap config SAMDOM:range? I
> also tried with only 'idmap config *:range' but that didn't seem to
> help. I'll try again tomorrow.

Yes you do, the first is for the builtin user & group mappings and the second is for your AD users & groups.

> I also noticed that my second AD didn't have rfc2307 enabled so that
> may also have introduced some issues.

Not really, all the info should be in AD, you probably just need to add 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.

Rowland

> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>
> Nico
>
> [...]
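A check for the idmap block and for the 4294967295 value seen above, added here as an example; it is not code from the thread or from the Samba project. It assumes only the 'idmap config DOMAIN : option = value' syntax of smb.conf(5) and the passwd-style output of 'wbinfo -i'. The two configs and the two wbinfo lines embedded in it are constructed from what Nico and Rowland posted; 4294967295 is (uint32_t)-1, the value winbind hands back when it has no Unix ID for a SID.

```python
import re

# 4294967295 == (uint32_t)-1: what winbind reports as uid/gid when it
# resolved the account but has no Unix ID for its SID ("unmapped").
UNMAPPED_ID = 2 ** 32 - 1

# idmap config DOMAIN : option = value   (spaces around ':' are allowed)
IDMAP_CONFIG_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:=]+)\s*:\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", re.I)
# old-style 'idmap backend = ...' / 'idmap range = ...' lines
LEGACY_IDMAP_RE = re.compile(r"^\s*idmap\s+(backend|range|uid|gid)\s*=", re.I)
ANY_IDMAP_CONFIG_RE = re.compile(r"^\s*idmap\s+config\b", re.I)

# Constructed sample: the idmap lines of the client smb.conf from the thread.
CLIENT_CONF = """\
idmap config = ad
winbind nss info = rfc2307
idmap backend = tdb
idmap range = 100-499
idmap config OFFICE : backend = ad
idmap config OFFICE : schema_mode = rfc2307
idmap config OFFICE : range = 500-29999
"""
# Constructed sample: the block Rowland recommended.
RECOMMENDED_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
"""
# Constructed samples: the two 'wbinfo -i test' results from the thread.
WBINFO_DC = r"OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false"
WBINFO_CLIENT = "test:*:4294967295:4294967295::/home/test:/bin/bash"


def parse_idmap(conf_text):
    """{DOMAIN: {option: value}} for every 'idmap config' line (domains upper-cased)."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_CONFIG_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(value):
    """'500-29999' -> (500, 29999); ValueError on anything else."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo < 0 or lo > hi:
        raise ValueError("invalid range %r" % value)
    return lo, hi


def check_idmap(conf_text):
    """List the problems in an idmap block; [] means it is sane."""
    problems = []
    for line in conf_text.splitlines():
        if LEGACY_IDMAP_RE.match(line):
            problems.append("not 'idmap config DOMAIN : option' form: " + line.strip())
        elif ANY_IDMAP_CONFIG_RE.match(line) and not IDMAP_CONFIG_RE.match(line):
            problems.append("malformed 'idmap config' line: " + line.strip())
    cfg = parse_idmap(conf_text)
    ranges = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append("%s: no backend" % dom)
        try:
            ranges[dom] = parse_range(opts.get("range", ""))
        except ValueError:
            problems.append("%s: missing or bad range %r" % (dom, opts.get("range")))
    if "*" not in cfg:
        problems.append("no 'idmap config *' block for the BUILTIN/default mappings")
    doms = sorted(ranges)          # every pair of ranges must be disjoint
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append("ranges overlap: %s %s vs %s %s" % (a, ranges[a], b, ranges[b]))
    return problems


def locate_domain(cfg, unix_id):
    """The configured domain whose range contains unix_id, else None."""
    for dom, opts in cfg.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= unix_id <= hi:
                return dom
    return None


def parse_wbinfo_line(line):
    """One passwd-style 'wbinfo -i' line -> dict; flags the 4294967295 sentinel."""
    name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
    uid, gid = int(uid), int(gid)
    return {"name": name, "uid": uid, "gid": gid, "gecos": gecos, "home": home,
            "shell": shell, "unmapped": UNMAPPED_ID in (uid, gid)}


if __name__ == "__main__":
    for label, conf, line in (("client", CLIENT_CONF, WBINFO_CLIENT),
                              ("recommended", RECOMMENDED_CONF, WBINFO_DC)):
        cfg, e = parse_idmap(conf), parse_wbinfo_line(line)
        print(label, "problems:", check_idmap(conf) or "none")
        print("  ", e["name"], "unmapped" if e["unmapped"] else "uid -> %s, gid -> %s"
              % (locate_domain(cfg, e["uid"]), locate_domain(cfg, e["gid"])))
```

Run as-is it reports the shape problems of the client config (the line 'idmap config = ad' with no domain, the old 'idmap backend'/'idmap range' lines, and no 'idmap config *' block) and flags the client's wbinfo line as unmapped. With Rowland's ranges, the DC's entry lands its uid 10000 in SAMDOM but its gid 500 in no range at all, which is the collision with the historical gid 500 that Nico describes. Note that uid 10000 does fall inside the client's OFFICE range 500-29999, so the script tells you where to look; it cannot say which of these made winbind return (uid_t)-1 for one particular SID.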
I always wondered why reserve 8000 IDs for built-in accounts. I see ~40 built-in groups in ADUC and 2 such users (Administrator and Guest)...

Ole

On 07.12.2015 at 17:27, Rowland penny wrote:
> On 07/12/15 16:08, Nico De Ranter wrote:
>>
>> Do I need both idmap config *:range and idmap config SAMDOM:range?
>> I also tried with only 'idmap config *:range' but that didn't seem to
>> help. I'll try again tomorrow.
>
> Yes you do, the first is for the builtin user & group mappings and the
> second is for your AD users & groups.
>
> [...]
>
>> On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>>     Your 'idmap config' block really should look like this:
>>
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000-9999
>>     idmap config SAMDOM:backend = ad
>>     idmap config SAMDOM:schema_mode = rfc2307
>>     idmap config SAMDOM:range = 10000-99999
>>
>>     Also why are you using such strange ID numbers?
>>
>>     Rowland
>>
>> [...]
On Mon, Dec 7, 2015 at 5:27 PM, Rowland penny <rpenny at samba.org> wrote:

> On 07/12/15 16:08, Nico De Ranter wrote:
>
>> I'm coming from a Debian system so my system accounts are below 1000,
>> regular accounts start at 1000. For some historical reason somebody gave
>> our main group id 500, so therefore I want my usable range to start at 500.
>
> Bad idea, you will probably need at least one local Unix user, where are
> you going to put it? My advice would be to follow the Samba wiki and use
> the numbers you will find there.

It may be a bad idea but it is the reality I need to live with. I'm adding an AD domain to an existing Linux network. Renumbering my existing Linux users (and therefore ownership of all files on all Linux systems) is simply out of the question.

However I intend to assign Unix properties to all my users and groups in AD, hand-picking the IDs to match the existing ones anyway. Any new user will get an id above 10000.

>> Do I need both idmap config *:range and idmap config SAMDOM:range? I
>> also tried with only 'idmap config *:range' but that didn't seem to help.
>> I'll try again tomorrow.
>
> Yes you do, the first is for the builtin user & group mappings and the
> second is for your AD users & groups.
>
>> I also noticed that my second AD didn't have rfc2307 enabled so that may
>> also have introduced some issues.
>
> Not really, all the info should be in AD, you probably just need to add
> 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
>
> Rowland
>
>> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>>
>> Nico

Nico
Hi Nico,

You can change the defaults in Samba, but read the whole e-mail first.

Look here: http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

By default Active Directory starts assigning UIDs/GIDs both at 10000. Adapt the following two attributes to your needs and save the changes.

msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

If you run the following, you can change the UID/GID. Take notice of the following: Debian PAM has settings with minimum uid=1000, so change those also if needed. There may be more things to adjust for uid 500+.

############ copy/paste this. ( 6 lines, beware of line breaks. )
# works if your dns domain has 2 dots like internal.domain.tld
#
# 'samba-tool domain info' prints "Netbios domain : NAME" and "Forest : fqdn";
# the cut calls strip the label and the leading space.
NETBIOSNAME=$(samba-tool domain info `hostname -f` | grep Netbios | cut -d":" -f2 | cut -c2-100)
FOREST_DC=$(samba-tool domain info `hostname -f` | grep Forest | cut -d":" -f2)
# $FOREST_DC is deliberately unquoted so the leading space is dropped before splitting on '.'
FOREST_SUB_DC1=$(echo $FOREST_DC | cut -d"." -f1 | cut -c1-100)
FOREST_SUB_DC2=$(echo $FOREST_DC | cut -d"." -f2 | cut -c1-100)
FOREST_SUB_DC3=$(echo $FOREST_DC | cut -d"." -f3)
#
ldbedit -H /var/lib/samba/private/sam.ldb -s base -b CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=${FOREST_SUB_DC1},DC=${FOREST_SUB_DC2},DC=${FOREST_SUB_DC3}
############ copy/paste this.

BUT! What I would do in your case:

Export the current users to csv from the old domain. Import the users with the correct uid, and the same for the groups. Leave the Samba defaults for uid/gid at 10000. So every new user starts from 10000; this way you can slowly move away from the low uids/gids.

I have a csv set up like this:

Department;First_Letter_of_firstname.;Surename;Firstname_full;loginname;phone-nr;emailadres;

And I import like this:

cat /home/samba/backup/users.csv | awk -F ";" '{system("/usr/bin/samba-tool user create "$5" --mail-address="$7" \
--given-name="$2" --surname=\""$3"\" --telephone-number="$6" --department="$1" --description=\""$1"\" \
--random-password --userou=ou=Company ")}';

For you, just add the things from below:

  --rfc2307-from-nss          Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell)
  --nis-domain=NIS_DOMAIN     User's Unix/RFC2307 NIS domain
  --unix-home=UNIX_HOME       User's Unix/RFC2307 home directory
  --uid=UID                   User's Unix/RFC2307 username
  --uid-number=UID_NUMBER     User's Unix/RFC2307 numeric UID
  --gid-number=GID_NUMBER     User's Unix/RFC2307 primary GID number
  --gecos=GECOS               User's Unix/RFC2307 GECOS field
  --login-shell=LOGIN_SHELL   User's Unix/RFC2307 login shell

So a few suggestions which you can adapt to your environment.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Nico De Ranter
> Sent: Tuesday, 8 December 2015 9:52
> To: Rowland penny
> CC: samba
> Subject: Re: [Samba] userid shows 4294967295
>
> [...]
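Louis's awk one-liner builds each samba-tool command as a string and hands it to system(), so a CSV field that contains a quote, a ';' or a '$(...)' either breaks the command or gets executed by the shell, and a field beginning with '-' would be read as an option. The following is an added example, not code from the thread or from the Samba project: it reads the same ';'-separated layout (with uid and gid columns appended, an assumption), checks the hand-picked IDs against the range winbind will map on the clients, and runs samba-tool with an argv list and no shell. The options are the ones listed above for 'samba-tool user create', the OU 'ou=Company' is the one from the awk line, and the sample rows are constructed, not real accounts.

```python
import csv
import io
import re
import subprocess

SAMBA_TOOL = "/usr/bin/samba-tool"
USER_OU = "ou=Company"      # assumption: the OU from the awk one-liner in the thread

# Assumed column order: the thread's layout plus uid and gid appended.
FIELDS = ["department", "initial", "surname", "firstname",
          "login", "phone", "mail", "uid", "gid"]

# Constructed sample rows (not real accounts).  The apostrophe and the quoted
# "; $(id)" would break or alter a command built by string concatenation and
# handed to a shell; as argv elements they are ordinary data.
SAMPLE_CSV = (
    "Sales;J;O'Brien;Jane;jobrien;+32 16 40 00 01;jobrien@example.com;1048;500\n"
    'IT;T;"Smith; $(id)";Tom;tsmith;+32 16 40 00 02;tsmith@example.com;10001;10000\n'
    "Ops;B;Bad;Bob;bad login;+32 16 40 00 03;bob@example.com;abc;500\n"
)

# A login name the positional argument and --uid can take safely: it can
# never start with '-' and so cannot be mistaken for an option.
LOGIN_RE = re.compile(r"^[a-z][a-z0-9._-]{0,19}$")


def parse_rows(text):
    """Split a ';'-separated CSV into dicts keyed by FIELDS (a quoted ';' is kept)."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter=";")
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def validate_row(row, min_id=500, max_id=29999):
    """Reject odd logins and uid/gid outside the range winbind maps on the
    clients (default: the OFFICE range 500-29999 from the thread)."""
    issues = []
    if not LOGIN_RE.match(row["login"]):
        issues.append("login %r is not a plain lowercase name" % row["login"])
    for key in ("uid", "gid"):
        if not row[key].isdigit() or not min_id <= int(row[key]) <= max_id:
            issues.append("%s %r outside %d-%d" % (key, row[key], min_id, max_id))
    if "@" not in row["mail"]:
        issues.append("mail %r does not look like an address" % row["mail"])
    return issues


def build_create_argv(row):
    """argv for 'samba-tool user create': each field is one --option=value
    argument, never interpolated into a shell string."""
    return [
        SAMBA_TOOL, "user", "create", row["login"],
        "--random-password",
        "--userou=" + USER_OU,
        "--mail-address=" + row["mail"],
        "--given-name=" + row["firstname"],
        "--surname=" + row["surname"],
        "--telephone-number=" + row["phone"],
        "--department=" + row["department"],
        "--description=" + row["department"],
        "--uid=" + row["login"],
        "--uid-number=" + row["uid"],
        "--gid-number=" + row["gid"],
        "--unix-home=/home/" + row["login"],
        "--login-shell=/bin/bash",
    ]


def plan_import(text):
    """(commands, rejected): argv lists for valid rows, (login, issues) for the rest."""
    commands, rejected = [], []
    for row in parse_rows(text):
        issues = validate_row(row)
        if issues:
            rejected.append((row["login"], issues))
        else:
            commands.append(build_create_argv(row))
    return commands, rejected


def run_import(text, dry_run=True):
    """Execute the plan with subprocess and no shell; dry_run only prints it.
    Returns (created, skipped) counts."""
    commands, rejected = plan_import(text)
    for login, issues in rejected:
        print("skipping %r: %s" % (login, "; ".join(issues)))
    for argv in commands:
        if dry_run:
            print(argv)                          # shown as a list on purpose
        else:
            subprocess.run(argv, check=True)     # shell=False: argv passed verbatim
    return len(commands), len(rejected)


if __name__ == "__main__":
    run_import(SAMPLE_CSV, dry_run=True)
```

With the sample rows the first two become samba-tool calls (the surname "Smith; $(id)" reaches samba-tool as one literal argument) and the third is skipped for its login name and its non-numeric uid. Switch to dry_run=False on the DC, as root, once the printed plan looks right; the min_id/max_id defaults should match the 'idmap config DOMAIN:range' you actually use on the clients.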