Thank you Rowland for looking into this!

>> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups
>> on the domain member (PARTIALLY DEPENDING if I have the lines with
>> "idmap config *:..." or not ??? - see below)
>
> Have you added uidNumber & gidNumber attributes to the user &
> group objects in AD ?

Not myself, I simply provisioned with --use-rfc2307

> I take it you are using bind9 as the nameserver and you have set it up
> correctly ?
> In which case you will have a line similar to this in
> named.conf.options:
> forwarders { 8.8.8.8; 8.8.4.4; };
>
> So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't recognise
> it, so I suppose Samba won't either, there is the setting 'dns
> forwarder' but this is only used with the internal DNS server and you
> wouldn't use '127.0.0.1'

Well, I simplified the tale: I wanted to have only one domain for all, samba and the rest. Not a subdomain for samba. I have all in bind9 and dhcp. So I looked at samba's dnsupdates the first time, took the dns records and put them fixed in bind9. All the rest of the records of the clients will be generated (included list) from a script. In DHCP I have mostly static assignments. Then I deleted dnsupdate from samba's roles. It works good, forward and reverse.

> > # [netlogon] is on the member server and defined in the user's object
>
> I suggest you put it back

I will. In my eyes netlogon is a share, like any other, and the DC shouldn't share files. I thought it would have been enough to have the netlogon pointer to the file server - in the user's LDAP object.

>> objectClass: posixAccount
>
> You do not need and should not add the POSIX objectclasses

I didn't. I used samba-tool to add the user and the group. And I tried to use most of the parameters of "user add", to learn and see what happens. So samba-tool did it.

> Have you given 'Domain Users' a gidNumber inside the range 5000-30000 ?

No, Domain Users has no GID.
Until now it was unimportant to me. All my users are in the group "hg_allg" with GID 5001. As primary group in unix passwd in the old NT domain.

Oh, I remember something awkward...

Till a couple of days ago, I got the users' UID but NOT THE GROUP's GID. THIS ALWAYS without the lines "idmap config *:..."
I could login from a joined Windows 8.1, I got the logon script running (from the domain member), but the home was not bound to the HOMEDIR. This could happen, because at that time the UID came correctly and matched the old UID of the user.

I got today a kernel update.... and the situation changed, like I said... Now I get GID but no UID.

Somehow spooky...

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706560.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2016-Aug-12 17:04 UTC
[Samba] WINBIND: UID and GID false mappings on domain member
On Fri, 12 Aug 2016 09:41:19 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:

> Thank you Rowland for looking into this!
>
> > Have you added uidNumber & gidNumber attributes to the user &
> > group objects in AD ?
>
> Not myself, I simply provisioned with --use-rfc2307

Just provisioning with --rfc2307 isn't enough, you personally need to add any required RFC2307 attributes.

> > I take it you are using bind9 as the nameserver and you have set it
> > up correctly ?
> > In which case you will have a line similar to this in
> > named.conf.options:
> > forwarders { 8.8.8.8; 8.8.4.4; };
> >
> > So remove 'dns-nameservers 127.0.0.1' from smb.conf, I don't
> > recognise it, so I suppose Samba won't either, there is the setting
> > 'dns forwarder' but this is only used with the internal DNS server
> > and you wouldn't use '127.0.0.1'
>
> Well, I simplified the tale:
> I wanted to have only one domain for all, samba and the rest. Not a
> subdomain for samba.
> I have all in bind9 and dhcp. So I looked at samba's dnsupdates the
> first time, took the dns records and put them fixed in bind9. All the
> rest of the records of the clients will be generated (included list)
> from a script. In DHCP I have mostly static assignments.
> Then I deleted dnsupdate from samba's roles. It works good, forward
> and reverse.

Can I suggest you put dnsupdate back and then set up bind9 on the DC correctly. You can if you wish run DHCP elsewhere, but you can also run it on the DC, I can supply instructions if required.

> > > # [netlogon] is on the member server and defined in the user's
> > > object
> >
> > I suggest you put it back
>
> I will. In my eyes netlogon is a share, like any other, and the DC
> shouldn't share files.
> I thought it would have been enough to have the netlogon pointer to
> the file server - in the user's LDAP object.
>
> >> objectClass: posixAccount
> >
> > You do not need and should not add the POSIX objectclasses
>
> I didn't. I used samba-tool to add the user and the group. And I
> tried to use most of the parameters of "user add", to learn and
> see what happens. So samba-tool did it.

You must be using an old version of samba-tool, it doesn't do that now.

> > Have you given 'Domain Users' a gidNumber inside the range
> > 5000-30000 ?
>
> No, Domain Users has no GID.
> Until now it was unimportant to me. All my users are in the group
> "hg_allg" with GID 5001. As primary group in unix passwd in the old
> NT domain.

No they are not:

dn: CN=test,CN=Users,DC=humgen,DC=0zone
......
primaryGroupID: 513

This makes the user's primary group 'Domain Users' and as such, the primary group must have a gidNumber, or all your users will be ignored by winbind. Do not think of changing the user's primaryGroupID, windows expects all users to be members of 'Domain Users'

> Oh, I remember something awkward...
>
> Till a couple of days ago, I got the users' UID but NOT THE GROUP's GID.
> THIS ALWAYS without the lines "idmap config *:..."
> I could login from a joined Windows 8.1, I got the logon script
> running (from the domain member), but the home was not bound to the
> HOMEDIR. This could happen, because at that time the UID came
> correctly and matched the old UID of the user.
>
> I got today a kernel update.... and the situation changed, like I
> said... Now I get GID but no UID.
>
> Somehow spooky...

No, just that you have set up Samba incorrectly, you are trying to use AD like you used your old NT4-style domain.

Can I suggest that you go and read the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Rowland
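To illustrate the point Rowland makes about primaryGroupID, here is a small audit script added for this thread (not code from the thread or from Samba): it parses ldbsearch-style LDIF and flags users whose uidNumber, or whose primary group's gidNumber, is missing or outside the idmap range. The primary group is resolved from primaryGroupID (a RID), not from the user's own gidNumber, which is why a user can carry gidNumber 5001 and still be ignored. The LDIF entries, domain name and SID are constructed; IDMAP_RANGE is assumed to match the 5000-30000 range quoted in the thread.

```python
import re

# Constructed LDIF in the style of `ldbsearch` output. Only primaryGroupID 513,
# uidNumber 9439 and gidNumber 5001 come from the thread; domain/SID are placeholders.
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: test
primaryGroupID: 513
uidNumber: 9439
gidNumber: 5001

dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-111-222-333-513
"""
IDMAP_RANGE = (5000, 30000)  # assumed 'idmap config DOM : range' from the thread

def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for key, sep, value in (ln.partition(":") for ln in block.splitlines()):
            if sep:
                entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def in_range(values, rng):
    return bool(values) and rng[0] <= int(values[0]) <= rng[1]

def winbind_audit(ldif, rng=IDMAP_RANGE):
    entries = parse_ldif(ldif)
    # Index groups by RID (last SID component); primaryGroupID holds a RID.
    groups = {e["objectSid"][0].rsplit("-", 1)[1]: e
              for e in entries if "group" in e.get("objectClass", [])}
    report = {}
    for e in (x for x in entries if "user" in x.get("objectClass", [])):
        problems = []
        if not in_range(e.get("uidNumber"), rng):
            problems.append("uidNumber missing or outside the idmap range")
        grp = groups.get(e.get("primaryGroupID", [""])[0], {})
        if not in_range(grp.get("gidNumber"), rng):
            gname = grp.get("sAMAccountName", ["<unknown>"])[0]
            problems.append(f"primary group '{gname}' has no usable gidNumber")
        if problems:
            report[e["sAMAccountName"][0]] = problems
    return report
```

Running `winbind_audit(SAMPLE_LDIF)` reports the test user because Domain Users has no gidNumber; appending a gidNumber inside the range to that group entry clears the report.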
> Just provisioning with --rfc2307 isn't enough, you personally need to
> add any required RFC2307 attributes.

But you see my test user has his attributes. From samba-tool. Do you mean the basic objects, the templates for the user and group? If yes, how to do it?

> Can I suggest you put dnsupdate back and then set up bind9 on the DC
> correctly.

I will...

> You must be using an old version of samba-tool, it doesn't do that now.

Version 4.3.9 from the last fresh ubuntu LTS. And I asked on FreeNode, they would not upgrade to the 4.4 branch if 4.3 hasn't bugs...

> No they are not:
>
> dn: CN=test,CN=Users,DC=humgen,DC=0zone
> ......
> primaryGroupID: 513

Oh, I hoped winbind would give me:

uidNumber: 9439
gidNumber: 5001

... from the posix attributes

> This makes the user's primary group 'Domain Users' and as such, the
> primary group must have a gidNumber, or all your users will be ignored
> by winbind. Do not think of changing the user's primaryGroupID, windows
> expects all users to be members of 'Domain Users'

I'll remember this.
How would a group mapping of "domain users" onto my group 5001 (hg_allg) behave?

> No, just that you have set up Samba incorrectly, you are trying to use
> AD like you used your old NT4-style domain.
>
> Can I suggest that you go and read the Samba wiki:

OK, I'll set dnsupdate back and all the rest new. I tried to find my way around the problem with the data's posix rights. Would sssd be a better fit for this? Can you think of a workaround to transfer the current data with the old unix UID/GID, so that the users will see it the same? How should I define the newly created users for this?

Thank you Rowland!

--
View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706568.html