> Just provisioning with --rfc2307 isn't enough, you personally need to
> add any required RFC2307 attributes.

But you see my test user has his attributes. From samba-tool. Do you mean the basic objects, the templates for the user and group? If yes, how to do it?

> Can I suggest you put dnsupdate back and then setup bind9 on the DC
> correctly.

I will...

> You must be using an old version of samba-tool, it doesn't do that now.

Version 4.3.9 from the last fresh Ubuntu LTS. And I asked on FreeNode, they would not upgrade to the 4.4 branch if 4.3 hasn't bugs...

> No they are not:
>
> dn: CN=test,CN=Users,DC=humgen,DC=0zone
> ......
> primaryGroupID: 513

Oh, I hoped winbind would give me:
uidNumber: 9439
gidNumber: 5001
... from the posix attributes

> This makes the users primary group 'Domain Users' and as such, the
> primary group must have a gidNumber, or all your users will be ignored
> by winbind. Do not think of changing the users primaryGroupID, windows
> expects all users to be members of 'Domain Users'

I'll remember this. How would a group mapping of "domain users" onto my group 5001 (hg_allg) behave?

> No, just that you have set up Samba incorrectly, you are trying to use
> AD like you used your old NT4-style domain.
>
> Can I suggest that you go and read the Samba wiki:

OK, I'll set dnsupdate back and all the rest new. I tried to find my way around the problem with the data's posix rights. Would sssd be a better fit for this? Can you think of a workaround to transfer the current data with the old unix UID/GID, so that the users will see it the same? How should I define the newly created users for this?

Thank you Rowland!

--
View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706568.html
Sent from the Samba - General mailing list archive at Nabble.com.
Rowland Penny
2016-Aug-12 18:22 UTC
[Samba] WINBIND: UID and GID false mappings on domain member
On Fri, 12 Aug 2016 10:42:54 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:

> > Just provisioning with --rfc2307 isn't enough, you personally need
> > to add any required RFC2307 attributes.
>
> But you see my test user has his attributes. From samba-tool. Do you
> mean the basic objects, the templates for the user and group? If yes,
> how to do it?

OOPS, red face time, you are correct, they are there.

> > Can I suggest you put dnsupdate back and then setup bind9 on the DC
> > correctly.
>
> I will...
>
> > You must be using an old version of samba-tool, it doesn't do that
> > now.
>
> Version 4.3.9 from the last fresh ubuntu LTS.
> And I asked on FreeNode, they would not upgrade to the 4.4. branch if
> 4.3 hasn't bugs...

Ubuntu will not want to materially change an LTS version and Samba changes so fast, in fact version 4.5.0 is slated for release in mid September.

> > No they are not:
> >
> > dn: CN=test,CN=Users,DC=humgen,DC=0zone
> > ......
> > primaryGroupID: 513
>
> Oh, I hoped winbind would give me:
> uidNumber: 9439
> gidNumber: 5001
> ... from the posix attributes
>

Well, it will use the uidNumber as the user's Unix UID, but winbind will use the gidNumber attribute from 'Domain Users' and if it isn't found, all users will be ignored. The gidNumber attribute will be used as another group for the user.

> > This makes the users primary group 'Domain Users' and as such, the
> > primary group must have a gidNumber, or all your users will be
> > ignored by winbind. Do not think of changing the users
> > primaryGroupID, windows expects all users to be members of 'Domain
> > Users'
>
> I'll remember this
> How would behave a group mapping of "domain users" on my group 5001
> (hg_allg) ?

You don't map groups anymore.

> > No, just that you have set up Samba incorrectly, you are trying to
> > use AD like you used your old NT4-style domain.
> >
> > Can I suggest that you go and read the Samba wiki:
>
> OK, I'll set dnsupdate back and all the rest new.
> I tryed to find my way around the problem with the data's posix
> rights.
>
> Would be sssd a better fit for this?

No, because it works pretty much like winbind.

> Can you think of a work around, to transfer the current data with the
> old unix UID/GID, so that the users will see it the same?
> How should I define the new created users for this?

Well, you could try creating the users as you have done, but without the gidNumber. Now create (or extend) your group with a gidNumber, now add your users to the group, and provided you copy the data over and set the permissions correctly, I think it should work.

Rowland
rawi
2016-Aug-17 11:54 UTC
[Samba] SOLVED: WINBIND: UID and GID false mappings on domain member
I bump this only to say SOLVED and many thanks to Rowland.

Lessons learned:

1. Indeed, my problems were related to not having a gidNumber for "Domain Users". After adding it I got real wbinfo --user-info on the domain member (file server). My test user could log in to his old home from the NT domain, preserving the old UID and GID.

2. (question = why?) login.bat was called at login time _only_ after moving the [netlogon] share from the domain member to the ad-dc. Why on earth it could not be called from the file server remains a mystery to me. The LDAP field scriptPath was configured: \\member_server\netlogon\login.bat.

3. To bind the homeDrive I had to put a colon (:) after the drive letter.

4. (question = how to change/correct surname, givenName?) wbinfo output is slightly different on ad-dc and domain member with regard to the GECOS field.
   On the ad-dc:
   HUMGEN\test:*:9439:5000: WT. Test --given-name=Want To:/home/HUMGEN/test:/bin/false
   The GECOS on the ad-dc is composed from initials + surname + givenName.
   On the domain member (real GECOS field or maybe description):
   test:*:9439:5000:Want to Test://hg004.humgen.0zone/test/linhome:/bin/bash
   The GECOS from the ad-dc will be sent as FullName to a joined Windows 8.1 computer. The fields surname and givenName (I gave them to samba-tool when creating the test user) are not visible in the output of ldbsearch. So, how would one modify the surname after a woman married and changed it?

5. (bug?) Adding "hosts allow =" on the ad-dc breaks everything. wbinfo will give no output on the ad-dc and an error on the domain member.

6. After spying on what dnsupdate does (rndc dumpdb -zones) I could take the server service dnsupdate out of smb.conf and insert the records statically in bind9. So I have all my subnet uniformly in one place (dhcp+bind, forward+reverse) regardless of whether the computer or printer is in the domain or not.

7. The share [homes] (on the domain member) will, after a generic path=/path/to/homes, generate a share like \\file-server\test and inside this is again a directory test. So to have the home directory content directly inside the homeDrive one has to declare path=/path/to/homes/%S.

8. With a combination of chmod g+s on a directory and "inherit permissions" in smb.conf I can avoid a lot of the acl default hassle and administer the file system like in the old linux times, acl remaining a possibility.

9. Given the developments it's a pity that Ubuntu Xenial LTS won't upgrade to the latest branch. If I move my NT domain to 4.3 now I'll stay there for the next 10 years, for fear of breaking something.

All the above is common knowledge for all of you. These were discoveries for me after sleeping the last 12 years behind an old Samba NT domain :)

Thanks to all the Samba team and forum helpers for making it happen again and again.

rawi

--
View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706722.html
Sent from the Samba - General mailing list archive at Nabble.com.
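Worked example for the mapping rule Rowland states in his reply and for lesson 1 above. This is added code, not from rawi, Rowland or the Samba project: a small Python model that reads an ldbsearch-style LDIF dump and reports what each user would get under that rule (uidNumber becomes the Unix UID, the Unix primary GID is the gidNumber of the group whose RID equals the user's primaryGroupID, i.e. 513 = Domain Users, and the user's own gidNumber is only a supplementary group), flagging users whose primary group carries no gidNumber as ignored. The sample directory, its SIDs and the group DNs are constructed; supplementary groups are taken from the user's gidNumber and from direct `member` entries only (no nested groups), which is an assumption of the model, not a statement about winbind internals. It also emits the LDIF change record that gives 'Domain Users' a gidNumber, which is what you would feed to ldbmodify on the DC.

```python
"""Offline model of the winbind mapping rule discussed in this thread.

Added example (not from the thread, not Samba code).  Assumptions: the
directory dump below is constructed; group membership is read from direct
'member' attributes only; the primary GID comes from the gidNumber of the
group whose RID equals primaryGroupID (513 = Domain Users).
"""

from collections import defaultdict


def parse_ldif(text):
    """Return a list of records (attr -> list of values) from LDIF text.

    Handles folded continuation lines (leading space) and '#' comments.
    Base64 values ('attr:: ...') are kept undecoded; none are needed here.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded:
        if not line.strip():               # blank line ends a record
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
    if current is not None:
        records.append(current)
    return records


def rid(sid):
    """Relative identifier: the last component of an S-1-5-21-... SID string."""
    return int(sid.rsplit("-", 1)[1])


def winbind_view(text):
    """Map sAMAccountName -> {'uid','gid','extra_gids'} or {'ignored': reason}."""
    recs = parse_ldif(text)
    groups_by_rid = {rid(r["objectSid"][0]): r for r in recs if "group" in r["objectClass"]}
    view = {}
    for u in (r for r in recs if "user" in r["objectClass"]):
        name = u["sAMAccountName"][0]
        if "uidNumber" not in u:
            view[name] = {"ignored": "user has no uidNumber"}
            continue
        pg_rid = int(u.get("primaryGroupID", ["513"])[0])
        pgroup = groups_by_rid.get(pg_rid)
        if pgroup is None or "gidNumber" not in pgroup:
            # This is the failure mode of the thread: the user vanishes from wbinfo.
            view[name] = {"ignored": "primary group RID %d has no gidNumber" % pg_rid}
            continue
        primary_gid = int(pgroup["gidNumber"][0])
        extra = {int(g) for g in u.get("gidNumber", [])}       # own gidNumber: extra group only
        for g in groups_by_rid.values():                      # direct membership (assumption)
            if u["dn"][0] in g.get("member", []) and "gidNumber" in g:
                extra.add(int(g["gidNumber"][0]))
        extra.discard(primary_gid)
        view[name] = {"uid": int(u["uidNumber"][0]), "gid": primary_gid,
                      "extra_gids": sorted(extra)}
    return view


def add_gidnumber_ldif(group_dn, gid):
    """LDIF change record giving a group a gidNumber (input for ldbmodify)."""
    return "dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %d\n" % (group_dn, gid)


# Constructed sample, shaped like ldbsearch output; SIDs are made up.
SAMPLE = """dn: CN=Domain Users,CN=Users,DC=humgen,DC=0zone
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
objectClass: top
objectClass: group
sAMAccountName: hg_allg
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 5001
member: CN=test,CN=Users,DC=humgen,DC=0zone

dn: CN=test,CN=Users,DC=humgen,DC=0zone
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: test
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
primaryGroupID: 513
uidNumber: 9439
gidNumber: 5001
"""

# Same directory after 'Domain Users' has been given gidNumber 5000.
SAMPLE_FIXED = SAMPLE.replace("3333333333-513\n", "3333333333-513\ngidNumber: 5000\n", 1)

if __name__ == "__main__":
    print("before:", winbind_view(SAMPLE)["test"])        # ignored
    print("after: ", winbind_view(SAMPLE_FIXED)["test"])  # uid 9439, gid 5000, extra [5001]
    print(add_gidnumber_ldif("CN=Domain Users,CN=Users,DC=humgen,DC=0zone", 5000))
```

Run it with a real dump (`ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=user)(objectClass=group))' dn objectClass sAMAccountName objectSid primaryGroupID uidNumber gidNumber member` on the DC; the sam.ldb path is the packaged default, check yours) to spot users that will silently drop out of wbinfo before you start moving data. Pipe the emitted LDIF into `ldbmodify -H /var/lib/samba/private/sam.ldb` on the DC, then `net cache flush` on the member before re-running `wbinfo -i`.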