On 27 May 2017 12:45:
> On Sat, 27 May 2017 11:02:36 +0000 Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:
> The other lines never did anything on a DC.

Thank you, I've removed them now.

> Unless you manually add uidNumber attributes to users and gidNumber
> attributes to groups, id mapping on a DC is done in idmap.ldb and
> results in ID numbers in the 3000000 range.

My add_user script keeps track of uidNumbers and makes sure they're unique.

> If you rely on idmap.ldb for your ID mappings, you will need to keep
> idmap.ldb in sync on both DCs, otherwise you are very likely to get
> different user & group IDs on each DC. This is only a concern if you
> use the DCs as a fileserver.

I do use the DCs as fileservers using glusterfs, but I only map one DC's share, keeping the other as a cold spare. I'd like to improve that so that I can hot-swap the logon scripts to make users map shares on different servers.

This is the last piece now - getting the uids showing up on the file system so I can use usernames instead of uidNumbers. I can add idmap.ldb syncing into my add_user script, but at the moment the filesystem is showing uids from uidNumber, not the xidNumber in idmap.ldb. Which way is correct?

> You also mentioned [homes], this does not work on a DC, see here:

Thank you - I missed that. I've now got my 'users' share working and I can see my files!

> When you upgraded Samba, did libnss_winbind.so get upgraded as well ?

Yes, I believe it did. I've done the 'ldconfig -v | grep winbind' and then checked the timestamp of libnss_winbind.so and it's recent.

Thank you very much for your input,
Tim
On Sat, 27 May 2017 12:15:46 +0000 Tim ODriscoll via samba <samba at lists.samba.org> wrote:
> On 27 May 2017 12:45:
> > On Sat, 27 May 2017 11:02:36 +0000
> > Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:
> > The other lines never did anything on a DC.
> Thank you, I've removed them now.
>
> > Unless you manually add uidNumber attributes to users and gidNumber
> > attributes to groups, id mapping on a DC is done in idmap.ldb and
> > results in ID numbers in the 3000000 range.
> My add_user script keeps track of uidNumbers and makes sure they're
> unique.

There are a couple of attributes in AD that you can use to do this.

> > If you rely on idmap.ldb for your ID mappings, you will need to keep
> > idmap.ldb in sync on both DCs, otherwise you are very likely to get
> > different user & group IDs on each DC. This is only a concern if you
> > use the DCs as a fileserver.
> I do use the DCs as fileservers using glusterfs, but I only map one
> DC's share, keeping the other as a cold spare. I'd like to improve
> that so that I can hot-swap the logon scripts to make users map
> shares on different servers.

OK, you only need to keep idmap.ldb in sync if you use both DCs as fileservers or if you are using GPOs.

> This is the last piece now - getting the uids showing up on the
> file system so I can use usernames instead of uidNumbers. I can add
> idmap.ldb syncing into my add_user script, but at the moment the
> filesystem is showing uids from uidNumber, not the xidNumber in
> idmap.ldb. Which way is correct?

The xidNumber attributes in idmap.ldb are created automatically, but if the user is given a uidNumber attribute, this will always be used instead.

Rowland
On 27 May 2017 13:38:
> There are a couple of attributes in AD that you can use to do this.

I've got uidNumber and gidNumber set properly, so I think I've got that covered...

> OK, you only need to keep idmap.ldb in sync if you use both DCs as
> fileservers or if you are using GPOs.

Great - I can do that.

> The xidNumber attributes in idmap.ldb are created automatically, but if
> the user is given a uidNumber attribute, this will always be used
> instead.

Right, so my uidNumber and gidNumber attributes are working fine it seems, but they're not mapping at the filesystem level. I've got winbind in my nsswitch.conf. I don't want to grant user access to the servers via ssh or anything, so I don't need pam_winbind, right?

What does the mapping of uidNumber to username on the filesystem so I can use chown etc?

Many thanks again,
Tim
On Sat, 27 May 2017 12:53:16 +0000 Tim ODriscoll via samba <samba at lists.samba.org> wrote:
> I've got winbind in my nsswitch.conf. I don't want to grant user
> access to the servers via ssh or anything, so I don't need
> pam_winbind, right?
>
> What does the mapping of uidNumber to username on the filesystem so I
> can use chown etc?

Er, the same thing as the thing that would allow ssh to work ;-)

Unless you set a template shell in smb.conf your users will get '/bin/false' and so will not be able to log in locally.

Rowland
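To make the rule Rowland states above concrete (a uidNumber on the user object always wins over the xidNumber allocated in idmap.ldb) and the uniqueness check Tim's add_user script has to perform, here is an added Python example that is not part of this thread and not Samba's own code. The LDIF records, SIDs and ID values are constructed samples, and parse_ldif, effective_ids and duplicate_uids are hypothetical helper names; a real check would feed it the output of ldbsearch against sam.ldb and idmap.ldb.

```python
import re
from collections import Counter
# Constructed AD user dump (real RFC2307/AD attribute names, made-up values).
# tim and alice share a uidNumber on purpose; bob has none and must fall back to idmap.ldb.
AD_USERS_LDIF = """\
dn: CN=tim,CN=Users,DC=example,DC=lan
sAMAccountName: tim
objectSid: S-1-5-21-1111-2222-3333-1104
uidNumber: 10001

dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1105
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
objectSid: S-1-5-21-1111-2222-3333-1106
"""
# Constructed idmap.ldb records: the automatically allocated xidNumbers (3000000 range).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000012

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
xidNumber: 3000015
"""
def parse_ldif(text):
    # Minimal LDIF reader: one dict per blank-line separated record (no line folding).
    return [{k.strip(): v.strip() for k, _, v in (l.partition(":") for l in chunk.splitlines())}
            for chunk in re.split(r"\n\s*\n", text.strip())]

def effective_ids(users_ldif, idmap_ldif):
    # Rule from the thread: uidNumber on the user always wins; otherwise the xidNumber
    # allocated for that SID in idmap.ldb is used; a SID found in neither place is unmapped.
    xid_by_sid = {r["objectSid"]: int(r["xidNumber"]) for r in parse_ldif(idmap_ldif)}
    def resolve(u):
        if "uidNumber" in u:
            return "uidNumber", int(u["uidNumber"])
        xid = xid_by_sid.get(u["objectSid"])
        return ("idmap.ldb", xid) if xid is not None else ("unmapped", None)
    return {u["sAMAccountName"]: resolve(u) for u in parse_ldif(users_ldif)}

def duplicate_uids(users_ldif):
    # uidNumbers handed to more than one user: what add_user must prevent, since such
    # users are indistinguishable on the filesystem (chown, ACLs) and only one name wins.
    counts = Counter(int(u["uidNumber"]) for u in parse_ldif(users_ldif) if "uidNumber" in u)
    return sorted(uid for uid, n in counts.items() if n > 1)
```

Run against real exports, a non-empty result from duplicate_uids is the condition to fix before syncing idmap.ldb between the DCs, because no amount of idmap syncing repairs two users sharing a uidNumber.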