On Tue, 11 Jul 2017 12:22:36 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 12:16, Rowland Penny wrote:
>
> > Try running this:
> >
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub "(&(objectclass=user)(uidnumber=11029))"
> >
> > This will check if it is a user.
>
> Did so, no entry returned.
>
> --
>
> plus: please note that yesterday all users could work normally ....
>
> > Can you post the smb.conf from the DM (and the DC)
>
> DC:
>
> root at pre01svdeb02:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = BUERO
>         realm = secret.AT
>         netbios name = DC
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         load printers = No
>         printcap name = /dev/null
>         log level = 2
>         dns forwarder = 192.168.16.111
>
>         # lph
>         template shell = /bin/bash
>         sdb:schema update allowed = no
>         time server = yes
>         usershare path
>
> [netlogon]
>         path = /var/lib/samba/sysvol/secret.at/scripts
>         read only = No
>         acl_xattr:ignore system acls = Yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acls = Yes
>
> ----
>
> DM:
>
> root at pre01svdeb01:~# cat /etc/samba/smb.conf
> # This file is managed remotely, all changes will be lost
>
> [global]
>         workgroup = BUERO
>         realm = secret.AT
>         netbios name = SERVER
>
>         security = ADS
>         map to guest = Bad User
>         username map = /etc/samba/smbusers
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
>
>         winbind trusted domains only = no
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>
>         winbind nss info = template
>         template shell = /usr/sbin/nologin
>
>         map untrusted to domain = Yes
>
>         # Default idmap config used for BUILTIN and local accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>
>         # idmap config for domain BUERO
>         idmap config BUERO:backend = rid
>         idmap config BUERO:range = 10000-99999
>         idmap config BUERO:schema_mode = rfc2307

Well, that explains where '11029' is coming from, you are using the 'rid' backend. The user's (or group's) ID will be calculated using this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is by default '0', so it becomes:

ID = RID + LOW_RANGE_ID

So, in your case it becomes

11029 = 1029 + 10000

Of course, using the 'rid' backend means that you do not need to add anything to AD and you do not need this line in smb.conf:

idmap config BUERO:schema_mode = rfc2307

Or you could just change 'idmap config BUERO:backend = rid' to 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in AD.

Rowland
Stefan G. Weichinger
2017-Jul-11 10:58 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 12:51, Rowland Penny wrote:

> Well, that explains where '11029' is coming from, you are using the
> 'rid' backend. The user's (or group's) ID will be calculated using this
> formula:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> BASE_RID is by default '0', so it becomes:
>
> ID = RID + LOW_RANGE_ID
>
> So, in your case it becomes
>
> 11029 = 1029 + 10000

wow

Does that explain in some way why some users work and others not? And why that worked yesterday?

> Of course, using the 'rid' backend means that you do not need to add
> anything to AD and you do not need this line in smb.conf:
>
> idmap config BUERO:schema_mode = rfc2307
>
> Or you could just change 'idmap config BUERO:backend = rid' to 'idmap
> config BUERO:backend = ad' and use the rfc2307 attributes in AD.

I would prefer not to have to decide this. You understand? ;-)

What's the recommendation here, I don't have a clue, I would just like to be able to change this to a working config without doing damage to active sessions, if possible. This is a productive environment right now.

To me it sounds preferable to have everything in AD, right? At least that is what I expect from having all that: all in one place somehow

-

Can't remember exactly where rid comes from, I think it was a recommendation by Louis for my test VM (which then was migrated to this DC).

Please also advise if there are any additional steps needed for any of these solutions. I always feel unsure if and if not to add some ids and mappings somewhere ....

Thanks a lot, Stefan
On Tue, 11 Jul 2017 12:58:14 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 12:51, Rowland Penny wrote:
>
> > Well, that explains where '11029' is coming from, you are using the
> > 'rid' backend. The user's (or group's) ID will be calculated using this
> > formula:
> >
> > ID = RID - BASE_RID + LOW_RANGE_ID
> >
> > BASE_RID is by default '0', so it becomes:
> >
> > ID = RID + LOW_RANGE_ID
> >
> > So, in your case it becomes
> >
> > 11029 = 1029 + 10000
>
> wow
>
> Does that explain in some way why some users work and others not?
> And why that worked yesterday?

Could be.

> > Of course, using the 'rid' backend means that you do not need to add
> > anything to AD and you do not need this line in smb.conf:
> >
> > idmap config BUERO:schema_mode = rfc2307
> >
> > Or you could just change 'idmap config BUERO:backend = rid' to
> > 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in
> > AD.
>
> I would prefer not to have to decide this. You understand? ;-)

I think the decision has been made for you, if anything has been stored on the DM, it will belong to the IDs that the 'rid' backend has created/allocated to your users & groups.

> What's the recommendation here, I don't have a clue, I would just like
> to be able to change this to a working config without doing damage to
> active sessions, if possible. This is a productive environment right
> now.

If you want to use the 'ad' backend, you are going to have to do some work. You will have to find out what is stored on the DM and who owns it. You will then have to find (from AD) the correct ID number. Stop Samba, change smb.conf, restart Samba, then change the ownership of the files etc.

> To me it sounds preferable to have everything in AD, right? At least
> that is what I expect from having all that: all in one place somehow

Having everything in AD gives you the possibility of using different Unix home dirs etc. per person.

> -
>
> Can't remember exactly where rid comes from, I think it was a
> recommendation by Louis for my test VM (which then was migrated to
> this DC).

It should work, but only if the user's or group's RID + 10000 is inside the range you have set in smb.conf (in your case 10000-99999). You can change the upper number in the range to a higher number without affecting anything else, but you will need to reload or restart Samba.

> Please also advise if there are any additional steps needed for any of
> these solutions. I always feel unsure if and if not to add some ids
> and mappings somewhere ....
>

You could ensure that winbind is installed and running (I know it probably is, but...)

Rowland
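Added example, not from the thread or from Samba itself: a small Python script that reads the "idmap config" lines from an smb.conf excerpt like the DM's, applies the rid-backend formula quoted in Rowland's first reply, and reports a RID that would map outside the configured range, which is the failure he describes in his second reply. The smb.conf excerpt and the SID are constructed.

```python
import re

# Constructed smb.conf excerpt, mirroring the DM configuration posted in the thread.
SMB_CONF = """
[global]
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config BUERO:backend = rid
        idmap config BUERO:range = 10000-99999
"""

def parse_idmap_config(conf_text):
    """Return {domain: {"backend": ..., "range": (low, high), "base_rid": int}}."""
    cfg = {}
    pattern = r'^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$'
    for m in re.finditer(pattern, conf_text, re.M):
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        d = cfg.setdefault(dom, {"base_rid": 0})  # Samba defaults base_rid to 0
        if key == "range":
            low, high = val.split("-")
            d["range"] = (int(low), int(high))
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d[key] = val
    return cfg

def rid_to_id(rid, dom_cfg):
    """ID = RID - BASE_RID + LOW_RANGE_ID, as given in the thread.
    Returns None when the result falls outside the domain's range, which is
    exactly the case where winbind cannot map that user or group."""
    low, high = dom_cfg["range"]
    uid = rid - dom_cfg["base_rid"] + low
    return uid if low <= uid <= high else None

def id_to_rid(uid, dom_cfg):
    """Inverse mapping: recover the RID behind an unexplained number like 11029."""
    low, high = dom_cfg["range"]
    if not low <= uid <= high:
        return None
    return uid - low + dom_cfg["base_rid"]

def map_sid(sid, cfg, domain="BUERO"):
    """Split the RID off a SID (last dash-separated component) and map it."""
    rid = int(sid.rsplit("-", 1)[1])
    return rid_to_id(rid, cfg[domain])

if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print(map_sid("S-1-5-21-1111-2222-3333-1029", cfg))  # constructed SID -> 11029
```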