Norman Gaywood
2018-Mar-02 03:32 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
On 1 March 2018 at 18:49, Rowland Penny <rpenny at samba.org> wrote:

> > idmap range not specified for domain '*'
> > ERROR: Invalid idmap range for domain *!
>
> You haven't set the 'idmap config' lines correctly, which may mean you
> are using sssd instead. If this is the case, then you are asking in the
> wrong place, you need to ask on the sssd-users mailing list.

After reading a lot about idmap conf and idmap backends, I'm thinking
that what I've been doing is not expressible with idmap.

What I need is what is described, much better than I did, here:

https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP

That is:

Samba will authenticate against AD, and then utilize the normal 'getent'
system calls to gather the uid/gid numbers, and those will come from
OpenLDAP, and/or the local system files as configured within the
nsswitch.conf file.

Is this type of setup still possible?

-- 
Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood at une.edu.au  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Rowland Penny
2018-Mar-02 09:37 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
On Fri, 2 Mar 2018 14:32:15 +1100
Norman Gaywood <ngaywood at une.edu.au> wrote:

> On 1 March 2018 at 18:49, Rowland Penny <rpenny at samba.org> wrote:
>
> > > idmap range not specified for domain '*'
> > > ERROR: Invalid idmap range for domain *!
> >
> > You haven't set the 'idmap config' lines correctly, which may mean
> > you are using sssd instead. If this is the case, then you are
> > asking in the wrong place, you need to ask on the sssd-users
> > mailing list.
>
> After reading a lot about idmap conf and idmap backends, I'm thinking
> that what I've been doing is not expressible with idmap.
>
> What I need is what is described, much better than I did, here:
>
> https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
>
> That is:
>
> Samba will authenticate against AD, and then utilize the normal
> 'getent' system calls to gather the uid/gid numbers, and those will
> come from OpenLDAP, and/or the local system files as configured
> within the nsswitch.conf file.
>
> Is this type of setup still possible?
>

Your Samba machine can be a Unix active directory domain member or it
can be a member of an NT4-style domain that uses ldap, it cannot be
both.

It can also authenticate from an ldap server on another machine, in
this case, it wouldn't be a domain member.

It should be possible to authenticate to the ldap server (or AD), but
you are getting into a bit of a mess here. Your users will need to
exist (separately) everywhere.

I think you should consider just joining the Samba machine to the AD
domain and use the 'rid' backend. This way, your users & groups are
only stored in one place and you do not need to add anything to AD.

Rowland
Norman Gaywood
2018-Mar-03 06:27 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
On 2 March 2018 at 20:37, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Your Samba machine can be a Unix active directory domain member or it
> can be a member of an NT4-style domain that uses ldap, it cannot be
> both.
> It can also authenticate from an ldap server on another machine, in
> this case, it wouldn't be a domain member.
> It should be possible to authenticate to the ldap server (or AD), but
> you are getting into a bit of a mess here. Your users will need to
> exist (separately) everywhere.
>

The users do exist separately everywhere (openldap and AD). Both openldap
and AD are provisioning targets from the identity management system, so
they both contain the users. AD does not have uid/gid information.

> I think you should consider just joining the Samba machine to the AD
> domain and use the 'rid' backend. This way, your users & groups are
> only stored in one place and you do not need to add anything to AD.
>

So the way I understand this, my samba server is joined to the AD domain.
I think I know this because I can retrieve usernames and SID info from
wbinfo.

Also, reading the idmap_rid man page, unix uid/gid numbers are determined
algorithmically from the SID. But that would be wrong, would it not? The
uid/gid numbers are already defined on the unix system. So idmap_rid would
not use the correct uid/gid numbers. Or am I missing something?

I'm thinking perhaps I should implement an idmap_script backend that does
something similar to idmap_nis.sh

https://searchcode.com/codesearch/view/29414590/

But, instead of using ypmatch (as in idmap_nis.sh) I would use
"getent passwd" calls instead to map between uid/gid and the SID number
from wbinfo.

Thanks for listening and helping :-)

-- 
Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood at une.edu.au  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
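The idmap_script approach Norman sketches above, written out as an added example (this is not code from the thread and not part of Samba; it follows the SIDTOID/IDTOSID request and UID:/GID:/SID:/ERR: reply format documented for the idmap_script backend). Winbind resolves a SID to a name with wbinfo -s, the name is then looked up through nsswitch with getent so the uid/gid numbers come from OpenLDAP or the local files; the reverse direction goes getent then wbinfo -n. The domain name EXAMPLE, the script path, the idmap ranges, and every SID, user name and uid/gid number in the fake_wbinfo/fake_getent tables are constructed so the script runs offline; the script also assumes the Unix user name equals the AD account name.

```shell
#!/bin/sh
# idmap-getent.sh: an idmap_script backend that keeps the uid/gid numbers
# already published via nsswitch (OpenLDAP or /etc/passwd) instead of
# deriving them from the RID.  Added example, not Samba project code.
#
# winbind invokes:  idmap-getent.sh SIDTOID S-1-5-21-...   -> UID:n | GID:n | ERR:text
#                   idmap-getent.sh IDTOSID UID:5001       -> SID:S-1-... | ERR:text
#
# Assumed smb.conf fragment (domain, path and ranges are assumptions; the
# script range must cover the uid/gid numbers that getent actually returns,
# otherwise winbind discards the mapping):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000000-3999999
#   idmap config EXAMPLE : backend = script
#   idmap config EXAMPLE : script  = /usr/local/sbin/idmap-getent.sh
#   idmap config EXAMPLE : range   = 1000-999999

: "${WBINFO:=wbinfo}"   # set WBINFO=fake_wbinfo GETENT=fake_getent to run offline
: "${GETENT:=getent}"
bs='\'

# Constructed stand-ins for wbinfo/getent so the script runs offline.  Output
# mirrors the real tools: "DOMAIN\name type" for wbinfo -s, "S-1-... SID_TYPE (n)"
# for wbinfo -n, passwd/group lines for getent.  All values are made up.
fake_wbinfo() {
  case "$1 $2" in
    "-s S-1-5-21-1111-2222-3333-1104") printf '%s\n' 'EXAMPLE\alice 1' ;;
    "-s S-1-5-21-1111-2222-3333-2001") printf '%s\n' 'EXAMPLE\science 2' ;;
    "-n alice")   printf '%s\n' 'S-1-5-21-1111-2222-3333-1104 SID_USER (1)' ;;
    "-n science") printf '%s\n' 'S-1-5-21-1111-2222-3333-2001 SID_DOM_GROUP (2)' ;;
    "-n backup")  printf '%s\n' 'S-1-5-21-1111-2222-3333-2002 SID_DOM_GROUP (2)' ;;
    *) return 1 ;;
  esac
}
fake_getent() {
  case "$1 $2" in
    "passwd alice"|"passwd 5001")  printf '%s\n' 'alice:x:5001:6001:Alice:/home/alice:/bin/sh' ;;
    "passwd backup"|"passwd 5002") printf '%s\n' 'backup:x:5002:5002:Backup:/var/backup:/sbin/nologin' ;;
    "group science"|"group 6001")  printf '%s\n' 'science:x:6001:alice' ;;
    *) return 2 ;;
  esac
}

# SIDTOID: SID -> "DOMAIN\name type" via winbind -> uid/gid via nsswitch.
sid_to_id() {
  sid=$1
  if ! line=$("$WBINFO" -s "$sid" 2>/dev/null) || [ -z "$line" ]; then
    printf 'ERR:unknown SID %s\n' "$sid"; return 0
  fi
  type=${line##* }              # trailing SID-type number (1 user, 2 domain group, 4 alias)
  name=${line% *}               # "DOMAIN\name"
  name=${name##*"$bs"}          # strip "DOMAIN\"; assumes Unix name == AD account name
  case $type in
    1)   db=passwd; tag=UID ;;
    2|4) db=group;  tag=GID ;;
    *)   printf 'ERR:unsupported SID type %s for %s\n' "$type" "$sid"; return 0 ;;
  esac
  if entry=$("$GETENT" "$db" "$name" 2>/dev/null) && [ -n "$entry" ]; then
    printf '%s:%s\n' "$tag" "$(printf '%s\n' "$entry" | cut -d: -f3)"
  else
    printf 'ERR:no %s entry for %s\n' "$db" "$name"
  fi
}

# IDTOSID: uid/gid -> name via nsswitch -> SID via winbind, refusing a name
# that resolves to the wrong object class (a Unix user sharing its name with
# an AD group must not be mapped to that group's SID).
id_to_sid() {
  kind=${1%%:*}; num=${1#*:}
  case $kind in
    UID) db=passwd ;;
    GID) db=group ;;
    *)   printf 'ERR:bad id %s\n' "$1"; return 0 ;;
  esac
  if ! entry=$("$GETENT" "$db" "$num" 2>/dev/null) || [ -z "$entry" ]; then
    printf 'ERR:no %s entry for %s\n' "$db" "$num"; return 0
  fi
  name=${entry%%:*}
  if ! out=$("$WBINFO" -n "$name" 2>/dev/null) || [ -z "$out" ]; then
    printf 'ERR:winbind does not know %s\n' "$name"; return 0
  fi
  t=${out##*"("}; t=${t%")"}    # SID type number from "(n)"
  case "$kind:$t" in
    UID:1|GID:2|GID:4) printf 'SID:%s\n' "${out%% *}" ;;
    *) printf 'ERR:%s resolves to SID type %s, not a %s\n' "$name" "$t" "$kind" ;;
  esac
}

main() {
  case $1 in
    SIDTOID) sid_to_id "$2" ;;
    IDTOSID) id_to_sid "$2" ;;
    *)       printf 'ERR:unknown request %s\n' "$1" ;;
  esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Try it offline with `WBINFO=fake_wbinfo GETENT=fake_getent sh idmap-getent.sh SIDTOID S-1-5-21-1111-2222-3333-1104`, which prints `UID:5001`. Two things to verify before relying on something like this: that every uid/gid getent can return lies inside the `idmap config EXAMPLE : range`, and that the name-based hop really is unambiguous in your directory, which is what the SID-type check in id_to_sid guards against.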