Andrea Cucciarrè
2018-Jun-19 14:10 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
Hello,

I'm trying to set up an omnios system as a Samba DC member, and I need the AD backend for consistent IDs on all Samba clients.
The AD join is successful, and wbinfo shows the AD users:

# /opt/samba/bin/wbinfo -n andrea
S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)

However, "getent passwd ..." returns nothing for the user (all the AD users).

I have enabled debugging and I can see the following relevant error:

[2018/06/19 15:53:54.302030, 5, pid=638, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
  Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
[2018/06/19 15:53:54.302082, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
...
[2018/06/19 15:53:54.309621, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED

Also the command wbinfo fails to convert the SID to a UID:

# /opt/samba/bin/wbinfo -S S-1-5-21-2680195940-2267646359-3814218302-1109
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109 to uid

This is the relevant smb.conf:

==============================
[global]
log file = /opt/samba/log/%m.log
log level = 10
workgroup = HYPERFILE
security = ADS
realm = HYPERFILE.NET
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes

idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config * : schema_mode = rfc2307

idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
idmap config HYPERFILE:unix_primary_group = yes

username map = /opt/samba/etc/user.map
client ldap sasl wrapping = plain
os level = 20
map to guest = bad user
host msdfs = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
load printers = no
====================

If I remove the "idmap config HYPERFILE ..." entries from smb.conf, it works.

Any help would be appreciated.

Regards
Andrea

--
Problem management
Andrea Cucciarrè
Technical Support Engineer | EMEA
acucciarre at cloudian.com
Rowland Penny
2018-Jun-19 15:52 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
On Tue, 19 Jun 2018 16:10:33 +0200
Andrea Cucciarrè via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm trying to set up an omnios system as a Samba DC member, and I need the AD backend for consistent IDs on all Samba clients.
> The AD join is successful, and wbinfo shows the AD users:
>
> # /opt/samba/bin/wbinfo -n andrea
> S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
>
> However, "getent passwd ..." returns nothing for the user (all the AD users).
>
> I have enabled debugging and I can see the following relevant error:
>
> [2018/06/19 15:53:54.302030, 5, pid=638, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>   Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
> [2018/06/19 15:53:54.302082, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
>   resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
> ...
> [2018/06/19 15:53:54.309621, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED
>
> Also the command wbinfo fails to convert the SID to a UID:
>
> # /opt/samba/bin/wbinfo -S S-1-5-21-2680195940-2267646359-3814218302-1109
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
>
> This is the relevant smb.conf:
>
> ==============================
> [global]
> log file = /opt/samba/log/%m.log
> log level = 10
> workgroup = HYPERFILE
> security = ADS
> realm = HYPERFILE.NET
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Data %h
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-2000000
> idmap config * : schema_mode = rfc2307

Hmm, the range is slightly excessive. The '*' domain is for the 'Well Known SIDs' (and there are fewer than 200 of these) and anything outside the domain; do you really expect around '999,800' users & groups from outside the domain to connect to the domain?
You also do not use 'idmap config * : schema_mode = rfc2307' with the '*' domain.

> idmap config HYPERFILE:backend = ad
> idmap config HYPERFILE:schema_mode = rfc2307
> idmap config HYPERFILE:range = 1000-9999
> idmap config HYPERFILE:unix_primary_group = yes

Do you really only have 8,999 users?
Do they have a uidNumber inside the '1000-9999' range?
Does 'Domain Users' have a gidNumber inside the same range?
Neither the uidNumber nor the gidNumber attributes are added automatically, you must add them manually.

And on the subject of the '1000-9999' range, do you not have any Unix users other than the system users?

Rowland
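As an added example (not from the thread, and not Samba's own code), a small Python checker for the points raised above: it parses the idmap lines from the poster's smb.conf and, against a constructed sample of the users' RFC2307 attributes, reports a schema_mode set on the '*' domain, an oversized '*' range (the 100,000 threshold is my own choice) and any uidNumber/gidNumber that is missing from AD or outside the domain's range.

```python
import re

# smb.conf idmap lines copied from the thread above (the poster's own settings).
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config * : schema_mode = rfc2307
idmap config HYPERFILE:backend = ad
idmap config HYPERFILE:schema_mode = rfc2307
idmap config HYPERFILE:range = 1000-9999
idmap config HYPERFILE:unix_primary_group = yes
"""

# Constructed sample of AD RFC2307 attributes; 'bob' models a user nobody filled in.
AD_USERS = {
    "andrea": {"uidNumber": 1109, "gidNumber": 1000},
    "bob": {"uidNumber": None, "gidNumber": 1000},
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def check_idmap(cfg, users):
    """List the misconfigurations that make getent/wbinfo fail to map a SID."""
    problems = []
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in cfg.items() if "range" in o}
    if "schema_mode" in cfg.get("*", {}):    # schema_mode is an 'ad' backend option
        problems.append("*: schema_mode is only meaningful for backend = ad")
    lo, hi = ranges.get("*", (0, 0))         # '*' holds only well-known/foreign SIDs;
    if hi - lo > 100_000:                    # the 100k threshold is my own choice
        problems.append(f"*: range of {hi - lo + 1} ids is far larger than needed")
    for dom, opts in cfg.items():            # backend = ad: both attributes must exist and fit
        if opts.get("backend") != "ad" or dom not in ranges:
            continue
        lo, hi = ranges[dom]
        for name, attrs in users.items():
            for attr in ("uidNumber", "gidNumber"):
                val = attrs.get(attr)
                if val is None:
                    problems.append(f"{dom}\\{name}: {attr} not set in AD")
                elif not lo <= val <= hi:
                    problems.append(f"{dom}\\{name}: {attr}={val} outside {lo}-{hi}")
    return problems
```

Run `check_idmap(parse_idmap(SMB_CONF), AD_USERS)` to list the three findings for the configuration above; feed it the real smb.conf and the attributes from `ldbsearch`/`ldapsearch` to check a live member server.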
Andrea Cucciarrè
2018-Jun-20 07:15 UTC
[Samba] Samba 4.5: trying to setup an omnios system as a DC member
Hello Rowland,

thanks, configuring the uidNumber and gidNumber on the AD fixed the issue, now getent passwd works.

I just have one remaining issue, it seems the ACL doesn't work.
As an example, when I set an ACL with full permission for user andrea:

# /usr/bin/ls -ldV /cache/testsamba/
d---------+ 3 root root 5 Jun 19 19:40 /cache/testsamba/
user:andrea:rwxpdDaARWcCos:fd-----:allow

the user andrea can't mount the share.

I have added the following entries in smb.conf for ACL:

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

and the directory is shared as follows:

[testsamba]
available = yes
browsable = yes
path = /cache/testsamba
read only = no

Am I missing something?

Thanks in advance
Andrea

On 6/19/2018 5:52 PM, Rowland Penny via samba wrote:
> On Tue, 19 Jun 2018 16:10:33 +0200
> Andrea Cucciarrè via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I'm trying to set up an omnios system as a Samba DC member, and I need the AD backend for consistent IDs on all Samba clients.
>> The AD join is successful, and wbinfo shows the AD users:
>>
>> # /opt/samba/bin/wbinfo -n andrea
>> S-1-5-21-2680195940-2267646359-3814218302-1109 SID_USER (1)
>>
>> However, "getent passwd ..." returns nothing for the user (all the AD users).
>>
>> I have enabled debugging and I can see the following relevant error:
>>
>> [2018/06/19 15:53:54.302030, 5, pid=638, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
>>   Search for (uid=andrea) in <dc=HYPERFILE,dc=NET> gave 0 replies
>> [2018/06/19 15:53:54.302082, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1276(resolve_alias_to_username)
>>   resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
>> ...
>> [2018/06/19 15:53:54.309621, 5, pid=638, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>>   Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109: NT_STATUS_NONE_MAPPED
>>
>> Also the command wbinfo fails to convert the SID to a UID:
>>
>> # /opt/samba/bin/wbinfo -S S-1-5-21-2680195940-2267646359-3814218302-1109
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-2680195940-2267646359-3814218302-1109 to uid
>>
>> This is the relevant smb.conf:
>>
>> ==============================
>> [global]
>> log file = /opt/samba/log/%m.log
>> log level = 10
>> workgroup = HYPERFILE
>> security = ADS
>> realm = HYPERFILE.NET
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Data %h
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000-2000000
>> idmap config * : schema_mode = rfc2307
>
> Hmm, the range is slightly excessive. The '*' domain is for the 'Well Known SIDs' (and there are fewer than 200 of these) and anything outside the domain; do you really expect around '999,800' users & groups from outside the domain to connect to the domain?
> You also do not use 'idmap config * : schema_mode = rfc2307' with the '*' domain.
>
>> idmap config HYPERFILE:backend = ad
>> idmap config HYPERFILE:schema_mode = rfc2307
>> idmap config HYPERFILE:range = 1000-9999
>> idmap config HYPERFILE:unix_primary_group = yes
>
> Do you really only have 8,999 users?
> Do they have a uidNumber inside the '1000-9999' range?
> Does 'Domain Users' have a gidNumber inside the same range?
> Neither the uidNumber nor the gidNumber attributes are added automatically, you must add them manually.
>
> And on the subject of the '1000-9999' range, do you not have any Unix users other than the system users?
>
> Rowland
>

--
Problem management
Andrea Cucciarrè
Technical Support Engineer | EMEA
acucciarre at cloudian.com