On Mon, 23 Jul 2018 14:48:00 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
> > 2018-07-19 23:59 GMT+08:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >>
> >> Please see inline comments.
> >>
> >> On Thu, 19 Jul 2018 23:44:48 +0800
> >> d tbsky <tbskyd at gmail.com> wrote:
> >>
> >>> thanks a lot for the quick help. I remember in old days it
> >>> happened sometimes. but after upgrading rhel 7.5 (from samba 4.6.x
> >>> to 4.7.1) and samba DC 4.7/4.8 it now happens every time.
> >>> below is the smb.conf configuration from the member server
> >>>
> >>> [global]
> >>> workgroup = SAMDOM
> >>> netbios name = backup
> >>> realm = AD.SAMDOM.EXAMPLE.COM
> >>> security = ads
> >>>
> >>> idmap backend = tdb
> >>
> >> Remove the above line
> >>
> >>> idmap config *:backend = tdb
> >>> idmap config *:range = 1000000-1999999
> >>>
> >>> idmap config SAMDOM:backend = ad
> >>> idmap config SAMDOM:default = yes
> >>
> >> You do not need the above line.
> >>
> >>> idmap config SAMDOM:range = 1000-999999
> >>> idmap config SAMDOM:schema_mode = rfc2307
> >>>
> >>> winbind enum users = yes
> >>> winbind enum groups = yes
> >>> winbind nested groups = no
> >>> winbind use default domain = yes
> >>> winbind offline logon = no
> >>
> >> You do not need the above line.
> >>
> >> I know you said in your other email that you are using samba-tool
> >> to create the users, but how, please provide an example.
> >>
> >
> > Hi:
> > sorry for the late reply. I was busy downgrading/upgrading samba
> > versions of dc and member servers, trying to tune the configuration and
> > watch the log. today I gave up RHEL samba 4.6.x and 4.7.1 rpms and
> > recompiled samba for the member servers myself. both 4.7.1 and 4.7.8 are
> > working fine.
> >
> > so there are some problems with recent RHEL samba packages,
> > although they worked fine years ago. maybe mit kerberos or some other
> > issue I don't know (is a samba file server without ad-dc also affected
> > by the kerberos type?). I will try to report to RedHat bugzilla.
> >
> > thanks a lot for your help!
>
> Hi:
> after more testing, my previous conclusion is wrong. it's not a RHEL
> package problem, but a samba bug/feature. I have tried samba 4.7.1 and
> 4.7.8.
> with the configuration below (which is a new config option after samba
> 4.6), everything is fine. without the configuration, samba
> 4.6/4.7 seems unable to find the primary group id, although it is already
> set and shows correctly if the user tries to authenticate.
>
> idmap config SAMDOM:unix_primary_group = yes

That isn't a bug, it is a feature ;-)
Before 4.6.0 everyone got 'Domain Users' as their primary Unix group,
but from 4.6.0, you can give users a gidNumber attribute and, with the
line above, this will be used for the user's primary Unix group.
Whatever gidNumber is used, this must point to a group i.e. the group
must have the same gidNumber.
If the line doesn't exist, it falls back to using Domain Users, so
Domain Users must have a gidNumber.

Rowland
2018-07-23 16:04 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 14:48:00 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>
>> 2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
>> > 2018-07-19 23:59 GMT+08:00 Rowland Penny via samba
>> > <samba at lists.samba.org>:
>> >>
>> >> Please see inline comments.
>> >>
>> >> On Thu, 19 Jul 2018 23:44:48 +0800
>> >> d tbsky <tbskyd at gmail.com> wrote:
>> >>
>> >>> thanks a lot for the quick help. I remember in old days it
>> >>> happened sometimes. but after upgrading rhel 7.5 (from samba 4.6.x
>> >>> to 4.7.1) and samba DC 4.7/4.8 it now happens every time.
>> >>> below is the smb.conf configuration from the member server
>> >>>
>> >>> [global]
>> >>> workgroup = SAMDOM
>> >>> netbios name = backup
>> >>> realm = AD.SAMDOM.EXAMPLE.COM
>> >>> security = ads
>> >>>
>> >>> idmap backend = tdb
>> >>
>> >> Remove the above line
>> >>
>> >>> idmap config *:backend = tdb
>> >>> idmap config *:range = 1000000-1999999
>> >>>
>> >>> idmap config SAMDOM:backend = ad
>> >>> idmap config SAMDOM:default = yes
>> >>
>> >> You do not need the above line.
>> >>
>> >>> idmap config SAMDOM:range = 1000-999999
>> >>> idmap config SAMDOM:schema_mode = rfc2307
>> >>>
>> >>> winbind enum users = yes
>> >>> winbind enum groups = yes
>> >>> winbind nested groups = no
>> >>> winbind use default domain = yes
>> >>> winbind offline logon = no
>> >>
>> >> You do not need the above line.
>> >>
>> >> I know you said in your other email that you are using samba-tool
>> >> to create the users, but how, please provide an example.
>> >>
>> >
>> > Hi:
>> > sorry for the late reply. I was busy downgrading/upgrading samba
>> > versions of dc and member servers, trying to tune the configuration and
>> > watch the log. today I gave up RHEL samba 4.6.x and 4.7.1 rpms and
>> > recompiled samba for the member servers myself. both 4.7.1 and 4.7.8 are
>> > working fine.
>> >
>> > so there are some problems with recent RHEL samba packages,
>> > although they worked fine years ago. maybe mit kerberos or some other
>> > issue I don't know (is a samba file server without ad-dc also affected
>> > by the kerberos type?). I will try to report to RedHat bugzilla.
>> >
>> > thanks a lot for your help!
>>
>> Hi:
>> after more testing, my previous conclusion is wrong. it's not a RHEL
>> package problem, but a samba bug/feature. I have tried samba 4.7.1 and
>> 4.7.8.
>> with the configuration below (which is a new config option after samba
>> 4.6), everything is fine. without the configuration, samba
>> 4.6/4.7 seems unable to find the primary group id, although it is already
>> set and shows correctly if the user tries to authenticate.
>>
>> idmap config SAMDOM:unix_primary_group = yes
>
> That isn't a bug, it is a feature ;-)
> Before 4.6.0 everyone got 'Domain Users' as their primary Unix group,
> but from 4.6.0, you can give users a gidNumber attribute and, with the
> line above, this will be used for the user's primary Unix group.
> Whatever gidNumber is used, this must point to a group i.e. the group
> must have the same gidNumber.
> If the line doesn't exist, it falls back to using Domain Users, so
> Domain Users must have a gidNumber.
>
> Rowland

Hi:
yes I like this feature and from now on I will use this feature.
but unfortunately the fallback (default setting) is not working.
I think it is a bug because "idmap config SAMDOM:unix_primary_group =
no" is not working as expected, although I will never use that again.
On Mon, 23 Jul 2018 16:46:50 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> >> >>> idmap config SAMDOM:range = 1000-999999
> >> idmap config SAMDOM:unix_primary_group = yes
> >
> > That isn't a bug, it is a feature ;-)
> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
> > group, but from 4.6.0, you can give users a gidNumber attribute
> > and, with the line above, this will be used for the user's primary
> > Unix group. Whatever gidNumber is used, this must point to a group
> > i.e. the group must have the same gidNumber.
> > If the line doesn't exist, it falls back to using Domain Users, so
> > Domain Users must have a gidNumber.
> >
> > Rowland
>
> Hi:
> yes I like this feature and from now on I will use this feature.
> but unfortunately the fallback (default setting) is not working.
> I think it is a bug because "idmap config SAMDOM:unix_primary_group =
> no" is not working as expected, although I will never use that again.

That is the default setting and as such, the line doesn't need to be
there unless you want/need to set it to 'yes'.
If it isn't set then Domain Users must have a gidNumber attribute
containing a number inside the range set in smb.conf, in your case
'1000-999999'.
If a gidNumber isn't set in the user's object (again inside the range)
and Domain Users doesn't have a gidNumber, then all your users will be
ignored.

Rowland
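The rules Rowland lays out across the thread (a user's gidNumber counts only when `unix_primary_group = yes`, must sit inside the domain's idmap range, and must belong to an existing group; otherwise winbind falls back to Domain Users, which then needs its own in-range gidNumber, or the user is ignored) fail silently, so the symptom is just users disappearing from lookups. The Python script below is an added example, not code from the thread or from Samba: it models those rules locally over a constructed smb.conf fragment and constructed user/group records (the names, numbers and helper functions are all assumptions, not winbind's own logic) and reports which users would end up without a usable primary group, plus the two smb.conf lines Rowland said to drop.

```python
"""Audit smb.conf idmap_ad settings against AD user/group attributes.

Added example: the smb.conf fragment, the user/group records and the
helper functions are constructed for illustration; they model the rules
described in the mailing-list thread, not winbind's own code.
"""
import re

# Constructed smb.conf fragment, following the member server config in the thread.
CONF = """\
[global]
workgroup = SAMDOM
realm = AD.SAMDOM.EXAMPLE.COM
security = ads
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 1000-999999
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_primary_group = yes
"""

# Constructed AD objects: group name -> gidNumber, and user records.
GROUPS = {"Domain Users": 10000, "developers": 10001}
USERS = [
    {"name": "alice", "uidNumber": 10100, "gidNumber": 10001},  # matches 'developers'
    {"name": "bob",   "uidNumber": 10101, "gidNumber": None},   # no gidNumber set
    {"name": "carol", "uidNumber": 10102, "gidNumber": 20000},  # no group has 20000
    {"name": "dave",  "uidNumber": 10103, "gidNumber": 5},      # below the range
]


def parse_global(conf):
    """Return the [global] options as {key: value}; keys are lower-cased and
    whitespace around ':' in 'idmap config DOMAIN:option' keys is removed."""
    opts, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", key.strip().lower())
            opts[key] = value.strip()
    return opts


def parse_bool(value):
    """smb.conf boolean: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def idmap_range(opts, domain):
    """Parse 'idmap config DOMAIN:range = LOW-HIGH' into (low, high)."""
    raw = opts.get(f"idmap config {domain.lower()}:range", "")
    match = re.fullmatch(r"(\d+)\s*-\s*(\d+)", raw)
    if not match:
        raise ValueError(f"missing or malformed idmap range for {domain}")
    return int(match.group(1)), int(match.group(2))


def resolve_primary_gid(user, opts, groups, domain="SAMDOM"):
    """Return (gid, reason); gid is None when no usable primary group exists,
    which is the 'user is ignored' case described in the thread."""
    low, high = idmap_range(opts, domain)

    def in_range(n):
        return n is not None and low <= n <= high

    if not in_range(user.get("uidNumber")):
        return None, "uidNumber missing or outside the idmap range"
    use_attr = parse_bool(
        opts.get(f"idmap config {domain.lower()}:unix_primary_group", "no"))
    gid = user.get("gidNumber")
    if use_attr and gid is not None:
        if not in_range(gid):
            return None, "gidNumber outside the idmap range"
        if gid not in groups.values():
            return None, "no group carries this gidNumber"
        return gid, "taken from the user's gidNumber"
    fallback = groups.get("Domain Users")
    if not in_range(fallback):
        return None, "Domain Users has no gidNumber inside the range"
    return fallback, "fallback to Domain Users"


def audit(conf, users, groups, domain="SAMDOM"):
    """Resolve every user and flag the smb.conf lines the thread says to drop."""
    opts = parse_global(conf)
    findings = []
    if "idmap backend" in opts:
        findings.append("remove the obsolete 'idmap backend' line")
    if f"idmap config {domain.lower()}:default" in opts:
        findings.append(f"'idmap config {domain}:default' is not needed")
    results = {u["name"]: resolve_primary_gid(u, opts, groups, domain) for u in users}
    return results, findings


if __name__ == "__main__":
    results, findings = audit(CONF, USERS, GROUPS)
    for name, (gid, reason) in results.items():
        print(f"{name:8} gid={gid!s:6} {reason}")
    for finding in findings:
        print("smb.conf:", finding)
```

Run against real data, the `GROUPS` and `USERS` dictionaries would be filled from `samba-tool user show`/`group show` output or an LDAP query; the point of the script is that a user whose gidNumber has no matching group, or a Domain Users group with no gidNumber when the option is unset, is flagged before anyone notices the user missing from `getent passwd`.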