On 22/02/2023 06:43, d tbsky via samba wrote:
> Hi:
> I have a samba dc and a samba member file server.
>
> I have used rfc2307 id mapping and posix acl shares for windows/linux
> clients for many years. they are simple and work fine. however in older
> versions of samba (maybe 5 years ago), sometimes after I create a user
> account at the samba dc, the member file server can not recognize it (eg:
> "getent passwd xxxx" or "id xxxx" return nothing).
>
> when the situation happened, if I used the account to log in to a
> windows client pc and access the file server, suddenly the file server
> recognized the account at that moment and the user could access it. although
> I feel it is strange, it works eventually. and with newer samba versions
> "getent passwd/id" seems to work every time.
>
> recently I need to create a guest share to host computer group
> policy resources. I tried but failed and found that recent win10
> enterprise/win11 deny guest share access by default. so I think maybe
> I can loosen the samba configuration.

Why would you think that?
If you need guest access, then you need to turn it back on, on the
Windows clients.

> my original idmap config at the file server looks like:
>
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 1000-999999
>
> I comment out the last line "idmap config SAMDOM:range = 1000-999999" and

What was your reasoning for doing that?
What did you hope to achieve?

> restart samba. "getent passwd" returns all the domain accounts with or
> without rfc2307 settings. "id machine$" also works and my computer
> group policy can read the share resource correctly.

Now if you did restart Samba, this should have cleared the winbind
cache, unless, is nscd also running? If it is, I suggest you remove it,
you cannot have two caches.

> but two days later suddenly my usual user account can not access the
> share and the samba file server log said "failed: Permission denied.
> Current token: uid=1000010".

Looks like the cache expired and your user became part of the default
domain '*'.

> that's too bad. my good rfc2307 uid (1001) is replaced by a dynamic
> "1000010". my lazy dream is broken. I think my configuration is
> illegal. maybe it was working because of some kind of caching and now
> the cache is gone.

Just said that.

> so I revert my configuration and restart smbd/winbind. but "id xxxx"
> or "getent passwd xxxx" is still "1000010". I try adding "winbind cache
> time=1", "idmap cache time=1", "idmap negative cache time=1", also I try
> deleting
> "/var/lib/samba/winbindd_cache.tdb" and
> "/var/lib/samba/winbindd_cache.tdb" and restarting winbind/smbd but still
> can not get rid of the dynamic user id "1000010".

It looks more and more like nscd is running.

> finally I remember the older samba behavior and try to log out/log in on my
> windows pc. then I saw my rfc2307 gid is back. I restart the windows pc
> and log in again. this time I finally get my rfc2307 uid "1001".
>
> so what's behind the scenes? why do I need to log on to the domain to make idmap correct?
> and I think I need to give my computer/machine account a rfc2307 uid.
> it seems rfc2307 can not co-exist with dynamic id mapping. is that
> correct?

No, or no Unix domain member would work. What you are describing as
'dynamic id mapping' is the default domain '*' which uses the tdb idmap
backend and this allocates Unix ID's for the BUILTIN domain and anything
that isn't in the 'SAMDOM' domain, by removing the line, you put
everything into the default domain.

The only mysteries here are, why did you remove the line and is nscd
running?

Rowland
Rowland Penny via samba <samba at lists.samba.org>
> > recently I need to create a guest share to host computer group
> > policy resources. I tried but failed and found that recent win10
> > enterprise/win11 deny guest share access by default. so I think maybe
> > I can loosen the samba configuration.
>
> Why would you think that?
> If you need guest access, then you need to turn it back on, on the
> Windows clients.

I don't want to fight with the windows default if possible. and domain
computers are not really unknown guests, I just didn't give them an rfc2307
uid before. I want to make a read only share for domain computers with
minimal effort if possible.

> > my original idmap config at the file server looks like:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 1000000-1999999
> > idmap config SAMDOM:backend = ad
> > idmap config SAMDOM:schema_mode = rfc2307
> > idmap config SAMDOM:range = 1000-999999
> >
> > I comment out the last line "idmap config SAMDOM:range = 1000-999999" and
>
> What was your reasoning for doing that?
> What did you hope to achieve?

I hoped samba would use the rfc2307 uid if the account has the setting,
otherwise use a dynamic id. so a normal user account would have an rfc2307
uid, but a machine account would use a dynamic id. It seems like just my
dream.

> > restart samba. "getent passwd" returns all the domain accounts with or
> > without rfc2307 settings. "id machine$" also works and my computer
> > group policy can read the share resource correctly.
>
> Now if you did restart Samba, this should have cleared the winbind
> cache, unless, is nscd also running? If it is, I suggest you remove it,
> you cannot have two caches.

no, I don't have nscd installed or running.

> > so I revert my configuration and restart smbd/winbind. but "id xxxx"
> > or "getent passwd xxxx" is still "1000010". I try adding "winbind cache
> > time=1", "idmap cache time=1", "idmap negative cache time=1", also I try
> > deleting
> > "/var/lib/samba/winbindd_cache.tdb" and
> > "/var/lib/samba/winbindd_cache.tdb" and restarting winbind/smbd but still
> > can not get rid of the dynamic user id "1000010".
>
> It looks more and more like nscd is running.

no, I don't have nscd running. In fact, over these years when an idmap was
missing or incorrect (getent passwd xxxx, id xxxx), I had no way to make it
appear/correct again unless a re-logged-on windows machine accessed the file
server. The id mappings have always been working for several years, so I
almost forgot the incorrect/missing situation.

> No, or no Unix domain member would work. What you are describing as
> 'dynamic id mapping' is the default domain '*' which uses the tdb idmap
> backend and this allocates Unix ID's for the BUILTIN domain and anything
> that isn't in the 'SAMDOM' domain, by removing the line, you put
> everything into the default domain.

I think that's the truth. I didn't realize the full detail of the
configuration. Now I understand. Thanks a lot for the clarification.

> The only mysteries here are, why did you remove the line and is nscd
> running?

because I was too lazy to add an rfc2307 uid to the machine accounts. Now I
will do it if there is no easy way.
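To check an smb.conf for the pitfall Rowland describes, here is an added example in Python; it is not code from the thread or from the Samba project, and the function names and sample configs are my own. It parses the `idmap config` lines, flags a domain that has a backend but no range (Rowland's point: its accounts then land in the default domain '*'), checks that configured ranges do not overlap, and reports which configured range a Unix ID such as 1001 or 1000010 falls in, which is the quickest way to tell a rfc2307 ID from a tdb-allocated one. The two sample configs are constructed from the one posted above, the second with the SAMDOM range commented out as the poster did.

```python
"""Added example (not from the thread or from Samba): sanity-check the
'idmap config' lines of an smb.conf and classify Unix IDs by idmap range."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the member server's idmap config as posted in the thread.
SMB_CONF_OK = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 1000-999999
"""

# Constructed sample: the same config with the SAMDOM range commented out,
# which is what the poster tried.
SMB_CONF_NO_RANGE = SMB_CONF_OK.replace(
    "idmap config SAMDOM : range", "# idmap config SAMDOM : range")

# 'idmap config <domain> : <option> = <value>'; the domain may be '*'.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line.
    smb.conf comment lines start with '#' or ';'."""
    domains: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m["dom"].upper()  # domain names are compared case-insensitively
            domains.setdefault(dom, {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(val: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a tuple of ints, rejecting an inverted range."""
    lo, hi = (int(x) for x in val.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad idmap range {val!r}")
    return lo, hi


def check_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the config passes."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no default domain '*' configured")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in domains.items():
        if "range" not in cfg:
            if dom == "*":
                problems.append("default domain '*' has no range; winbind has "
                                "nowhere to allocate IDs for BUILTIN")
            else:
                # The poster's situation: with no range, the domain's own backend
                # is unusable and its accounts fall into the default domain '*'.
                problems.append(f"{dom}: backend {cfg.get('backend', '(none)')!r} "
                                f"has no range; its accounts fall into the default "
                                f"domain '*'")
            continue
        ranges[dom] = parse_range(cfg["range"])
    # Ranges of different domains must not overlap, or IDs become ambiguous.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (_, hi1)), (d2, (lo2, _)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems


def which_domain(domains: Dict[str, Dict[str, str]], unix_id: int) -> Optional[str]:
    """Name the configured idmap domain whose range contains unix_id, or None."""
    for dom, cfg in domains.items():
        if "range" in cfg:
            lo, hi = parse_range(cfg["range"])
            if lo <= unix_id <= hi:
                return dom
    return None


if __name__ == "__main__":
    for name, conf in (("original", SMB_CONF_OK), ("range removed", SMB_CONF_NO_RANGE)):
        print(f"{name}: {check_idmap(parse_idmap(conf)) or 'no problems'}")
    # The two uids from the thread: 1001 (rfc2307) and 1000010 (tdb-allocated).
    doms = parse_idmap(SMB_CONF_OK)
    for uid in (1001, 1000010):
        print(f"uid {uid} lies in the range of idmap domain {which_domain(doms, uid)}")
```

Run it against a real smb.conf by reading the file into `parse_idmap`; a uid reported in the '*' range for an account that should carry a rfc2307 ID is the same symptom as the "Current token: uid=1000010" line in the poster's log.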