angela.gavazzi@goetheanum.ch
2004-May-03 09:59 UTC
[Samba] Changed UIDs from winbind after server reboot!
I set up a Samba 3.0.2 server as a member server in an NT4 domain.
Winbind works great and I can "use" the NT domain users for all I
need.
At the moment I'm testing different shares with their permissions.
The Samba server will also be our print server, so I also set up CUPS and added
the printers to Samba with cupsaddsmb - great tool! Users could
connect and all worked fine.
After a reboot that I had to do after adding a kernel option (RTC),
suddenly the test user told me that they could
no longer connect to the shares and the printers.
When I looked, I found out that all permissions had been changed.
The first time I thought I had made a big mistake because of
working too long into the night. :-)
Two days later I rebooted the server again - and had the same thing.
All permissions had been changed.
I tested stopping Samba and winbind - nothing strange happened.
Then I rebooted the server again - and a lot of UIDs changed again.
Did I completely misunderstand the function of winbind, or is
there something wrong here?
Here is a little more info on the system.
Let me know if other info is needed.
TIA, Angela
woody 3 with current security patches
samba 3.0.2 from backports
Here's the smb.conf:
[global]
workgroup = AAG
netbios name = S10amba
security = domain
encrypt passwords = yes
password server = 192.168.100.31
wins server = 192.168.100.30
host msdfs = yes
#################################
#template shell = /bin/false
#template homedir = /work/home/%u
max mux = 200
max open files = 8000
###############################################################
# Handling of data
###############################################################
display charset = ISO8859-1
unix charset = ISO8859-1
dos charset = CP850
#username level = 5
case sensitive = no
preserve case = yes
log file = /var/log/samba/log.smbd.%m
log level = 1
follow symlinks = yes
################################################################
# Miscellaneous settings for DOS and Windows
###############################################################
map archive = yes
map system = no
map hidden = no
###############################################################
# Global printing settings
###############################################################
load printers = yes
printing = cups
printcap name = cups
# read-only files may be deleted
delete readonly = yes
# Samba as time server; the main thing is that all clocks agree....
time server = yes
dos filetimes = yes
fake directory create times = yes
dos filetime resolution = yes
# secures file integrity at the expense of performance
; Database files are the most sensitive, so only those go without oplocks,
; and that for all directories
veto oplock files = /*.mdb/*.dbf/
deadtime = 5
# The following items must be set to yes if Samba
; is to act as a PDC.
os level = 20
local master = yes
preferred master = no
domain master = no
wins support = no
domain logons = no
winbind separator = +
# Use uids 10000-20000 for domain users
winbind uid = 10000-20000
# Use gids 10000-20000 for domain groups
winbind gid = 10000-20000
# Allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
name resolve order = wins hosts lmhosts bcast
############################################################
# Security settings
############################################################
hosts allow = 127.0.0.1 192.168.100.0/24
hosts deny = 0.0.0.0/0
[IPC$]
path = /tmp
hosts allow = 127.0.0.1 192.168.100.0/24
hosts deny = 0.0.0.0/0
#############################################################
# Printers
#############################################################
[print$]
comment = Printer driver download
path = /work/printerdrivers
browseable = yes
# 'public' is a synonym for 'guest ok'; a later 'public = yes' would override
# this 'no', so only the explicit setting is kept
guest ok = no
read only = yes
write list = AAG+Domänen-Admins, root, AAG+Administrator
[printers]
path = /var/spool/samba
browseable = yes
# 'public' is a synonym for 'guest ok'; the contradictory 'public = yes' was dropped
guest ok = no
writable = no
printable = yes
printer admin = AAG+Domänen-Admins, root, AAG+Administrator
write list = AAG+Domänen-Admins, root, AAG+Administrator
[AAG-Daten]
path = /work/dfs
msdfs root = yes
browseable = yes
writeable = yes
valid users = @AAG+Domänen-Benutzer
[AV]
path=/work/aag/edv/AV
valid users = AAG+HHA @AAG+Domänen-Admins
write list = AAG+HHA @AAG+Domänen-Admins
[EDV]
path = /work/aag/edv
browseable = yes
valid users = AAG+Domänen-Admins
write list = AAG+Domänen-Admins
admin users = AAG+Domänen-Admins
# ACL settings
nt acl support = yes
inherit acl = yes
create mask = 770
directory mask = 770
security mask = 770
directory security mask = 0777
force security mode = 0000
force directory security mode = 0000
force group = AAG+Domänen-Admins
force create mode = 0770
force directory mode = 770
# note: these repeat two parameters set above; the last value wins, so 0440 takes effect
force security mode = 0440
force directory security mode = 0440
[Wochenschrift]
path = /work/aag/wosch
browseable = yes
valid users = AAG+Dom?nen-Admins AAG+AdminWochensch
write list = AAG+Dom?nen-Admins AAG+AdminWochensch
admin users = AAG+Dom?nen-Admins AAG+AdminWochensch
# ACL settings
nt acl support = yes
inherit acl = yes
create mask = 770
directory mask = 770
security mask = 770
directory security mask = 0777
force security mode = 0000
force directory security mode = 0000
force group = AAG+AdminWochensch
force create mode = 0770
force directory mode = 770
# note: these repeat two parameters set above; the last value wins, so 0440 takes effect
force security mode = 0440
force directory security mode = 0440
[homes]
comment = Personal directory of %S
path=/work/aag/users/%u
#valid users = %u AAG+Administrator
#force user=%u
writeable = yes
browseable = no
Sounds like your idmap file is being removed on reboot. Run testparm -sv | grep directory and see where the lock directory is located. Make sure the file winbindd_idmap.tdb in this directory is not getting removed somehow on reboot. Check your winbindd log file to see if there are errors there.

angela.gavazzi@goetheanum.ch wrote:
> I set up a Samba 3.0.2 server as a member server in an NT4 domain.
> Winbind works great and I can "use" the NT domain users for all I need.
> At the moment I'm testing different shares with their permissions.
> The Samba server will also be our print server, so I also set up CUPS and added
> the printers to Samba with cupsaddsmb - great tool! Users could
> connect and all worked fine.
>
> After a reboot that I had to do after adding a kernel option (RTC),
> suddenly the test user told me that they could
> no longer connect to the shares and the printers.
> When I looked, I found out that all permissions had been changed.
> The first time I thought I had made a big mistake because of
> working too long into the night. :-)
> Two days later I rebooted the server again - and had the same thing.
> All permissions had been changed.
>
> I tested stopping Samba and winbind - nothing strange happened.
> Then I rebooted the server again - and a lot of UIDs changed again.
>
> Did I completely misunderstand the function of winbind, or is
> there something wrong here?
>
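The check suggested in the reply, written out as a small script. This is an added example, not code from the thread or from the Samba project. It reads the output of testparm -sv, extracts the lock directory (where Samba 3.0's winbindd keeps winbindd_idmap.tdb), reports whether the idmap file is present and non-empty, and flags a lock directory that sits under a path many distributions clear at boot (/var/run, /var/lock, /tmp). The sample testparm output and the /var/run/samba path in it are constructed for the example; when testparm is installed the script reads the live configuration instead.

```shell
#!/bin/sh
# Added example (not from the original thread): locate Samba's lock directory
# via "testparm -sv", check that winbindd_idmap.tdb is there, and warn when
# the directory is in a location that is typically wiped on reboot.

# Print the value of "lock directory" from testparm -sv output read on stdin.
lock_dir_from_testparm() {
    sed -n 's/^[[:space:]]*lock directory[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 (true) if the path is inside a directory commonly cleared at boot.
is_volatile_path() {
    case "$1" in
        /var/run|/var/run/*|/var/lock|/var/lock/*|/tmp|/tmp/*|/run|/run/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if winbindd_idmap.tdb exists in the given directory and is non-empty.
idmap_present() {
    [ -s "$1/winbindd_idmap.tdb" ]
}

# Summarise the idmap state in one word on stdout:
#   missing  - no (or an empty) winbindd_idmap.tdb in the lock directory
#   volatile - file present, but the directory is in a boot-cleaned location
#   ok       - file present in a location that survives a reboot
idmap_status() {
    dir=$1
    if ! idmap_present "$dir"; then
        echo missing
    elif is_volatile_path "$dir"; then
        echo volatile
    else
        echo ok
    fi
}

# Constructed sample of "testparm -sv" output (assumed paths, not from the thread);
# used only when testparm is not installed.
SAMPLE_TESTPARM='[global]
    workgroup = AAG
    security = DOMAIN
    private dir = /etc/samba
    lock directory = /var/run/samba
    pid directory = /var/run/samba'

# Take the lock directory from the live configuration if possible, else from the sample.
find_lock_dir() {
    if command -v testparm >/dev/null 2>&1; then
        testparm -sv 2>/dev/null | lock_dir_from_testparm
    else
        printf '%s\n' "$SAMPLE_TESTPARM" | lock_dir_from_testparm
    fi
}

lockdir=$(find_lock_dir)
echo "lock directory: $lockdir"
echo "idmap status:   $(idmap_status "$lockdir")"
```

A result of "volatile" is the situation the reply describes: the mappings exist until the next boot, after which winbindd allocates fresh uids and gids from the 10000-20000 range in a different order, and every file owned by a domain user ends up owned by someone else. Either set lock directory in smb.conf to a path that persists (for example under /var/lib) or exclude the directory from the boot-time cleanup. Before and after a reboot, `wbinfo -u` together with `getent passwd` shows whether the uids stayed stable; where your build ships `net idmap dump`, keeping a text dump of the tdb gives you something to restore from if the file is lost again.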