Samba-Liste
2008-Jun-27 12:04 UTC
[Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
Hi,

I read at least 100 different documents during the last week and didn't get it. So I decided to ask the list for help :)

Unfortunately we have to move to a Windows 2008 Server ADS in our company as this is required for some other projects. But we want to keep our nice 5+ samba-servers providing fast 50TB+ of storage.

So we have to find a way to nicely integrate the storage with the new ADS installed. Therefore I installed a testlab consisting of 2 Debian etch storage-servers with 12TB of LVM-based storage attached to each. Also we have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some Windows XP 32 and 64 bit clients as workstations for testing.

Now we set up everything and decided to use samba 3.2.0 as some bugs related to W2k8 server are solved there. So I built Debian packages from experimental for etch and installed them. Then I set up Kerberos and samba using "security = ads". Everything works great. I can get a Kerberos ticket with kinit, and I can also join the ADS with "net ads join -Uadministrator". I set up /etc/nsswitch.conf to use winbind and I can request user information successfully.

But now I have to set up a shared IDMAP for my samba servers to have the same UIDs and GIDs on all machines.
As it would be nice to have all that on the ADS server, I tried the following for days without success, and that is where I need help:

- I installed the "MS Identity Management for Unix"
- I added UID, Homedir, Shell and "Default Group" to the AD user
- I set "Unix Attr" for my groups
- I configured samba as follows:

----- snip -----

[global]
workgroup = TESTLAB
realm = TESTLAB.COMPANY.COM
netbios name = filesrv001
server string = Samba Storage Fileserver 001 (%v)
security = ADS
idmap domains = BUILTIN, TESTLAB
idmap config TESTLAB:backend = ad
idmap config TESTLAB:default = yes
idmap config TESTLAB:schema_mode = rfc2307
idmap config BUILTIN:backend = tdb
idmap config BUILTIN:base_rid = 800
idmap config BUILTIN:range = 800-999
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups = Yes
password server = WIN-RXYDW1KO5DH.testlab.company.com
wins server = WIN-RXYDW1KO5DH.testlab.company.com
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hide unreadable = yes
hide dot files = yes
unix charset = LOCALE
log level = 5

[big_data]
comment = Very Big Share
path = /SERV
browseable = yes
guest ok = no
valid users = "@STGT\entenhausen"
create mask = 660
directory mode = 770
writeable = yes
readonly = no
force group = "STGT\entenhausen"

----- snip -----

- I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
- I deleted the join on the ADS
- Then I rebooted the Linux server and re-joined the ADS
- And I can retrieve the user with getent and it has its UID

filesrv001:/var/log/samba# getent passwd tic.tic
tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false

- But the default group, the home dir and the shell are not right
- Seems like the values are not retrieved correctly from ADS
- Also strange: I set up the second storage server with the same configs, only changed names. If I retrieve the user information there, it looks like this:

getent passwd tic.tic
tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false

- So the default group is changing, but it's still not the value listed in the ADS

Any ideas on that? Did I get something completely wrong? I'll now take a closer look at the Win 2008 logfiles and I'll check the communication with tcpdump. But I'm mostly stuck and could really use some hints. Or should I try another solution? IDMAP-RID cannot be used as we are planning a "trust domain" setup.

Thank you and best regards

Daniel
Samba-Liste
2008-Jun-27 15:36 UTC
[Samba] Re: Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
Hi again,

On Fri, 2008-06-27 at 13:31 +0200, Samba-Liste wrote:
> Hi,
>
> I read at least 100 different documents during the last week and
> didn't get it. So I decided to ask the list for help :)
>

- The problem is solved now. I found this in the logs on the Linux side:

log.winbindd: Error loading module '/usr/lib/samba/nss_info/rfc2307.so': /usr/lib/samba/nss_info/rfc2307.so: cannot open shared object file: No such file or directory

- which took me to this message of Jerry Carter: http://lists.samba.org/archive/samba/2008-April/140030.html
- So I went to /usr/lib/samba and created the nss_info directory
- in there I made a symbolic link rfc2307.so to ../idmap/ad.so
- restarted samba and winbind and all is fine

I'll contact the maintainer of the Debian experimental samba 3.2.0 packages. Maybe he can fix this in the build description.

Jerry, thanks for all your magic posts :)

best regards

Daniel
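A small check script, added here as an example and not part of the thread (neither Daniel's nor the Samba project's code). It does two things: it compares a user's passwd entry as returned by winbind on two file servers and names the fields that diverge (the symptom in the first message, where the GID and GECOS of tic.tic differed between filesrv001 and the second server), and it checks that the rfc2307 nss_info module, which the second message found missing, is actually readable. The two passwd entries are the ones quoted in the thread, embedded as constructed sample input; the module directory /usr/lib/samba/nss_info is taken from the log line above. The function names are mine.

```sh
#!/bin/sh
# Added example, not code from the thread: two checks for winbind/idmap consistency.

# Constructed sample input: the two getent outputs quoted in the thread. On real
# servers you would obtain them with "getent passwd tic.tic" on each host.
SRV1_ENTRY='tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false'
SRV2_ENTRY='tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false'

# Print the names of the passwd(5) fields that differ between two entries,
# space-separated, in field order; prints an empty line when they match.
# A differing uid or gid across file servers means the same AD user would own
# or access files under different Unix identities on each server, which is
# exactly what a shared idmap is supposed to prevent.
passwd_diff_fields() {
    _a=$1
    _b=$2
    _out=''
    _i=1
    for _name in name passwd uid gid gecos home shell; do
        _fa=$(printf '%s\n' "$_a" | cut -d: -f"$_i")
        _fb=$(printf '%s\n' "$_b" | cut -d: -f"$_i")
        if [ "$_fa" != "$_fb" ]; then
            _out="${_out}${_out:+ }${_name}"
        fi
        _i=$((_i + 1))
    done
    printf '%s\n' "$_out"
}

# Return 0 if the module winbind loads for "winbind nss info = rfc2307" is
# readable in the given nss_info directory (default: the path from the log line
# in the thread). Without it winbind cannot read the RFC 2307 attributes, so
# home directory and shell come from the template settings instead, which
# matches what the first message observed.
nss_info_module_present() {
    _dir=${1:-/usr/lib/samba/nss_info}
    [ -r "$_dir/rfc2307.so" ]
}

# Stand-alone demonstration on the constructed sample entries.
_fields=$(passwd_diff_fields "$SRV1_ENTRY" "$SRV2_ENTRY")
if [ -n "$_fields" ]; then
    echo "idmap mismatch for tic.tic between servers in fields: $_fields"
else
    echo "tic.tic resolves identically on both servers"
fi
if nss_info_module_present; then
    echo "rfc2307 nss_info module present"
else
    echo "rfc2307 nss_info module missing: 'winbind nss info = rfc2307' will not work"
fi
```

In practice you would feed passwd_diff_fields the live output of "getent passwd <user>" from each server (for example over ssh) for every AD user, and treat any non-empty result on the uid or gid field as a configuration fault to fix before putting the share into service.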
Marcos
2008-Jul-03 17:27 UTC
[Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
Hi,

Did you try using NIS instead of winbind??? I'm saying that because you are using MS Identity Management for Unix and this provides a NIS server. This would provide you the same UIDs and GIDs on all machines.

Marcos.

--- On Fri, 27/6/08, Samba-Liste <samba@admindu.de> wrote:
> From: Samba-Liste <samba@admindu.de>
> Subject: [Samba] Help needed. Samba 3.2.0rc2 - IDMAP - Windows 2008 Server - ADS Integration - Winbind
> To: "samba" <samba@lists.samba.org>
> Date: Friday, 27 June 2008, 8:31
> Hi,
>
> I read at least 100 different documents during the last week and
> didn't get it. So I decided to ask the list for help :)
>
> Unfortunately we have to move to a Windows 2008 Server ADS in our
> company as this is required for some other projects. But we want to
> keep our nice 5+ samba-servers providing fast 50TB+ of storage.
>
> So we have to find a way to nicely integrate the storage with the new
> ADS installed. Therefore I installed a testlab consisting of 2 Debian
> etch storage-servers with 12TB of LVM-based storage attached to each.
> Also we have 2 MS 2008 Server SP1 as PDC and BDC. Further we have some
> Windows XP 32 and 64 bit clients as workstations for testing.
>
> Now we set up everything and decided to use samba 3.2.0 as some bugs
> related to W2k8 server are solved there. So I built Debian packages
> from experimental for etch and installed them. Then I set up Kerberos
> and samba using "security = ads". Everything works great. I can get a
> Kerberos ticket with kinit, and I can also join the ADS with
> "net ads join -Uadministrator". I set up /etc/nsswitch.conf to use
> winbind and I can request user information successfully.
>
> But now I have to set up a shared IDMAP for my samba servers to have
> the same UIDs and GIDs on all machines. As it would be nice to have all
> that on the ADS server, I tried the following for days without
> success, and that is where I need help:
>
> - I installed the "MS Identity Management for Unix"
> - I added UID, Homedir, Shell and "Default Group" to the AD user
> - I set "Unix Attr" for my groups
> - I configured samba as follows:
>
> ----- snip -----
>
> [global]
> workgroup = TESTLAB
> realm = TESTLAB.COMPANY.COM
> netbios name = filesrv001
> server string = Samba Storage Fileserver 001 (%v)
> security = ADS
> idmap domains = BUILTIN, TESTLAB
> idmap config TESTLAB:backend = ad
> idmap config TESTLAB:default = yes
> idmap config TESTLAB:schema_mode = rfc2307
> idmap config BUILTIN:backend = tdb
> idmap config BUILTIN:base_rid = 800
> idmap config BUILTIN:range = 800-999
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind nested groups = Yes
> password server = WIN-RXYDW1KO5DH.testlab.company.com
> wins server = WIN-RXYDW1KO5DH.testlab.company.com
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> hide unreadable = yes
> hide dot files = yes
> unix charset = LOCALE
> log level = 5
>
> [big_data]
> comment = Very Big Share
> path = /SERV
> browseable = yes
> guest ok = no
> valid users = "@STGT\entenhausen"
> create mask = 660
> directory mode = 770
> writeable = yes
> readonly = no
> force group = "STGT\entenhausen"
>
> ----- snip -----
>
> - I cleaned /var/run/samba, /var/log/samba, /var/lib/samba
> - I deleted the join on the ADS
> - Then I rebooted the Linux server and re-joined the ADS
> - And I can retrieve the user with getent and it has its UID
>
> filesrv001:/var/log/samba# getent passwd tic.tic
> tic.tic:*:20007:10001::/home/STGT/tic.tic:/bin/false
>
> - But the default group, the home dir and the shell are not right
> - Seems like the values are not retrieved correctly from ADS
> - Also strange: I set up the second storage server with the same
>   configs, only changed names. If I retrieve the user information
>   there, it looks like this:
>
> getent passwd tic.tic
> tic.tic:*:20007:10000:Tic Tic:/home/STGT/tic.tic:/bin/false
>
> - So the default group is changing, but it's still not the value
>   listed in the ADS
>
> Any ideas on that? Did I get something completely wrong? I'll now take
> a closer look at the Win 2008 logfiles and I'll check the communication
> with tcpdump. But I'm mostly stuck and could really use some hints.
> Or should I try another solution? IDMAP-RID cannot be used as we are
> planning a "trust domain" setup.
>
> Thank you and best regards
>
> Daniel
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:
> https://lists.samba.org/mailman/listinfo/samba