phwashington@tx.rr.com
2008-Nov-06 19:47 UTC
[Samba] Trying to get uid and gid to match and getent to work
I am using the following in my smb.conf on samba-3.0.28-0.el5.8

idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:base_rid = 998
idmap config MYDOMAIN:range = 998 - 49999
idmap uid = 998-20000
idmap gid = 998-20000
template homedir = /home/users/%U
# template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
; winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes

The problem was first noticed when we connected to another member server and noticed that all of the usernames and groups were different.
During troubleshooting we noticed that wbinfo was reporting the list of users but getent was not. Check libnss_winbind.so.
We just copied it to every directory we thought it might be looking in:

/lib/libnss_winbind.so
/lib64/libnss_winbind.so
/lib64/libnss_winbind.so.2
/lib64/security/pam_winbind.so
/usr/lib/libnss_winbind.so
/usr/lib64/libnss_winbind.so
/usr/lib64/nss/libnss_winbind.so
/usr/lib64/nss/libnss_winbind.so.2
/usr/lib64/pppd/2.4.4/winbind.so

Deleted the /var/cache/samba/winbind_cache.tdb
and winbindd_idmap.tdb

After restarting winbind and samba the winbindd_idmap.tdb did not reappear,
and getent was still not working.

Also seeing the following error when restarting winbind:

Nov 6 11:57:58 localhost winbindd[21350]: [2008/11/06 11:57:58, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
Nov 6 11:57:58 localhost winbindd[21350]: initialize_winbindd_cache: clearing cache and re-creating with version number 1
Nov 6 11:57:58 localhost winbindd[21351]: [2008/11/06 11:57:58, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2363)
Nov 6 11:57:58 localhost winbindd[21351]: cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
phwashington@tx.rr.com
2008-Nov-07 17:25 UTC
[Samba] Trying to get uid and gid to match and getent to work
---- phwashington@tx.rr.com wrote:
> I am using the following in my smb.conf on samba-3.0.28-0.el5.8
>
> idmap domains = MYDOMAIN
> idmap config MYDOMAIN:backend = rid
> idmap config MYDOMAIN:base_rid = 998
> idmap config MYDOMAIN:range = 998 - 49999
> idmap uid = 998-20000
> idmap gid = 998-20000
> template homedir = /home/users/%U
> # template primary group = "Domain Users"
> template shell = /bin/bash
> winbind separator = +
> ; winbind use default domain = Yes
> winbind enum users = yes
> winbind enum groups = yes
>
> The problem was first noticed when we connected to another member server and noticed that all of the usernames and groups were different.
> During troubleshooting we noticed that wbinfo was reporting the list of users but getent was not. Check libnss_winbind.so.
> We just copied it to every directory we thought it might be looking in:
>
> /lib/libnss_winbind.so
> /lib64/libnss_winbind.so
> /lib64/libnss_winbind.so.2
> /lib64/security/pam_winbind.so
> /usr/lib/libnss_winbind.so
> /usr/lib64/libnss_winbind.so
> /usr/lib64/nss/libnss_winbind.so
> /usr/lib64/nss/libnss_winbind.so.2
> /usr/lib64/pppd/2.4.4/winbind.so
>
> Deleted the /var/cache/samba/winbind_cache.tdb
> and winbindd_idmap.tdb
>
> After restarting winbind and samba the winbindd_idmap.tdb did not reappear,
> and getent was still not working.
>
> Also seeing the following error when restarting winbind:
>
> Nov 6 11:57:58 localhost winbindd[21350]: [2008/11/06 11:57:58, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
> Nov 6 11:57:58 localhost winbindd[21350]: initialize_winbindd_cache: clearing cache and re-creating with version number 1
> Nov 6 11:57:58 localhost winbindd[21351]: [2008/11/06 11:57:58, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2363)
> Nov 6 11:57:58 localhost winbindd[21351]: cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
>

Okay, I was able to get getent to work.
I had to go back to ldconfig to get the library files to load the variants of libnss_winbind.

So now I am trying to get it to allow domain users to log in and get the uids and gids to match across servers.
phwashington@tx.rr.com
2008-Nov-07 18:23 UTC
[Samba] Trying to get uid and gid to match and getent to work
---- phwashington@tx.rr.com wrote:
>
> ---- phwashington@tx.rr.com wrote:
> > I am using the following in my smb.conf on samba-3.0.28-0.el5.8
> >
> > idmap domains = MYDOMAIN
> > idmap config MYDOMAIN:backend = rid
> > idmap config MYDOMAIN:base_rid = 998
> > idmap config MYDOMAIN:range = 998 - 49999
> > idmap uid = 998-20000
> > idmap gid = 998-20000
> > template homedir = /home/users/%U
> > # template primary group = "Domain Users"
> > template shell = /bin/bash
> > winbind separator = +
> > ; winbind use default domain = Yes
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > The problem was first noticed when we connected to another member server and noticed that all of the usernames and groups were different.
> > During troubleshooting we noticed that wbinfo was reporting the list of users but getent was not. Check libnss_winbind.so.
> > We just copied it to every directory we thought it might be looking in:
> >
> > /lib/libnss_winbind.so
> > /lib64/libnss_winbind.so
> > /lib64/libnss_winbind.so.2
> > /lib64/security/pam_winbind.so
> > /usr/lib/libnss_winbind.so
> > /usr/lib64/libnss_winbind.so
> > /usr/lib64/nss/libnss_winbind.so
> > /usr/lib64/nss/libnss_winbind.so.2
> > /usr/lib64/pppd/2.4.4/winbind.so
> >
> > Deleted the /var/cache/samba/winbind_cache.tdb
> > and winbindd_idmap.tdb
> >
> > After restarting winbind and samba the winbindd_idmap.tdb did not reappear,
> > and getent was still not working.
> >
> > Also seeing the following error when restarting winbind:
> >
> > Nov 6 11:57:58 localhost winbindd[21350]: [2008/11/06 11:57:58, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2230)
> > Nov 6 11:57:58 localhost winbindd[21350]: initialize_winbindd_cache: clearing cache and re-creating with version number 1
> > Nov 6 11:57:58 localhost winbindd[21351]: [2008/11/06 11:57:58, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2363)
> > Nov 6 11:57:58 localhost winbindd[21351]: cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
> >
>
> Okay, I was able to get getent to work.
> I had to go back to ldconfig to get the library files to load the variants of libnss_winbind.
>
> So now I am trying to get it to allow domain users to log in and get the uids and gids to match across servers.
>

I now have 2 servers reporting different uids; haven't checked the gids, but I assume I have the same problem.

On the system running samba-3.0.10-1.4E.9:

MYDOMAIN+user1:*:10115:10000:SMB User:/home/users/user1:/bin/bash
MYDOMAIN+user2:*:10116:10000:SMB User:/home/users/user2:/bin/bash
MYDOMAIN+user3:*:10011:10000:SMB User:/home/users/user3:/bin/bash
MYDOMAIN+user4:*:10008:10000:SMB User:/home/users/user4:/bin/bash

On system 2 running samba3-3.0.32-36:

MYDOMAIN+user1:*:12700:10000:SMB User:/home/users/user1:/bin/bash
MYDOMAIN+user2:*:12702:10000:SMB User:/home/users/user2:/bin/bash
MYDOMAIN+user3:*:12710:10000:SMB User:/home/users/user3:/bin/bash
MYDOMAIN+user4:*:12718:10000:SMB User:/home/users/user4:/bin/bash
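An added check for the mismatch shown in the post above (example code written for this page, not Samba's own tooling): it parses the passwd-format lines captured on the two member servers and lists every account whose uid or gid differs, or that exists on only one side. The sample lines are the ones from the post; the labels "server A" and "server B" are placeholders.

```python
"""Cross-server UID/GID consistency check for winbind-mapped accounts.

Parses passwd-format lines (as printed by `getent passwd`) captured on two
domain member servers and reports accounts whose uid or gid differs."""

# Constructed sample input: the four lines each server printed in the
# thread above (server labels A and B are placeholders).
SERVER_A = """\
MYDOMAIN+user1:*:10115:10000:SMB User:/home/users/user1:/bin/bash
MYDOMAIN+user2:*:10116:10000:SMB User:/home/users/user2:/bin/bash
MYDOMAIN+user3:*:10011:10000:SMB User:/home/users/user3:/bin/bash
MYDOMAIN+user4:*:10008:10000:SMB User:/home/users/user4:/bin/bash
"""
SERVER_B = """\
MYDOMAIN+user1:*:12700:10000:SMB User:/home/users/user1:/bin/bash
MYDOMAIN+user2:*:12702:10000:SMB User:/home/users/user2:/bin/bash
MYDOMAIN+user3:*:12710:10000:SMB User:/home/users/user3:/bin/bash
MYDOMAIN+user4:*:12718:10000:SMB User:/home/users/user4:/bin/bash
"""


def parse_passwd(text):
    """Map account name -> (uid, gid) from passwd-format lines.
    Lines with fewer than seven fields or a non-numeric uid/gid are
    skipped, so one odd line does not abort the whole comparison."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            ids[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue
    return ids


def compare_ids(text_a, text_b):
    """Return {name: ((uid, gid) on A, (uid, gid) on B)} for every account
    whose ids differ; a side where the account is missing is None."""
    a, b = parse_passwd(text_a), parse_passwd(text_b)
    return {name: (a.get(name), b.get(name))
            for name in sorted(set(a) | set(b))
            if a.get(name) != b.get(name)}


if __name__ == "__main__":
    for name, (on_a, on_b) in compare_ids(SERVER_A, SERVER_B).items():
        print(f"{name}: server A {on_a} != server B {on_b}")
```

On a real deployment, feed it the `getent passwd` output of each member server; every account it reports will change owner when its files are copied between those two servers.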
Johan Hendriks
2008-Nov-08 12:59 UTC
[Samba] Trying to get uid and gid to match and getent to work
>---- phwashington@tx.rr.com wrote:
>> I am using the following in my smb.conf on samba-3.0.28-0.el5.8
>>
>> ..... snip .....
>
>Okay, I was able to get getent to work.
>I had to go back to ldconfig to get the library files to load the variants of libnss_winbind.
>
>So now I am trying to get it to allow domain users to log in and get the uids and gids to match across servers.

The way to do this is to use an ldap backend on the file servers.
On one member server the ldap is the master, and on all the others the ldap servers are slaves.
I have not tested this (my network is not that large),
but this is also mentioned in the following doc:
http://us3.samba.org/samba/docs/man/Samba-Guide/

Then in chapter 7 at the end there is the following:

What are the benefits of using LDAP for my domain member servers?

The key benefit of using LDAP is that the UID of all users and the GID of all groups are globally consistent on domain controllers as well as on domain member servers. This means that it is possible to copy/replicate files across servers without loss of identity.

When use is made of account identity resolution via winbind, even when an IDMAP backend is stored in LDAP, the UID/GID on domain member servers is consistent, but differs from the ID that the user/group has on domain controllers. The winbind allocated UID/GID that is stored in LDAP (or locally) will be in the numeric range specified in the idmap uid/gid in the smb.conf file. On domain controllers, the UID/GID is that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.

One more thing: if you use the guide in chapter 7 and you come to the part of editing the nsswitch.conf file, do not use ldap there but winbind.
The guide tells you to do this:

Edit the NSS control file /etc/nsswitch.conf so it has the following entries:

...
passwd: files ldap
shadow: files ldap
group: files ldap
...
hosts: files wins

Use this instead:

Edit the NSS control file /etc/nsswitch.conf so it has the following entries:

...
passwd: files winbind
shadow: files winbind
group: files winbind
...
hosts: files wins

I hope this helps..

regards,
Johan Hendriks
Double L Automatisering
phwashington@tx.rr.com
2008-Nov-11 21:28 UTC
[Samba] Trying to get uid and gid to match and getent to work
Thanks, I'm working on the solution. You are probably not the only one who hasn't tested this out. So far I have gotten the other ldap server up. And was also successful in shutting down 2 file servers which have been operational for 2 years. All I did was set the ldap log level to 8 on the Samba-ldap PDC. I'll keep working on it, but I'm not convinced that an LDAP backend is all that efficient now. Especially considering we only have 200 entities in the database (Users, Computers, Groups).

---- Johan Hendriks <Johan@double-l.nl> wrote:
>
> >---- phwashington@tx.rr.com wrote:
> >> I am using the following in my smb.conf on samba-3.0.28-0.el5.8
> >>
> >> ..... snip .....
> >
> >Okay, I was able to get getent to work.
> >I had to go back to ldconfig to get the library files to load the variants of libnss_winbind.
> >
> >So now I am trying to get it to allow domain users to log in and get the uids and gids to match across servers.
>
> The way to do this is to use an ldap backend on the file servers.
> On one member server the ldap is the master, and on all the others the ldap servers are slaves.
> I have not tested this (my network is not that large),
> but this is also mentioned in the following doc:
> http://us3.samba.org/samba/docs/man/Samba-Guide/
>
> Then in chapter 7 at the end there is the following:
>
> What are the benefits of using LDAP for my domain member servers?
>
> The key benefit of using LDAP is that the UID of all users and the GID of all groups are globally consistent on domain controllers as well as on domain member servers. This means that it is possible to copy/replicate files across servers without loss of identity.
>
> When use is made of account identity resolution via winbind, even when an IDMAP backend is stored in LDAP, the UID/GID on domain member servers is consistent, but differs from the ID that the user/group has on domain controllers. The winbind allocated UID/GID that is stored in LDAP (or locally) will be in the numeric range specified in the idmap uid/gid in the smb.conf file. On domain controllers, the UID/GID is that of the POSIX value assigned in the LDAP directory as part of the POSIX account information.
>
> One more thing: if you use the guide in chapter 7 and you come to the part of editing the nsswitch.conf file, do not use ldap there but winbind.
> The guide tells you to do this:
>
> Edit the NSS control file /etc/nsswitch.conf so it has the following entries:
>
> ...
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> ...
> hosts: files wins
>
> Use this instead:
>
> Edit the NSS control file /etc/nsswitch.conf so it has the following entries:
>
> ...
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> ...
> hosts: files wins
>
> I hope this helps..
>
> regards,
> Johan Hendriks
> Double L Automatisering