Guilhem Souque
2012-Feb-27 10:52 UTC
[Samba] samba ldap domain member server with cifs and nfs
Hi samba lists, we have a samba-ldap domain running on a debian squeeze (samba 3.5.6) server (pdc and bdc). I try to configure a domain member server on another debian squeeze that will serve as cifs and nfs server. My Debian member server uses winbind (on ldap) for mapping the users' windows sid to the unix uid. The user mapping is written in the ldap directory: ou=idmap,dc=exemple,dc=com

The unix uids provided by winbind are not the same as those used by the system (libnss-ldap); winbind doesn't know the real user uid. The result is that I can't use nfs with cifs because the system users' uids (libnss-ldap) are different from those provided by winbind. It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had a domain member server in this samba version.

Is there a way to synchronize unix uids with idmap uids? I plan to write a script that will write the entries in the idmap OU to have consistent uid mapping between libnss-ldap and cifs share.
Note: my smb.conf

[global]
   workgroup = foo
   security = DOMAIN
   server string = server1
   #passdb backend = ldapsam:ldap://192.168.10.150
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 0
   smb ports = 139
   name resolve order = wins bcast hosts
   wins server = 192.168.1.7
   ldap suffix = dc=exemple,dc=com
   ldap machine suffix = ou=Machines
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=exemple,dc=com
   ldap timeout = 20
   idmap backend = ldap:ldap://192.168.1.7
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind trusted domains only = Yes
   winbind separator = /
   ldap ssl = off

Thanks
Best regards
Guilhem
Guilhem Souque
2012-Feb-27 11:01 UTC
[Samba] samba ldap domain member server with cifs and nfs
Hi samba lists, we have a samba-ldap domain running on a debian squeeze (samba 3.5.6) server (pdc and bdc). I try to configure a domain member server on another debian squeeze that will serve as cifs and nfs server. My Debian member server uses winbind (on ldap) for mapping the users' windows sid to the unix uid. The user mapping is written in the ldap directory: ou=idmap,dc=exemple,dc=com

The unix uids provided by winbind are not the same as those used by the system (libnss-ldap); winbind doesn't know the real user uid. The result is that I can't use nfs with cifs because the system users' uids (libnss-ldap) are different from those provided by winbind. It seems that in samba 3.0.24 (debian etch) the uid in the idmap OU was the same as those in the USERS OU, because I have some entries that are correct and I had a domain member server in this samba version.

Is there a way to synchronize unix uids with idmap uids? I plan to write a script that will write the entries in the idmap OU to have consistent uid mapping between libnss-ldap and cifs share.
Note: my smb.conf

[global]
   workgroup = foo
   security = DOMAIN
   server string = server1
   #passdb backend = ldapsam:ldap://192.168.10.150
   log level = 2
   syslog = 0
   log file = /var/log/samba/%m
   max log size = 0
   smb ports = 139
   name resolve order = wins bcast hosts
   wins server = 192.168.1.7
   ldap suffix = dc=exemple,dc=com
   ldap machine suffix = ou=Machines
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=exemple,dc=com
   ldap timeout = 20
   idmap backend = ldap:ldap://192.168.1.7
   idmap uid = 1000-20000
   idmap gid = 1000-20000
   winbind trusted domains only = Yes
   winbind separator = /
   ldap ssl = off

Thanks
Best regards
Guilhem
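An added example (not from the thread, and not Guilhem's own script) of the synchronisation script both messages describe: it takes user entries with uidNumber and sambaSID, as an ldapsearch of ou=Users,dc=exemple,dc=com would return them, and emits LDIF for the idmap OU using the Samba 3 LDAP schema's sambaIdmapEntry/sambaSidEntry object classes, refusing uids outside the smb.conf idmap range or already mapped to another SID. The sample users and the domain SID are constructed; the 1000-20000 range is the one in the second message's smb.conf.

```python
# Added example: mirror each LDAP user's uidNumber into Samba's idmap OU so
# that winbind (idmap_ldap) and libnss-ldap hand out the same uid for a SID.

# Constructed sample: what an ldapsearch of ou=Users,dc=exemple,dc=com for
# uidNumber/sambaSID might return. The domain SID prefix is a placeholder.
SAMPLE_USERS = [
    {"uid": "alice", "uidNumber": 1001, "sambaSID": "S-1-5-21-111-222-333-3002"},
    {"uid": "bob",   "uidNumber": 1002, "sambaSID": "S-1-5-21-111-222-333-3004"},
    {"uid": "svc",   "uidNumber": 999,  "sambaSID": "S-1-5-21-111-222-333-3006"},  # outside range
    {"uid": "dup",   "uidNumber": 1001, "sambaSID": "S-1-5-21-111-222-333-3008"},  # collides with alice
]

IDMAP_SUFFIX = "ou=Idmap,dc=exemple,dc=com"  # ldap idmap suffix + ldap suffix from smb.conf
IDMAP_RANGE = (1000, 20000)                  # idmap uid from smb.conf (second message)


def build_idmap_entries(users, idmap_suffix=IDMAP_SUFFIX, uid_range=IDMAP_RANGE):
    """Return (entries, problems): idmap entries to add, and reasons users were skipped.

    winbind only allocates uids inside 'idmap uid', so a uidNumber outside the range
    would never be used; two SIDs sharing one uid would make the mapping ambiguous.
    """
    lo, hi = uid_range
    entries, problems, seen = [], [], {}
    for u in users:
        uidn, sid = u["uidNumber"], u["sambaSID"]
        if not lo <= uidn <= hi:
            problems.append(f"{u['uid']}: uidNumber {uidn} outside idmap uid range {lo}-{hi}")
            continue
        if uidn in seen:
            problems.append(f"{u['uid']}: uidNumber {uidn} already mapped to {seen[uidn]}")
            continue
        seen[uidn] = sid
        entries.append({"dn": f"sambaSID={sid},{idmap_suffix}", "sambaSID": sid, "uidNumber": uidn})
    return entries, problems


def to_ldif(entries):
    """Render entries as LDIF for `ldapadd -x -D <ldap admin dn> -W -f idmap.ldif`."""
    return "\n".join(
        f"dn: {e['dn']}\nobjectClass: sambaIdmapEntry\nobjectClass: sambaSidEntry\n"
        f"sambaSID: {e['sambaSID']}\nuidNumber: {e['uidNumber']}\n"
        for e in entries
    )


if __name__ == "__main__":
    ents, probs = build_idmap_entries(SAMPLE_USERS)
    print(to_ldif(ents))
    for p in probs:
        print("# skipped:", p)
```

Review the skipped list before loading the LDIF: a uid outside the idmap range means the smb.conf range and the directory disagree, which is the mismatch the thread is about.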