Good morning all,

I really hate emailing lists, but I've come to a wall that I just can't work out how to get past at the moment, so am hoping for some community assistance if possible.

Some background: We are running Windows Server 2003 on all of our domain controllers, and are in the middle of migrating to Server 2008 R2. We have Unix extensions enabled (RFC 2307, I believe), and manage all of our uids/shell/home via this.

Our Linux servers are a mix of RHEL 5.1, 5.4 and 5.5.

We were using Samba 3.0.33-3.29.el5_5.1 or equivalent on most of our servers, but we hit a stone wall when trying to get them to co-exist with a domain controller that was running Server 2008. So we upgraded to the Red Hat package samba3x, which I believe is 3.3.8 on some of the hosts and 3.5.10 on the others.

However, then we hit the snafu that the servers running samba3x wouldn't talk to the domain controllers still running Server 2003. To combat that, we null-routed the Server 2003 servers, and only let the Linux servers talk to AD servers running 2008. This was working fine, except that some servers stopped being able to run "getent passwd" or "getent group" and would just return nothing from winbind.

As a test, I converted over to RID as the idmap backend, away from ADS, and this appears to have almost worked perfectly. Except now a user's UID isn't being returned from the AD Unix Attributes tab, but instead has what I assume is the RID for the user. Other attributes seem to be coming down ok. For example, a production host that is still running Samba 3.0.33 returns:

[nathan_adm at qbtdbsprd01 ~]$ getent passwd nathan_adm
nathan_adm:*:310:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash

But on an upgraded host it's returning:

[root at qdrbinppz01 ~]# getent passwd nathan_adm
nathan_adm:*:9071:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash

Likewise with group lookups, I'm getting similar results.

I've tried converting back to ADS from RID to see if that will help, but after updating smb.conf and restarting winbind, it still appears to be getting its info from RID and not from ADS.

Below I have two config files: one of the upgraded hosts, one of the not-upgraded hosts. Is there any way I can get RID to do what I want? Or get ADS to play nicely on the domain? Or should I just convert to RID entirely and fix all the users' permissions on directories etc.?

**upgraded host's config**

#======================= Global Settings ================================
[global]
interfaces = 10.8.52.0/24 10.8.57.0/24 10.30.52.0/24 10.8.78.0/24 10.8.0.0/22 10.30.0.0/22 10.8.103.0/24
bind interfaces only = yes
workgroup = QLDMOTORWAYS
local master = no
passdb backend = tdbsam
password server = QB2DC-PRD01.QLDMOTORWAYS.COM.AU
realm = QLDMOTORWAYS.COM.AU
domain master = no
local master = no
preferred master = no
os level = 0
server string = qdrbinppz01 Linux server
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
idmap backend = ad
idmap uid = 100-200
idmap gid = 100-200
idmap config QLDMOTORWAYS : schema_mode =rfc2307
idmap config QLDMOTORWAYS : backend = ADs
idmap config QLDMOTORWAYS : range = 300-2000000
winbind separator = +
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind cache time = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

**non-upgraded host's config**

#======================= Global Settings ================================
[global]
workgroup = QLDMOTORWAYS
local master = no
passdb backend = tdbsam
password server = *
realm = QLDMOTORWAYS.COM.AU
domain master = no
local master = no
preferred master = no
os level = 0
server string = qbtdbsprd01 Linux server
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
idmap backend = ad
idmap uid = 100-2000000
idmap gid = 100-2000000
winbind separator = +
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind cache time = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Much appreciate any help that can be provided.

Nathan Frankish | Systems Engineer
On Mon, Mar 12, 2012 at 10:17:26AM +1000, Nathan Frankish wrote:
> I really hate emailing lists, but I've come to a wall that I just can't
> work out how to get past at the moment, so am hoping for some community
> assistance if possible.
>
> Some background:
> We are running Windows Server 2003 on all of our domain controllers, and
> are in the middle of migrating to Server 2008 R2. We have Unix extensions
> enabled (RFC 2307, I believe), and manage all of our uids/shell/home via
> this.
>
> Our Linux servers are a mix of RHEL 5.1, 5.4 and 5.5.
>
> We were using Samba 3.0.33-3.29.el5_5.1 or equivalent on most of our
> servers, but we hit a stone wall when trying to get them to co-exist
> with a domain controller that was running Server 2008.
> So we upgraded to the Red Hat package samba3x, which I believe is 3.3.8 on
> some of the hosts and 3.5.10 on the others.
>
> However, then we hit the snafu that the servers running samba3x wouldn't
> talk to the domain controllers still running Server 2003. To combat
> that, we null-routed the Server 2003 servers, and only let the Linux
> servers talk to AD servers running 2008.
> This was working fine, except that some servers stopped being able to
> run "getent passwd" or "getent group" and would just return nothing from
> winbind.
>
> As a test, I converted over to RID as the idmap backend, away from ADS,
> and this appears to have almost worked perfectly. Except now a
> user's UID isn't being returned from the AD Unix Attributes tab, but
> instead has what I assume is the RID for the user. Other attributes
> seem to be coming down ok

When you change idmap backends, you must always also delete all caches. Delete the winbindd_cache.tdb file and issue a "net cache flush".

Hope that helps,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
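The cache flush Volker describes, scripted as an added example (this is not code from the thread or from the Samba project), with a verification step that goes slightly beyond his reply: after winbind restarts it compares the uid that "getent passwd" hands back with the uidNumber stored in AD, so a RID-derived uid like the 9071 above shows up as a mismatch instead of being taken on faith. Assumptions not stated in the thread: the lock directory is read from "smbd -b" (falling back to /var/lib/samba, the RHEL 5 samba3x default), winbind is controlled with "service winbind", and the host is joined so that "net ads search" can read uidNumber. Run it as "./flush_idmap.sh --apply nathan_adm"; without "--apply" it only defines the functions.

```bash
#!/bin/bash
# Added example, not from the thread: flush winbind's caches after changing
# the idmap backend, restart winbind, then check whether the uid now matches
# the RFC 2307 uidNumber in AD. Assumed (not in the thread): lock dir via
# "smbd -b" with /var/lib/samba as fallback, "service winbind", "net ads search".
set -u

# Samba lock directory, where winbindd_cache.tdb lives.
lockdir() {
    local d
    d=$(smbd -b 2>/dev/null | awk '/LOCKDIR/ {print $2}')
    echo "${d:-/var/lib/samba}"
}

# Remove winbindd_cache.tdb from the given directory. Prints how many files
# were removed so the caller can tell whether there was anything to flush.
flush_winbind_cache_files() {
    local dir="$1" removed=0 f
    for f in winbindd_cache.tdb; do
        if [ -e "$dir/$f" ]; then
            rm -f "$dir/$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# uid field of a passwd(5) line such as "nathan_adm:*:310:900:...".
passwd_uid() {
    echo "$1" | cut -d: -f3
}

# uidNumber from "net ads search" output (lines of the form "attr: value").
ad_uidnumber() {
    echo "$1" | awk '/^uidNumber:/ {print $2; exit}'
}

# "ok" when winbind's uid equals AD's uidNumber (RFC 2307 attributes are in
# use), "mismatch" otherwise (e.g. a RID-derived uid such as 9071).
compare_uid() {
    local passwd_line="$1" ad_output="$2"
    if [ "$(passwd_uid "$passwd_line")" = "$(ad_uidnumber "$ad_output")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

main() {
    local user="$1" dir entry ad
    dir=$(lockdir)
    service winbind stop
    echo "removed $(flush_winbind_cache_files "$dir") cache file(s) from $dir"
    net cache flush                      # drops the gencache idmap entries
    service winbind start
    sleep 2                              # give winbindd time to reconnect to the DC
    entry=$(getent passwd "$user") || { echo "no passwd entry for $user"; exit 1; }
    ad=$(net ads search "(sAMAccountName=$user)" uidNumber)
    echo "$entry"
    echo "uid source: $(compare_uid "$entry" "$ad")"
}

if [ "${1:-}" = "--apply" ]; then
    main "${2:?usage: $0 --apply USER}"
fi
```

Stopping winbind before deleting the tdb matters: winbindd keeps the file open and rewrites it, so removing it under a running daemon does not reliably clear the old mappings.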