Hi everyone.

Ubuntu 12.04 v3.6 clients with winbind joined to 12.04 Samba4 DC

Clients:
smb.conf
[global]
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 300000-400000
idmap gid = 20000-30000

/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

Problem:
The uid range is ignored. Both uid and gid come from the gid range. e.g.:
getent passwd steve2
POLOP\steve2:*:20007:20000:steve2:/home/POLOP/steve2:/bin/bash

Why is the uid range of 300000-400000 ignored?

Cheers,
Steve
On 02/08/12 16:01, steve wrote:
> Hi everyone.
>
> Ubuntu 12.04 v3.6 clients with winbind joined to 12.04 Samba4 DC
>
> Clients:
> smb.conf
> [global]
> realm = polop.site
> workgroup = POLOP
> security = ADS
> wide links = Yes
> unix extensions = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap uid = 300000-400000
> idmap gid = 20000-30000
>
> /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
>
> Problem:
> The uid range is ignored. Both uid and gid come from the gid range. e.g.:
> getent passwd steve2
> POLOP\steve2:*:20007:20000:steve2:/home/POLOP/steve2:/bin/bash
>
> Why is the uid range of 300000-400000 ignored?

I have a feeling that there is no separate uid and gid range in 3.6. Check the man page.

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Hi Steve,

please use "idmap config * : range = ..." instead of idmap uid/gid.

Best regards
Björn

On 08/02/2012 05:01 PM, steve wrote:
> Hi everyone.
>
> Ubuntu 12.04 v3.6 clients with winbind joined to 12.04 Samba4 DC
>
> Clients:
> smb.conf
> [global]
> realm = polop.site
> workgroup = POLOP
> security = ADS
> wide links = Yes
> unix extensions = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap uid = 300000-400000
> idmap gid = 20000-30000
>
> /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
>
> Problem:
> The uid range is ignored. Both uid and gid come from the gid range. e.g.:
> getent passwd steve2
> POLOP\steve2:*:20007:20000:steve2:/home/POLOP/steve2:/bin/bash
>
> Why is the uid range of 300000-400000 ignored?
> Cheers,
> Steve
>

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
On 02/08/12 17:14, Bjoern Baumbach wrote:
> Hi Steve,
>
> please use "idmap config * : range = ..." instead of idmap uid/gid.
>

Thanks Jonathan and Bjoern
I have that now.

I chose:
idmap config * : range = 30000-40000

I have deleted the winbind files from /var/lib/samba and /var/cache/samba and restarted smbd and winbind but the idmap ranges are still at the old values. In fact they are the same numerical values as on the DC e.g.

-rw-r--r-- 1 3000037 20513 0 Aug 2 17:34 file1

Back on the DC/fileserver that is correctly mapped as:

-rw-r--r-- 1 POLOP\steve2 Domain Users 0 Aug 2 17:34 file1

Is there a cache somewhere else? I have even totally purged the whole of samba and reinstalled from nothing but still the old values reappear.
How do I lose the old values so it accepts my new range and maps the files correctly as humanly readable uid:gid pairs rather than numbers?
nscd is not active.

cheers
Steve

/etc/samba/smb.conf
[global]
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap config * : backend = tdb
idmap config * : range = 30000-40000
On 2012-08-02 17:45, steve wrote:
> On 02/08/12 17:14, Bjoern Baumbach wrote:
>> Hi Steve,
>>
>> please use "idmap config * : range = ..." instead of idmap uid/gid.
>>
>
> Thanks Jonathan and Bjoern
> I have that now.
>
> I chose:
> idmap config * : range = 30000-40000
>
> I have deleted the winbind files from /var/lib/samba and
> /var/cache/samba and restarted smbd and winbind but the idmap ranges
> are still at the old values. In fact they are the same numerical
> values as on the DC e.g.
>
> -rw-r--r-- 1 3000037 20513 0 Aug 2 17:34 file1
>
> Back on the DC/fileserver that is correctly mapped as:
>
> -rw-r--r-- 1 POLOP\steve2 Domain Users 0 Aug 2 17:34 file1
>
> Is there a cache somewhere else? I have even totally purged the whole
> of samba and reinstalled from nothing but still the old values reappear.
> How do I lose the old values so it accepts my new range and maps the
> files correctly as humanly readable uid:gid pairs rather than numbers?
> nscd is not active.
>
> cheers
> Steve
>
> /etc/samba/smb.conf
> [global]
> realm = polop.site
> workgroup = POLOP
> security = ADS
> wide links = Yes
> unix extensions = No
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
>
>

I would suggest using idmap_ad:

http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Regards

Geza Gemes
On 02/08/12 18:16, Gémes Géza wrote:
> On 2012-08-02 17:45, steve wrote:
>> On 02/08/12 17:14, Bjoern Baumbach wrote:
>>> Hi Steve,
>>>
>>> please use "idmap config * : range = ..." instead of idmap uid/gid.
>>>
>>
>> Thanks Jonathan and Bjoern
>> I have that now.
>>
>> I chose:
>> idmap config * : range = 30000-40000
>>
>> I have deleted the winbind files from /var/lib/samba and
>> /var/cache/samba and restarted smbd and winbind but the idmap ranges
>> are still at the old values. In fact they are the same numerical
>> values as on the DC e.g.
>>
>> -rw-r--r-- 1 3000037 20513 0 Aug 2 17:34 file1
>>
>> Back on the DC/fileserver that is correctly mapped as:
>>
>> -rw-r--r-- 1 POLOP\steve2 Domain Users 0 Aug 2 17:34 file1
>>
>> Is there a cache somewhere else? I have even totally purged the whole
>> of samba and reinstalled from nothing but still the old values reappear.
>> How do I lose the old values so it accepts my new range and maps the
>> files correctly as humanly readable uid:gid pairs rather than numbers?
>> nscd is not active.
>>
>> cheers
>> Steve
>>
>> /etc/samba/smb.conf
>> [global]
>> realm = polop.site
>> workgroup = POLOP
>> security = ADS
>> wide links = Yes
>> unix extensions = No
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 30000-40000
>>
>>
> I would suggest using idmap_ad:
>
> http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>
> Regards
>
> Geza Gemes

Hi Geza
No. In this case it is a pure-by-the-book winbind test lan.

The problem is this:
Here is my id:
POLOP\steve2 at ubuntu1:~$ id
uid=30007(POLOP\steve2) gid=30014(POLOP\domain users) groups=30014(POLOP\domain users),30016(POLOP\staff),30018(BUILTIN\users)

When I create a file, I want to see a uid:gid of POLOP\steve2 POLOP\domain users (as indeed I do back on the fileserver/DC)

But on the client, I see only the uid:gid _numbers_ which are stored in idmap.ldb on the server:
POLOP\steve2 at ubuntu1:~$ touch afile
POLOP\steve2 at ubuntu1:~$ ls -l afile
-rw-r--r-- 1 3000037 20513 0 Aug 2 18:34 afile

How do I convert 3000037 to POLOP\steve2 and 20513 to POLOP\domain users on the client?

The shares are mounted via kerberized nfs on the client and _did_ map correctly before this thread started.

Cheers,
Steve
On 02/08/2012 18:42, steve wrote:
> The shares are mounted via kerberized nfs on the client and _did_ map
> correctly before this thread started.

Are you sure you updated /etc/nsswitch.conf to use winbind after purging the old Samba install?

BYtE,
Diego.
On 02/08/12 20:57, NdK wrote:
> On 02/08/2012 18:42, steve wrote:
>
>> The shares are mounted via kerberized nfs on the client and _did_ map
>> correctly before this thread started.
> Are you sure you updated /etc/nsswitch.conf to use winbind after
> purging the old Samba install?
>
> BYtE,
> Diego.
>

Hi
Yes, I have

passwd: files winbind
group: files winbind

getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share, are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group rather than numerical values.

How do I do that?

The uid:gid values are not in the range set in smb.conf. They are the uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring winbind.

Cheers,
Steve
On 03/08/12 07:01, steve wrote:
> On 02/08/12 20:57, NdK wrote:
>> On 02/08/2012 18:42, steve wrote:
>>
>>> The shares are mounted via kerberized nfs on the client and _did_ map
>>> correctly before this thread started.
>> Are you sure you updated /etc/nsswitch.conf to use winbind after
>> purging the old Samba install?
>>
>> BYtE,
>> Diego.
>>
> Hi
> Yes, I have
>
> passwd: files winbind
> group: files winbind
>
> getent passwd/group works fine. I get the names and corresponding uid:gid
> numbers within the range specified in smb.conf but all I get when I list
> files on the nfs share, are numerical uid:gid values. I want those
> values to be DOMAIN\username DOMAIN\group rather than numerical values.
>
> How do I do that?
>
> The uid:gid values are not in the range set in smb.conf. They are the
> uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring
> winbind.
>

If I get this correctly you have files on an NFS server with UID/GID values in say range 10000-19999, and have winbind configured to do mappings in the range of 20000-29999. Doh, winbind will look at the UID/GID on the NFS server and go outside the range I am set to map and do nothing because you have told it to do so.

JAB.

--
Jonathan A. Buzzard
Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
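Jonathan's diagnosis above (ids on the NFS server lying outside the client's idmap range) and Björn's earlier point about writing the range as "idmap config * : range" can both be checked mechanically. The script below is an added example, not code from this thread or from Samba: it parses the idmap range out of an smb.conf fragment, accepting both the "idmap config DOMAIN : range" form and the older "idmap uid"/"idmap gid" keys, and reports every numeric owner or group in `ls -n` output that falls outside all configured ranges, which is exactly the set winbind on that client can never turn into a name. The smb.conf fragment and the listing are constructed from the values Steve posted; the function names are my own.

```python
"""Added example (not from the thread or from Samba): compare the numeric
owner/group ids seen on an NFS listing with the winbind idmap range(s)
configured in the client's smb.conf.  Ids outside every range are the
ones winbind on this client will never translate to a name."""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment, modelled on Steve's second configuration.
SMB_CONF = """\
[global]
   realm = polop.site
   workgroup = POLOP
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 30000-40000
"""

# Constructed `ls -n` output using the numeric ids quoted in the thread:
# file1 carries the DC's own idmap.ldb numbers, afile the client's numbers.
LS_N_OUTPUT = """\
-rw-r--r-- 1 3000037 20513 0 Aug  2 17:34 file1
-rw-r--r-- 1 30007 30014 0 Aug  2 18:34 afile
"""

RANGE_RE = re.compile(
    r"idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)
LEGACY_RE = re.compile(
    r"idmap\s+(?P<kind>uid|gid)\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$", re.IGNORECASE
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return idmap ranges keyed by domain name ('*' is the default domain).
    The deprecated 'idmap uid'/'idmap gid' keys are returned under the keys
    'uid' and 'gid' so the caller can tell the two forms apart."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
            continue
        m = LEGACY_RE.match(line)
        if m:
            ranges[m.group("kind").lower()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def parse_ls_n(output: str) -> List[Tuple[str, int, int]]:
    """Return (name, uid, gid) for each `ls -n` line that carries numeric ids."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        # expected columns: mode, links, uid, gid, size, month, day, time, name
        if len(parts) < 9 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        entries.append((parts[-1], int(parts[2]), int(parts[3])))
    return entries


def id_is_mappable(ranges: Dict[str, Tuple[int, int]], kind: str, value: int) -> bool:
    """True if `value` lies inside a range winbind may use for this kind of id."""
    candidates = [r for key, r in ranges.items() if key not in ("uid", "gid")]
    if kind in ranges:  # a legacy per-kind range applies only to its own kind
        candidates.append(ranges[kind])
    return any(lo <= value <= hi for lo, hi in candidates)


def unmappable_ids(conf: str, ls_output: str) -> List[Tuple[str, str, int]]:
    """List (filename, 'uid' or 'gid', id) for every id outside the configured ranges."""
    ranges = parse_idmap_ranges(conf)
    problems = []
    for name, uid, gid in parse_ls_n(ls_output):
        if not id_is_mappable(ranges, "uid", uid):
            problems.append((name, "uid", uid))
        if not id_is_mappable(ranges, "gid", gid):
            problems.append((name, "gid", gid))
    return problems


if __name__ == "__main__":
    print("configured ranges:", parse_idmap_ranges(SMB_CONF))
    for name, kind, value in unmappable_ids(SMB_CONF, LS_N_OUTPUT):
        print(f"{name}: {kind} {value} is outside every idmap range on this client")
```

On a real client you would feed it the actual smb.conf and the output of `ls -n` on the NFS mount; anything it reports is an id that has to be either brought into the client's range or resolved from the same source the server uses, rather than a cache that needs clearing.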
Hey Steve,

I knew the error "Can't initialize directory" with the auto-create method of pam+winbind for home directories as well, but I think my setup is a little bit different than yours...

My setup looks like this:
- 50 linux-server
- 5 AD secondary DC's (Active Directory w2k8 R2)
- 1 Master-DC (Active Directory w2k8 R2)

The linux-server were setup with RHEL 5 (nearly half of all). Approx. 15 server were setup with Oracle Linux 6.2 (nearly the same like RHEL).

Do you use the same Linux-Version for your clients (e.g. servers)? If so just try to put the same pam-lines (/etc/pam.d/system-auth) into the file password-auth file (/etc/pam.d/password-auth).

These are my files:

--> /etc/pam.d/system-auth <--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so
account     sufficient    pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

--> /etc/pam.d/password-auth <--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so
account     sufficient    pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

And my smb.conf looks like this:

# GLOBAL PARAMETERS
[global]
workgroup = <MY-WORKGROUP>
realm = <MY-DOMAIN.LCL>
password server = *
preferred master = no
server string = <YOUR> File-Server
security = ads
encrypt passwords = yes
local master = no
log level = 1
log file = /var/log/samba/%m
max log size = 50
#printcap name = cups
#printcap = cups
printcap = /dev/null
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = \\
winbind refresh tickets = yes
winbind offline logon = true
winbind trusted domains only = no
#winbind trusted domains only = yes
map untrusted to domain = Yes
allow trusted domains = yes
obey pam restrictions = no
idmap backend = tdb
idmap uid = 10000-600000
idmap gid = 10000-600000
#idmap config EOS : tdb
#idmap config EOS : 10000-100000
#idmap config DFD : tdb
#idmap config DFD : 110000-200000
#idmap config * : backend = tdb
#idmap config * : range = 10000-600000
passdb backend = tdbsam
;template primary group = "domain users"
#template shell = /bin/false
template shell = /bin/bash
winbind nss info = rfc2307
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Heimatverzeichnisse
valid users = %S
path = /home/<DOMAIN>/
read only = yes
browseable = no
# hide "unreadable" directories
hide unreadable = yes
# hide "unwritable" files and folders
hide unwriteable files = yes
create mask = 0700
directory mask = 0700

When you login to one of my linux box with a user called "schlegels", the home directory will be created like this:
/home/<DOMAIN>/schlegels

Oddjobd is not working for me... I don't know exactly if my setup is the same like yours, because I'm not able to read the whole conversation (too many things to do).

Cheers and good luck,
Steven

2012/8/8 steve <steve at steve-ss.com>:
> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>
>> steve wrote:
>>>
>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>
>>>> On 07/08/12 15:10, steve wrote:
>>>>>
>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>
>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>
>>>>>
>>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>>> perspective.
>>>>>> Why a single home directory? We have a single NFS share containing
>>>>>> folders for the two domains and inside those a folder for each home.
>>>>>> We are trying to migrate away from that, preferring a '[homes]' share
>>>>>> where users will place the data they want to have available on every
>>>>>> PC.
>>>>>> This way even Firefox should work...
>>>>>>
>>>>> Hi Diego
>>>>> We have home directories like:
>>>>> home2/staff
>>>>> home2/students/7a
>>>>> home2/students/7b
>>>>>
>>>>> Winbind allows only one template homedir and all user home folders must
>>>>> reside there (or tell me otherwise).
>>>>>
>>>>> The only way we can have what we want is:
>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>> 2. winbind. We have a symlink in template homedir to the real data. For
>>>>> that we need wide links.
>>>>>
>>>>
>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>
>>>
>>> Hi
>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as
>>> it's concerned, all home directories have to be in template homedir.
>>>
>>> How would I use winbind to store it? This is why we tend toward 1.
>>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only
>>> uidNumber and gidNumber. It doesn't seem to give you any control over login
>>> shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>>
>>
>> Well it's read only, winbind pulls the information from the AD, but take
>> out your template homedir/shell lines from smb.conf and do something like
>>
>> winbind nss info = rfc2307
>> winbind expand groups = 2
>> winbind nested groups = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> Note you can get nested groups this way, something I don't think nss-ldapd
>> provides. It does work I have it in production for over 1500 users right now
>> with some 900 active SMB sessions.
>>
> Hi Jonathan
> Is that with Samba3 or 4? I just tried it with Samba4 with unixHomeDirectory
> in AD. I removed template homedir =, created the user directory and gave it
> the correct permissions, but logging in, winbind tries to create the
> directory:
> su steve2
> Creating directory ''.
> Unable to create and initialize directory ''.
> su: Permission denied
>
> Cheers,
> Steve