Thomas Attenberger
2013-Oct-16 10:12 UTC
[Samba] idmap problems after update from 3.0.33 to 3.6.6
Hello,

we are using a standalone Samba server, which is a Win2008R2 domain member. The access rights on the shares are set with ACLs.
After the update I could access the shares. But if I take a look at the rights on the shares with "getfacl" I see only numbers instead of usernames and groups. Then I did a "getent passwd". There are now other numbers mapped to the users than before the update of Samba! So now again "getfacl", there are now wrong user and group names...

Here is the smb.conf after the update. I changed only the idmap parameter.

[global]
workgroup = ATRON
realm = ATRON.LOCAL
security = ADS
preferred master = no
server string = %h
log file = /var/log/samba/smb.log.%m
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind separator = +
# idmap uid = 10000-20000
# idmap gid = 10000-20000
idmap config ATRON:range=10000-20000
template shell = /bin/bash
username map = /etc/samba/smbusers

Unfortunately I'm no Samba expert, so I hope someone can help me...

Regards
Tom

Thomas Attenberger
2013-Oct-16 11:36 UTC
[Samba] idmap problems after update from 3.0.33 to 3.6.6
I found out that the path has changed.

/var/cache/samba/ --> /var/lib/samba

So I moved all necessary files (here's a list http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html) to the new path.
Now "wbinfo -u" is working, but "getent passwd" brings only local users...

What did I forget?

Regards

2013/10/16 Thomas Attenberger <thomas.attenberger at gmx.net>

> Hello,
>
> we are using a standalone Samba server, which is a Win2008R2 domain
> member. The access rights on the shares are set with ACLs.
> After the update I could access the shares. But if I take a look at the
> rights on the shares with "getfacl" I see only numbers instead of usernames
> and groups. Then I did a "getent passwd". There are now other numbers mapped
> to the users than before the update of Samba! So now again "getfacl", there
> are now wrong user and group names...
>
> Here is the smb.conf after the update. I changed only the idmap parameter.
>
> [global]
>
> workgroup = ATRON
> realm = ATRON.LOCAL
> security = ADS
> preferred master = no
> server string = %h
> log file = /var/log/samba/smb.log.%m
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind separator = +
> # idmap uid = 10000-20000
> # idmap gid = 10000-20000
> idmap config ATRON:range=10000-20000
> template shell = /bin/bash
> username map = /etc/samba/smbusers
>
> Unfortunately I'm no Samba expert, so I hope someone can help me...
>
> Regards
> Tom
>

On Wed, 2013-10-16 at 12:12 +0200, Thomas Attenberger wrote:
> Hello,
>
> we are using a standalone Samba server, which is a Win2008R2 domain member.
> The access rights on the shares are set with ACLs.
> After the update I could access the shares. But if I take a look at the
> rights on the shares with "getfacl" I see only numbers instead of usernames
> and groups. Then I did a "getent passwd". There are now other numbers mapped
> to the users than before the update of Samba! So now again "getfacl", there
> are now wrong user and group names...
>
> Here is the smb.conf after the update. I changed only the idmap parameter.
>
> [global]
>
> workgroup = ATRON
> realm = ATRON.LOCAL
> security = ADS
> preferred master = no
> server string = %h
> log file = /var/log/samba/smb.log.%m
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind separator = +
> # idmap uid = 10000-20000
> # idmap gid = 10000-20000
> idmap config ATRON:range=10000-20000
> template shell = /bin/bash
> username map = /etc/samba/smbusers
>
> Unfortunately I'm no Samba expert, so I hope someone can help me...
>
> Regards
> Tom

Hi

It depends where your rfc2307 attributes are coming from. If they are in AD then:

winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ATRON:backend = ad
idmap config ATRON:range = 10000-20000
idmap config ATRON:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = Yes

and due to me just having happened to have read a recent post, maybe also comment out the line:

winbind separator = +

Oh, don't forget to specify winbind in nsswitch.conf.

If you're not using AD then there are other alternatives but we do not have enough information to help further with the config you have provided.

HTH
Steve
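
Added example, not part of the thread and not Samba's own code: a small Python check that compares the `idmap config` lines of an smb.conf with the layout in the reply above (a default `*` domain, an explicit backend and range per domain, ranges that do not overlap). The names `parse_idmap` and `lint_idmap` are hypothetical, and the two sample configs are constructed from the idmap lines quoted in the thread.

```python
import re
from itertools import combinations

# Constructed inputs: the idmap-related lines of the two configs quoted in the thread.
ORIGINAL = """[global]
security = ADS
# idmap uid = 10000-20000
idmap config ATRON:range=10000-20000
"""
SUGGESTED = """[global]
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ATRON:backend = ad
idmap config ATRON:range = 10000-20000
idmap config ATRON:schema_mode = rfc2307
"""

IDMAP = re.compile(r"^idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+)$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from 'idmap config DOM:opt = val' lines."""
    domains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):   # skip commented-out settings
            continue
        m = IDMAP.match(line)
        if m:
            dom, opt, val = (g.strip() for g in m.groups())
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def lint_idmap(text):
    """List differences from the reply's layout (hypothetical helper)."""
    domains, findings, ranges = parse_idmap(text), [], []
    if "*" not in domains:
        findings.append("*: no default domain configured")
    for dom, opts in sorted(domains.items()):
        for opt in ("backend", "range"):
            if opt not in opts:
                findings.append(f"{dom}: no explicit {opt}")
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges.append((lo, hi, dom))
    for (lo1, hi1, d1), (lo2, hi2, d2) in combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"{d1} and {d2}: ID ranges overlap")
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, lint_idmap(cfg) or "ok")
```

The findings describe differences from the suggested configuration, not confirmed causes of the changed UID/GID mappings.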