I don't have an AD backend for this domain. The DCs are "classic" domain controllers, Samba 3.6, with an LDAP backend for all accounts. Would this still be an option?

I tried adding

idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 100-300

Didn't seem to work.

Thanks

On 12/18/14 11:57, Rowland Penny wrote:
> On 18/12/14 16:43, Gaiseric Vandal wrote:
>> I think IDMAP_RID would not be the appropriate solution for me. Not only do I want consistent IDMapping across all servers - which this could do - but I want them to match the existing unix uidNumber in LDAP.
>
> You never said that you had uidNumber in LDAP! In fact you seemed to mention every winbind backend except the one that uses the rfc2307 attributes.
>
> Stop messing around and use the winbind ad backend.
>
> Rowland
>
>> Thanks for your help.
>>
>> On 12/18/14 04:29, Rowland Penny wrote:
>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>> I have two Samba 3.6.24 domain controllers (Solaris 10). On all machines unix accounts and groups are in the LDAP as well as idmap entries for trusted domains. Samba accounts on domain controllers are in LDAP so there is problem with consistency unix/windows id and group mapping on the domain controllers. The domain controllers are the main file servers as well.
>>>>
>>>> I am configuring a new member server, also Samba 3.6.4 (Solaris 11). On the member server, I have joined the domain. When accessing a shared directory from a Windows 7 machine as a regular user, I can only access files of which I am the owner. Group is ignored. The Security properties of files (from Windows) show users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>>
>>>> Winbind is running on both the domain controller and the member server. The "wbinfo -u" and "wbinfo -g" commands show the users and groups. This machine does not need to support trusted domains. It looks like I need some sort of IDMapping. Since I have unix accounts in the LDAP backend I was trying to configure idmap_nss.
>>>>
>>>> idmap config MYDOMAIN : backend = nss
>>>> idmap config MYDOMAIN : range = 100-300
>>>>
>>>> log.192.168.0.105
>>>> wbinfo correctly translates between names and SIDs
>>>>
>>>> :/# wbinfo -n myname
>>>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>> MYDOMAIN\myname 1
>>>> /#
>>>>
>>>> however any translation between SID (or name) and unix uidNumber fails
>>>>
>>>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>> /#
>>>>
>>>> Member servers have always been problematic no matter what I try (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = yes) and on Solaris and Linux samba machines of various versions.
>>>>
>>>> I also tried
>>>>
>>>> idmap config MYDOMAIN : backend = rid
>>>> idmap config MYDOMAIN : range = 100-300
>>>> idmap config MYDOMAIN : base_rid = 0
>>>>
>>>> but no luck.
>>>
>>> Not surprised really, the rid is calculated using this formula:
>>>
>>> ID = RID - BASE_RID + LOW_RANGE_ID
>>>
>>> So, using the info you posted above:
>>>
>>> ID = 1234 - 0 + 100
>>>
>>> Which becomes:
>>>
>>> ID = 1334
>>>
>>> There is your problem. The ID number is larger than the high range you set in smb.conf; try adding a couple of zeros to the range, i.e. change 100-300 to 100-30000.
>>>
>>> Rowland
>>>
>>>> idmap_nss support is enabled
>>>>
>>>> # smbd -b | grep idmap_nss
>>>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_wbc auth_server auth_domain auth_builtin vfs_default vfs_solarisacl
>>>>
>>>> # smbd -b | grep idmap_rid
>>>> idmap_rid_init
>>>>
>>>> Any idea what I am missing?
>>>>
>>>> Thanks
On 18/12/14 17:24, Gaiseric Vandal wrote:
> I don't have an AD backend for this domain. The DCs are "classic" domain controllers, Samba 3.6, with an LDAP backend for all accounts. Would this still be an option?
>
> I tried adding
>
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:range = 100-300
>
> Didn't seem to work.
>
> Thanks
>
> On 12/18/14 11:57, Rowland Penny wrote:
>> On 18/12/14 16:43, Gaiseric Vandal wrote:
>>> I think IDMAP_RID would not be the appropriate solution for me. Not only do I want consistent IDMapping across all servers - which this could do - but I want them to match the existing unix uidNumber in LDAP.
>>
>> You never said that you had uidNumber in LDAP! In fact you seemed to mention every winbind backend except the one that uses the rfc2307 attributes.
>>
>> Stop messing around and use the winbind ad backend.
>>
>> Rowland
>>
>>> Thanks for your help.
>>>
>>> On 12/18/14 04:29, Rowland Penny wrote:
>>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>>> I have two Samba 3.6.24 domain controllers (Solaris 10). On all machines unix accounts and groups are in the LDAP as well as idmap entries for trusted domains. Samba accounts on domain controllers are in LDAP so there is problem with consistency unix/windows id and group mapping on the domain controllers. The domain controllers are the main file servers as well.
>>>>>
>>>>> I am configuring a new member server, also Samba 3.6.4 (Solaris 11). On the member server, I have joined the domain. When accessing a shared directory from a Windows 7 machine as a regular user, I can only access files of which I am the owner. Group is ignored. The Security properties of files (from Windows) show users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>>>
>>>>> Winbind is running on both the domain controller and the member server. The "wbinfo -u" and "wbinfo -g" commands show the users and groups. This machine does not need to support trusted domains. It looks like I need some sort of IDMapping. Since I have unix accounts in the LDAP backend I was trying to configure idmap_nss.
>>>>>
>>>>> idmap config MYDOMAIN : backend = nss
>>>>> idmap config MYDOMAIN : range = 100-300
>>>>>
>>>>> log.192.168.0.105
>>>>> wbinfo correctly translates between names and SIDs
>>>>>
>>>>> :/# wbinfo -n myname
>>>>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>> MYDOMAIN\myname 1
>>>>> /#
>>>>>
>>>>> however any translation between SID (or name) and unix uidNumber fails
>>>>>
>>>>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>> Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>>> /#
>>>>>
>>>>> Member servers have always been problematic no matter what I try (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = yes) and on Solaris and Linux samba machines of various versions.
>>>>>
>>>>> I also tried
>>>>>
>>>>> idmap config MYDOMAIN : backend = rid
>>>>> idmap config MYDOMAIN : range = 100-300
>>>>> idmap config MYDOMAIN : base_rid = 0
>>>>>
>>>>> but no luck.
>>>>
>>>> Not surprised really, the rid is calculated using this formula:
>>>>
>>>> ID = RID - BASE_RID + LOW_RANGE_ID
>>>>
>>>> So, using the info you posted above:
>>>>
>>>> ID = 1234 - 0 + 100
>>>>
>>>> Which becomes:
>>>>
>>>> ID = 1334
>>>>
>>>> There is your problem. The ID number is larger than the high range you set in smb.conf; try adding a couple of zeros to the range, i.e. change 100-300 to 100-30000.
>>>>
>>>> Rowland
>>>>
>>>>> idmap_nss support is enabled
>>>>>
>>>>> # smbd -b | grep idmap_nss
>>>>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_wbc auth_server auth_domain auth_builtin vfs_default vfs_solarisacl
>>>>>
>>>>> # smbd -b | grep idmap_rid
>>>>> idmap_rid_init
>>>>>
>>>>> Any idea what I am missing?
>>>>>
>>>>> Thanks

OK, I think that you are going to have to use 'security = domain' and join the machine to your NT4 style domain, see 'man smb.conf'

Rowland
I did have it set up for security=domain. As I looked through the logs I saw errors about winbind not being able to allocate mappings - but for the local groups (e.g. Administrators). Normally on member servers I explicitly map well-known local groups to gidNumbers that are consistent across all systems. I hadn't done that yet. Maybe idmap was choking on local group mappings before it even tried dealing with domain users. Based on some of the examples I saw in man pages and on the web I changed smb.conf from

idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 100-300

to

idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 100-300

Restarted samba and winbind. I could see that it automatically created a group mapping for the expected local groups

# net groupmap list
Administrators (S-1-5-32-544) -> 5000
Users (S-1-5-32-545) -> 5001

And now "wbinfo -S" will translate a domain user SID into a local uidNumber. So making progress.

Thanks

On 12/18/14 12:39, Rowland Penny wrote:
> On 18/12/14 17:24, Gaiseric Vandal wrote:
>> I don't have an AD backend for this domain. The DCs are "classic" domain controllers, Samba 3.6, with an LDAP backend for all accounts. Would this still be an option?
>>
>> I tried adding
>>
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:range = 100-300
>>
>> Didn't seem to work.
>>
>> Thanks
>>
>> On 12/18/14 11:57, Rowland Penny wrote:
>>> On 18/12/14 16:43, Gaiseric Vandal wrote:
>>>> I think IDMAP_RID would not be the appropriate solution for me. Not only do I want consistent IDMapping across all servers - which this could do - but I want them to match the existing unix uidNumber in LDAP.
>>>
>>> You never said that you had uidNumber in LDAP! In fact you seemed to mention every winbind backend except the one that uses the rfc2307 attributes.
>>>
>>> Stop messing around and use the winbind ad backend.
>>>
>>> Rowland
>>>
>>>> Thanks for your help.
>>>>
>>>> On 12/18/14 04:29, Rowland Penny wrote:
>>>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>>>> I have two Samba 3.6.24 domain controllers (Solaris 10). On all machines unix accounts and groups are in the LDAP as well as idmap entries for trusted domains. Samba accounts on domain controllers are in LDAP so there is problem with consistency unix/windows id and group mapping on the domain controllers. The domain controllers are the main file servers as well.
>>>>>>
>>>>>> I am configuring a new member server, also Samba 3.6.4 (Solaris 11). On the member server, I have joined the domain. When accessing a shared directory from a Windows 7 machine as a regular user, I can only access files of which I am the owner. Group is ignored. The Security properties of files (from Windows) show users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>>>>
>>>>>> Winbind is running on both the domain controller and the member server. The "wbinfo -u" and "wbinfo -g" commands show the users and groups. This machine does not need to support trusted domains. It looks like I need some sort of IDMapping. Since I have unix accounts in the LDAP backend I was trying to configure idmap_nss.
>>>>>>
>>>>>> idmap config MYDOMAIN : backend = nss
>>>>>> idmap config MYDOMAIN : range = 100-300
>>>>>>
>>>>>> log.192.168.0.105
>>>>>> wbinfo correctly translates between names and SIDs
>>>>>>
>>>>>> :/# wbinfo -n myname
>>>>>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>>>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>> MYDOMAIN\myname 1
>>>>>> /#
>>>>>>
>>>>>> however any translation between SID (or name) and unix uidNumber fails
>>>>>>
>>>>>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>>>> /#
>>>>>>
>>>>>> Member servers have always been problematic no matter what I try (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = yes) and on Solaris and Linux samba machines of various versions.
>>>>>>
>>>>>> I also tried
>>>>>>
>>>>>> idmap config MYDOMAIN : backend = rid
>>>>>> idmap config MYDOMAIN : range = 100-300
>>>>>> idmap config MYDOMAIN : base_rid = 0
>>>>>>
>>>>>> but no luck.
>>>>>
>>>>> Not surprised really, the rid is calculated using this formula:
>>>>>
>>>>> ID = RID - BASE_RID + LOW_RANGE_ID
>>>>>
>>>>> So, using the info you posted above:
>>>>>
>>>>> ID = 1234 - 0 + 100
>>>>>
>>>>> Which becomes:
>>>>>
>>>>> ID = 1334
>>>>>
>>>>> There is your problem. The ID number is larger than the high range you set in smb.conf; try adding a couple of zeros to the range, i.e. change 100-300 to 100-30000.
>>>>>
>>>>> Rowland
>>>>>
>>>>>> idmap_nss support is enabled
>>>>>>
>>>>>> # smbd -b | grep idmap_nss
>>>>>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_wbc auth_server auth_domain auth_builtin vfs_default vfs_solarisacl
>>>>>>
>>>>>> # smbd -b | grep idmap_rid
>>>>>> idmap_rid_init
>>>>>>
>>>>>> Any idea what I am missing?
>>>>>>
>>>>>> Thanks
>
> OK, I think that you are going to have to use 'security = domain' and join the machine to your NT4 style domain, see 'man smb.conf'
>
> Rowland
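Two things in this thread are easy to get wrong and cheap to check before restarting winbind: the idmap_rid arithmetic Rowland spells out (ID = RID - BASE_RID + LOW_RANGE_ID must land inside the configured range) and the need for a default `idmap config *` backend so that BUILTIN groups such as Administrators and Users can be allocated, which is what fixed the last message's member server. The following is an added example, not code from the Samba project or from anyone in the thread. It is a small Python checker for the `idmap config` lines of an smb.conf; the regular expression for those lines, the `check_config` rules and the sample configurations (built from the values quoted in the thread, with the SID RID 1234 as the test case) are all assumptions of this example.

```python
"""Sanity-check the 'idmap config' lines of an smb.conf fragment.

Added example, not Samba code.  Models the idmap_rid formula
ID = RID - BASE_RID + LOW_RANGE_ID and the requirement for a default
'idmap config *' domain, as discussed in the thread.
"""
import re
from dataclasses import dataclass, field

# Matches "idmap config MYDOMAIN : backend = nss" with or without spaces
# around ':' and '='.  Assumed line shape, not an official grammar.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\*|[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class IdmapDomain:
    name: str
    settings: dict = field(default_factory=dict)

    @property
    def range(self):
        lo, hi = self.settings["range"].split("-")
        return int(lo), int(hi)


def parse_idmap_config(text):
    """Return {domain: IdmapDomain} for every 'idmap config' line in text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments, [global], or unrelated smb.conf keys
        d = domains.setdefault(m["domain"], IdmapDomain(m["domain"]))
        d.settings[m["key"].lower()] = m["value"]
    return domains


def rid_to_id(rid, base_rid, low_range_id):
    """The idmap_rid mapping exactly as stated in the thread."""
    return rid - base_rid + low_range_id


def check_config(domains):
    """Return a list of problems; an empty list means the layout looks sane."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default: BUILTIN/local groups cannot be allocated")
    seen = []
    for name, d in domains.items():
        if "backend" not in d.settings or "range" not in d.settings:
            problems.append(f"{name}: backend and range are both required")
            continue
        lo, hi = d.range
        if lo >= hi:
            problems.append(f"{name}: range {lo}-{hi} is empty")
        for other, (olo, ohi) in seen:
            if lo <= ohi and olo <= hi:
                problems.append(f"{name}: range {lo}-{hi} overlaps {other} {olo}-{ohi}")
        seen.append((name, (lo, hi)))
    return problems


def check_rid_fits(domains, name, rid):
    """For a rid backend: (computed unix id, whether it lies inside the range)."""
    d = domains[name]
    lo, hi = d.range
    base = int(d.settings.get("base_rid", "0"))
    uid = rid_to_id(rid, base, lo)
    return uid, lo <= uid <= hi


# Constructed sample configurations using the values quoted in the thread.
BROKEN_RID_CONF = """
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 100-300
idmap config MYDOMAIN : base_rid = 0
"""

FIXED_RID_CONF = BROKEN_RID_CONF.replace("100-300", "100-30000")

FINAL_CONF = """
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 100-300
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_RID_CONF), ("fixed", FIXED_RID_CONF)):
        d = parse_idmap_config(conf)
        print(label, "RID 1234 ->", check_rid_fits(d, "MYDOMAIN", 1234), check_config(d))
    print("final", check_config(parse_idmap_config(FINAL_CONF)))
```

Running it reproduces Rowland's arithmetic (RID 1234 maps to 1334, outside 100-300 but inside 100-30000) and flags the rid-only configurations for lacking an `idmap config *` default, while the final layout from the last message passes. The overlap check is there because a domain range that collides with the default range would let two SIDs be handed the same unix id, which is an authorization problem on a file server, not just a cosmetic one.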