I don't have an AD backend for this domain. The DC's are "classic" domain controllers, Samba 3.6 , with LDAP backend for all accounts. Would this still be an option? I tried adding idmap config MYDOMAIN:schema_mode = rfc2307 idmap config MYDOMAIN:backend = ad idmap config MYDOMAIN:range = 100-300 Didn't seem to work. Thanks On 12/18/14 11:57, Rowland Penny wrote:> On 18/12/14 16:43, Gaiseric Vandal wrote: >> I think IDMAP_RID would not be the appropriate solution for me. Not >> only do I want consistent IDMapping across all servers - which this >> could do - but I want them to match the the existing unix uidNumber >> in LDAP. > > You never said that you had uidNumber in LDAP!, in fact you seemed to > mention every winbind backend except the one that uses the rfc2307 > attributes. > > Stop messing around and use the winbind ad backend. > > Rowland >> >> >> Thanks for your help. >> >> >> >> >> On 12/18/14 04:29, Rowland Penny wrote: >>> On 17/12/14 22:01, Gaiseric Vandal wrote: >>>> I have two Samba 3.6.24 domain controllers (Solaris 10.) On >>>> all machines unix accounts and groups are in the LDAP as well as >>>> idmap entries for trusted domains. Samba accounts on domain >>>> controllers are in LDAP so there is problem with consistency >>>> unix/windows id and group mapping on the domain controllers. The >>>> domain controllers are the main file servers as well. >>>> >>>> I am configuring a new member server, also Samba 3.6.4 (Solaris >>>> 11.) On the member server, I have joined the domain. When >>>> accessing shared directory from a Windows 7 machine as a regular >>>> user, I can only access files that I am the owner. Group is >>>> ignored. The Security properties of files (from windows) show >>>> users and groups as "Unix User\myname" and "Unix Group\mygroup." >>>> >>>> >>>> Winbind is running on both the domain controller and the member >>>> server. The "wbinfo -u" and "winfo -g" commands show the users and >>>> groups. This machine does not need to support trusted >>>> domains. It looks like I need some sort of IDMapping. SInce >>>> I have unix accounts in LDAP backend I was trying to configure >>>> idmap_nss. >>>> >>>> >>>> idmap config MYDOMAIN : backend = nss >>>> idmap config MYDOMAIN : range = 100-300 >>>> >>>> >>>> log.192.168.0.105 >>>> wbinfo correctly translates between names and SIDs >>>> >>>> :/# wbinfo -n myname >>>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1) >>>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234 >>>> MYDOMAIN\myname 1 >>>> /# >>>> >>>> >>>> however any translation between SID (or name) and unix uidnumber fails >>>> >>>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234 >>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND >>>> Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid >>>> /# >>>> >>>> >>>> >>>> Member servers have always been problematic no matter what I try >>>> (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = >>>> yes) and on Solaris and Linux samba machines of various verions. >>>> >>>> >>>> I also tried >>>> >>>> >>>> idmap config MYDOMAIN : backend = rid >>>> idmap config MYDOMAIN : range = 100-300 >>>> idmap config MYDOMAIN : base_rid = 0 >>>> >>>> >>>> >>>> but no luck. >>> >>> Not surprised really, the rid is calculated using this formula: >>> >>> ID = RID - BASE_RID + LOW_RANGE_ID. >>> >>> So, using the info you posted above: >>> >>> ID = 1234 - 0 + 100 >>> >>> Which becomes: >>> >>> ID = 1334 >>> >>> There is your problem, The ID number is larger than the high range >>> you set in smb.conf, try adding a couple of zero's to the range, i.e >>> change 100-300 to 100-30000 >>> >>> Rowland >>> >>>> >>>> >>>> idmap_nss support is enabled >>>> >>>> # smbd -b | grep idmap_nss >>>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb >>>> idmap_passdb idmap_nss nss_info_template auth_sam auth_unix >>>> auth_winbind auth_wbc auth_server auth_domain auth_builtin >>>> vfs_default vfs_solarisacl >>>> >>>> >>>> # smbd -b | grep idmap_rid >>>> idmap_rid_init >>>> >>>> >>>> >>>> Any idea what I am missing? >>>> >>>> Thanks >>>> >>>> >>>> >>>> >>> >> >
On 18/12/14 17:24, Gaiseric Vandal wrote:> I don't have an AD backend for this domain. The DC's are "classic" > domain controllers, Samba 3.6 , with LDAP backend for all accounts. > Would this still be an option? > > > > > I tried adding > > > idmap config MYDOMAIN:schema_mode = rfc2307 > idmap config MYDOMAIN:backend = ad > idmap config MYDOMAIN:range = 100-300 > > > > Didn't seem to work. > > > Thanks > > > > On 12/18/14 11:57, Rowland Penny wrote: >> On 18/12/14 16:43, Gaiseric Vandal wrote: >>> I think IDMAP_RID would not be the appropriate solution for me. Not >>> only do I want consistent IDMapping across all servers - which this >>> could do - but I want them to match the the existing unix uidNumber >>> in LDAP. >> >> You never said that you had uidNumber in LDAP!, in fact you seemed to >> mention every winbind backend except the one that uses the rfc2307 >> attributes. >> >> Stop messing around and use the winbind ad backend. >> >> Rowland >>> >>> >>> Thanks for your help. >>> >>> >>> >>> >>> On 12/18/14 04:29, Rowland Penny wrote: >>>> On 17/12/14 22:01, Gaiseric Vandal wrote: >>>>> I have two Samba 3.6.24 domain controllers (Solaris 10.) On >>>>> all machines unix accounts and groups are in the LDAP as well as >>>>> idmap entries for trusted domains. Samba accounts on domain >>>>> controllers are in LDAP so there is problem with consistency >>>>> unix/windows id and group mapping on the domain controllers. The >>>>> domain controllers are the main file servers as well. >>>>> >>>>> I am configuring a new member server, also Samba 3.6.4 (Solaris >>>>> 11.) On the member server, I have joined the domain. When >>>>> accessing shared directory from a Windows 7 machine as a regular >>>>> user, I can only access files that I am the owner. Group is >>>>> ignored. The Security properties of files (from windows) show >>>>> users and groups as "Unix User\myname" and "Unix Group\mygroup." >>>>> >>>>> >>>>> Winbind is running on both the domain controller and the member >>>>> server. The "wbinfo -u" and "winfo -g" commands show the users >>>>> and groups. This machine does not need to support trusted >>>>> domains. It looks like I need some sort of IDMapping. SInce >>>>> I have unix accounts in LDAP backend I was trying to configure >>>>> idmap_nss. >>>>> >>>>> >>>>> idmap config MYDOMAIN : backend = nss >>>>> idmap config MYDOMAIN : range = 100-300 >>>>> >>>>> >>>>> log.192.168.0.105 >>>>> wbinfo correctly translates between names and SIDs >>>>> >>>>> :/# wbinfo -n myname >>>>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1) >>>>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234 >>>>> MYDOMAIN\myname 1 >>>>> /# >>>>> >>>>> >>>>> however any translation between SID (or name) and unix uidnumber >>>>> fails >>>>> >>>>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234 >>>>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND >>>>> Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid >>>>> /# >>>>> >>>>> >>>>> >>>>> Member servers have always been problematic no matter what I try >>>>> (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = >>>>> yes) and on Solaris and Linux samba machines of various verions. >>>>> >>>>> >>>>> I also tried >>>>> >>>>> >>>>> idmap config MYDOMAIN : backend = rid >>>>> idmap config MYDOMAIN : range = 100-300 >>>>> idmap config MYDOMAIN : base_rid = 0 >>>>> >>>>> >>>>> >>>>> but no luck. >>>> >>>> Not surprised really, the rid is calculated using this formula: >>>> >>>> ID = RID - BASE_RID + LOW_RANGE_ID. >>>> >>>> So, using the info you posted above: >>>> >>>> ID = 1234 - 0 + 100 >>>> >>>> Which becomes: >>>> >>>> ID = 1334 >>>> >>>> There is your problem, The ID number is larger than the high range >>>> you set in smb.conf, try adding a couple of zero's to the range, >>>> i.e change 100-300 to 100-30000 >>>> >>>> Rowland >>>> >>>>> >>>>> >>>>> idmap_nss support is enabled >>>>> >>>>> # smbd -b | grep idmap_nss >>>>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb >>>>> idmap_passdb idmap_nss nss_info_template auth_sam auth_unix >>>>> auth_winbind auth_wbc auth_server auth_domain auth_builtin >>>>> vfs_default vfs_solarisacl >>>>> >>>>> >>>>> # smbd -b | grep idmap_rid >>>>> idmap_rid_init >>>>> >>>>> >>>>> >>>>> Any idea what I am missing? >>>>> >>>>> Thanks >>>>> >>>>> >>>>> >>>>> >>>> >>> >> >OK, I think that you are going to have to use 'security = domain' and join the machine to your NT4 style domain, see 'man smb.conf' Rowland
I did have it setup for security=domain.
As I looked through the logs I saw errors about winbind not being able
to allocated mappings- but for the local groups (e.g.
Administrators.) Normally on member servers I explicitly map well known
local groups to gidNumbers that are consistent across all systems. I
hadn't done that yet. Maybe idmap was choking up on local group
mappings before it even tried dealing with domain users.
Based on some of the examples I saw in man pages and on the web I
changed smb.conf from
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 100-300
to
idmap config * : backend = tdb
idmap config * : range = 5000-6000
idmap config MYDOMAIN : backend = nss
idmap config MYDOMAIN : range = 100-300
Restarted samba and winbind. I could see that it automatically
created a group mapping for the expected local groups
# net groupmap list
Administrators (S-1-5-32-544) -> 5000
Users (S-1-5-32-545) -> 5001
And now "wibinfo -S" will translate a domain user SID into a local
uidNumber
So making progress.
Thanks
On 12/18/14 12:39, Rowland Penny wrote:> On 18/12/14 17:24, Gaiseric Vandal wrote:
>> I don't have an AD backend for this domain. The DC's are
"classic"
>> domain controllers, Samba 3.6 , with LDAP backend for all
>> accounts. Would this still be an option?
>>
>>
>>
>>
>> I tried adding
>>
>>
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:backend = ad
>> idmap config MYDOMAIN:range = 100-300
>>
>>
>>
>> Didn't seem to work.
>>
>>
>> Thanks
>>
>>
>>
>> On 12/18/14 11:57, Rowland Penny wrote:
>>> On 18/12/14 16:43, Gaiseric Vandal wrote:
>>>> I think IDMAP_RID would not be the appropriate solution for me.
Not
>>>> only do I want consistent IDMapping across all servers - which
this
>>>> could do - but I want them to match the the existing unix
>>>> uidNumber in LDAP.
>>>
>>> You never said that you had uidNumber in LDAP!, in fact you seemed
>>> to mention every winbind backend except the one that uses the
>>> rfc2307 attributes.
>>>
>>> Stop messing around and use the winbind ad backend.
>>>
>>> Rowland
>>>>
>>>>
>>>> Thanks for your help.
>>>>
>>>>
>>>>
>>>>
>>>> On 12/18/14 04:29, Rowland Penny wrote:
>>>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>>>> I have two Samba 3.6.24 domain controllers (Solaris
10.) On
>>>>>> all machines unix accounts and groups are in the LDAP
as well as
>>>>>> idmap entries for trusted domains. Samba accounts on
domain
>>>>>> controllers are in LDAP so there is problem with
consistency
>>>>>> unix/windows id and group mapping on the domain
controllers. The
>>>>>> domain controllers are the main file servers as well.
>>>>>>
>>>>>> I am configuring a new member server, also Samba 3.6.4
(Solaris
>>>>>> 11.) On the member server, I have joined the domain.
When
>>>>>> accessing shared directory from a Windows 7 machine as
a regular
>>>>>> user, I can only access files that I am the owner.
Group is
>>>>>> ignored. The Security properties of files (from
windows) show
>>>>>> users and groups as "Unix User\myname" and
"Unix Group\mygroup."
>>>>>>
>>>>>>
>>>>>> Winbind is running on both the domain controller and
the member
>>>>>> server. The "wbinfo -u" and "winfo
-g" commands show the users
>>>>>> and groups. This machine does not need to support
trusted
>>>>>> domains. It looks like I need some sort of
IDMapping.
>>>>>> SInce I have unix accounts in LDAP backend I was trying
to
>>>>>> configure idmap_nss.
>>>>>>
>>>>>>
>>>>>> idmap config MYDOMAIN : backend = nss
>>>>>> idmap config MYDOMAIN : range = 100-300
>>>>>>
>>>>>>
>>>>>> log.192.168.0.105
>>>>>> wbinfo correctly translates between names and SIDs
>>>>>>
>>>>>> :/# wbinfo -n myname
>>>>>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>>>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>> MYDOMAIN\myname 1
>>>>>> /#
>>>>>>
>>>>>>
>>>>>> however any translation between SID (or name) and unix
uidnumber
>>>>>> fails
>>>>>>
>>>>>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>> failed to call wbcSidToUid:
WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not convert sid
S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>>>> /#
>>>>>>
>>>>>>
>>>>>>
>>>>>> Member servers have always been problematic no matter
what I try
>>>>>> (ldap backed, idmap_nss, idmap_rid, winbind trusted
domains only
>>>>>> = yes) and on Solaris and Linux samba machines of
various verions.
>>>>>>
>>>>>>
>>>>>> I also tried
>>>>>>
>>>>>>
>>>>>> idmap config MYDOMAIN : backend = rid
>>>>>> idmap config MYDOMAIN : range = 100-300
>>>>>> idmap config MYDOMAIN : base_rid = 0
>>>>>>
>>>>>>
>>>>>>
>>>>>> but no luck.
>>>>>
>>>>> Not surprised really, the rid is calculated using this
formula:
>>>>>
>>>>> ID = RID - BASE_RID + LOW_RANGE_ID.
>>>>>
>>>>> So, using the info you posted above:
>>>>>
>>>>> ID = 1234 - 0 + 100
>>>>>
>>>>> Which becomes:
>>>>>
>>>>> ID = 1334
>>>>>
>>>>> There is your problem, The ID number is larger than the
high range
>>>>> you set in smb.conf, try adding a couple of zero's to
the range,
>>>>> i.e change 100-300 to 100-30000
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>>
>>>>>> idmap_nss support is enabled
>>>>>>
>>>>>> # smbd -b | grep idmap_nss
>>>>>> pdb_ldap pdb_smbpasswd pdb_tdbsam
pdb_wbc_sam idmap_tdb
>>>>>> idmap_passdb idmap_nss nss_info_template
auth_sam auth_unix
>>>>>> auth_winbind auth_wbc auth_server auth_domain
auth_builtin
>>>>>> vfs_default vfs_solarisacl
>>>>>>
>>>>>>
>>>>>> # smbd -b | grep idmap_rid
>>>>>> idmap_rid_init
>>>>>>
>>>>>>
>>>>>>
>>>>>> Any idea what I am missing?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
> OK, I think that you are going to have to use 'security = domain'
and
> join the machine to your NT4 style domain, see 'man smb.conf'
>
> Rowland
>