"Andreas Braml (BürgerEnergie Berlin)"
2015-Jan-28 19:56 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! After a night of sleeping it over, I just started from scratch today. So I re-did all the client setups, starting with Ubuntu, this time 14.04, not 12.04 as when I first tried. Again I did what it says in the Wiki and - bingo! It works as advertised, Unix uid/gid, home directory and login shell information come from the directory now. Even PAM login works, although I don't need that for now. I wonder where I screwed up the first time. The steps aren't that complicated after all. Well... So the problem is not in the AD setup. But when I take the "known good" smb.conf to a fresh FreeBSD client installed from scratch, adjusting the netbios name and then doing the join, the behavior stays the same: backend rid works, ad does not. There seems to be a problem with FreeBSD as a member server after all. And I will check with Ubuntu 12.04 again. On 27.01.2015 16:48, Rowland Penny wrote:> OK, you posted 'I followed the instructions for RFC 2307 and > decided to use RID+100000 for the default users/groups and 102XXX > for my additional groups/users' What do you mean by 'default > users/groups'The ones you get after the provisioning step is done.> and 'additional groups/users' ?The ones that I add later.> You really only need to give Domain Users and Domain Admins a > 'gidNumber' attribute, you then give your users a 'uidNumber' > attribute.At one point I thought that this might be the problem - so long as there's only even one single group/user that doesn't have a [gu]idNumber set, it wouldn't work. That assumption was wrong, obviously. But it didn't hurt either with the hunt for the problem at hand. I won't do that in the production environment. So only groups/users that are relevant for what's shared on the member server (ACLs) will get the [gu]idNumber.> Why did you choose the numbers that you have ? you can start both > 'uidNumber' & 'gidNumber' from 10000, this is what windows > expects, there doesn't need to be any link between RID and > uidNumber/gidNumber.The highest uid in use on the BSD is for the 'nobody' user (65534). It might be a while before the AD user/group count gets to that, but I wanted to play it safe here and started beyond that. msSFU30MaxUidNumber and msSFU30MaxGidNumber are set accordingly.> I think your problem is that you have given your users/groups > numbers that are outside the ranges you have set in AD.No, it's not. (Since it works on Ubuntu now.) Sorry for the interruption - move along! Cheers, Andreas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJUyT7lAAoJEMs6lqj1bb0REyQH/2+M8/DexlLWiO6miBL0cO7U yRZLjxagy7EG//av3vwv9+4xPqG0RwUdbDwjuKsAvPTiEmft+a5nPfoW2U/988HO zwwuOV3jqQ48wgvyYvdlR9tWLsR6u1cwL9wqrUmsLn8ZvC+XGBJ80UKlvws2GH7m mxGaZay1Blua2wfiwJDyvN/ScdwXvU178XbHIipC1nhVwY/9+oNzXVLeINQtwTPD Qs4i0hVkryqJl8evuOQcMWUrXWVqHhOutKXWwSpwVCBTEdfHW5CfjcKnBIJAU5BQ T84M40wKHeGl/wGZPIABopOP/prefXS1bfAD35QbtYNProbdHH2ghIXTONBYVUc=371f -----END PGP SIGNATURE-----
Rowland Penny
2015-Jan-28 20:21 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
On 28/01/15 19:56, "Andreas Braml (B?rgerEnergie Berlin)" wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi! > > After a night of sleeping it over, I just started from scratch today. > > So I re-did all the client setups, starting with Ubuntu, this time > 14.04, not 12.04 as when I first tried. Again I did what it says in > the Wiki and - bingo! It works as advertised, Unix uid/gid, home > directory and login shell information come from the directory now. > Even PAM login works, although I don't need that for now. > I wonder where I screwed up the first time. The steps aren't that > complicated after all. Well... > > So the problem is not in the AD setup. > > But when I take the "known good" smb.conf to a fresh FreeBSD client > installed from scratch, adjusting the netbios name and then doing the > join, the behavior stays the same: backend rid works, ad does not.Very strange, but just one thing, you don't actually have to set the netbios name in smb.conf. It might help if you post your smb.conf.> > There seems to be a problem with FreeBSD as a member server after all.Possibly> > And I will check with Ubuntu 12.04 again. > > On 27.01.2015 16:48, Rowland Penny wrote: >> OK, you posted 'I followed the instructions for RFC 2307 and >> decided to use RID+100000 for the default users/groups and 102XXX >> for my additional groups/users' What do you mean by 'default >> users/groups' > The ones you get after the provisioning step is done.you do not need to give these a uidNumber or gidNumber.>> and 'additional groups/users' ? > The ones that I add later. > >> You really only need to give Domain Users and Domain Admins a >> 'gidNumber' attribute, you then give your users a 'uidNumber' >> attribute. > At one point I thought that this might be the problem - so long as > there's only even one single group/user that doesn't have a [gu]idNumber > set, it wouldn't work. That assumption was wrong, obviously. But it > didn't hurt either with the hunt for the problem at hand.If you use the 'ad' backend, winbind will only pull users & groups that have a uidNumber or gidNumber, these numbers need to be inside the range set in smb.conf, any other users are ignored.> > I won't do that in the production environment. So only groups/users that > are relevant for what's shared on the member server (ACLs) will get the > [gu]idNumber. > >> Why did you choose the numbers that you have ? you can start both >> 'uidNumber' & 'gidNumber' from 10000, this is what windows >> expects, there doesn't need to be any link between RID and >> uidNumber/gidNumber. > The highest uid in use on the BSD is for the 'nobody' user (65534). It > might be a while before the AD user/group count gets to that, but I > wanted to play it safe here and started beyond that. msSFU30MaxUidNumber > and msSFU30MaxGidNumber are set accordingly.Yes, I noticed that about 'nobody' (there was probably a reason for this) so my adduser script jumps around 65534.>> I think your problem is that you have given your users/groups >> numbers that are outside the ranges you have set in AD. > No, it's not. (Since it works on Ubuntu now.)Well it was just a thought, I know I had problems when I first started using winbind, I could only get the RID backend to work, until it just seemed to click and now I have no problems. :-) Rowland> Sorry for the interruption - move along! > > > Cheers, > Andreas > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQEcBAEBAgAGBQJUyT7lAAoJEMs6lqj1bb0REyQH/2+M8/DexlLWiO6miBL0cO7U > yRZLjxagy7EG//av3vwv9+4xPqG0RwUdbDwjuKsAvPTiEmft+a5nPfoW2U/988HO > zwwuOV3jqQ48wgvyYvdlR9tWLsR6u1cwL9wqrUmsLn8ZvC+XGBJ80UKlvws2GH7m > mxGaZay1Blua2wfiwJDyvN/ScdwXvU178XbHIipC1nhVwY/9+oNzXVLeINQtwTPD > Qs4i0hVkryqJl8evuOQcMWUrXWVqHhOutKXWwSpwVCBTEdfHW5CfjcKnBIJAU5BQ > T84M40wKHeGl/wGZPIABopOP/prefXS1bfAD35QbtYNProbdHH2ghIXTONBYVUc> =371f > -----END PGP SIGNATURE-----
a.braml at buerger-energie-berlin.de
2015-Jan-28 22:25 UTC
[Samba] [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
Hi! Am 28.01.2015 21:21, schrieb Rowland Penny:> On 28/01/15 19:56, "Andreas Braml (B?rgerEnergie Berlin)" wrote: >> [...] >> >> But when I take the "known good" smb.conf to a fresh FreeBSD client >> installed from scratch, adjusting the netbios name and then doing the >> join, the behavior stays the same: backend rid works, ad does not. > > Very strange, but just one thing, you don't actually have to set the > netbios name in smb.conf.In the known good smb.conf I left it out already. Maybe amend the Wiki page accordingly, i.e. put in a note that you can leave out some parameters, as they are defaults anyway (winbind trusted domains only = no is even deprecated/ignored?)> It might help if you post your smb.conf.Here goes: [global] workgroup = TEST security = ADS realm = TEST.BUERGER-ENERGIE-BERLIN.DE dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab idmap config *:backend = tdb idmap config *:range = 70000-99999 idmap config TEST:backend = ad idmap config TEST:schema_mode = rfc2307 idmap config TEST:range = 100000-2000000 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind refresh tickets = yes [demoshare] path = /usr/local/share/test read only = no> >> >> There seems to be a problem with FreeBSD as a member server after all. > > Possibly > >> >> And I will check with Ubuntu 12.04 again.Which might take a while, figuring our where to put compiled binaries etc. The stock packages are too old (no libnss-winbind for starters) and I don't feel like registering at SerNet. But I have a hunch that this was why it didn't work back then - me too stupid, not putting libs in the right directory or something like that.> [...] >> At one point I thought that this might be the problem - so long as >> there's only even one single group/user that doesn't have a >> [gu]idNumber >> set, it wouldn't work. That assumption was wrong, obviously. But it >> didn't hurt either with the hunt for the problem at hand. > > If you use the 'ad' backend, winbind will only pull users & groups > that have a uidNumber or gidNumber, these numbers need to be inside > the range set in smb.conf, any other users are ignored.Like it say in the manpage. But as I said, at one point I thought that this might be a "all or nothing" which the documentation failes to mention. Fortunately this is not the case, works as advertised.>> The highest uid in use on the BSD is for the 'nobody' user (65534). It >> might be a while before the AD user/group count gets to that, but I >> wanted to play it safe here and started beyond that. >> msSFU30MaxUidNumber >> and msSFU30MaxGidNumber are set accordingly. > > Yes, I noticed that about 'nobody' (there was probably a reason for > this) so my adduser script jumps around 65534.But tools like ADUC don't respect that (?) I plan to delegate some of the user/group administration. The delegees will most likely use the MS tools.>>> I think your problem is that you have given your users/groups >>> numbers that are outside the ranges you have set in AD. >> No, it's not. (Since it works on Ubuntu now.) > > Well it was just a thought, I know I had problems when I first started > using winbind, I could only get the RID backend to work, until it just > seemed to click and now I have no problems. :-)Seems like history repeats itself once more :D Cheers, Andreas
Reasonably Related Threads
- [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
- [SOLVED] (kinda) Re: Can't get idmap_ad to work with winbind (only idmap_rid)
- Can't get idmap_ad to work with winbind (only idmap_rid)
- Can't get idmap_ad to work with winbind (only idmap_rid)
- Can't get idmap_ad to work with winbind (only idmap_rid)