On 02/04/15 13:38, buhorojo wrote:
> On 02/04/15 14:09, Rowland Penny wrote:
>> On 02/04/15 12:41, buhorojo wrote:
>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>>>>>>>> nss/winbind does work, yes, there is 1 missing file, just
>>>>>>>>>> created it.
>>>>>>>>>> ( and this is not needed on a DC ! )
>>>>>>>>> So you are telling us that something that returns:
>>>>>>>>> /bin/false
>>>>>>>>> when:
>>>>>>>>> /bin/bash
>>>>>
>>>>>
>>>>
>>>> WHERE is the output from getent wrong ?
>>>
>>> Please read the thread. One example is given above.
>>> Thanks. It really doesn't matter;)
>>>
>>
>> OK, I have re-read the thread, I cannot find one example of the
>> errors you get when using samba with the winbind backend, loads of
>> errors when trying to install sssd with sernet packages, but no
>> actual winbind errors.
> Once again:
> winbind gives /bin/false
> sssd gives /bin/bash
> The user has:
> loginShell: /bin/bash
>
> If it doesn't matter for you, don't worry!
>
>

That is *NOT* an error, that is the way the winbind built into the
samba daemon works, it does not pull anything else from AD other than
the user's uidNumber and the gidNumber of their primary group.
There is a work round involving the 'template' directories that can be
set in smb.conf, these affect everybody that connects to the machine
it is set on, per user settings cannot be set.

It is one of the reasons against using the DC as a file server, but
there are others. People have complained about the hard drive filling
up until the DC is restarted, there have also been problems with
excessive use of memory.

I will put it this way, which part of the following statement do you
not understand ?

*We _do not recommend_ using the Domain Controller as a file Server*.

As taken from the DC page on the samba wiki.

I have no worries about using winbind, it works for me because I use it
as recommended, it would seem that you are the one with the worries.

Rowland

On 02/04/15 14:56, Rowland Penny wrote:
> On 02/04/15 13:38, buhorojo wrote:
>> On 02/04/15 14:09, Rowland Penny wrote:
>>> On 02/04/15 12:41, buhorojo wrote:
>>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>>>>>>>>> nss/winbind does work, yes, there is 1 missing file, just
>>>>>>>>>>> created it.
>>>>>>>>>>> ( and this is not needed on a DC ! )
>>>>>>>>>> So you are telling us that something that returns:
>>>>>>>>>> /bin/false
>>>>>>>>>> when:
>>>>>>>>>> /bin/bash
>>>>>>
>>>>>>
>>>>>
>>>>> WHERE is the output from getent wrong ?
>>>>
>>>> Please read the thread. One example is given above.
>>>> Thanks. It really doesn't matter;)
>>>>
>>>
>>> OK, I have re-read the thread, I cannot find one example of the
>>> errors you get when using samba with the winbind backend, loads of
>>> errors when trying to install sssd with sernet packages, but no
>>> actual winbind errors.
>> Once again:
>> winbind gives /bin/false
>> sssd gives /bin/bash
>> The user has:
>> loginShell: /bin/bash
>>
>> If it doesn't matter for you, don't worry!
>>
>>
>
> That is *NOT* an error, that is the way the winbind built into the
> samba daemon works, it does not pull anything else from AD other than
> the user's uidNumber and the gidNumber of their primary group.
> There is a work round involving the 'template' directories that can be
> set in smb.conf, these affect everybody that connects to the machine
> it is set on, per user settings cannot be set.
>
> It is one of the reasons against using the DC as a file server, but
> there are others. People have complained about the hard drive filling
> up until the DC is restarted, there have also been problems with
> excessive use of memory.
>
> I will put it this way, which part of the following statement do you
> not understand ?
>
> *We _do not recommend_ using the Domain Controller as a file Server*.
>

We run scripts which require accurate nss information. So, no worries.
On our machines, sssd works fine. winbind doesn't.

Rowland, wasn't it you who asked the developers how much work it would
cost them to (to use your term) 'pull' unixHomeDirectory and
loginShell from AD using winbind? You seemed misled that it was to be
made available in the next version. It seems that the developers
themselves regretted that it wouldn't be.

On 02/04/15 at 14:56, Rowland Penny wrote:
>
> *We _do not recommend_ using the Domain Controller as a file Server*.

I'm sorry to chime in again, but I have no intention of using the DC as
a file server *but* I like to have the user mapping in place for other
purposes (e.g. see the file ownership when I nfs mount the netapp storage).
Since I already configured sssd in all member servers (in the test
network, this isn't going to go live for a while) and winbind is not
supposed to work on the DC (or so I read in this list) I simply thought
that sssd was the natural solution.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007

On 02/04/15 14:35, buhorojo wrote:
> On 02/04/15 14:56, Rowland Penny wrote:
>> On 02/04/15 13:38, buhorojo wrote:
>>> On 02/04/15 14:09, Rowland Penny wrote:
>>>> On 02/04/15 12:41, buhorojo wrote:
>>>>> On 02/04/15 12:48, Rowland Penny wrote:
>>>>>> On 02/04/15 11:37, buhorojo wrote:
>>>>>>> On 02/04/15 12:19, Rowland Penny wrote:
>>>>>>>> On 02/04/15 11:05, buhorojo wrote:
>>>>>>>>> On 02/04/15 11:27, Rowland Penny wrote:
>>>>>>>>>> On 02/04/15 10:20, buhorojo wrote:
>>>>>>>>>>> On 02/04/15 08:36, L.P.H. van Belle wrote:
>>>>>>>>>>>> nss/winbind does work, yes, there is 1 missing file, just
>>>>>>>>>>>> created it.
>>>>>>>>>>>> ( and this is not needed on a DC ! )
>>>>>>>>>>> So you are telling us that something that returns:
>>>>>>>>>>> /bin/false
>>>>>>>>>>> when:
>>>>>>>>>>> /bin/bash
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> WHERE is the output from getent wrong ?
>>>>>
>>>>> Please read the thread. One example is given above.
>>>>> Thanks. It really doesn't matter;)
>>>>>
>>>>
>>>> OK, I have re-read the thread, I cannot find one example of the
>>>> errors you get when using samba with the winbind backend, loads of
>>>> errors when trying to install sssd with sernet packages, but no
>>>> actual winbind errors.
>>> Once again:
>>> winbind gives /bin/false
>>> sssd gives /bin/bash
>>> The user has:
>>> loginShell: /bin/bash
>>>
>>> If it doesn't matter for you, don't worry!
>>>
>>>
>>
>> That is *NOT* an error, that is the way the winbind built into the
>> samba daemon works, it does not pull anything else from AD other than
>> the user's uidNumber and the gidNumber of their primary group.
>> There is a work round involving the 'template' directories that can
>> be set in smb.conf, these affect everybody that connects to the
>> machine it is set on, per user settings cannot be set.
>>
>> It is one of the reasons against using the DC as a file server, but
>> there are others. People have complained about the hard drive filling
>> up until the DC is restarted, there have also been problems with
>> excessive use of memory.
>>
>> I will put it this way, which part of the following statement do you
>> not understand ?
>>
>> *We _do not recommend_ using the Domain Controller as a file Server*.
>>
>
> We run scripts which require accurate nss information. So, no worries.
> On our machines, sssd works fine. winbind doesn't.
>
> Rowland, wasn't it you who asked the developers how much work it would
> cost them to (to use your term) 'pull' unixHomeDirectory and
> loginShell from AD using winbind? You seemed misled that it was to be
> made available in the next version. It seems that the developers
> themselves regretted that it wouldn't be.
>

If you use samba as recommended, winbind will do all that sssd does for
authentication.

Yes I did ask, but I had it explained to me why it didn't yet work, I was
also told that sssd is *not* a samba component and not to ask questions
about it here on the *SAMBA* mailing list.

Rowland

On 02/04/15 14:37, Luca Olivetti wrote:
> On 02/04/15 at 14:56, Rowland Penny wrote:
>
>> *We _do not recommend_ using the Domain Controller as a file Server*.
> I'm sorry to chime in again, but I have no intention of using the DC as
> a file server *but* I like to have the user mapping in place for other
> purposes (e.g. see the file ownership when I nfs mount the netapp storage).
> Since I already configured sssd in all member servers (in the test
> network, this isn't going to go live for a while) and winbind is not
> supposed to work on the DC (or so I read in this list) I simply thought
> that sssd was the natural solution.
>
> Bye

If the nfs mount is the DC, you are using the DC as a file server, but if
you are just using the DC for authentication, then winbind will do what
sssd does, you just need to set winbind correctly on the member servers.

It isn't that winbind doesn't work on the DC, it is that, until 4.2,
winbind was built into the samba daemon and did not have the capabilities
of the standalone winbindd daemon. Unfortunately when 4.2 came out, it was
found that though winbindd was now being used and some of the problems had
been solved, the unixhomedirectory & shell attributes are still not
available from AD.

The devs seem to be concentrating on getting the windows side working
better/correctly before any Unix problems, a mistake in my opinion, but
they are writing the code (something I couldn't do) and as such they get
to say in which direction to go (could be worse, LP could be one of the
devs). I am sure that the Unix winbindd problems will get fixed, I am just
unsure when :-)

Rowland

On 16:59:22, buhorojo wrote:
> We run scripts which require accurate nss information. So, no
> worries. On our machines, sssd works fine. winbind doesn't.

You may try nslcd, it works on a DC with debian packages. I have never
tried the sernet package, because of the dependencies. Maybe your solution
is self building the sssd packages. If you are not able to do this, ask
someone who will.

-- 
Regards
Harry Jede

Greetings, Rowland Penny!

>> Once again:
>> winbind gives /bin/false
>> sssd gives /bin/bash
>> The user has:
>> loginShell: /bin/bash
>>
>> If it doesn't matter for you, don't worry!
>>
>>
> That is *NOT* an error,

NSS backend outright lying to the user is not a bug?
What is it then? A butterfly?
You're making so little sense, I begin to doubt your qualification.

> that is the way the winbind built into the samba
> daemon works, it does not pull anything else from AD other than the
> user's uidNumber and the gidNumber of their primary group.
> There is a work round involving the 'template' directories that can be
> set in smb.conf, these affect everybody that connects to the machine it
> is set on, per user settings cannot be set.

That is a direct contradiction to the very idea of having a single
authoritative user management database.
Or, if you like, I can compress the previous phrase into one word, starting
with "b".

> It is one of the reasons against using the DC as a file server,

How would setting winbind on a member server alter the outcome?

> but there are others. People have complained about the hard drive filling up
> until the DC is restarted, there have also been problems with excessive
> use of memory.

That clearly indicates bugs breeding and multiplying in the application.
Instead of telling people "oh, just don't do it", why not fix the bugs?

> I will put it this way, which part of the following statement do you not
> understand ?
> *We _do not recommend_ using the Domain Controller as a file Server*.

So, you are recommending to not use domain controller at all, I got it right?
Because a system that does nothing at all, just sitting there and grinning,
is useless junk and should be discarded as soon as possible.

> As taken from the DC page on the samba wiki.
> I have no worries about using winbind, it works for me because I use it
> as recommended, it would seem that you are the one with the worries.

So, you are not using your linux servers for terminal access?
SSH/SFTP/Git/whatever?
That explains your ignorance.

-- 
With best regards,
Andrey Repin
Thursday, April 2, 2015 20:04:41

Sorry for my terrible English...

On 02/04/15 18:14, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>> Once again:
>>> winbind gives /bin/false
>>> sssd gives /bin/bash
>>> The user has:
>>> loginShell: /bin/bash
>>>
>>> If it doesn't matter for you, don't worry!
>>>
>>>
>> That is *NOT* an error,
> NSS backend outright lying to the user is not a bug?
> What is it then? A butterfly?
> You're making so little sense, I begin to doubt your qualification.
>
>> that is the way the winbind built into the samba
>> daemon works, it does not pull anything else from AD other than the
>> user's uidNumber and the gidNumber of their primary group.
>> There is a work round involving the 'template' directories that can be
>> set in smb.conf, these affect everybody that connects to the machine it
>> is set on, per user settings cannot be set.
> That is a direct contradiction to the very idea of having a single
> authoritative user management database.
> Or, if you like, I can compress the previous phrase into one word, starting
> with "b".
>
>> It is one of the reasons against using the DC as a file server,
> How would setting winbind on a member server alter the outcome?
>
>> but there are others. People have complained about the hard drive filling up
>> until the DC is restarted, there have also been problems with excessive
>> use of memory.
> That clearly indicates bugs breeding and multiplying in the application.
> Instead of telling people "oh, just don't do it", why not fix the bugs?
>
>> I will put it this way, which part of the following statement do you not
>> understand ?
>> *We _do not recommend_ using the Domain Controller as a file Server*.
> So, you are recommending to not use domain controller at all, I got it right?
> Because a system that does nothing at all, just sitting there and grinning,
> is useless junk and should be discarded as soon as possible.
>
>> As taken from the DC page on the samba wiki.
>> I have no worries about using winbind, it works for me because I use it
>> as recommended, it would seem that you are the one with the worries.
> So, you are not using your linux servers for terminal access?
> SSH/SFTP/Git/whatever?
> That explains your ignorance.
>
>

Look, I am with you here, samba no matter where you use it should use the
rfc2307 attributes if they are available, but they aren't all used on the
DC. We will just have to wait until the devs get round to making the
others work.

It is no use complaining to me, I actually opened a bug on this for 4.2rc2
10886, perhaps if people add to this, something may happen, I don't know,
I have no control over the devs.

Rowland
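
The mismatch argued over in this thread (NSS returning /bin/false while the account's loginShell in AD is /bin/bash) can be detected mechanically, which matters wherever the login shell gates terminal access. The following is an added example, not code from any poster or from the Samba project: it compares `getent passwd` output with the rfc2307 attributes exported from AD as LDIF. The account names, the EXAMPLE domain and all values are constructed, and the LDIF is assumed to be unfolded with plain (non-base64) values.

```python
# Added example: audit NSS passwd entries against rfc2307 attributes in AD.
# All account names and values below are constructed sample data.
SAMPLE_PASSWD = """\
EXAMPLE\\alice:*:10001:10000::/home/EXAMPLE/alice:/bin/false
EXAMPLE\\bob:*:10002:10000::/home/bob:/bin/bash
"""
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10002
unixHomeDirectory: /home/bob
loginShell: /bin/bash
"""
# passwd field -> AD attribute that should be authoritative for it
FIELDS = {"uid": "uidNumber", "home": "unixHomeDirectory", "shell": "loginShell"}

def parse_passwd(text):
    """Map short account name -> {uid, home, shell} from passwd(5) lines."""
    rows = (line.split(":") for line in text.splitlines())
    return {r[0].rsplit("\\", 1)[-1].lower():      # drop the DOMAIN\ prefix
            {"uid": r[2], "home": r[5], "shell": r[6]}
            for r in rows if len(r) == 7}           # skip malformed lines

def parse_ldif(text):
    """Map sAMAccountName -> attributes (assumes unfolded, non-base64 LDIF)."""
    out = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "sAMAccountName" in attrs:
            out[attrs["sAMAccountName"].lower()] = attrs
    return out

def audit(passwd_text, ldif_text):
    """Return sorted (user, field, nss_value, ad_value) for each mismatch."""
    nss, ad = parse_passwd(passwd_text), parse_ldif(ldif_text)
    return sorted((user, field, nss[user][field], ad[user][attr])
                  for user in nss.keys() & ad.keys()
                  for field, attr in FIELDS.items()
                  if attr in ad[user] and nss[user][field] != ad[user][attr])

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_LDIF):
        print("MISMATCH user=%s field=%s nss=%s ad=%s" % finding)
```

On the constructed data this reports alice's home directory and shell as diverging from AD, while bob, whose NSS entry matches the directory, produces no finding.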