Rowland Penny
2015-Apr-05 12:25 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:10, Luca Olivetti wrote:> El 05/04/15 a les 11:57, Rowland Penny ha escrit: > >>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan >>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513 >>> gidNumber: 513 >>> >>> >> I think that could very well be your problem, you have these lines in >> the smb.conf on your member server: >> >> idmap config CCENTER : backend = ad >> idmap config CCENTER : schema_mode = rfc2307 >> idmap config CCENTER : range = 1000-50000 >> >> What they mean is, use the winbind 'ad' backend with rfc2307 attributes >> and ignore any uidNumbers & gidNumbers that fall outside the range >> '1000-50000' >> >> '513' is less than '1000' so will be ignored, and as 'Domain Users' is >> the users primary group and must have a valid gidNumber, all users are >> ignored. >> >> Try this, give 'Domain Users' a larger gidNumber: >> >> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' >> >> Change 'gidNumber: 513' >> >> To 'gidNumber: 10513' >> >> Now try 'getent passwd domainuser' > Wouldn't it be better to simply change the range to 500-50000? > If he's like me, he'll have many hundreds gigabites of files with those > uids/gids > > Bye >Well yes, but I wanted to show the OP the relation between what the uidNumber attribute holds and the range set in smb.conf. If what I propose works (and I sure it will), I would have then advised the OP to reset Domain Users back to 513, but I would also have pointed out that you now cannot have *ANY* local users or groups! I would also have pointed out that the lowest uid on Debian/Ubuntu, that is not a system user, is 1000, so using the range '500-50000' is not a good idea. Rowland
buhorojo
2015-Apr-05 12:47 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 14:25, Rowland Penny wrote:> On 05/04/15 13:10, Luca Olivetti wrote: >> El 05/04/15 a les 11:57, Rowland Penny ha escrit: >> >>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan >>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513 >>>> gidNumber: 513 >>>> >>>> >>> I think that could very well be your problem, you have these lines in >>> the smb.conf on your member server: >>> >>> idmap config CCENTER : backend = ad >>> idmap config CCENTER : schema_mode = rfc2307 >>> idmap config CCENTER : range = 1000-50000 >>> >>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes >>> and ignore any uidNumbers & gidNumbers that fall outside the range >>> '1000-50000' >>> >>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is >>> the users primary group and must have a valid gidNumber, all users are >>> ignored. >>> >>> Try this, give 'Domain Users' a larger gidNumber: >>> >>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' >>> >>> Change 'gidNumber: 513' >>> >>> To 'gidNumber: 10513' >>> >>> Now try 'getent passwd domainuser' >> Wouldn't it be better to simply change the range to 500-50000? >> If he's like me, he'll have many hundreds gigabites of files with those >> uids/gids >> >> Bye >>Of course it would.> > Well yes, but I wanted to show the OP the relation between what the > uidNumber attribute holds and the range set in smb.conf. If what I > propose works (and I sure it will), I would have then advised the OP > to reset Domain Users back to 513, but I would also have pointed out > that you now cannot have *ANY* local users or groups!500 as a lower range is perfectly reasonable. Have you never heard of /etc/login.defs?> > I would also have pointed out that the lowest uid on Debian/Ubuntu, > that is not a system user, is 1000, so using the range '500-50000' is > not a good idea. > > Rowland
Reindl Harald
2015-Apr-05 12:52 UTC
[Samba] Member server - winbind unable to resolve users/groups
Am 05.04.2015 um 14:47 schrieb buhorojo:> 500 as a lower range is perfectly reasonable. Have you never heard of > /etc/login.defs?and what are you doing with already system users created before change login.defs? it's perfectly reasonable on systems which had login.defs to 500 in a early state but nowhere else, at least not as recommendation to anybody you don't know in person and where you don't be there to solve other problems which may appear after the change -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20150405/9d6dfafb/attachment.pgp>
Luca Olivetti
2015-Apr-05 12:56 UTC
[Samba] Member server - winbind unable to resolve users/groups
El 05/04/15 a les 14:25, Rowland Penny ha escrit:> Well yes, but I wanted to show the OP the relation between what the > uidNumber attribute holds and the range set in smb.conf. If what I > propose works (and I sure it will), I would have then advised the OP to > reset Domain Users back to 513, but I would also have pointed out that > you now cannot have *ANY* local users or groups!Why not? 1-499 can still be local groups, as can be gids > 50000> > I would also have pointed out that the lowest uid on Debian/Ubuntu, that > is not a system user, is 1000, so using the range '500-50000' is not a > good idea.It is if you already have users with those uids. Not everybody can start fresh. When I started using linux and samba many years ago, the distribution I used had 500 as the lowest uid (e.g. my uid is 500) and it's not practical to change the ownership of the more than 3 millions files I have. Bye -- Luca Olivetti Wetron Automation Technology http://www.wetron.es Tel. +34 935883004 Fax +34 935883007
Rowland Penny
2015-Apr-05 13:08 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:47, buhorojo wrote:> On 05/04/15 14:25, Rowland Penny wrote: >> On 05/04/15 13:10, Luca Olivetti wrote: >>> El 05/04/15 a les 11:57, Rowland Penny ha escrit: >>> >>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan >>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513 >>>>> gidNumber: 513 >>>>> >>>>> >>>> I think that could very well be your problem, you have these lines in >>>> the smb.conf on your member server: >>>> >>>> idmap config CCENTER : backend = ad >>>> idmap config CCENTER : schema_mode = rfc2307 >>>> idmap config CCENTER : range = 1000-50000 >>>> >>>> What they mean is, use the winbind 'ad' backend with rfc2307 >>>> attributes >>>> and ignore any uidNumbers & gidNumbers that fall outside the range >>>> '1000-50000' >>>> >>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is >>>> the users primary group and must have a valid gidNumber, all users are >>>> ignored. >>>> >>>> Try this, give 'Domain Users' a larger gidNumber: >>>> >>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' >>>> >>>> Change 'gidNumber: 513' >>>> >>>> To 'gidNumber: 10513' >>>> >>>> Now try 'getent passwd domainuser' >>> Wouldn't it be better to simply change the range to 500-50000? >>> If he's like me, he'll have many hundreds gigabites of files with those >>> uids/gids >>> >>> Bye >>> > Of course it would.Whilst what you are proposing is a possibility, I would never recommend using an ID number so low.>> >> Well yes, but I wanted to show the OP the relation between what the >> uidNumber attribute holds and the range set in smb.conf. If what I >> propose works (and I sure it will), I would have then advised the OP >> to reset Domain Users back to 513, but I would also have pointed out >> that you now cannot have *ANY* local users or groups! > 500 as a lower range is perfectly reasonable. Have you never heard of > /etc/login.defs?Yes I have, so what do propose changing in it ? bearing in mind that what ever is changed in it will have to be changed on every Unix machine in the domain, which sort of defeats the idea of central authentication. Rowland>> >> I would also have pointed out that the lowest uid on Debian/Ubuntu, >> that is not a system user, is 1000, so using the range '500-50000' is >> not a good idea. >> >> Rowland >
Rowland Penny
2015-Apr-05 13:31 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:56, Luca Olivetti wrote:> El 05/04/15 a les 14:25, Rowland Penny ha escrit: > >> Well yes, but I wanted to show the OP the relation between what the >> uidNumber attribute holds and the range set in smb.conf. If what I >> propose works (and I sure it will), I would have then advised the OP to >> reset Domain Users back to 513, but I would also have pointed out that >> you now cannot have *ANY* local users or groups! > Why not? 1-499 can still be local groups, as can be gids > 50000 > >> I would also have pointed out that the lowest uid on Debian/Ubuntu, that >> is not a system user, is 1000, so using the range '500-50000' is not a >> good idea. > It is if you already have users with those uids. Not everybody can start > fresh. When I started using linux and samba many years ago, the > distribution I used had 500 as the lowest uid (e.g. my uid is 500) and > it's not practical to change the ownership of the more than 3 millions > files I have. > > ByeOK, so you have users that start at '500', these will undoubtedly be local Unix users not AD users, unless you have migrated these users to AD, in which case you would have had to remove the local Unix users. If you will never need any local Unix users (and what happens if the domain connection goes down ?) then you could start the AD users at where the local Unix users are supposed to start (debian 1000, older red-hat 500, newer red-hat 1000), but this is if you *only* have Unix system users on the computer. I cannot recommend this type of setup, there is no reason to have such a setup and if you do have such a setup, then my recommendation is to retire and let somebody else sort out your mess. Rowland
Possibly Parallel Threads
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups