Rowland Penny
2015-Apr-05 12:25 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:10, Luca Olivetti wrote:
> On 05/04/15 at 11:57, Rowland Penny wrote:
>
>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>> gidNumber: 513
>>>
>>>
>> I think that could very well be your problem, you have these lines in
>> the smb.conf on your member server:
>>
>> idmap config CCENTER : backend = ad
>> idmap config CCENTER : schema_mode = rfc2307
>> idmap config CCENTER : range = 1000-50000
>>
>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>> and ignore any uidNumbers & gidNumbers that fall outside the range
>> '1000-50000'
>>
>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>> the user's primary group and must have a valid gidNumber, all users are
>> ignored.
>>
>> Try this, give 'Domain Users' a larger gidNumber:
>>
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>
>> Change 'gidNumber: 513'
>>
>> To 'gidNumber: 10513'
>>
>> Now try 'getent passwd domainuser'
> Wouldn't it be better to simply change the range to 500-50000?
> If he's like me, he'll have many hundreds of gigabytes of files with those
> uids/gids
>
> Bye
>

Well yes, but I wanted to show the OP the relation between what the uidNumber attribute holds and the range set in smb.conf. If what I propose works (and I'm sure it will), I would have then advised the OP to reset Domain Users back to 513, but I would also have pointed out that you now cannot have *ANY* local users or groups!

I would also have pointed out that the lowest uid on Debian/Ubuntu, that is not a system user, is 1000, so using the range '500-50000' is not a good idea.

Rowland
buhorojo
2015-Apr-05 12:47 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 14:25, Rowland Penny wrote:
> On 05/04/15 13:10, Luca Olivetti wrote:
>> On 05/04/15 at 11:57, Rowland Penny wrote:
>>
>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>> gidNumber: 513
>>>>
>>>>
>>> I think that could very well be your problem, you have these lines in
>>> the smb.conf on your member server:
>>>
>>> idmap config CCENTER : backend = ad
>>> idmap config CCENTER : schema_mode = rfc2307
>>> idmap config CCENTER : range = 1000-50000
>>>
>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>> '1000-50000'
>>>
>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>> the user's primary group and must have a valid gidNumber, all users are
>>> ignored.
>>>
>>> Try this, give 'Domain Users' a larger gidNumber:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>
>>> Change 'gidNumber: 513'
>>>
>>> To 'gidNumber: 10513'
>>>
>>> Now try 'getent passwd domainuser'
>> Wouldn't it be better to simply change the range to 500-50000?
>> If he's like me, he'll have many hundreds of gigabytes of files with those
>> uids/gids
>>
>> Bye
>>

Of course it would.

>
> Well yes, but I wanted to show the OP the relation between what the
> uidNumber attribute holds and the range set in smb.conf. If what I
> propose works (and I'm sure it will), I would have then advised the OP
> to reset Domain Users back to 513, but I would also have pointed out
> that you now cannot have *ANY* local users or groups!

500 as a lower range is perfectly reasonable. Have you never heard of /etc/login.defs?

>
> I would also have pointed out that the lowest uid on Debian/Ubuntu,
> that is not a system user, is 1000, so using the range '500-50000' is
> not a good idea.
>
> Rowland
Reindl Harald
2015-Apr-05 12:52 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05.04.2015 at 14:47, buhorojo wrote:
> 500 as a lower range is perfectly reasonable. Have you never heard of
> /etc/login.defs?

and what are you doing with already system users created before change login.defs?

it's perfectly reasonable on systems which had login.defs to 500 in an early state but nowhere else, at least not as recommendation to anybody you don't know in person and where you don't be there to solve other problems which may appear after the change
Luca Olivetti
2015-Apr-05 12:56 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 at 14:25, Rowland Penny wrote:

> Well yes, but I wanted to show the OP the relation between what the
> uidNumber attribute holds and the range set in smb.conf. If what I
> propose works (and I'm sure it will), I would have then advised the OP to
> reset Domain Users back to 513, but I would also have pointed out that
> you now cannot have *ANY* local users or groups!

Why not? 1-499 can still be local groups, as can be gids > 50000

>
> I would also have pointed out that the lowest uid on Debian/Ubuntu, that
> is not a system user, is 1000, so using the range '500-50000' is not a
> good idea.

It is if you already have users with those uids. Not everybody can start fresh. When I started using linux and samba many years ago, the distribution I used had 500 as the lowest uid (e.g. my uid is 500) and it's not practical to change the ownership of the more than 3 million files I have.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Rowland Penny
2015-Apr-05 13:08 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:47, buhorojo wrote:
> On 05/04/15 14:25, Rowland Penny wrote:
>> On 05/04/15 13:10, Luca Olivetti wrote:
>>> On 05/04/15 at 11:57, Rowland Penny wrote:
>>>
>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>> gidNumber: 513
>>>>>
>>>>>
>>>> I think that could very well be your problem, you have these lines in
>>>> the smb.conf on your member server:
>>>>
>>>> idmap config CCENTER : backend = ad
>>>> idmap config CCENTER : schema_mode = rfc2307
>>>> idmap config CCENTER : range = 1000-50000
>>>>
>>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>> '1000-50000'
>>>>
>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>> the user's primary group and must have a valid gidNumber, all users are
>>>> ignored.
>>>>
>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>
>>>> Change 'gidNumber: 513'
>>>>
>>>> To 'gidNumber: 10513'
>>>>
>>>> Now try 'getent passwd domainuser'
>>> Wouldn't it be better to simply change the range to 500-50000?
>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>> uids/gids
>>>
>>> Bye
>>>
> Of course it would.

Whilst what you are proposing is a possibility, I would never recommend using an ID number so low.

>>
>> Well yes, but I wanted to show the OP the relation between what the
>> uidNumber attribute holds and the range set in smb.conf. If what I
>> propose works (and I'm sure it will), I would have then advised the OP
>> to reset Domain Users back to 513, but I would also have pointed out
>> that you now cannot have *ANY* local users or groups!
> 500 as a lower range is perfectly reasonable. Have you never heard of
> /etc/login.defs?

Yes I have, so what do you propose changing in it? Bearing in mind that whatever is changed in it will have to be changed on every Unix machine in the domain, which sort of defeats the idea of central authentication.

Rowland

>>
>> I would also have pointed out that the lowest uid on Debian/Ubuntu,
>> that is not a system user, is 1000, so using the range '500-50000' is
>> not a good idea.
>>
>> Rowland
>
Rowland Penny
2015-Apr-05 13:31 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:56, Luca Olivetti wrote:
> On 05/04/15 at 14:25, Rowland Penny wrote:
>
>> Well yes, but I wanted to show the OP the relation between what the
>> uidNumber attribute holds and the range set in smb.conf. If what I
>> propose works (and I'm sure it will), I would have then advised the OP to
>> reset Domain Users back to 513, but I would also have pointed out that
>> you now cannot have *ANY* local users or groups!
> Why not? 1-499 can still be local groups, as can be gids > 50000
>
>> I would also have pointed out that the lowest uid on Debian/Ubuntu, that
>> is not a system user, is 1000, so using the range '500-50000' is not a
>> good idea.
> It is if you already have users with those uids. Not everybody can start
> fresh. When I started using linux and samba many years ago, the
> distribution I used had 500 as the lowest uid (e.g. my uid is 500) and
> it's not practical to change the ownership of the more than 3 million
> files I have.
>
> Bye

OK, so you have users that start at '500', these will undoubtedly be local Unix users not AD users, unless you have migrated these users to AD, in which case you would have had to remove the local Unix users.

If you will never need any local Unix users (and what happens if the domain connection goes down?) then you could start the AD users at where the local Unix users are supposed to start (debian 1000, older red-hat 500, newer red-hat 1000), but this is if you *only* have Unix system users on the computer.

I cannot recommend this type of setup, there is no reason to have such a setup and if you do have such a setup, then my recommendation is to retire and let somebody else sort out your mess.

Rowland