Rowland Penny
2015-Apr-05 13:08 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 13:47, buhorojo wrote:
> On 05/04/15 14:25, Rowland Penny wrote:
>> On 05/04/15 13:10, Luca Olivetti wrote:
>>> On 05/04/15 at 11:57, Rowland Penny wrote:
>>>
>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>> gidNumber: 513
>>>>>
>>>> I think that could very well be your problem, you have these lines in
>>>> the smb.conf on your member server:
>>>>
>>>> idmap config CCENTER : backend = ad
>>>> idmap config CCENTER : schema_mode = rfc2307
>>>> idmap config CCENTER : range = 1000-50000
>>>>
>>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>> '1000-50000'
>>>>
>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>> the users' primary group and must have a valid gidNumber, all users are
>>>> ignored.
>>>>
>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>
>>>> Change 'gidNumber: 513'
>>>>
>>>> To 'gidNumber: 10513'
>>>>
>>>> Now try 'getent passwd domainuser'
>>> Wouldn't it be better to simply change the range to 500-50000?
>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>> uids/gids
>>>
>>> Bye
>>>
> Of course it would.
>> Whilst what you are proposing is a possibility, I would never recommend
>> using an ID number so low.
>>
>> Well yes, but I wanted to show the OP the relation between what the
>> uidNumber attribute holds and the range set in smb.conf. If what I
>> propose works (and I'm sure it will), I would have then advised the OP
>> to reset Domain Users back to 513, but I would also have pointed out
>> that you now cannot have *ANY* local users or groups!
> 500 as a lower range is perfectly reasonable. Have you never heard of
> /etc/login.defs?

Yes I have, so what do you propose changing in it? Bearing in mind that whatever is changed in it will have to be changed on every Unix machine in the domain, which sort of defeats the idea of central authentication.

Rowland

>> I would also have pointed out that the lowest uid on Debian/Ubuntu,
>> that is not a system user, is 1000, so using the range '500-50000' is
>> not a good idea.
>>
>> Rowland
Andrey Repin
2015-Apr-05 19:07 UTC
[Samba] Member server - winbind unable to resolve users/groups
Greetings, Rowland Penny!

>>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>>> gidNumber: 513
>>>>>>
>>>>> I think that could very well be your problem, you have these lines in
>>>>> the smb.conf on your member server:
>>>>>
>>>>> idmap config CCENTER : backend = ad
>>>>> idmap config CCENTER : schema_mode = rfc2307
>>>>> idmap config CCENTER : range = 1000-50000
>>>>>
>>>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>>> '1000-50000'
>>>>>
>>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>>> the users' primary group and must have a valid gidNumber, all users are
>>>>> ignored.
>>>>>
>>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>>
>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>>
>>>>> Change 'gidNumber: 513'
>>>>>
>>>>> To 'gidNumber: 10513'
>>>>>
>>>>> Now try 'getent passwd domainuser'

I have enough Linux members to see the apparent issues of such a change.
I'd need to get to every one of them and change file permissions to the new gid.

>>>> Wouldn't it be better to simply change the range to 500-50000?
>>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>>> uids/gids
>>>>
>>>> Bye
>>>>
>> Of course it would.
> Whilst what you are proposing is a possibility, I would never recommend
> using an ID number so low.

It isn't "so" low, and there would not be new mapped groups of ids in that range, since the main winbind configuration is on a dedicated system, and it is set higher than that. So, I see no apparent issue allowing it to work straight. If I ever need a new installation, then of course I'd heed your warning.

>>> Well yes, but I wanted to show the OP the relation between what the
>>> uidNumber attribute holds and the range set in smb.conf. If what I
>>> propose works (and I'm sure it will), I would have then advised the OP
>>> to reset Domain Users back to 513, but I would also have pointed out
>>> that you now cannot have *ANY* local users or groups!
>> 500 as a lower range is perfectly reasonable. Have you never heard of
>> /etc/login.defs?
> Yes I have, so what do you propose changing in it? Bearing in mind that
> whatever is changed in it will have to be changed on every Unix machine
> in the domain, which sort of defeats the idea of central authentication.

I'll have to get to every machine in the domain to upgrade Samba and tune its config. While it is a taxing task in itself, it is faster and easier than to turn the system upside down by changing every file permission I'm not satisfied with.

>>> I would also have pointed out that the lowest uid on Debian/Ubuntu,
>>> that is not a system user, is 1000, so using the range '500-50000' is
>>> not a good idea.

That is only a suggestion. To now, I've never seen a system with more than 150 system users in production, however small my sample of *NIX systems has been. So, I find the suggestion to lower the idmap range reasonable.

In retrospect, the problem wasn't worth a cracked egg. As always. x.x

root@dc1~# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber)(uidnumber))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un
root@member~# getent group | cut -d: -f 3 | sort -un

Exclude uids 0 and 65534. Compare the lists. If results are satisfactory, set the idmap range to include the lowest xid from the SAM database.

Also, login.defs explained why I've got such high RIDs in my database. Turned out, I created the setup in Hardy, where it was largely ignored, but I added many users in 10.04, where the setup was already different. UID_MAX/GID_MAX is 60000 in login.defs, and smbldap-tools selected RIDs above the local range to represent domain members.

Thanks for not losing hope on me. I've got the basic setup working now.
The promised writeup will be up soon enough. Maybe in a week.
I have some stuff to attend to in the meantime, that I was pushing away the last 2 months.

--
With best regards,
Andrey Repin
Sunday, April 5, 2015 21:07:19

Sorry for my terrible English...
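As an added example that is not part of the thread (none of this is Andrey's, Rowland's or Samba's code), here is the two-command comparison above turned into a script that flags the two things the thread argues about: SAM xids the configured idmap range would silently drop, and xids a local group already owns. The ldbsearch and getent output is replaced by constructed samples; the names alice, bob and devs and their ids are invented.

```shell
# Added example, not from the thread: the comparison Andrey describes, run
# over constructed stand-ins for the ldbsearch and getent output (ids invented).

# Constructed stand-in for: ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber)(uidnumber))' gidnumber uidnumber
SAM_LDIF='dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
gidNumber: 513

dn: CN=alice,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 10001
gidNumber: 513

dn: CN=bob,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 1000'

# Constructed stand-in for: getent group
LOCAL_GROUPS='root:x:0:
adm:x:4:
users:x:100:
devs:x:1000:
nogroup:x:65534:'

# Sorted unique xids held in the SAM (the thread's grep/cut/sort pipeline).
sam_xids() {
    printf '%s\n' "$SAM_LDIF" | grep -i '^.idnumber' | cut -d' ' -f2 | sort -un
}

# Sorted unique local gids, excluding root (0) and nogroup (65534).
local_gids() {
    printf '%s\n' "$LOCAL_GROUPS" | cut -d: -f3 | grep -E '^[0-9]+$' \
        | grep -vx -e 0 -e 65534 | sort -un
}

# Lowest xid the idmap range must include for every user to resolve.
lowest_sam_xid() { sam_xids | head -n 1; }

# Ids in both lists: a domain id a local group already owns, so that group's
# files and the domain group's files become mutually accessible. Fix these first.
collisions() { { sam_xids; local_gids; } | sort -n | uniq -d; }

# Xids that winbind would silently ignore under the given "low-high" range.
outside_range() {
    low=${1%-*}; high=${1#*-}
    sam_xids | awk -v lo="$low" -v hi="$high" '$1 < lo || $1 > hi'
}

echo "lowest SAM xid: $(lowest_sam_xid)"
echo "dropped by range 1000-50000: $(outside_range 1000-50000 | tr '\n' ' ')"
echo "domain/local collisions: $(collisions | tr '\n' ' ')"
```

With the sample data the script reports 513 as the lowest SAM xid (dropped by the 1000-50000 range, kept by 500-50000) and 1000 as a collision with the local devs group, which is the situation the thread's ranges-versus-login.defs discussion is about.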
Rowland Penny
2015-Apr-05 19:37 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 20:07, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>>>> gidNumber: 513
>>>>>>>
>>>>>> I think that could very well be your problem, you have these lines in
>>>>>> the smb.conf on your member server:
>>>>>>
>>>>>> idmap config CCENTER : backend = ad
>>>>>> idmap config CCENTER : schema_mode = rfc2307
>>>>>> idmap config CCENTER : range = 1000-50000
>>>>>>
>>>>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>>>> '1000-50000'
>>>>>>
>>>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>>>> the users' primary group and must have a valid gidNumber, all users are
>>>>>> ignored.
>>>>>>
>>>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>>>
>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>>>
>>>>>> Change 'gidNumber: 513'
>>>>>>
>>>>>> To 'gidNumber: 10513'
>>>>>>
>>>>>> Now try 'getent passwd domainuser'
> I have enough Linux members to see the apparent issues of such a change.
> I'd need to get to every one of them and change file permissions to the new
> gid.
>
>>>>> Wouldn't it be better to simply change the range to 500-50000?
>>>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>>>> uids/gids
>>>>>
>>>>> Bye
>>>>>
>>> Of course it would.
>> Whilst what you are proposing is a possibility, I would never recommend
>> using an ID number so low.
> It isn't "so" low, and there would not be new mapped groups of ids in that
> range, since the main winbind configuration is on a dedicated system, and it is
> set higher than that. So, I see no apparent issue allowing it to work straight.
> If I ever need a new installation, then of course I'd heed your warning.
>
>>>> Well yes, but I wanted to show the OP the relation between what the
>>>> uidNumber attribute holds and the range set in smb.conf. If what I
>>>> propose works (and I'm sure it will), I would have then advised the OP
>>>> to reset Domain Users back to 513, but I would also have pointed out
>>>> that you now cannot have *ANY* local users or groups!
>>> 500 as a lower range is perfectly reasonable. Have you never heard of
>>> /etc/login.defs?
>> Yes I have, so what do you propose changing in it? Bearing in mind that
>> whatever is changed in it will have to be changed on every Unix machine
>> in the domain, which sort of defeats the idea of central authentication.
> I'll have to get to every machine in the domain to upgrade Samba and tune its
> config.
> While it is a taxing task in itself, it is faster and easier than to turn the
> system upside down by changing every file permission I'm not satisfied with.
>
>>>> I would also have pointed out that the lowest uid on Debian/Ubuntu,
>>>> that is not a system user, is 1000, so using the range '500-50000' is
>>>> not a good idea.
> That is only a suggestion. To now, I've never seen a system with more than 150
> system users in production, however small my sample of *NIX systems has been.
> So, I find the suggestion to lower the idmap range reasonable.
>
> In retrospect, the problem wasn't worth a cracked egg. As always. x.x
>
> root@dc1~# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber)(uidnumber))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un
> root@member~# getent group | cut -d: -f 3 | sort -un
>
> Exclude uids 0 and 65534. Compare the lists. If results are satisfactory, set
> the idmap range to include the lowest xid from the SAM database.
>
> Also, login.defs explained why I've got such high RIDs in my database.
> Turned out, I created the setup in Hardy, where it was largely ignored, but
> I added many users in 10.04, where the setup was already different.
> UID_MAX/GID_MAX is 60000 in login.defs, and smbldap-tools selected RIDs above
> the local range to represent domain members.
>
> Thanks for not losing hope on me. I've got the basic setup working now.
> The promised writeup will be up soon enough. Maybe in a week.
> I have some stuff to attend to in the meantime, that I was pushing away the
> last 2 months.
>

I think, from what you posted, you have now got the gist of setting up winbind. I know I initially didn't get it and had problems and blamed winbind. Once I did get it working, I could see just where I had been going wrong and couldn't really believe just how easy it was to set up, now that I understood it :-D