On 09/04/15 12:01, L.P.H. van Belle wrote:
> Ok, thanks, now you say it, logical yes..
> It also explains more why lots of users have the problem accessing the member servers..
> can we mix ad and rid...

I would suppose so, but not on the same machine :-)

Why would you want to though ?

Using the RFC2307 attributes, you will get the same ID number on every Unix machine, whereas if you use the 'rid' backend, whilst you should get the same ID on each Unix machine, you will never get the same ID on an AD DC, in fact without intervention, you will get a different ID on different DCs

If you only have one DC and one member server, then use the member server and use the 'rid' backend, anything other than this, use the RFC2307 attributes and the 'ad' backend.

Rowland

> Thanks!
>
> Louis
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday 9 April 2015 12:41
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] samba member logon.. question.
>>
>> On 09/04/15 09:19, L.P.H. van Belle wrote:
>>> Hai all,
>>>
>>> I was testing with a member server and I had a small problem.
>>> I found the solution but I'm just asking why?
>>> Situation. DC + Member server, all is working fine.
>>> All test ok. with AD backend !
>>>
>>> Now I did set some GPO's and I created a user to test.
>>> Tested wbinfo -u worked ok, id user did not work.. but I ignored that.
>>
>> Hi Louis, surely if 'id user' didn't work then your user is unknown to the Unix machine.
>>
>>> Now I'm logging in and my pc was complaining the user and profiles share was inaccessible.
>>>
>>> I noticed these messages
>>> [2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>> [2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>
>>> I increased the logging level on the member to 3 and found the following messages..
>>> Found account name from PAC: testuser [T. testuser] Kerberos ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
>>> and now it goes wrong.
>>>
>>> Username INTERNAL\testuser is invalid on this system .... uh?
>>
>> Well yes, the user doesn't exist on the machine.
>>
>>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>>>
>>> If you encounter this problem, then give the user a UID and the problem is solved, I was able to login again and the message was gone.
>>
>> There you go, proof that the user must be known to the machine, you could also have used the 'rid' backend, this would have allocated an ID number without one being in AD.
>>
>> A Windows user is just a Windows user, unless you do something to make it known to Unix.
>>
>> Rowland
>>
>>> Is it obligatory to give your users a uid/gid ? or is this backend depending?
>>> So what if you want to run your setup with AD backend but you don't want to give all your users a uid/gid.
>>> Is this possible? should be imo.
>>>
>>> Greetz,
>>>
>>> Louis
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
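The 'ad' versus 'rid' trade-off above, as an added example that is not part of the original thread or of Samba itself: a small Python script that parses the idmap lines of a constructed member-server smb.conf, reproduces the algorithmic mapping documented for idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID), and checks the ranges for overlap. It shows why a rid-mapped user gets the same uid on every member server from nothing but its SID, whereas with the 'ad' backend the user only exists on Unix once uidNumber is stored in AD. The domain name, realm, ranges and SID are constructed for the example.

```python
import re

# Constructed smb.conf fragment for a member server using the 'rid' backend
# (domain, realm and ranges are made up for this example).
SMB_CONF_RID = """
[global]
   security = ADS
   workgroup = INTERNAL
   realm = INTERNAL.DOMAIN.TLD
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = rid
   idmap config INTERNAL : range = 10000-999999
"""


def parse_idmap(conf):
    """Return {domain: {'backend': ..., 'range': (low, high)}} from 'idmap config' lines."""
    cfg = {}
    for m in re.finditer(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)", conf):
        dom, key, val = m.group(1), m.group(2), m.group(3).strip()
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return cfg


def rid_to_unix_id(sid, cfg, domain, base_rid=0):
    """Algorithmic mapping of the 'rid' backend, per idmap_rid(8):
    ID = RID - BASE_RID + LOW_RANGE_ID. Same answer on every member server,
    with no uidNumber stored in AD. Returns None outside the configured range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg[domain]["range"]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ranges_overlap(cfg):
    """True if any two idmap ranges overlap, a common misconfiguration
    worth checking before switching a member server between backends."""
    rs = sorted(e["range"] for e in cfg.values() if "range" in e)
    return any(a[1] >= b[0] for a, b in zip(rs, rs[1:]))


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF_RID)
    # constructed SID for 'testuser' with RID 1105
    print(rid_to_unix_id("S-1-5-21-1-2-3-1105", cfg, "INTERNAL"))  # -> 11105
    print(ranges_overlap(cfg))  # -> False
```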
Greetings, Rowland Penny!

> On 09/04/15 12:01, L.P.H. van Belle wrote:
>> Ok, thanks, now you say it, logical yes..
>> It also explains more why lots of users have the problem accessing the member servers..
>> can we mix ad and rid...
> I would suppose so, but not on the same machine :-)

> Why would you want to though ?

> Using the RFC2307 attributes, you will get the same ID number on every
> Unix machine, whereas if you use the 'rid' backend, whilst you should
> get the same ID on each Unix machine, you will never get the same ID on
> an AD DC, in fact without intervention, you will get a different ID on
> different DCs

Ok, good.
Now, how can I get RFC2307 attributes populated automatically upon users or groups creation?

> If you only have one DC and one member server, then use the member
> server and use the 'rid' backend, anything other than this, use the
> RFC2307 attributes and the 'ad' backend.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 15:56:32

Sorry for my terrible english...
in short..
look at : samba-tool user add --help

It gives some nice examples.
have a look first ;-)

Greetz,

Louis

> -----Original message-----
> From: anrdaemon at yandex.ru [mailto:samba-bounces at lists.samba.org] On behalf of Andrey Repin
> Sent: Thursday 9 April 2015 14:58
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] samba member logon.. question.
>
> Greetings, Rowland Penny!
>
>> On 09/04/15 12:01, L.P.H. van Belle wrote:
>>> Ok, thanks, now you say it, logical yes..
>>> It also explains more why lots of users have the problem accessing the member servers..
>>> can we mix ad and rid...
>> I would suppose so, but not on the same machine :-)
>
>> Why would you want to though ?
>
>> Using the RFC2307 attributes, you will get the same ID number on every
>> Unix machine, whereas if you use the 'rid' backend, whilst you should
>> get the same ID on each Unix machine, you will never get the same ID on
>> an AD DC, in fact without intervention, you will get a different ID on
>> different DCs
>
> Ok, good.
> Now, how can I get RFC2307 attributes populated automatically upon users or
> groups creation?
>
>> If you only have one DC and one member server, then use the member
>> server and use the 'rid' backend, anything other than this, use the
>> RFC2307 attributes and the 'ad' backend.
>
> --
> With best regards,
> Andrey Repin
> Thursday, April 9, 2015 15:56:32
>
> Sorry for my terrible english...
On 09/04/15 at 14:57, Andrey Repin wrote:
>> Using the RFC2307 attributes, you will get the same ID number on every
>> Unix machine, whereas if you use the 'rid' backend, whilst you should
>> get the same ID on each Unix machine, you will never get the same ID on
>> an AD DC, in fact without intervention, you will get a different ID on
>> different DCs
>
> Ok, good.
> Now, how can I get RFC2307 attributes populated automatically upon users or
> groups creation?

You can't :-(

I'm experimenting with https://github.com/laotse/SambaPosix but it's quite buggy (at least regarding the features I'm trying, namely, trying to assign uids the same way as ADUC).

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
On 09/04/15 at 15:57, L.P.H. van Belle wrote:
> in short..
> look at : samba-tool user add --help
>
> It gives some nice examples.
> have a look first ;-)

I just tried it. With the --uid option it automatically assigns a uid number, but it doesn't follow the same criterion as ADUC (which reads and updates msSFU30MaxUidNumber/msSFU30MaxGidNumber from domain.tld/System/RpcServices/ypServ30/ypservers/domain). Worse, if I then go to ADUC the Unix tab is empty, and as soon as I assign a NIS domain it overwrites the uid with its own.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007