Jonathan Hunter
2015-Apr-12 10:55 UTC
[Samba] rid mapping works on member server but not DC
Hi,

I have been struggling with this for a few days and think that now's the time I can ask for help :) It's not an area I have delved into before, so I have been trying to follow the documentation, do my own research, and do as much configuration/testing as I can myself; but I am now confused. (I am running 4.2.0 throughout).

I have successfully set up and configured a member server with the following smb.conf (sanitised for the list):

[global]
workgroup = MY-DOMAIN
security = ADS
realm = MY-DOMAIN.MYORG.CO.UK
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 900000-999999
idmap config MY-DOMAIN:backend = rid
idmap config MY-DOMAIN:range = 4000000-4999999
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind expand groups = 8

I can successfully update the RID range to e.g. 2000000-2999999 in smb.conf, and using the following commands this does take effect:

# killall winbindd
# /usr/local/samba/sbin/winbindd
# net cache flush

When I run "wbinfo -i username", I can see the updated RID mappings, as shown here:

[... edit smb.conf from 2000000 to 4000000... ]
# killall winbindd
# /usr/local/samba/sbin/winbindd
# wbinfo -i user1
user1:*:201105:200513:User 1:/home/MY-DOMAIN/user1:/bin/false
# net cache flush
# wbinfo -i user1
user1:*:4001105:4000513:User 1:/home/MY-DOMAIN/user1:/bin/false

This all works perfectly, and is exactly what I want to achieve, as my UID mappings are currently inconsistent across various machines.

However, I have a second server (which is a domain controller, not a domain member) and the same configuration does not work here - this is where I am now confused.

What am I missing? Whatever I do, it does not seem to pay attention to the RID mapping settings (which I have copied over from the working member server I just set up to test, above):

[... edit smb.conf to add the RID mapping section, using any numbers I like e.g. 2000000 ... ]
# service samba4 restart    <-- essentially, just kills and then restarts the /usr/local/samba/sbin/samba binary
# wbinfo -i user2
user2:*:3000015:100:User 2:/home/MY-DOMAIN/user2:/bin/false
# net cache flush
# wbinfo -i user2
user2:*:3000015:100:User 2:/home/MY-DOMAIN/user2:/bin/false

The 3000015 and 100 UID/GIDs seem to be the default mapping - these do not match the RID range I am trying to configure.

Top section of smb.conf from the domain controller; all the idmap and winbind lines were copied directly from the working member server:

[global]
workgroup = MY-DOMAIN
realm = MY-DOMAIN.MYORG.CO.UK
netbios name = MY-DC1
server role = active directory domain controller
dns forwarder = 192.168.1.2
idmap config *:backend = tdb
idmap config *:range = 900000-999999
idmap config MY-DOMAIN:backend = rid
idmap config MY-DOMAIN:range = 4000000-4999999
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind expand groups = 8

The only difference I can see is that the member server has the 'security = ads' line and the DC doesn't; however if I add that to the DC config, Samba won't start up, so I don't think that's it:

[2015/04/12 11:40:56.019515, 0] ../source4/smbd/server.c:475(binary_smbd_main)
  At this time the 'samba' binary should only be used for either:
  'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'
  You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks
[2015/04/12 11:40:56.019982, 0] ../lib/util/become_daemon.c:111(exit_daemon)
  STATUS=daemon failed to start: Samba detected misconfigured 'server role' and exited. Check logs for details, error code 22

There are some Kerberos lines also present on the member server but these aren't on the DC; are these critical for idmap activity??

Is there some other ldb/tdb cache file I need to clear out, perhaps? (I don't want to simply rm /usr/local/samba/private/* as I was doing on the test member server - this is a DC!) Or have I missed something basic, in which case sorry (and I will try to update the wiki to make it clearer in case others miss it, too..! :) )

Thanks,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On 12/04/15 11:55, Jonathan Hunter wrote:
> [...]

OK, you are trying to get the user & group ID numbers to match on the DC and a member server by using the 'rid' backend. I am sorry to tell you that you cannot do this; this is because the way that winbind works is different between the two machines. On the DC 'idmap.ldb' is used and the RIDs are used to create 'xidNumbers' starting from 3000000, whereas on the member server, the 'rid' backend calculates the ID number by 'ID = RID - BASE_RID + LOW_RANGE_ID'.

So, if the user's RID is '1105' and the base rid isn't set in smb.conf, this will become 'ID = 1105 - 0 + LOW_RANGE_ID'

Or from your smb.conf 'ID = 1105 - 0 + 4000000'

which becomes 'ID = 4001105'

If you must have the same ID number on both the DC and the member server, you will have to use the 'ad' backend and add uidNumber & gidNumber attributes to your users and groups.

Rowland
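Rowland's formula, as an added example (written for this page, not code from the thread or from Samba): a small Python model that parses the idmap lines from Jonathan's member-server smb.conf, applies ID = RID - BASE_RID + LOW_RANGE_ID with the range check winbind enforces, and sets it beside a simplified sequential-allocator model of the DC's idmap.ldb (an assumption about its behaviour, keyed by RID for brevity) to show why the two machines give the same user different IDs.

```python
from __future__ import annotations
import re

# The idmap lines exactly as posted for the member server in this thread.
MEMBER_SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 900000-999999
idmap config MY-DOMAIN:backend = rid
idmap config MY-DOMAIN:range = 4000000-4999999
"""

IDMAP_LINE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap_config(conf: str) -> dict[str, dict]:
    """Collect 'idmap config DOMAIN:key = value' lines per domain."""
    cfg: dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group("dom").upper(), m.group("key").lower(), m.group("val")
        entry = cfg.setdefault(dom, {"backend": None, "range": None, "base_rid": 0})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":  # idmap_rid's optional base_rid, defaults to 0
            entry["base_rid"] = int(val)
        else:
            entry[key] = val.lower()
    return cfg

def rid_to_id(rid: int, dom_cfg: dict) -> int | None:
    """Member-server rule from the reply: ID = RID - BASE_RID + LOW_RANGE_ID.
    None when the result leaves the range: winbind then has no mapping at all."""
    low, high = dom_cfg["range"]
    unix_id = rid - dom_cfg["base_rid"] + low
    return unix_id if low <= unix_id <= high else None

class DcIdmapLdb:
    """Simplified model (an assumption, not Samba's code) of the DC's idmap.ldb:
    the first lookup of a SID takes the next free xidNumber from 3000000, so the
    result depends on lookup order, never on the RID. Keyed by RID for brevity."""
    def __init__(self, start: int = 3000000) -> None:
        self.next_xid = start
        self.xids: dict[int, int] = {}

    def lookup(self, rid: int) -> int:
        if rid not in self.xids:  # first sight: allocate, then remember
            self.xids[rid] = self.next_xid
            self.next_xid += 1
        return self.xids[rid]
```

With the thread's range, RID 1105 becomes 4001105 and RID 513 (Domain Users) becomes 4000513, matching the wbinfo output for user1; the DC model hands out 3000000, 3000001, ... in whatever order SIDs are first looked up.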
Jonathan Hunter
2015-Apr-12 12:50 UTC
[Samba] rid mapping works on member server but not DC
Thank you Rowland, that clearly explains why it isn't working for me. Appreciated.

I was trying to achieve my goal of having two domain controllers for redundancy, without having additional physical machines - it looks like I'm now in the same boat as the other current thread ("Domain controller in a chroot"), which is unfortunate! :(

My scenario is that I have one ESXi physical host, running a VM with one DC in it, and one CentOS 6 physical machine, running the other DC but also acting as a file server (and with inconsistent UIDs).

In order to get this CentOS 6 host running as both a DC and file server, with consistent UIDs, it looks like I will need to either
- use the 'ad' backend
- somehow run samba locally as a member server, and for redundancy also run samba as a DC via something like Docker (which I don't think will work due to the need to expose the DC ports, IP etc. to the rest of the domain), or
- perhaps use sssd? (which I haven't yet investigated, to be honest)

I was reluctant to go down the 'ad' backend route simply because from what I can see, there is then the risk of a Windows admin for any part of the AD tree being able to 'impersonate' any UNIX user by simply changing the uidNumber of a user in that part of the tree, isn't there? (within range limits). Whereas with RID mapping the UID is algorithmically determined and would need co-operation from the UNIX host's admin, instead. Or am I over-thinking this?

I understand that with 'ad' mapping, at least the current max UID is stored somewhere in LDAP and automatically applied to new users, so the administrative burden for adding new users is reduced, once each existing user has a uidNumber/gidNumber allocated.

Thanks!

Jonathan

On 12 April 2015 at 13:09, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> [...]