On 04/06/15 16:58, Roel van Meer wrote:
> Hi Jonathan,
>
> I think the reason might be this:
> - You are using "idmap_ldb:use rfc2307" in your Samba config, which
> means that Samba will use the IDs specified in the unix attributes in
> your AD (uidNumber, gidNumber).
> - You are using "ldap_id_mapping = True" in sssd.conf, which means
> that sssd will map uid and gid from the objectSID attribute.
>
> I think if you set "ldap_id_mapping = False" in sssd.conf you'll get
> the same uid on both (that's how I use it anyway).
>
No, we don't think so, because the user does not have the rfc2307
attributes in the directory and doesn't want to put them there. Maybe, on
the contrary, comment out the idmap_ldb:use rfc2307.
> See the manpage of sssd-ad for more information on the ldap_id_mapping
> param.
>
> I hope this helps,
>
> Regards, Roel
>
>
> Jonathan Hunter writes:
>
>> Thanks Rowland.
>>
>> 'getent passwd mydomainuser' does return the correct (new, sssd) UID,
>> e.g. 1514701182
>>
>> In my /etc/nsswitch.conf I have:
>> passwd: files sss
>> group: files sss
>>
>> The problem is that when I create a file from a client machine into a
>> samba share on this server, e.g. creating the file
>> \\servername\sharename\newfile.txt, this new file is not owned by UID
>> 1514701182, but rather 3000007.
>>
>> Before I ran 'net cache flush', a simple "ls -l" showed the file as
>> being owned by the right user 'mydomainuser' - the wrong UID only
>> showed up via "ls -nl", which tells ls to display UIDs rather than
>> usernames. Now, however, when I run "ls -l", I just see the UID - ls
>> is unable to resolve this UID to a name (which I'd expect would be the
>> case, as nsswitch.conf does not have winbind listed)
>>
>> So, a file created using Samba's file server functionality, by user
>> mydomainuser, gets created as UID 3000007 (also seen via 'net cache
>> list', but not 'getent'); a file created using anything else on the
>> machine uses the 'getent' UID of 1514701182 for mydomainuser.
>>
>> It is entirely possible that there is some process I haven't restarted
>> on the machine, of course, that is causing this - but if so, I don't
>> know what that would be. I have made sure (ps axuw|grep mb; also grep
>> samba, grep bind) that there are no samba processes still running when
>> I shut down samba, before restarting it.
>>
>> I'm reluctant to restart the whole machine but will do so if that's
>> likely to help things along. (I'm reminded of the old joke that 90% of
>> problems on Windows machines are fixed by restarting the computer, but
>> 90% of problems on Unix machines are *triggered* by restarting the
>> computer! :))
>>
>> On 3 June 2015 at 19:06, Rowland Penny <rowlandpenny at googlemail.com>
>> wrote:
>> > On 03/06/15 00:37, Jonathan Hunter wrote:
>> >>
>> >> Hi,
>> >>
>> >> Some advice, if I may..
>> >>
>> >> I have two Samba4 domain controllers, that I recently switched to
>> >> using sssd (against these same DCs) for UNIX user authentication -
>> >> this part works perfectly.
>> >>
>> >> However, I am using one of these as a Samba file server also. When I
>> >> create a file via a SMB share, the UNIX UID the file is owned by is
>> >> the old 'winbind' UID (e.g. 3000007) rather than the new 'sssd' UID
>> >> (e.g. 1514701182)
>> >
>> >
>> > The UID you refer to has nothing to do with winbind, it is coming from
>> > idmap.ldb, and if by running 'getent passwd adomainuser' you are
>> > getting something like this:
>> >
>> > DOMAIN\adomainuser:*:3000007:100:Adomain User:/home/DOMAIN/rowland:/bin/bash
>> >
>> > Then you must have a line like this in /etc/nsswitch.conf:
>> >
>> > passwd compat winbind
>> >
>> > As you have now installed sssd, replace 'winbind' with 'sss' and
>> > you should get the number you are after.
>> >
>> > Rowland
>> >
>> >>
>> >> I have /etc/nsswitch.conf set to use 'files sss' for passwd and
>> >> group.
>> >> 'id <username>' works fine and returns the correct (new) UID.
>> >>
>> >> 'getent -s sss passwd <username>' returns the new UID (that I want to
>> >> use).
>> >> 'getent -s winbind passwd <username>' returns the old UID (that I
>> >> don't want).
>> >>
>> >> I've restarted samba, I've run 'net cache flush', I've tried adding
>> >> "-winbind" to the 'server services' line in smb.conf.
>> >>
>> >> Presumably I've got something fundamentally wrong.. but I'm not sure
>> >> what. Can this even be done? I want files created/accessed via Samba
>> >> for my AD users to have the same UID as when the same user logs in
>> >> via ssh or similar (and gets the UID via sssd)...
>> >>
>> >> Cheers,
>> >>
>> >> Jonathan
>> >>
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> --
>> "If we knew what it was we were doing, it would not be called
>> research, would it?"
>> - Albert Einstein
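The mismatch this thread circles around, as an added example that is not code from Samba, sssd or anyone in the thread: a small Python model of the two independent ID sources. The sssd half is an approximation of what ldap_id_mapping = True does, under these assumptions (mine, not stated on the page): MurmurHash3 x86-32 of the domain-SID string, seeded with 0xdeadbeef, selects a slice of the ldap_idmap_range_min..ldap_idmap_range_max range in ldap_idmap_range_size steps, and the UID is that slice base plus the RID, using sssd's default range values. The Samba half models idmap.ldb on a DC handing out the next free xidNumber from 3000000 in first-seen order. The domain SID, the RIDs and the "seven earlier allocations" are constructed, chosen only so the Samba side lands on the thread's 3000007.

```python
"""Model of why smbd (idmap.ldb) and sssd (ldap_id_mapping) disagree on a UID.

Added example for the thread; not Samba's or sssd's code.  Assumptions:
sssd hashes the domain-SID string with MurmurHash3 x86-32 (seed 0xdeadbeef)
to pick a range slice and adds the RID; idmap.ldb allocates sequential
xidNumbers from 3000000.  All SIDs below are constructed.
"""

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 (Austin Appleby's public-domain algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]                     # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)                                # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def sssd_algorithmic_uid(sid, range_min=200000, range_max=2000200000,
                         range_size=200000):
    """Approximation of sssd ldap_id_mapping=True (assumed layout, see module doc).

    The domain SID (everything before the last '-') picks a slice of the
    configured range; the RID is the offset inside that slice.
    """
    dom_sid, rid_str = sid.rsplit("-", 1)
    rid = int(rid_str)
    n_slices = (range_max - range_min) // range_size
    slice_no = murmur3_32(dom_sid.encode("ascii"), 0xDEADBEEF) % n_slices
    slice_min = range_min + slice_no * range_size
    if rid >= range_size:
        # Real sssd allocates a secondary slice here; the model stops.
        raise ValueError("RID %d does not fit the first slice" % rid)
    return slice_min + rid


class IdmapLdb:
    """Model of Samba's idmap.ldb on a DC: next free xidNumber, first come first served."""

    def __init__(self, next_xid=3000000):
        self.next_xid = next_xid
        self.table = {}

    def xid_for_sid(self, sid):
        if sid not in self.table:                 # allocate once, then remember
            self.table[sid] = self.next_xid
            self.next_xid += 1
        return self.table[sid]


def compare(sid, idmap):
    """The two answers a single SID gets; nothing reconciles them."""
    return {"sssd": sssd_algorithmic_uid(sid), "samba": idmap.xid_for_sid(sid)}


if __name__ == "__main__":
    DOM = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
    idmap = IdmapLdb()
    for rid in range(1000, 1007):                         # seven earlier allocations (constructed)
        idmap.xid_for_sid("%s-%d" % (DOM, rid))
    print(compare("%s-1182" % DOM, idmap))                # samba side is 3000007
```

The `getent -s sss` / `getent -s winbind` pair in the thread is the live version of `compare()`: same SID, two unrelated answers, and allocating in one store never updates the other. The test of whether a setup is consistent is therefore not "does getent return the new UID" but "do nsswitch and smbd consult the same mapping", which is exactly what `ls -nl` on a freshly created file reveals.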