Ritter, Marcel (RRZE)
2015-Jul-10 07:05 UTC
[Samba] Getent Differences on a DC and a Member Server
Hi,

I know there've been some workarounds on this topic, however I'm missing the reason for winbind to behave differently on a DC and on a member server (I also had to work around that problem and I'd really like it fixed).

If there's a technical reason for it, it'd be nice to know about it.
If there isn't, then it's just a bug that should be fixed.

Could someone of the development team please comment on this?

Bye,
Marcel

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Felix Matouschek
Sent: Friday, 3 July 2015 10:31
To: 'David Minard'; samba at lists.samba.org
Subject: Re: [Samba] Getent Differences on a DC and a Member Server

Hi David,

> Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell?

Yes, it is only the DC that doesn't pull HomeDirectory and Shell via rfc2307 (when using winbindd). Member servers with winbindd do pull the desired values without problems, I have it set up like this and it works without problems.

I have only two ideas to solve your problem: either you don't allow logins from users on the DC or you switch over to sssd on the DC. I suppose sssd should be suitable to achieve your desired results on the DC.

> that is why I mentioned that I don't have SSSD installed - nor any
> other nsswitch back to our current LDAP

But you do have winbind in your nsswitch?

Greetings,
Felix

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of David Minard
Sent: Friday, 3 July 2015 03:28
To: samba at lists.samba.org
Subject: Re: [Samba] Getent Differences on a DC and a Member Server

Thank you Felix.

On 02/07/15 16:18, Felix Matouschek wrote:
> Hi David,
>
> I experienced this issue as well, it's currently a limitation of Samba 4.2.2.
> Samba 4.2.2 DCs do not support pulling home directories and login shells from AD via rfc2307.
>
> I solved this issue with the "template homedir" and "template shell" directives.
> You lose some flexibility but at least it works.

Lack of flexibility is my main problem. Unfortunately without restructuring how our home directories are set up, I need the flexibility. I need HomeDirectories etc. to be pulled from the AD if I'm to retire our current LDAP servers and use Samba4 as a replacement.

> Excerpt from my DC smb.conf:
>
> winbind nss info = rfc2307:MYDOMAIN, template
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> Greetings,
> Felix

Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell?

I ask because my member server is returning the desired values, but I get the impression that it should not be from comments on the list. Rowland was helping me with winbindd over the last few weeks and I got the impression that my Member Server should not be returning correct HomeDirectory and Shell - but it is - that is why I mentioned that I don't have SSSD installed - nor any other nsswitch back to our current LDAP.

I need to know if what I am seeing is a freak of computing, or expected behaviour.

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of David Minard
> Sent: Thursday, 2 July 2015 06:18
> To: samba at lists.samba.org
> Subject: [Samba] Getent Differences on a DC and a Member Server
>
> G'day All,
>
> I'm running Centos 7, Samba 4.2.2. (SSSD is NOT running (not even installed on the Member Server))
>
> /etc/nsswitch on both:
>
> passwd: files winbind
> group: files winbind
>
> the winbind libs have been sym-linked as described in the wiki. All seems to be working well on both the DC and Member Server.
>
> Both smb.confs have:
>
> idmap config *:backend = tdb
> idmap config *:range = 3000000-4000000
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 600-2999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> On the DC I've changed winbind to winbindd in the "server services" line, and winbindd starts up as expected.
>
> Can anyone tell me why I get slightly different answers from 'getent passwd [username]' from a DC and a Member Server.
>
> eg: getent passwd fred
>
> DC:
>
> fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false
>
> On a Member Server:
>
> fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh
>
> On the DC the HomeDirectory and Shell Fields are not what I defined for user Fred.
>
> On the Member Server, Homedirectory and Shell are what I defined for user Fred.
>
> Why is there a difference?

--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
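A quick way to check both halves of the set-up discussed above in one place: the idmap/rfc2307 settings in smb.conf, and the getent output on the two hosts. This is an added example written for this page, not code from Samba or from any poster in the thread. It uses the smb.conf excerpt and the two getent lines from David's message as constructed input, and treats a home of /home/<DOMAIN>/<user> with shell /bin/false as the sign that the DC fell back to Samba's default "template homedir" (/home/%D/%U) and "template shell" (/bin/false) instead of applying the user's rfc2307 attributes, which is consistent with the /home/AD/fred and /bin/false the DC returned. The overlap check is there because overlapping idmap ranges between the "*" default domain and a named domain are a common reason for ID mapping to misbehave, so it is worth ruling out before blaming the DC.

```python
"""Consistency checks for a winbind/idmap rfc2307 set-up.

Added example, not Samba code. Parses an smb.conf excerpt, checks that the
idmap ranges are disjoint and the rfc2307 settings are present, then diffs a
user's `getent passwd` line as seen on the DC and on a member server.
"""
import re

# Constructed from the smb.conf excerpt in David's original post.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 3000000-4000000
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 600-2999999
winbind nss info = rfc2307
winbind use default domain = yes
"""

# The two getent lines quoted in the thread (constructed input).
DC_GETENT = "fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false"
MEMBER_GETENT = "fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh"

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_smb_conf(text):
    """Map 'key = value' lines to a dict. Keys are lower-cased with whitespace
    collapsed so 'idmap config AD:range' is found however it was spaced."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return conf


def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config <domain>:range'."""
    ranges = {}
    for key, value in conf.items():
        m = re.match(r"idmap config (\S+?)\s*:\s*range$", key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ID ranges intersect. Samba requires the
    ranges of different idmap domains (including '*') to be disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def rfc2307_settings_ok(conf, domain):
    """True when <domain> uses the 'ad' backend with the rfc2307 schema and
    winbind is told to take nss info (home, shell) from rfc2307 attributes."""
    d = domain.lower()
    return (conf.get(f"idmap config {d}:backend") == "ad"
            and conf.get(f"idmap config {d}:schema_mode") == "rfc2307"
            and conf.get("winbind nss info", "").startswith("rfc2307"))


def parse_passwd(line):
    """Split one getent/passwd line into its seven fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"not a passwd entry: {line!r}")
    entry = dict(zip(PASSWD_FIELDS, parts))
    entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry


def diff_entries(dc_line, member_line):
    """Fields that differ between the DC's and the member server's view."""
    dc, mem = parse_passwd(dc_line), parse_passwd(member_line)
    if dc["name"] != mem["name"]:
        raise ValueError("entries are for different users")
    return {f: (dc[f], mem[f]) for f in PASSWD_FIELDS if dc[f] != mem[f]}


def uses_template_fallback(line, domain):
    """True when the entry carries Samba's default template values
    (/home/<DOMAIN>/<user> and /bin/false) rather than rfc2307 attributes."""
    e = parse_passwd(line)
    return e["home"] == f"/home/{domain}/{e['name']}" and e["shell"] == "/bin/false"


def report(conf_text=SMB_CONF, dc_line=DC_GETENT, member_line=MEMBER_GETENT,
           domain="AD"):
    """Run every check and return the findings as one dict."""
    conf = parse_smb_conf(conf_text)
    return {
        "overlaps": overlapping_ranges(idmap_ranges(conf)),
        "rfc2307_ok": rfc2307_settings_ok(conf, domain),
        "diff": diff_entries(dc_line, member_line),
        "dc_fallback": uses_template_fallback(dc_line, domain),
        "member_fallback": uses_template_fallback(member_line, domain),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On David's input this reports no range overlap, the rfc2307 settings present, a diff confined to the home and shell fields, and the DC entry matching the default template pattern while the member server entry does not. To use it against a real pair of hosts, replace the constructed strings with the output of `getent passwd <user>` captured on each machine and the relevant lines of each smb.conf; a non-empty "overlaps" list or a false "rfc2307_ok" points at the configuration rather than at the DC-side winbindd limitation the thread describes.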
Rowland Penny
2015-Jul-10 09:43 UTC
[Samba] Getent Differences on a DC and a Member Server
On 10/07/15 08:05, Ritter, Marcel (RRZE) wrote:
> Hi,
>
> I know there've been some workarounds on this topic, however I'm missing
> the reason for winbind to behave differently on a DC and on a member
> server (I also had to work around that problem and I'd really like it fixed).

The reason is a bit historical, originally samba4, when running as an AD DC, used the builtin winbind. This did not have the full capabilities of the separate winbindd used on a member server and various things did not work. Samba, from 4.2.0, has switched to using the separate winbindd, the main reason for this switch was to get domain trusts working, something I understand is still not fully working and the devs are concentrating on making this work before getting anything else in winbindd to work.

I think you will find that just about everybody would like winbindd 'fixing', but you will just have to wait (unless you care to come up with patches to make it work?)

> If there's a technical reason for it, it'd be nice to know about it.
> If there isn't, then it's just a bug that should be fixed.

There is a bug report about this and as I said, it will be fixed, I just do not know when.

Rowland

> Could someone of the development team please comment on this?
>
> Bye,
> Marcel
Ritter, Marcel (RRZE)
2015-Jul-10 13:52 UTC
[Samba] Getent Differences on a DC and a Member Server
Hi Rowland,

thanks for explaining and pointing out the bug report. I searched samba bugzilla, and here are the two matching bug reports I found:

https://bugzilla.samba.org/show_bug.cgi?id=9839
https://bugzilla.samba.org/show_bug.cgi?id=10886

The latter one contains some more insight into why this problem isn't that easy to fix. Looks like it's some kind of race condition when using unix attributes.

I'll try to find some time to dig into this ... and maybe produce some patches ...

Bye,
Marcel

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
Sent: Friday, 10 July 2015 11:44
To: samba at lists.samba.org
Subject: Re: [Samba] Getent Differences on a DC and a Member Server

On 10/07/15 08:05, Ritter, Marcel (RRZE) wrote:
> Hi,
>
> I know there've been some workarounds on this topic, however I'm
> missing the reason for winbind to behave differently on a DC and on a
> member server (I also had to work around that problem and I'd really like it fixed).

The reason is a bit historical, originally samba4, when running as an AD DC, used the builtin winbind. This did not have the full capabilities of the separate winbindd used on a member server and various things did not work. Samba, from 4.2.0, has switched to using the separate winbindd, the main reason for this switch was to get domain trusts working, something I understand is still not fully working and the devs are concentrating on making this work before getting anything else in winbindd to work.

I think you will find that just about everybody would like winbindd 'fixing', but you will just have to wait (unless you care to come up with patches to make it work?)

> If there's a technical reason for it, it'd be nice to know about it.
> If there isn't, then it's just a bug that should be fixed.

There is a bug report about this and as I said, it will be fixed, I just do not know when.

Rowland

> Could someone of the development team please comment on this?
>
> Bye,
> Marcel