But that doesn't work for me. As I am saying
If I set it like that I only see 7 domain users with getent passwd
experimenting I see if I set

idmap config * : range = 2000-7999
idmap config DOMAIN:range = 8000-99999

I see all my users.

which is really odd because all my users have uids above 10000

What other troubleshooting steps can I take to see why this is acting
this way?

I edit /etc/samba/smb.conf
I run a script with the following

service winbind stop
service samba stop
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1
service samba start
service winbind start

then I do
getent passwd|wc -l

########################3

when

idmap config DOMAIN:range = 10000-99999

# getent passwd|wc -l
47

when

idmap config DOMAIN:range = 9000-99999

# getent passwd|wc -l
109

when

idmap config DOMAIN:range = 8000-99999

# getent passwd|wc -l
801

that seems to be as many as I can get
still doesn't add up as

# cat /etc/passwd|wc -l
40

# wbinfo -u|wc -l
798

So I should have 838 users.
But no matter what I set idmap config DOMAIN:range to I don't see any
more than 801 users with getent passwd

On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny <rpenny at samba.org> wrote:

> On 07/12/15 15:42, Jeff Sadowski wrote:
>
>> I finally got to test it and it works OK
>> something really strange is occurring though
>>
>> It works good as follows except for groups but I'll look at that later
>> as I see others have mentioned some issues with groups
>> here is my /etc/samba/smb.conf
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 900-999
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:range = 1000-99999
>> idmap config DOMAIN:schema_mode = rfc2307
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = Yes
>> # doesn't seem to do the same for groups :-/
>> winbind enum groups = Yes
>> restrict anonymous = 2
>>
>> What is strange is when I use the ranges like so
>>
>> idmap config * : range = 1000-9999
>> idmap config DOMAIN:range = 10000-99999
>>
>> only a small fraction of my users show up when I do a "getent passwd"
>> they all seem to show up when I do a "wbinfo -u"
>> and all my users uids are over 10000
>>
>> when I set it back to
>>
>> idmap config * : range = 900-999
>> idmap config DOMAIN:range = 1000-99999
>>
>> I see all my users
>>
>> So going further I find that when I run "id" as myuser I didn't see all
>> my groups but if I ran "id myuser" I did see all my users
>> So I tried
>>
>> idmap config * : range = 100000-1099999
>> idmap config DOMAIN:range = 0-99999
>>
>> and now when I run "id" as myuser I see all my group
>>
>
> You posted that you were using Samba version 4.1.6, this usually means
> Ubuntu, in which case: 0-999 is reserved for the system users & groups
> (root etc), 1000 upwards is where you should be putting your local Unix
> users & groups. This means that you shouldn't really use any number
> under a '1000' for AD users & groups and you should also leave a small
> space for local users & groups, hence the advice on the wiki is to use
> '2000-9999' for your builtin AD users & groups and to use '10000'
> upwards for your AD users & groups.
>
> This means if you give 'Domain Users' the gidNumber of '10000' and then
> give your users uidNumbers starting from '10000' and use the 'idmap
> config' block from the wiki, you will be able to see all your users &
> groups via getent. Note that 'getent group' will not show anything, but
> 'getent group Domain\ Users' will.
>
> You can start both your user & group IDs from '10000', there is no
> reason to use different ranges.
>
> using wbinfo to show users works differently to getent, using
> 'wbinfo -u' to show your users ensures that winbind can connect to AD,
> you need to use getent to make sure that your OS can connect to AD, if
> getent doesn't show your user or group, then the OS will not know about
> it.
>
> Rowland
>
>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 05/12/15 02:47, Jeff Sadowski wrote:
>>
>> Thank you Rowland for looking at it.
>> I did read the wiki here
>> https://wiki.samba.org/index.php/Idmap_config_ad that is how I
>> got as far as I did; that and the idmap_ad man page. I could
>> not find how to use the loginShell is there a variable I can
>> use for it in the template or an option to set to use it?
>> loginShell and unixHomedir are not mentioned on the wiki that
>> I could find. I'm good with the templated homedir but curious
>> how to use the unixHomedir. It seems that the schema_mode
>> rfc2307 is the default as it works fine except for the default
>> shells which I have the workaround for. I think I will move
>> them out of their home directories and set them elsewhere,
>> where users will need to ask to change the shell. I
>> purposefully set rid as the default backend if one does not
>> exist explicit for the domain as it worked better for me. What
>> I did with the default backend should stop the login if the
>> domain isn't explicitly defined.
>>
>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>> We use power broker here at work and were wondering why we need it.
>>
>> I was able to setup a new linux server using samba and am able to
>> login with my active directory accounts but I couldn't figure out
>> how to set the login shells.
>> I have a work around but would like feedback
>> in my /etc/samba/smb.conf I have the following
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 1000-999999999
>> #should not get here
>> idmap config * : range = 999999998-999999999
>> idmap config * :backend =rid
>> template homedir = /nfs/homes/%U
>> template shell = /nfs/homes/%U/.default_shell
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>> Have you considered reading the Samba wiki ?
>> Your 'idmap config' block should look similar to this:
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /nfs/homes/%U/.default_shell
>> template homedir = /nfs/homes/%U
>>
>> Though as you seem to be using uidNumber & gidNumber attributes,
>> you could also store the loginShell and unixHomedir in AD as well.
>>
>> Rowland
>>
>> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>>
>> It will be easy to create the .default shell for each user using a
>> simple script I can run on a machine that has power broker but I am
>> wondering what others have done to allow users to pick their shell
>> using samba to authenticate?
>> What are the downsides of doing it the way I did it?
>>
>> is there a way to use the loginShell provided by rfc2307 that I
>> haven't found documented in samba?
>>
>> I'm using samba version 4.1.6 if that makes a difference. I could
>> probably find a way to upgrade if there is support in newer versions.
>>
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> Samba AD as standard comes with the ability to add RFC2307
>> attributes to a user or group (see here for more info:
>> https://www.ietf.org/rfc/rfc2307.txt)
>> What this means is, if you give a user a uidNumber and at least
>> 'Domain Users' a gidNumber, then the user will become visible on a
>> Unix domain member (aka Unix workstation).
>> If you study the list of attributes on the link above, you will
>> find that there are more attributes available, amongst them are
>> loginShell and homeDirectory. The first is where you can store the
>> user's login shell (obviously), but there is a problem with the
>> second, AD already has an attribute with the same name to store
>> the user's windows home directory path, so this became
>> unixHomeDirectory and is where you can store the user's Unix home
>> directory.
>> If you require more info on the RFC2307 attributes, please ask.
>>
>> Now, as for the 'idmap config' block and which to use, this is
>> down to the sysadmin (i.e. you) and is based on what you require.
>> There are several backends available, but only two are regularly
>> used, the 'ad' and 'rid' backends. Let's deal with the 'rid'
>> backend first, this is used if you don't want (or need) to add
>> RFC2307 attributes to AD. Your users & groups will be mapped to a
>> number inside the range you set i.e. idmap config SAMDOM:range
>> 10000-99999. It uses an algorithm to create the IDs from the
>> user/group RID and as long as you use the same 'idmap config'
>> block on every Unix machine, you will get the same Unix ID on
>> every Unix machine. The downside is that you cannot set individual
>> homedirs & shells for users and will have to use the template
>> lines in smb.conf.
>>
>> The 'ad' backend is different, it uses the RFC2307 attributes for
>> the user/group IDs, this does of course mean that you have to add
>> a uidNumber attribute containing a unique number to any users that
>> you need to be visible to Unix *and* add a gidNumber to Domain
>> Users at least. These numbers must be inside the range you set in
>> smb.conf, any numbers outside the range will be ignored.
>> You can go further with the 'ad' backend, you can add the
>> loginShell attribute containing the user's shell (/bin/bash for
>> instance), you can also add the unixHomeDirectory attribute
>> containing the path to the user's home directory. To use these, you
>> would also need to have the line 'winbind nss info = rfc2307' in
>> smb.conf. If you don't want to add these further attributes, you
>> can add 'winbind nss info = template' instead and also add the
>> template lines.
>>
>> You need these lines in smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> These lines are where Samba will store the mappings for the
>> builtin users & groups, without these, it is very unlikely Samba
>> will work correctly.
>>
>> Again, any questions, please ask.
>>
>> Rowland

On 07/12/15 18:49, Jeff Sadowski wrote:
> But that doesn't work for me. As I am saying
> If I set it like that I only see 7 domain users with getent passwd
> experimenting I see if I set
>
> idmap config * : range = 2000-7999
> idmap config DOMAIN:range = 8000-99999
>
> I see all my users.
>
> which is really odd because all my users have uids above 10000
>
> What other troubleshooting steps can I take to see why this is acting
> this way?
>
> I edit /etc/samba/smb.conf
> I run a script with the following
>
> service winbind stop
> service samba stop
> net cache flush
> rm -f /var/lib/samba/*.tdb
> rm -f /var/lib/samba/group_mapping.ldb
> sleep 1
> service samba start
> service winbind start
>
> then I do
> getent passwd|wc -l
>
> ########################3
>
> when
>
> idmap config DOMAIN:range = 10000-99999
>
> # getent passwd|wc -l
> 47
>
> when
>
> idmap config DOMAIN:range = 9000-99999
>
> # getent passwd|wc -l
> 109
>
> when
>
> idmap config DOMAIN:range = 8000-99999
>
> # getent passwd|wc -l
> 801
>
> that seems to be as many as I can get
> still doesn't add up as
>
> # cat /etc/passwd|wc -l
> 40
>
> # wbinfo -u|wc -l
> 798
>
> So I should have 838 users.
> But no matter what I set idmap config DOMAIN:range to I don't see any
> more than 801 users with getent passwd

OK, let's step back a bit here, can you confirm:
All your users have a uidNumber attribute containing a unique number
between 10000 to 99999 ?
Does 'Domain Users' have a gidNumber attribute containing a number
between 10000 to 99999 ?

Any user that doesn't have a uidNumber, or one outside the 10000-99999
will be ignored, could this be your problem?

What OS is the client running on and what is the AD DC ?

Rowland

I had some users with bigger uids than 99999 so I bumped up
DOMAIN:range to

idmap config DOMAIN:range = 8000-9999999

# getent passwd|wc -l
806

yeah I got 5 more users

I wrote a simple loop like so

wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt

puts out some nice errors

id: guest: no such user
id: administrator: no such user
...
I'm going to guess none have the uid variable in ad.

On 07/12/15 19:13, Jeff Sadowski wrote:
> I had some users with bigger uids than 99999 so I bumped up
> DOMAIN:range to
>
> idmap config DOMAIN:range = 8000-9999999
>
> # getent passwd|wc -l
> 806
>
> yeah I got 5 more users
>
> I wrote a simple loop like so
>
> wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt
>
> puts out some nice errors
>
> id: guest: no such user
> id: administrator: no such user
> ...
> I'm going to guess none have the uid variable in ad.

Probably not, but the two above probably shouldn't have one anyway.

Rowland

wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt 2> bad_list.txt

# cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|head -n 1
9102

# cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|tail -n 1
8921272

seems to be my issue thank you.

# cat bad_list.txt |wc -l
32

looking through those users I found none had uids or gids but I don't
care about any of them

# cat users_list.txt | wc -l
766

# cat /etc/passwd|wc -l
40

# getent passwd|wc -l
806

yeah the numbers add up

also

# cat /etc/passwd|wc -l
40

# wbinfo -u|wc -l
798

# cat bad_list.txt |wc -l
32

798+40-32=806

All unseen users have no uids

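Added example, not part of the original thread: a small shell audit that reads the domain range out of an smb.conf fragment and reports which accounts the 'ad' backend would ignore, either because their uidNumber is outside the range or because they have none, which is the cause the thread arrived at. The config fragment, user names and the function names (idmap_range, classify_uids, ranges_overlap, audit) are constructed for illustration; only the ranges and the UIDs 9102 and 8921272 come from the messages above.

```shell
#!/bin/sh
# Constructed smb.conf fragment using the wiki-style ranges quoted in the thread.
SMB_CONF='[global]
    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN : range = 10000-99999'

# Constructed "name uidNumber" pairs; "-" stands for an account with no
# uidNumber attribute in AD (user names are hypothetical).
SAMPLE_USERS='alice 10500
bob 9102
carol 8921272
guest -
dave 99999'

# idmap_range CONF DOMAIN: print "LOW HIGH" from "idmap config DOMAIN:range".
# Whitespace around ":" and "=" is ignored, as in the configs posted above.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (key == ("idmapconfig" tolower(dom) ":range")) {
                split(val, r, "-")
                lo = r[1]; hi = r[2]; found = 1
            }
        }
        END { if (found) print lo, hi }
    '
}

# classify_uids LOW HIGH: read "name uid" lines on stdin and print
# "name status" saying whether the ad backend would map the account.
classify_uids() {
    awk -v lo="$1" -v hi="$2" '
        NF == 0            { next }
        $2 !~ /^[0-9]+$/   { print $1, "no-uidNumber"; next }
        $2 + 0 < lo + 0    { print $1, "below-range";  next }
        $2 + 0 > hi + 0    { print $1, "above-range";  next }
                           { print $1, "mapped" }
    '
}

# ranges_overlap LO1 HI1 LO2 HI2: succeed if the two ID ranges share any ID.
# The default (*) range and a domain range must not overlap.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# audit: classify the sample users against the DOMAIN range in SMB_CONF.
audit() {
    range=$(idmap_range "$SMB_CONF" DOMAIN)
    lo=${range% *}
    hi=${range#* }
    printf '%s\n' "$SAMPLE_USERS" | classify_uids "$lo" "$hi"
}

audit
```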