On 2016-02-24 at 13:44, Sketch wrote:
> On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:
> [snip]
>> idmap config CUST:range = 10000-99999
>> idmap config CUST:backend = ad
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>
> If your idmap backend is ad, you need to assign your users uids (and
> gids for groups) in active directory. You don't mention if you did that
> or not. Only users/groups with uids/gids will get mapped to linux users.

In fact I didn't have any idmap-related lines in there before the problems arose today. It worked so far!

Using "ad" backend was a step in panic today ... without any mapping, right!

I set up a test VM now, same OS and software, with

[global]
workgroup = CUST
realm = MABCD.CUST
security = ADS
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template homedir = /home/%U
template shell = /sbin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap config CUST:range = 10000-99999
idmap config CUST:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j

This *seems* to work fine now there with some test-shares ... is it correct in general terms?

If yes, I would take this config to the production server then later this evening.

Thanks!

On 24/02/16 12:57, Stefan G. Weichinger wrote:
> On 2016-02-24 at 13:44, Sketch wrote:
>> On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:
>> [snip]
>>> idmap config CUST:range = 10000-99999
>>> idmap config CUST:backend = ad
>>> idmap config *:range = 2000-9999
>>> idmap config * : backend = tdb
>> If your idmap backend is ad, you need to assign your users uids (and
>> gids for groups) in active directory. You don't mention if you did that
>> or not. Only users/groups with uids/gids will get mapped to linux users.
> In fact I didn't have any idmap-related lines in there before the
> problems arose today. It worked so far!
>
> Using "ad" backend was a step in panic today ... without any mapping, right!
>
> I set up a test VM now, same OS and software, with
>
> [global]
> workgroup = CUST
> realm = MABCD.CUST
> security = ADS
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template homedir = /home/%U
> template shell = /sbin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> idmap config CUST:range = 10000-99999
> idmap config CUST:backend = rid
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
>
> This *seems* to work fine now there with some test-shares ... is it
> correct in general terms?
>
> If yes, I would take this config to the production server then later
> this evening.
>
> Thanks!
>
>

That seems to prove what Sketch said is true, you haven't got any uidNumber or gidNumber attributes in AD. The 'rid' backend calculates UIDs & GIDs from the user or group RID.

Rowland

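An added illustration of the calculation Rowland describes; it is not part of the thread and not Samba's code. It applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to the idmap lines posted above, and also checks the configured ranges for overlap, since overlapping ranges could give two different principals the same Unix ID. The function names and the sample RIDs are assumptions made for the example.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
SMB_CONF = """\
idmap config CUST:range = 10000-99999
idmap config CUST:backend = rid
idmap config *:range = 2000-9999
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt] = val
    return domains

def id_range(cfg):
    low, high = cfg["range"].split("-")
    return int(low), int(high)

def rid_to_unix_id(cfg, rid):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = id_range(cfg)
    base_rid = int(cfg.get("base_rid", 0))  # idmap_rid documents 0 as the default
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def overlapping_ranges(domains):
    """Return pairs of domains whose ID ranges intersect (risk of ID collisions)."""
    ranged = {d: id_range(c) for d, c in domains.items() if "range" in c}
    return [(a, b) for a, b in combinations(sorted(ranged), 2)
            if ranged[a][0] <= ranged[b][1] and ranged[b][0] <= ranged[a][1]]

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    for rid in (500, 513, 1105, 90000):  # constructed sample RIDs
        print(rid, "->", rid_to_unix_id(doms["CUST"], rid))
    print("overlaps:", overlapping_ranges(doms))
```

With the posted range of 10000-99999, any RID of 90000 or higher falls outside the range and gets no mapping.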
On 2016-02-24 at 14:11, Rowland penny wrote:
> That seems to prove what Sketch said is true, you haven't got any
> uidNumber or gidNumber attributes in AD. The 'rid' backend calculates
> UIDs & GIDs from the user or group RID.

So the "rid"-path is good to go?

Do you still recommend the "few extra lines" from before with "rid"?

On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:
> I set up a test VM now, same OS and software, with
>
> idmap config CUST:range = 10000-99999
> idmap config CUST:backend = rid
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
>
> This *seems* to work fine now there with some test-shares ... is it
> correct in general terms?

idmap_rid should be fine as long as you don't need trusted domains. Even still, I assume you could use it on your local domain and use other idmap methods for a trusted domain if that was ever necessary.

On 2016-02-24 at 14:15, Sketch wrote:
> On Wed, 24 Feb 2016, Stefan G. Weichinger wrote:
>
>> I set up a test VM now, same OS and software, with
>>
>> idmap config CUST:range = 10000-99999
>> idmap config CUST:backend = rid
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>>
>> This *seems* to work fine now there with some test-shares ... is it
>> correct in general terms?
>
> idmap_rid should be fine as long as you don't need trusted domains.
> Even still, I assume you could use it on your local domain and use other
> idmap methods for a trusted domain if that was ever necessary.

Oh my. We have one additional trusted domain there :-(

They started a new domain years ago and never finished migration, so 2 incomplete domains in parallel.

I don't know if it's relevant, but the testbox displays users of both these domains with wbinfo -u.

But the trusted domain is missing in getent passwd