Rowland penny
2016-Jun-14 15:40 UTC
[Samba] Samba4 Domain Member Server "Getent show diferents UID"
On 14/06/16 16:16, Juan Ignacio wrote:
> Sorry, this is the Domain Member smb.conf
> I'm using the latest Debian version.
> Samba compiled from the sources.
>
> [global]
> netbios name = XXXXX
> security = ADS
> workgroup = XXXXXX
> realm = XXXXXXX
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # idmap config used for your domain.
> # Click on the following links for more information
> # on the available winbind idmap backends,
> # Choose the one that fits your requirements
> # then add the corresponding configuration.
>
> # Just adding the following three lines is not enough!!
> # - idmap config ad
> # - idmap config rid
> # - idmap_config_autorid
>
> idmap config * : backend = tdb
> idmap config * : range = 100000-299999
> idmap config XXXXXX : schema_mode = rfc2307
> idmap config XXXXXX : backend = rid
> idmap config XXXXXX : range = 10000-99999
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
>
>
> [test]
> read only = no
> path = /testSamba
>
>
> Analista Inf.
> Juan Ignacio Pazos
> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>
> 2016-06-14 12:07 GMT-03:00 Rowland penny <rpenny at samba.org>:
>
>> On 14/06/16 15:36, Juan Ignacio wrote:
>>> I go to answer all, here I go.
>>>
>>>> Have you given your users a uidNumber attribute ?
>>>
>>> Not all, but I set it on my user and it does not work.
>>>
>>>> Have you given 'Domain Users' (at least) a gidNumber attribute ?
>>>
>>> Not all, but I set it on my user and it does not work.
>>>
>>>> If you have done the above, have you run 'net cache flush' on the DC ?
>>>
>>> Yes :-(
>>>
>>>> Is PAM set up correctly on the DC and domain member ?
>>>
>>> Yes.
>>>
>>> The smb.conf on the DC.
>>>
>>> [global]
>>> netbios name = XXXXXX
>>> security = ADS
>>> workgroup = XXXXXXX
>>> realm = XXXXXXX
>>>
>>> log file = /var/log/samba/%m.log
>>> log level = 1
>>>
>>> # idmap config used for your domain.
>>> # Click on the following links for more information
>>> # on the available winbind idmap backends,
>>> # Choose the one that fits your requirements
>>> # then add the corresponding configuration.
>>>
>>> # Just adding the following three lines is not enough!!
>>> # - idmap config ad
>>> # - idmap config rid
>>> # - idmap_config_autorid
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 100000-299999
>>> idmap config TEST : backend = rid
>>> idmap config TEST : range = 10000-99999
>>> winbind separator = +
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> winbind refresh tickets = yes
>>>
>>>
>>> [test]
>>> read only = no
>>> path = /testSamba
>>> ~
>>>
>>> The smb.conf in the AD DC.
>>>
>>> Global parameters
>>> [global]
>>> workgroup = XXXXX
>>> realm = XXXXXXXX
>>> netbios name = XXXXXXX
>>> server role = active directory domain controller
>>> dns forwarder = xxx.xx.xxx.xxx
>>> allow dns updates = nonsecure and secure
>>> #server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate, dns
>>> idmap_ldb:use rfc2307 = yes
>>> #winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> #winbind nested groups = yes
>>> log level = 3
>>> log file = /var/log/samba/samba.log
>>> # unix charset = ISO8859-1
>>>
>>> #[netlogon antes]
>>> #path = /usr/local/samba/var/locks/sysvol/xxxxxx/scripts
>>> #read only = No
>>>
>>>
>>> Analista Inf.
>>> Juan Ignacio Pazos
>>> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>>>
>>> 2016-06-13 16:22 GMT-03:00 Rowland penny <rpenny at samba.org>:
>>>
>>>> On 13/06/16 20:14, Rowland penny wrote:
>>>>> On 13/06/16 19:37, Juan Ignacio wrote:
>>>>>> Rowland:
>>>>>>
>>>>>> I'll use this email from now, the other does not work well.
>>>>>>
>>>>>> A few years ago, around 2.
>>>>>>
>>>>>> We did everything that could be used for NIX and it worked.
>>>>>> The main DC_AD had been provisioned without rfc2307 and we did it later.
>>>>>>
>>>>>> The problem is that at that time, by not having infrastructure, it had to be used as fileserver and this was a problem because all directories are UID of 3000000 onwards.
>>>>>>
>>>>>> Now I installed a new server following the procedure here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>>>
>>>>>> All seems to work well but UIDs are different when for example I run
>>>>>> wbinfo --user-info=uanaco
>>>>>>
>>>>>> Primary AD-DC
>>>>>> ADDC1\uanaco:*:3000783:100:uanaco:/home/ADDC1/uanaco:/bin/false
>>>>>>
>>>>>> Member Server
>>>>>> uanaco:*:100642:100008:uanaco:/home/ADDC1/uanaco:/bin/false
>>>>>>
>>>>>> This is a problem because my intention is to use this file server and pass all directories from the Primary AD-DC to the Member Server.
>>>>>>
>>>>>> Is there any way the member server reads the same UID as the primary?
>>>>>>
>>>>>> Thanks Rowland.
>>>>>
>>>>> Yes, but what does 'getent passwd ADDC1\uanaco' on the DC show ???
>>>>> If it shows '3000783' as the users UID, then, unless you have set the users uidNumber attribute to 3000783, you are not using RFC2307 attributes. This is further backed up by the fact that the same user may get '100642' as its UID on the domain member.
>>>>>
>>>>> Few questions:
>>>>> Have you given your users a uidNumber attribute ?
>>>>> Have you given 'Domain Users' (at least) a gidNumber attribute ?
>>>>> If you have done the above, have you run 'net cache flush' on the DC ?
>>>>> Is PAM set up correctly on the DC and domain member ?
>>>>>
>>>>> Rowland
>>>>
>>>> Also can you post (as I asked) the smb.conf from the domain member.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>> For the third time, will you please post the smb.conf from your domain member, not the one from your DC.
>>
>> What OS are you using ?
>>
>> Rowland

OK, you are using the winbind 'rid' backend on the domain member, this means your users will get a UID based on their 'RID' using this algorithm:

ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is usually '0' unless you explicitly set it in smb.conf; you have set the LOW_RANGE_ID to '10000'.

So the algorithm becomes this:

ID = RID - 0 + 10000

If your users RID is 1002, the users UID will be calculated from this:

ID = 1002 - 0 + 10000
ID = 11002

The problem is that a Samba 4 AD DC uses something similar, but a different method is used to allocate the UID: this is done by starting the range from 3000000 and they seem to be allocated on a first come basis (this is the reason why sysvol can have different numbers on each DC).

So, if you use 'rid' on domain members and idmap.ldb on DCs, you cannot get the same UIDs & GIDs everywhere; the only way is to use RFC2307 attributes and set the domain members & DCs to use them.

Rowland
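The arithmetic above, plus the first-come allocation Rowland contrasts it with, as a small model in Python. This is an added example, not Samba code and not from anyone in the thread: it models what the winbind 'rid' backend and the DC's idmap.ldb do, it does not call them. The RID 1002 and the two ranges are the ones quoted in the mail; the SIDs and the range name DOMAIN are constructed. Two details the mail does not spell out are included because they matter in practice: the 'rid' backend leaves a RID unmapped when the computed ID would fall outside the configured range, and an observed ID can be traced back to whichever 'idmap config ... : range' it sits in (the 100642 seen on the member in this thread lies in the '*' tdb range, not in the domain's 10000-99999 rid range).

```python
"""Model of winbind 'rid' idmap arithmetic versus first-come allocation.

Added example, not Samba code. Values marked as constructed are sample
data; the formula and ranges come from the mailing-list message above.
"""
from typing import Dict, Optional, Tuple


def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID, as stated in the mail.

    The 'rid' backend only hands out IDs inside its configured range;
    a RID whose result lands outside it gets no mapping (None here).
    """
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    if unix_id > high:
        return None
    return unix_id


def unix_id_to_rid(unix_id: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """Inverse: which RID a UID/GID inside the rid range was derived from."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def which_range(unix_id: int, ranges: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Report which 'idmap config <name> : range' an observed ID falls in.

    An ID inside the '*' range came from the default backend, not from
    the domain's own backend, which is the first thing to check when
    getent or wbinfo shows an unexpected number.
    """
    for name, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return name
    return None


class FirstComeAllocator:
    """Model of the DC-side scheme the mail describes: IDs are handed
    out from 3000000 upward in the order SIDs are first seen, so two
    hosts that meet the same SIDs in a different order disagree."""

    def __init__(self, start: int = 3000000):
        self.next_id = start
        self.table: Dict[str, int] = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


# Ranges from the domain member smb.conf posted in the thread
# (the domain name DOMAIN is a constructed placeholder).
MEMBER_RANGES = {"*": (100000, 299999), "DOMAIN": (10000, 99999)}

if __name__ == "__main__":
    # RID 1002 with LOW_RANGE_ID 10000 -> 11002, as worked in the mail.
    print("rid 1002 ->", rid_to_unix_id(1002, 10000, 99999))
    print("100642 sits in range:", which_range(100642, MEMBER_RANGES))
    # Constructed SIDs: the same SID seen in a different order on two
    # first-come allocators receives two different IDs.
    dc1, dc2 = FirstComeAllocator(), FirstComeAllocator()
    for sid in ("S-1-5-21-1-2-3-1002", "S-1-5-21-1-2-3-1003"):
        dc1.lookup(sid)
    for sid in ("S-1-5-21-1-2-3-1003", "S-1-5-21-1-2-3-1002"):
        dc2.lookup(sid)
    print("DC1:", dc1.lookup("S-1-5-21-1-2-3-1002"),
          "DC2:", dc2.lookup("S-1-5-21-1-2-3-1002"))
```

`which_range` is the diagnostic step: if the number a member reports for a domain user is inside the '*' range, the domain-specific backend was never consulted for that SID and the smb.conf domain name or the winbind cache is the place to look before touching the mapping scheme.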
Juan Ignacio
2016-Jun-14 16:32 UTC
[Samba] Samba4 Domain Member Server "Getent show diferents UID"
Rowland, a question.

"is to copy idmap.ldap from the first DC to all others and then keep them in sync, the other is to use RFC2307 attributes."

Can I do the same with my member server? Maybe it works, or not, for being a member server.

Maybe I can change my Member Server to a Domain Controller and after that use idmap, sync.

Is it ok?

Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

2016-06-14 12:40 GMT-03:00 Rowland penny <rpenny at samba.org>:
> On 14/06/16 16:16, Juan Ignacio wrote:
>> [...]
>
> OK, you are using the winbind 'rid' backend on the domain member, this
> means your users will get a UID based on their 'RID' using this algorithm:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> The BASE_RID is usually '0' unless you explicitly set it in smb.conf
> you have set the LOW_RANGE_ID to '10000'
>
> So the algorithm becomes this:
>
> ID = RID - 0 + 10000
>
> If your users RID is 1002, the users UID will be calculated from this:
>
> ID = 1002 - 0 + 10000
> ID = 11002
>
> The problem is that a Samba 4 AD DC uses something similar, but a
> different method is used to allocate the UID, this is done by starting the
> range from 3000000 and they seem to be allocated on a first come basis
> (this is the reason why sysvol can have different numbers on each DC)
>
> So, if you use 'rid' on domain members and idmap.ldb on DCs, you cannot
> get the same UIDs & GIDs everywhere, the only way is to use RFC2307
> attributes and set the domain members & DCs to use them.
>
> Rowland
Rowland penny
2016-Jun-14 16:50 UTC
[Samba] Samba4 Domain Member Server "Getent show diferents UID"
On 14/06/16 17:32, Juan Ignacio wrote:
> Rowland, a question.
>
> "is to copy idmap.ldap from the first DC to all others and then keep
> them in sync, the other is to use RFC2307 attributes."
>
> Can I do the same with my member server? Maybe it works, or not, for
> being a member server.
>
> Maybe I can change my Member Server to a Domain Controller and after
> that use idmap, sync.
>
> Is it ok?
>
> Analista Inf.
> Juan Ignacio Pazos
> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

If you want to have the same UIDs & GIDs everywhere, the only option is to use RFC2307 attributes and the winbind 'ad' backend on Unix domain members (note: a 'member server' is just a domain member that serves files, printers etc).

You only need to give your users & groups a uidNumber or gidNumber attribute; there is no need to give the BUILTIN users & groups a uidNumber or gidNumber.

Rowland
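A pre-flight check for the approach Rowland lays out above, as an added Python example (not Samba code and not from anyone in the thread). It walks a set of user and group entries and reports what would stop the 'ad' backend from returning consistent IDs: users without a uidNumber, groups (at least Domain Users, RID 513) without a gidNumber, duplicate uidNumbers, and values outside the member's 'idmap config DOMAIN : range', which the 'ad' backend treats as unmapped even when the attribute is set. BUILTIN groups (SIDs under S-1-5-32-) are skipped, matching the note that they need no attributes. The directory entries and the range are constructed; a real run would feed the output of an LDAP search of the DC into `rfc2307_findings`.

```python
"""Readiness check for RFC2307 attributes with the winbind 'ad' backend.

Added example, not Samba code. The entries below are constructed sample
data shaped like the AD attributes involved (sAMAccountName, objectSid,
primaryGroupID, uidNumber, gidNumber).
"""
from typing import Dict, List, Optional, Tuple

# Constructed entries: one correct user, one without uidNumber, one whose
# uidNumber is outside the member's range, and one sharing a uidNumber.
USERS = [
    {"sAMAccountName": "uanaco", "objectSid": "S-1-5-21-1-2-3-1104",
     "primaryGroupID": 513, "uidNumber": 10042},
    {"sAMAccountName": "nouid", "objectSid": "S-1-5-21-1-2-3-1105",
     "primaryGroupID": 513},
    {"sAMAccountName": "outofrange", "objectSid": "S-1-5-21-1-2-3-1106",
     "primaryGroupID": 513, "uidNumber": 3000783},
    {"sAMAccountName": "dupe", "objectSid": "S-1-5-21-1-2-3-1107",
     "primaryGroupID": 2001, "uidNumber": 10042},
]
GROUPS = [
    {"sAMAccountName": "Domain Users", "objectSid": "S-1-5-21-1-2-3-513",
     "gidNumber": 10000},
    {"sAMAccountName": "fileserver-admins", "objectSid": "S-1-5-21-1-2-3-2001"},
    # BUILTIN group: needs no gidNumber, so the check skips it.
    {"sAMAccountName": "Administrators", "objectSid": "S-1-5-32-544"},
]
# Constructed 'idmap config DOMAIN : range' for the 'ad' backend on the member.
AD_RANGE = (10000, 99999)


def rid_of(sid: str) -> int:
    """Last component of a SID is the RID."""
    return int(sid.rsplit("-", 1)[1])


def resolve_uid(user: Dict, ad_range: Tuple[int, int]) -> Optional[int]:
    """What the 'ad' backend yields for a user on any host reading the same
    directory: the uidNumber if present and inside the range, else no
    mapping. Because the value lives in AD, DC and member agree."""
    uid = user.get("uidNumber")
    if uid is None or not ad_range[0] <= uid <= ad_range[1]:
        return None
    return uid


def rfc2307_findings(users: List[Dict], groups: List[Dict],
                     ad_range: Tuple[int, int]) -> List[str]:
    """Return a list of problems; an empty list means every entry resolves."""
    findings: List[str] = []
    gid_by_rid: Dict[int, Optional[int]] = {}
    seen_uids: Dict[int, str] = {}
    for g in groups:
        if g["objectSid"].startswith("S-1-5-32-"):
            continue  # BUILTIN: no gidNumber required
        gid = g.get("gidNumber")
        gid_by_rid[rid_of(g["objectSid"])] = gid
        if gid is None:
            findings.append(f"group {g['sAMAccountName']} has no gidNumber")
        elif not ad_range[0] <= gid <= ad_range[1]:
            findings.append(f"group {g['sAMAccountName']} gidNumber {gid} outside range {ad_range}")
    if gid_by_rid.get(513) is None:
        findings.append("Domain Users (RID 513) has no usable gidNumber")
    for u in users:
        name = u["sAMAccountName"]
        uid = u.get("uidNumber")
        if uid is None:
            findings.append(f"user {name} has no uidNumber")
        elif resolve_uid(u, ad_range) is None:
            findings.append(f"user {name} uidNumber {uid} outside range {ad_range}")
        elif uid in seen_uids:
            findings.append(f"user {name} shares uidNumber {uid} with {seen_uids[uid]}")
        else:
            seen_uids[uid] = name
        if gid_by_rid.get(u["primaryGroupID"]) is None:
            findings.append(f"user {name}: primary group RID {u['primaryGroupID']} has no gidNumber")
    return findings


if __name__ == "__main__":
    for line in rfc2307_findings(USERS, GROUPS, AD_RANGE):
        print(line)
```

Running it over the constructed entries reports five findings (the group without a gidNumber, the user without a uidNumber, the out-of-range uidNumber, the duplicate, and the user whose primary group has no gidNumber) and nothing for `uanaco`, whose 10042 is the value both the DC and the member would return.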