... no, no sssd.

Basically we had :

id -a "localuser"
uid=17057

id -a "ABC+aduser"
uid=17057

... file ownership started getting wrecked so we are looking for a way to correct.

On Thu, Jul 14, 2016 at 2:26 PM, Rowland penny <rpenny at samba.org> wrote:

> On 14/07/16 11:01, Shaun Glass wrote:
>
> ... as follows :
>
> rpm -qa | grep samba
> samba-3.6.23-35.el6_8.x86_64
> samba-common-3.6.23-35.el6_8.x86_64
> samba-winbind-clients-3.6.23-35.el6_8.x86_64
> samba-winbind-3.6.23-35.el6_8.x86_64
>
> [global]
> workgroup = ABC
> realm = ABC.COM
> security = ADS
> restrict anonymous = 1
> log file = /var/log/samba/log.%m
> max log size = 50
> client signing = required
> server signing = Yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> dns proxy = No
> wins server = x.x.x.x
> socket address = x.x.x.x
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
>
> On Thu, Jul 14, 2016 at 11:47 AM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 14/07/16 09:34, Shaun Glass wrote:
>>
>>> Good Day All,
>>>
>>> We have an issue where the following in smb.conf :
>>>
>>> idmap uid = 10000-20000
>>>
>>> ... it is resulting in assigned id's clashing with id's in passwd. What
>>> are the repercussions should we change to say the following :
>>>
>>> idmap uid = 20000-30000
>>>
>>> Many thanks.
>>>
>>> Regards
>>>
>>> Shaun
>>
>> What version of Samba ?
>> idmap uid (and gid) are depreciated in later versions of Samba, it may
>> help if you post the entire [global] section of your smb.conf.
>>
>> What ever the version of Samba, raising the lower level wouldn't really
>> be a good idea, any saved files belonging to an ID in the range 10000-20000
>> would lose their owners.
>>
>> Rowland
>
> You initially asked about 'idmap uid', but I don't see it in your
> smb.conf, what I do see is:
>
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
>
> The '*' is for the BUILTIN users & groups etc
> I don't see anything for the Domain users & groups, are you also running
> sssd ?
> If so, you don't need winbind.
>
> Rowland

On 14/07/16 13:33, Shaun Glass wrote:

> ... no, no sssd.
>
> Basically we had :
>
> id -a "localuser"
> uid=17057
>
> id -a "ABC+aduser"
> uid=17057
>
> ... file ownership started getting wrecked so we are looking for a way
> to correct.

With AD, you do not need local Unix users and in fact, you cannot have a user in AD and /etc/passwd (same goes for groups)
It would seem that you have a large number of local Unix users in /etc/passwd and your computer is joined to AD and as you have discovered, giving a user an ID based around a range that is also in use by the local computer is bound to cause problems.

Can I suggest you move to the 'idmap config' setup using the 'rid' backend, see here for info:

https://wiki.samba.org/index.php/Idmap_config_rid

Just change the 'SAMDOM' range to suit your computer i.e. find out the highest UID & GID, and then make sure the range starts well above this.

If you have any users in /etc/passwd that are also in AD i.e. if you have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in AD, then sorry, but one of them will have to go, they would be treated as the same user.

If there are any files etc owned by a local Unix user and they should be owned by an AD user (and vice versa), you will need to sort them out after you sort the user problem out.

Rowland

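Added example (not part of the thread, and not Samba project code): a shell sketch of the check Rowland describes, listing local accounts whose IDs fall inside the idmap range and finding the highest local UID/GID before picking a new range. The function names, the 10000 gap and the sample files are assumptions made for illustration; only uid 17057 and the 10000-20000 range come from the thread.

```shell
#!/bin/sh
# Added example: audit local IDs against a winbind idmap range.
# passwd(5) and group(5) both keep the numeric ID in field 3.

# Print "name:id" for every entry in FILE ($1) whose ID lies in $2..$3.
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3+0 >= lo+0 && $3+0 <= hi+0 { print $1 ":" $3 }' "$1"
}

# Print the highest ID in FILE, ignoring 65534 (nobody/nfsnobody on many
# distributions; an assumption of this example).
highest_id() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3+0 != 65534 && $3+0 > max { max = $3+0 }
             END { print max+0 }' "$1"
}

# Suggest a lower bound: one full 10000 block above the block that holds
# the highest local UID/GID ("well above" is a judgement call).
suggest_range_start() {
    u=$(highest_id "$1"); g=$(highest_id "$2")
    if [ "$g" -gt "$u" ]; then u=$g; fi
    echo $(( (u / 10000 + 2) * 10000 ))
}

# Constructed sample data (only uid 17057 is taken from the thread).
sample_passwd=$(mktemp); sample_group=$(mktemp)
trap 'rm -f "$sample_passwd" "$sample_group"' EXIT
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localuser:x:17057:17057::/home/localuser:/bin/bash
batch01:x:12003:12003::/home/batch01:/bin/bash
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin
EOF
cat > "$sample_group" <<'EOF'
root:x:0:
localuser:x:17057:
staff:x:18500:batch01
EOF

echo "Local UIDs inside idmap range 10000-20000:"
ids_in_range "$sample_passwd" 10000 20000
echo "Suggested range start: $(suggest_range_start "$sample_passwd" "$sample_group")"
```

On a real host, point the functions at /etc/passwd and /etc/group, then run ids_in_range again over the range you finally choose: in this sample a range of 30000-999999 would still contain nfsnobody (65534).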
Thanks very much ...

On Thu, Jul 14, 2016 at 2:50 PM, Rowland penny <rpenny at samba.org> wrote:

> With AD, you do not need local Unix users and in fact, you cannot have a
> user in AD and /etc/passwd (same goes for groups)
> It would seem that you have a large number of local Unix users in
> /etc/passwd and your computer is joined to AD and as you have discovered,
> giving a user an ID based around a range that is also in use by the local
> computer is bound to cause problems.
>
> Can I suggest you move to the 'idmap config' setup using the 'rid'
> backend, see here for info:
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Just change the 'SAMDOM' range to suit your computer i.e. find out the
> highest UID & GID, and then make sure the range starts well above this.
>
> If you have any users in /etc/passwd that are also in AD i.e. if you have
> user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in AD, then
> sorry, but one of them will have to go, they would be treated as the same
> user.
>
> If there are any files etc owned by a local Unix user and they should be
> owned by an AD user (and vice versa), you will need to sort them out after
> you sort the user problem out.
>
> Rowland

Rowland penny wrote on 14-07-2016 14:50:

> If you have any users in /etc/passwd that are also in AD i.e. if you
> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
> AD, then sorry, but one of them will have to go, they would be treated
> as the same user.

Are you entirely sure this is true? I don't yet know how ID mapping works in Samba. But. Is the whole idea of ID mapping not importing from a remote server? (or service?). Then, should the two groups not always be treated as separate? Why can't you perform ID mapping only for the remote users? (AD). That seems to be the whole point of it, right?