On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:

> On Tue, 9 Aug 2016 09:37:13 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> > Thanks for the detailed response.
> >
> > It is very extensive for my purposes, but it still feels over
> > analytical for what we need. I believe the Unix UID doesn't exceed
> > 65534. If this is a constant, why don't we just produce an example
> > for that? Out of the box, this is what many users will want to use.
> >
> > I don't understand when we want values to never overlap and when
> > we want them to be in a matching range.
> >
> > I would think this setting would work for everyone not using NIS or
> > LDAP in nsswitch:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 100001-110000
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range = 65535-100000
>
> The only problem with that is, what happens if you do manage to get to
> user '100001' in 'MYDOM' ?
>
> This would probably be better:
> idmap config *:backend = tdb
> idmap config *:range = 65535-100000
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100001-110000
>
> This way, if you ever get to 'MYDOM' user '110001', you can just extend
> the range in smb.conf.
>
> However, a better way would be to find out who set nobody/nogroup to
> '65534' (there was probably a logical reason at the time it was set)
> and get it changed to '499' or whatever. Anybody know who to contact ?
>

I'm entertaining all your suggestions of workarounds and values.

I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
It had no conflicts with another user. However nobody doesn't exist in AD.

Now testparm reports:

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = Debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind use default domain = Yes
idmap config mydom : range = 100001-110000
idmap config mydom : backend = rid
idmap config *:range = 65535-100000
idmap config * : backend = tbd
nt acl support = No
printing = bsd

[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes

Restarted smbd and winbind.

$ smbclient -L //debian2 -U username
Enter username's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

Logfile for client's IP ends:

[2016/08/09 11:48:32.793696, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216) failed
[2016/08/09 11:48:32.793746, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token

There don't seem to be any values which can dodge this bug. Maybe there were for a while, but in the meantime, security patches have changed things.

> > I've set that and restarted nmbd, smbd and winbind services
> >
> > When I do a wbinfo look up on my user with a UID of 1000, it has this:
> >
> > theusername:*:16777216:16777220:The
> > Username:/home/MYDOM/theusername:/bin/false
>
> Those numbers look suspiciously like what I used to get out of sssd,
> are you also running this ?
>

There is no sssd. No process, no package installed.
On Tue, 9 Aug 2016 11:58:42 -0300
francis picabia <fpicabia at gmail.com> wrote:

>
> $ smbclient -L //debian2 -U username
> Enter username's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> > > When I do a wbinfo look up on my user with a UID of 1000, it has
> > > this:
> > >
> > > theusername:*:16777216:16777220:The
> > > Username:/home/MYDOM/theusername:/bin/false
>

I think I might have spotted something here, your user doesn't seem to
exist on the client and you are relying on wbinfo to tell you it exists.
Only problem with that, wbinfo checks AD but this doesn't mean the
local Unix OS knows the user.

What does 'getent passwd username' show when run on 'debian2'?

Until it produces something like this:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

it will not work.

Rowland
On Tue, Aug 9, 2016 at 12:29 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 9 Aug 2016 11:58:42 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> >
> > $ smbclient -L //debian2 -U username
> > Enter username's password:
> > session setup failed: NT_STATUS_UNSUCCESSFUL
> >
> > > > When I do a wbinfo look up on my user with a UID of 1000, it has
> > > > this:
> > > >
> > > > theusername:*:16777216:16777220:The
> > > > Username:/home/MYDOM/theusername:/bin/false
> >
>
> I think I might have spotted something here, your user doesn't seem to
> exist on the client and you are relying on wbinfo to tell you it exists.
> Only problem with that, wbinfo checks AD but this doesn't mean the
> local Unix OS knows the user.
>
> What does 'getent passwd username' show when run on 'debian2'?
>
> Until it produces something like this:
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> it will not work.
>

getent passwd username (or "theusername") is not the literal command. I substitute 'username' here to protect the user id.

getent passwd on the user does work and it returns uid and gid of 1000, exactly what we see in the /etc/passwd file. It is the same output as grep 'username' on /etc/passwd.

Remember, when winbind is off, it works.

This is certainly bug 10604 by all measures.
On 2016-08-09 at 11:58 -0300, francis picabia via samba wrote:
> On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:
>
> > On Tue, 9 Aug 2016 09:37:13 -0300
> > francis picabia <fpicabia at gmail.com> wrote:
> >
> > > Thanks for the detailed response.
> > >
> > > It is very extensive for my purposes, but it still feels over
> > > analytical for what we need. I believe the Unix UID doesn't exceed
> > > 65534. If this is a constant, why don't we just produce an example
> > > for that? Out of the box, this is what many users will want to use.
> > >
> > > I don't understand when we want values to never overlap and when
> > > we want them to be in a matching range.
> > >
> > > I would think this setting would work for everyone not using NIS or
> > > LDAP in nsswitch:
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 100001-110000
> > > idmap config MYDOM : backend = rid
> > > idmap config MYDOM : range = 65535-100000
> >
> > The only problem with that is, what happens if you do manage to get to
> > user '100001' in 'MYDOM' ?
> >
> > This would probably be better:
> > idmap config *:backend = tdb
> > idmap config *:range = 65535-100000
> > idmap config MYDOM : backend = rid
> > idmap config MYDOM : range = 100001-110000
> >
> > This way, if you ever get to 'MYDOM' user '110001', you can just extend
> > the range in smb.conf.
> >
> > However, a better way would be to find out who set nobody/nogroup to
> > '65534' (there was probably a logical reason at the time it was set)
> > and get it changed to '499' or whatever. Anybody know who to contact ?
> >
>
> I'm entertaining all your suggestions of workarounds and values.
>
> I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
> It had no conflicts with another user. However nobody doesn't exist in AD.

Why are you so keen on starting a range directly above the
smallest used id number from the files?

The main thing is not to overlap.
It is OK to have gaps! :-)

Also, afaik, nothing prevents you from adding
a user of uid 1000000 into your passwd file.

There is just *no* recipe that fits everyone.
Hence the general instructions in the manpage...

I personally like to give winbind high up ranges
starting in the 100s of 1000s or even in the millions.

> Now testparm reports:
>
> # testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> workgroup = MYDOM
> realm = AD.MYDOM.CA
> server string = Debian2 Server
> security = ADS
> log file = /var/log/samba/%m.log
> max log size = 50
> unix extensions = No
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> dns proxy = No
> winbind use default domain = Yes

Recommendation: avoid this by all means if possible.
It typically only creates problems by introducing
ambiguity.

> idmap config mydom : range = 100001-110000
> idmap config mydom : backend = rid
> idmap config *:range = 65535-100000
> idmap config * : backend = tbd

Typo in the config? tdb <--> tbd ?

Cheers - Michael
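The two rules Rowland and Michael apply by hand above (the '*' and domain ranges must not overlap each other, and neither may cover an id already taken in the local passwd/group files), plus the tdb/tbd typo Michael spotted, can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread or from Samba. It only parses the "backend" and "range" keys of "idmap config" lines, the list of accepted backend names is my own assumption, and the smb.conf, passwd and group contents are constructed samples modelled on what testparm printed above.

```python
"""Check idmap ranges in an smb.conf against the ids used in local passwd/group files."""
import re
from typing import Dict, List, Tuple

# Backend names accepted by this checker (assumption: the commonly shipped idmap modules).
KNOWN_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "hash"}

# Matches 'idmap config DOM : backend = x' / 'idmap config DOM:range = a-b' (spacing varies).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect backend/range per domain; domain names are case-folded like testparm prints them."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").strip().lower()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """'65535-100000' -> (65535, 100000); raises ValueError when malformed."""
    low, high = (int(part) for part in text.replace(" ", "").split("-", 1))
    return low, high


def local_ids(passwd: str, group: str) -> Dict[str, int]:
    """Map 'user:NAME' / 'group:NAME' to the numeric id recorded in the files."""
    ids: Dict[str, int] = {}
    for kind, content in (("user", passwd), ("group", group)):
        for line in content.splitlines():
            fields = line.split(":")
            if len(fields) >= 3 and fields[2].isdigit():
                ids[f"{kind}:{fields[0]}"] = int(fields[2])
    return ids


def check_idmap(smb_conf: str, passwd: str, group: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    domains = parse_idmap(smb_conf)
    if "*" not in domains:
        findings.append("no 'idmap config * : ...' default domain configured")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in domains.items():
        backend = cfg.get("backend")
        if backend is None:
            findings.append(f"{dom}: no backend configured")
        elif backend.lower() not in KNOWN_BACKENDS:
            findings.append(f"{dom}: unknown backend '{backend}' (typo?)")
        if "range" not in cfg:
            findings.append(f"{dom}: no range configured")
            continue
        try:
            low, high = parse_range(cfg["range"])
        except ValueError:
            findings.append(f"{dom}: malformed range '{cfg['range']}'")
            continue
        if low > high:
            findings.append(f"{dom}: range {low}-{high} is reversed")
            continue
        ranges[dom] = (low, high)
    # Rule 1: configured ranges must not overlap each other.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of '{a}' ({alo}-{ahi}) and '{b}' ({blo}-{bhi}) overlap")
    # Rule 2: ids already present in the local files must stay outside every winbind range.
    for name, num in local_ids(passwd, group).items():
        for dom, (low, high) in ranges.items():
            if low <= num <= high:
                findings.append(f"local {name} id {num} falls inside range of '{dom}' ({low}-{high})")
    return findings


# Constructed sample: the idmap lines testparm printed in the thread (note 'tbd').
SMB_CONF_FROM_THREAD = """\
[global]
    workgroup = MYDOM
    security = ADS
    idmap config mydom : range = 100001-110000
    idmap config mydom : backend = rid
    idmap config *:range = 65535-100000
    idmap config * : backend = tbd
"""

# Constructed local files: one ordinary user at 1000 and Debian's nobody/nogroup at 65534.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
theusername:x:1000:1000:The Username:/home/theusername:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP_SAMPLE = """\
root:x:0:
theusername:x:1000:
nogroup:x:65534:
"""

# Constructed: a "magic 1000" style layout that overlaps itself and the local user.
SMB_CONF_COLLIDING = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000-2000
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 1500-3000
"""

if __name__ == "__main__":
    for label, conf in (("thread", SMB_CONF_FROM_THREAD), ("colliding", SMB_CONF_COLLIDING)):
        print(label)
        for finding in check_idmap(conf, PASSWD_SAMPLE, GROUP_SAMPLE) or ["ok"]:
            print("  -", finding)
```

Run against the thread's own configuration the only finding is the unknown backend 'tbd'; the ranges 65535-100000 and 100001-110000 neither overlap nor touch the 1000 and 65534 ids in the files, which matches Michael's point that starting just above the highest local id is not itself a problem. A layout starting at 1000 is flagged on both rules. To check a real host, read /etc/samba/smb.conf, /etc/passwd and /etc/group into the three arguments instead of the constructed strings.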
On Tue, Aug 9, 2016 at 2:48 PM, Michael Adam <obnox at samba.org> wrote:

> On 2016-08-09 at 11:58 -0300, francis picabia via samba wrote:
> > On Tue, Aug 9, 2016 at 10:21 AM, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > On Tue, 9 Aug 2016 09:37:13 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > >
> > > > Thanks for the detailed response.
> > > >
> > > > It is very extensive for my purposes, but it still feels over
> > > > analytical for what we need. I believe the Unix UID doesn't exceed
> > > > 65534. If this is a constant, why don't we just produce an example
> > > > for that? Out of the box, this is what many users will want to use.
> > > >
> > > > I don't understand when we want values to never overlap and when
> > > > we want them to be in a matching range.
> > > >
> > > > I would think this setting would work for everyone not using NIS or
> > > > LDAP in nsswitch:
> > > >
> > > > idmap config *:backend = tdb
> > > > idmap config *:range = 100001-110000
> > > > idmap config MYDOM : backend = rid
> > > > idmap config MYDOM : range = 65535-100000
> > >
> > > The only problem with that is, what happens if you do manage to get to
> > > user '100001' in 'MYDOM' ?
> > >
> > > This would probably be better:
> > > idmap config *:backend = tdb
> > > idmap config *:range = 65535-100000
> > > idmap config MYDOM : backend = rid
> > > idmap config MYDOM : range = 100001-110000
> > >
> > > This way, if you ever get to 'MYDOM' user '110001', you can just extend
> > > the range in smb.conf.
> > >
> > > However, a better way would be to find out who set nobody/nogroup to
> > > '65534' (there was probably a logical reason at the time it was set)
> > > and get it changed to '499' or whatever. Anybody know who to contact ?
> > >
> >
> > I'm entertaining all your suggestions of workarounds and values.
> >
> > I've changed nobody to UID and GID 499 in /etc/passwd and /etc/groups
> > It had no conflicts with another user. However nobody doesn't exist in AD.
>
> Why are you so keen on starting a range directly above the
> smallest used id number from the files?
>

I'd like to see it documented in plain terms, not formula where few people know what "rid in sid" means. It seems to me if it were documented for the type security = ads case for Linux, this would be a template to start with, and not looking for magic values as many users have come to rely on (see the Samba and Debian bug reports for people who think the range beginning at 1000 was some magic solution).

Look, you get into your car, and do you look at an RPM value and gear indicator, compute the tire size P215R16 and figure out the speed? No, there is a calibrated instrument for it. Well, what is sitting in front of us, a frigging computer! Why can't samba/winbind look at nsswitch, determine there is nothing like NIS and LDAP, lookup the UID values in /etc/passwd, and make ranges on the fly? The end user does not care what their values are - they only want "Map Network Drive" to work and get something done. I suspect the computer on Apollo missions could have achieved this range computation.

>
> The main thing is not to overlap.
> It is OK to have gaps! :-)
>
> Also, afaik, nothing prevents you from adding
> a user of uid 1000000 into your passwd file.
>
> There is just *no* recipe that fits everyone.
> Hence the general instructions in the manpage...
>
> I personally like to give winbind high up ranges
> starting in the 100s of 1000s or even in the millions.
>
> > Now testparm reports:
> >
> > # testparm /etc/samba/smb.conf
> > Load smb config files from /etc/samba/smb.conf
> > Processing section "[homes]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> >
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> > workgroup = MYDOM
> > realm = AD.MYDOM.CA
> > server string = Debian2 Server
> > security = ADS
> > log file = /var/log/samba/%m.log
> > max log size = 50
> > unix extensions = No
> > load printers = No
> > printcap name = /dev/null
> > disable spoolss = Yes
> > dns proxy = No
> > winbind use default domain = Yes
>
> Recommendation: avoid this by all means if possible.
> It typically only creates problems by introducing
> ambiguity.
>

Avoid the use of the * plus domain name? I'd agree, but this is how it is documented, so I'm trying to play along and see if magic beans fall out of the sky and it works, like it does for the other users who have found magic solutions.

> > idmap config mydom : range = 100001-110000
> > idmap config mydom : backend = rid
> > idmap config *:range = 65535-100000
> > idmap config * : backend = tbd
>
> Typo in the config? tdb <--> tbd ?
>

I've tried with only the rid backend and always the same behaviour. It is a documented bug.

>
> Cheers - Michael
>