On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba wrote:
> Hi Rowland,
>
> Just to let you know, we removed all the idmap entries we had on
> the smb.conf of our two DCs and the ids reported by getent passwd
> at the DCs were in the 3.000.000 range, as you said. We had to add
> back 'idmap_ldb:use rfc2307 = yes' to get the user listing with
> the original numbers on the DCs.
>
> Here's what we commented out on the configuration files.
>
> # Default idmap config used for BUILTIN and local accounts/groups
> #idmap config *:backend = ad
> #idmap config *:range = 2000-9999
>
> # idmap config for domain E-TRUST
> #idmap config E-TRUST:backend = ad
> #idmap config E-TRUST:schema_mode = rfc2307
> #idmap config E-TRUST:range = 10000-40000
> #idmap cache time = 1
> #idmap negative cache time = 1
> #winbind cache time = 1
> idmap_ldb:use rfc2307 = yes
>
> Regards,
> Vinicius.

Can you confirm that it still fails with that configuration?

You may need to flush the caches. 'net cache flush'.

I certainly can see how having those set would have broken things, because we now enforce the range if set, whereas 4.4 just ignored them.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Sat, 29 Oct 2016 22:31:22 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> wrote:
> > Hi Rowland,
> >
> > Just to let you know, we removed all the idmap entries we had
> > on the smb.conf of our two DCs and the ids reported by getent
> > passwd at the DCs were in the 3.000.000 range, as you said. We
> > had to add back 'idmap_ldb:use rfc2307 = yes' to get the user
> > listing with the original numbers on the DCs.
> >
> > Here's what we commented out on the configuration files.
> >
> > # Default idmap config used for BUILTIN and local accounts/groups
> > #idmap config *:backend = ad
> > #idmap config *:range = 2000-9999
> >
> > # idmap config for domain E-TRUST
> > #idmap config E-TRUST:backend = ad
> > #idmap config E-TRUST:schema_mode = rfc2307
> > #idmap config E-TRUST:range = 10000-40000
> > #idmap cache time = 1
> > #idmap negative cache time = 1
> > #winbind cache time = 1
> > idmap_ldb:use rfc2307 = yes
> >
> > Regards,
> > Vinicius.
>
> Can you confirm that it still fails with that configuration?
>
> You may need to flush the caches. 'net cache flush'.
>
> I certainly can see how having those set would have broken things,
> because we now enforce the range if set whereas 4.4 just ignored
> them.
>
> Thanks,
>
> Andrew Bartlett

Are you saying that the 'idmap config' lines as used on a domain member are now supposed to work on a DC?

From my testing on version 4.5.0, they still do nothing: either the xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added to a user/group, this will be used instead.

Rowland
Thank you for the replies, but at 1800hrs Thursday night I wiped everything and started with a fresh build of 4.4 stable. By 2300hrs I had a stable AD setup. I will wait until 4.5 is worked out a bit more before upgrading, and I will probably test it in a virtual environment via VirtualBox first.

Andrew, thank you for taking the time to respond. I expect issues from time to time. You guys are an open-source community and the odds that you can test every configuration of hardware, OS, and software are virtually non-existent. I do appreciate the effort you and the Samba team, as well as the members who help on this list (Rowland seems to be on here almost 24hrs a day), put into the project. Thanks!

Finally, I too would like to know if the settings are going to be honored in 4.5 and beyond. If so, how would the migration from 4.4 to a newer version go if we do not have those lines in our current configuration file?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/29/2016 06:24 AM, Rowland Penny via samba wrote:
> On Sat, 29 Oct 2016 22:31:22 +1300
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
>> On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
>> wrote:
>>> Hi Rowland,
>>>
>>> Just to let you know, we removed all the idmap entries we had
>>> on the smb.conf of our two DCs and the ids reported by getent
>>> passwd at the DCs were in the 3.000.000 range, as you said. We
>>> had to add back 'idmap_ldb:use rfc2307 = yes' to get the user
>>> listing with the original numbers on the DCs.
>>>
>>> Here's what we commented out on the configuration files.
>>>
>>> # Default idmap config used for BUILTIN and local accounts/groups
>>> #idmap config *:backend = ad
>>> #idmap config *:range = 2000-9999
>>>
>>> # idmap config for domain E-TRUST
>>> #idmap config E-TRUST:backend = ad
>>> #idmap config E-TRUST:schema_mode = rfc2307
>>> #idmap config E-TRUST:range = 10000-40000
>>> #idmap cache time = 1
>>> #idmap negative cache time = 1
>>> #winbind cache time = 1
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> Regards,
>>> Vinicius.
>>
>> Can you confirm that it still fails with that configuration?
>>
>> You may need to flush the caches. 'net cache flush'.
>>
>> I certainly can see how having those set would have broken things,
>> because we now enforce the range if set whereas 4.4 just ignored
>> them.
>>
>> Thanks,
>>
>> Andrew Bartlett
>
> Are you saying that the 'idmap config' lines as used on a domain member
> are now supposed to work on a DC?
> From my testing on version 4.5.0, they still do nothing, either the
> xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added to
> a user/group, this will be used instead.
>
> Rowland
On Sat, 2016-10-29 at 11:24 +0100, Rowland Penny via samba wrote:
> On Sat, 29 Oct 2016 22:31:22 +1300
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> > On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> > wrote:
> > > Hi Rowland,
> > >
> > > Just to let you know, we removed all the idmap entries we had
> > > on the smb.conf of our two DCs and the ids reported by getent
> > > passwd at the DCs were in the 3.000.000 range, as you said. We
> > > had to add back 'idmap_ldb:use rfc2307 = yes' to get the user
> > > listing with the original numbers on the DCs.
> > >
> > > Here's what we commented out on the configuration files.
> > >
> > > # Default idmap config used for BUILTIN and local accounts/groups
> > > #idmap config *:backend = ad
> > > #idmap config *:range = 2000-9999
> > >
> > > # idmap config for domain E-TRUST
> > > #idmap config E-TRUST:backend = ad
> > > #idmap config E-TRUST:schema_mode = rfc2307
> > > #idmap config E-TRUST:range = 10000-40000
> > > #idmap cache time = 1
> > > #idmap negative cache time = 1
> > > #winbind cache time = 1
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > Regards,
> > > Vinicius.
> >
> > Can you confirm that it still fails with that configuration?
> >
> > You may need to flush the caches. 'net cache flush'.
> >
> > I certainly can see how having those set would have broken things,
> > because we now enforce the range if set whereas 4.4 just ignored
> > them.
> >
> > Thanks,
> >
> > Andrew Bartlett
>
> Are you saying that the 'idmap config' lines as used on a domain
> member are now supposed to work on a DC?

No. But a patch for this bug was landed:
https://bugzilla.samba.org/show_bug.cgi?id=12155

> From my testing on version 4.5.0, they still do nothing, either the
> xidNumbers from idmap.ldb are used, or, if a uid/gidNumber is added
> to a user/group, this will be used instead.

The impact of this, if I read the code correctly, is a frustrating intersection of enforcing the range, but only in addition to what is otherwise configured in the databases.

We will know more when (for example) a user finds that reverting this patch fixes things, or applying it to 4.4 breaks it.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
I'm not sure I understood the question. Uncommenting the lines or commenting them yields the same results, as long as "idmap_ldb:use rfc2307 = yes" is kept in place. Commenting it as well changes the ids to the 3 million range. Cleaning the caches did not affect the results.

On 29/10/2016 07:31, Andrew Bartlett via samba wrote:
> On Thu, 2016-10-27 at 17:23 -0200, Vinicius Bones Silva via samba
> wrote:
>> Hi Rowland,
>>
>> Just to let you know, we removed all the idmap entries we had on
>> the smb.conf of our two DCs and the ids reported by getent passwd
>> at the DCs were in the 3.000.000 range, as you said. We had to add
>> back 'idmap_ldb:use rfc2307 = yes' to get the user listing with
>> the original numbers on the DCs.
>>
>> Here's what we commented out on the configuration files.
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> #idmap config *:backend = ad
>> #idmap config *:range = 2000-9999
>>
>> # idmap config for domain E-TRUST
>> #idmap config E-TRUST:backend = ad
>> #idmap config E-TRUST:schema_mode = rfc2307
>> #idmap config E-TRUST:range = 10000-40000
>> #idmap cache time = 1
>> #idmap negative cache time = 1
>> #winbind cache time = 1
>> idmap_ldb:use rfc2307 = yes
>>
>> Regards,
>> Vinicius.
>
> Can you confirm that it still fails with that configuration?
>
> You may need to flush the caches. 'net cache flush'.
>
> I certainly can see how having those set would have broken things,
> because we now enforce the range if set whereas 4.4 just ignored them.
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>

This message may contain privileged and confidential information for the use of the intended recipients only. If you are not an intended recipient then you should not disseminate, copy, or take any action based on its contents. If you have received this message in error then please notify E-TRUST by sending an e-mail message to suporte at e-trust.com.br immediately. Views and opinions expressed in this message do not necessarily reflect the position of E-TRUST. If this message is digitally signed, its authenticity can be confirmed by E-TRUST Private Certificate Authority, available at www.e-trust.com.br.
On Tue, 1 Nov 2016 10:52:27 -0200
Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:

> I'm not sure I understood the question. Uncommenting the lines or
> commenting them yields the same results, as long as "idmap_ldb:use
> rfc2307 = yes" is kept in place. Commenting it as well changes the
> ids to the 3 million range. Cleaning the caches did not affect the
> results.
>

I am glad someone else has confirmed what I have been saying for a long time: adding the 'idmap config' lines to the smb.conf on a DC does nothing.

When you set up the first DC, it will use the 'xidNumber' attributes in idmap.ldb and these are allocated on a first come basis. If you then give users a uidNumber, these will be used instead.

So, as standard, users get an xidNumber in the '3000000' range. You could decide to give users a uidNumber in the range '10000-20000' and these numbers would be used instead of the xidNumbers. You could then add a line such as this 'idmap config DOMAIN : range 30000-40000' to smb.conf; the users on the DC would still use the uidNumber you set in the '10000-20000' range.

Rowland
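The mechanism Rowland describes gives a DC two possible sources for a uid: the rfc2307 uidNumber attribute on the user object, or the xidNumber auto-allocated in idmap.ldb (the 3000000 range). When an upgrade changes which one wins, as Vinicius saw, the first thing to establish is which source produced the ids you are currently seeing. The script below is an added example (not part of this thread and not Samba's own tooling) that does that offline from the text output of two real commands, `getent passwd` and `ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' sAMAccountName uidNumber`, and flags any account that has a uidNumber in AD which the DC did not use. The sam.ldb path, the 3000000 base, the E-TRUST prefix and all sample output are assumptions or constructed data; the DN `DC=example,DC=com` is a placeholder.

```python
"""Report which ID source a Samba AD DC used for each account.

Added example, not code from the thread or from the Samba project. It parses
the text output of two commands run on the DC (the path and the sample output
below are constructed, not captured from a real DC):

    getent passwd
    ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' \
        sAMAccountName uidNumber
"""
import re

# On a DC, xidNumbers in idmap.ldb are handed out from 3000000 upward; that is
# the "3 million range" the thread reports when rfc2307 attributes are not used.
XID_BASE = 3000000


def normalize(name):
    """Strip a DOMAIN\\ or DOMAIN+ prefix and case so both sources compare equal."""
    return re.split(r"[\\+]", name)[-1].lower()


def parse_getent(text):
    """Map account name -> uid from `getent passwd` lines (name:x:uid:gid:...)."""
    uids = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            uids[parts[0]] = int(parts[2])
    return uids


def parse_ldif_uidnumbers(text):
    """Map sAMAccountName -> uidNumber from ldbsearch LDIF output.

    Unfolds LDIF continuation lines (leading space), ignores '#' comment lines
    such as the '# returned N records' trailer, and skips base64 ('::') values.
    """
    unfolded = re.sub(r"\n ", "", text)
    result = {}
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        name = uid = None
        for line in record.splitlines():
            key, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value, not handled here
                continue
            if key.lower() == "samaccountname":
                name = value.strip()
            elif key.lower() == "uidnumber" and value.strip().isdigit():
                uid = int(value.strip())
        if name is not None and uid is not None:
            result[name] = uid
    return result


def classify(getent_uids, ad_uidnumbers, xid_base=XID_BASE):
    """Return {account: (uid, source)} for every account getent reported.

    'uidNumber'                     uid equals the rfc2307 attribute in AD
    'xidNumber'                     auto-allocated from idmap.ldb, no uidNumber in AD
    'xidNumber (uidNumber ignored)' AD has a uidNumber but the DC did not use it:
                                    the failure mode reported in the thread
    'local'                         below the xid base and not an AD account (root etc.)
    'unexpected'                    anything else; flush caches and look closer
    """
    ad = {normalize(k): v for k, v in ad_uidnumbers.items()}
    report = {}
    for name, uid in getent_uids.items():
        key = normalize(name)
        wanted = ad.get(key)
        if wanted is not None and uid == wanted:
            source = "uidNumber"
        elif uid >= xid_base:
            source = "xidNumber" if wanted is None else "xidNumber (uidNumber ignored)"
        elif wanted is None:
            source = "local"
        else:
            source = "unexpected"
        report[key] = (uid, source)
    return report


def ignored_uidnumbers(report):
    """Accounts whose AD uidNumber was not honoured, sorted for stable output."""
    return sorted(n for n, (_, src) in report.items() if "ignored" in src)


# Constructed sample output. E-TRUST is the NetBIOS name used in the thread.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
E-TRUST\\alice:*:10001:10000:Alice:/home/E-TRUST/alice:/bin/bash
E-TRUST\\bob:*:3000021:3000020:Bob:/home/E-TRUST/bob:/bin/bash
E-TRUST\\svc-backup:*:3000042:3000020:Backup:/home/E-TRUST/svc-backup:/bin/false
"""

SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10002

# returned 2 records
# 2 entries
# 0 referrals
"""

if __name__ == "__main__":
    report = classify(parse_getent(SAMPLE_GETENT), parse_ldif_uidnumbers(SAMPLE_LDIF))
    for account, (uid, source) in sorted(report.items()):
        print(f"{account:<12} uid={uid:<8} source={source}")
    for account in ignored_uidnumbers(report):
        print(f"WARNING: {account} has a uidNumber in AD that the DC did not use; "
              "check 'idmap_ldb:use rfc2307 = yes' in smb.conf and run 'net cache flush'")
```

On the constructed data, alice is served from her uidNumber, svc-backup has no rfc2307 attribute and so legitimately gets an xidNumber, and bob is the case from the thread: a uidNumber exists in AD but getent reports a 3000000-range id, so the DC is not consulting the attribute. Note that, as Rowland says, no `idmap config DOMAIN:range` value enters into this on a DC; the only two inputs are the attribute and idmap.ldb.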