Arnaud Cruzel
2017-Mar-15 15:13 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wednesday 15 March 2017 at 13:17 +0000, Rowland Penny via samba wrote:
> On Wed, 15 Mar 2017 14:23:23 +0200
> Arnaud Cruzel via samba <samba at lists.samba.org> wrote:
>
> > Hi everybody,
> >
> > I have a samba server member for file sharing configured like
> > below.
> > Domains controllers are on samba too.
> > Every servers are on samba 4.5.3.
> > When I created the domain I activated rfc2307.
> >
> > Now I think rfc2307 was a bad idea...
>
> You could use the winbind 'rid' backend instead, this will mean that
> your users will get different 'IDs', so you will have to change the
> ownership of any files and directories stored on the fileserver.
>
> You will also have to use 'template' lines in smb.conf for Unix home
> dirs and shell.
>
> Rowland

Thanks for your answer.

OK, I tried that. After that there are no longer any problems accessing the file server for a user without uidNumber. But now it's impossible for Unix clients to access Samba shares on this server. I think it's because the uids are different. For information, I didn't have to change the shares' owner; the server kept the same uids for users (I think because of caching?)

What I did : # diff smb.conf.ad smb.conf.rid 37,39c37,39 < idmap config IFPOAD:backend = ad < idmap config IFPOAD:schema_mode = rfc2307 < idmap config IFPOAD:range = 10000-99999 ---> # idmap config IFPOAD:backend = ad > # idmap config IFPOAD:schema_mode = rfc2307 > # idmap config IFPOAD:range = 10000-9999941,42c41,42 < # idmap config IFPOAD : backend = rid < # idmap config IFPOAD : range = 10000-999999 ---> idmap config IFPOAD : backend = rid > idmap config IFPOAD : range = 10000-99999945,46c45,46 < # winbind nss info = template < # template shell = /bin/bash ---> winbind nss info = template > template shell = /bin/bash47a48,50> template homedir = /Users/%U > > # winbind nss info = rfc230749d51 < winbind nss info = rfc2307 61c63 < unix extensions = no ---> # unix extensions = no75c77 < #username map = /usr/local/samba/etc/user.map ---> username map = /usr/local/samba/etc/user.map
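Review bot: the 61c63 and 75c77 hunks ride along with the idmap backend switch in 37,39c37,39 and 41,42c41,42 but are unrelated to it: commenting out "unix extensions = no" puts that parameter back to its default, and enabling "username map = /usr/local/samba/etc/user.map" changes how incoming user names are resolved. With all of these applied at once, a client that fails after the change cannot be attributed to the rid switch alone; apply the idmap change on its own and test before touching the other two. Separately, the new rid range in 41,42c41,42 starts at the same 10000 as the old ad range, so rid-derived IDs land in the ID space that uidNumber values occupied; files already on disk keep their old numeric owners, so a range that does not overlap the old one, or a planned ownership change, avoids a file resolving to a different user after the switch.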
Rowland Penny
2017-Mar-15 16:08 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wed, 15 Mar 2017 17:13:43 +0200 Arnaud Cruzel <a.cruzel at ifporient.org> wrote:
>
> OK, I tried that. After what there is no long problems for access to
> file server by an user without uidNumber. But now it's impossible for
> unix client to access to samba shares on this server.

You never mentioned Unix users.

The 'rid' backend works by calculating the user's ID from its Windows RID. Unix users do not have a RID, so they don't get an ID.

If you have Unix users, you will have to create the users in AD, set the Unix machines up as domain members (info available on the Samba wiki) and remove the users from the Unix machine (they cannot be in /etc/passwd and AD). You could also return to using the 'ad' backend, but you would still have to make the Unix machines domain members.

> I think because of uid are differents. For information I didn't have
> to change shares
> owner, the server kept the same uids for users (I think because of
> caching ?)

Wait until the cache expires and wait for the screams :-)

Rowland
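The rid calculation described in the reply above, as an added example that is not part of the original thread: it applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) with the range from the posted rid config, and reports which users get a new ID and where a new ID lands on another user's old uidNumber, which is the case where files on disk silently change owner. The user names, RIDs and uidNumbers are constructed, and base_rid is assumed to be the default of 0.

```python
# Added example: what switching idmap from 'ad' to 'rid' does to numeric IDs.
LOW, HIGH = 10000, 999999   # 'idmap config IFPOAD : range' in the rid config
BASE_RID = 0                # assumption: idmap_rid default, not set on the page


def rid_to_id(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """idmap_rid mapping; returns None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ownership_drift(users):
    """users: list of (name, rid, uidNumber or None).

    Returns (changed, collisions):
      changed    -- (name, old_uid, new_uid) for users whose ID moves
      collisions -- (name, new_uid, previous_owner) where the new ID equals
                    a uidNumber that files on disk still carry for someone else
    """
    old_owner = {uid: name for name, _, uid in users if uid is not None}
    changed, collisions = [], []
    for name, rid, old_uid in users:
        new_uid = rid_to_id(rid)
        if old_uid is not None and new_uid != old_uid:
            changed.append((name, old_uid, new_uid))
        previous = old_owner.get(new_uid)
        if previous is not None and previous != name:
            collisions.append((name, new_uid, previous))
    return changed, collisions


# Constructed sample directory: (sAMAccountName, RID, uidNumber under rfc2307)
USERS = [
    ("alice", 1105, 10010),
    ("bob",   1106, 11105),  # old uidNumber equals alice's rid-derived ID
    ("carol", 1107, None),   # no uidNumber: unmapped by 'ad', mapped by 'rid'
]

if __name__ == "__main__":
    changed, collisions = ownership_drift(USERS)
    for name, old, new in changed:
        print(f"{name}: uid {old} -> {new}; files owned by {old} need chown")
    for name, new, previous in collisions:
        print(f"{name}: new uid {new} was {previous}'s; "
              f"{previous}'s files now resolve to {name}")
```

Running the same comparison against a real export of RIDs and uidNumbers before the cache expires shows which paths need an ownership change and which need it before anyone logs in.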
Arnaud Cruzel
2017-Mar-15 16:49 UTC
[Samba] Allow user without uidNumber to access to a Samba member file server
On Wednesday 15 March 2017 at 16:08 +0000, Rowland Penny via samba wrote:
> On Wed, 15 Mar 2017 17:13:43 +0200
> Arnaud Cruzel <a.cruzel at ifporient.org> wrote:
>
> > OK, I tried that. After what there is no long problems for access
> > to file server by an user without uidNumber. But now it's impossible
> > for unix client to access to samba shares on this server.
>
> You never mentioned Unix users
>
> The 'rid' backend works by calculating the users ID from its Windows
> RID, Unix users do not have a RID, so they don't get an ID.
>
> If you have Unix users, you will have to create the users in AD,
> set the Unix machines up as a domain member (info available on the
> Samba wiki)
> and remove the users from the Unix machine (they cannot be
> in /etc/passwd and AD). You could also return to using the 'ad'
> backend, but you would still have to make the Unix machines domain
> members.

Sorry, I said Unix client, but I meant to say Unix machine. An Active Directory user connected on a Unix machine that is a member of the domain seems to be unable to access shares when the share server has idmap set with rid.

> > I think because of uid are differents. For information I didn't
> > have to change shares
> > owner, the server kept the same uids for users (I think because of
> > caching ?)
>
> Wait until the cache expires and wait for the screams :-)

Yes, I heard them... from Unix and Mac OSx domain users :D. I locked my office door! Windows users kept cool.

So I think I have no choice: in a mixed environment of Mac OSx, Windows and Linux, I have to set uidNumber... Arghhh

But you mentioned a patch in your other mail for setting uidNumbers automatically?? Where is it? I want it.

Thanks

>
> Rowland