Hi Rowland,

On 27 May 2017 11:39:
> Hmm, you mention:
>
> 'idmap_ldb:use rfc2307 = yes' and 'xidNumber'
>
> Is this on a DC or a Unix domain member ?

This is on a DC. I only have two centOS7 AD DC's in my environment..

Tim

Edit2: Getting Closer!

After removing all the idmap entries in my smb.conf files, I'm now getting this error (which looks a little less distressing!):

[homes] share not available for user LAMBROOK\tim.odriscoll because it was not found or created at session setup time

I've got my 'template homedir' set correctly on both my DCs..

Any pointers on where to go next?

Many thanks,

Tim

From: samba <samba-bounces at lists.samba.org> on behalf of Tim ODriscoll via samba <samba at lists.samba.org>
Sent: 27 May 2017 12:02
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] idmap woes after upgrade

Hi Rowland,

On 27 May 2017 11:39:
> Hmm, you mention:
>
> 'idmap_ldb:use rfc2307 = yes' and 'xidNumber'
>
> Is this on a DC or a Unix domain member ?

This is on a DC. I only have two centOS7 AD DC's in my environment..

Tim

On Sat, 27 May 2017 11:02:36 +0000 Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:

> Hi Rowland,
>
> On 27 May 2017 11:39:
> > Hmm, you mention:
> >
> > 'idmap_ldb:use rfc2307 = yes' and 'xidNumber'
> >
> > Is this on a DC or a Unix domain member ?
>
> This is on a DC. I only have two centOS7 AD DC's in my environment..
>

OK, you posted that you have these lines in your smb.conf:

    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config LAMBROOK:backend = ad
    idmap config LAMBROOK:schema_mode = rfc2307
    idmap config LAMBROOK:range = 10000-99999
    idmap config LAMBROOK:unix_nss_info = yes
    idmap config LAMBROOK : unix_primary_group = yes
    winbind nss info = rfc2307

You might as well remove all of them except:

    idmap_ldb:use rfc2307 = yes

The other lines never did anything on a DC.

Unless you manually add uidNumber attributes to users and gidNumber attributes to groups, id mapping on a DC is done in idmap.ldb and results in ID numbers in the 3000000 range.

If you rely on idmap.ldb for your ID mappings, you will need to keep idmap.ldb in sync on both DCs, otherwise you are very likely to get different user & group IDs on each DC. This is only a concern if you use the DCs as a fileserver.

You also mentioned [homes], this does not work on a DC, see here:

https://wiki.samba.org/index.php/User_Home_Folders

When you upgraded Samba, did libnss_winbind.so get upgraded as well ?

Rowland

On 27 May 2017 12:45:
On Sat, 27 May 2017 11:02:36 +0000 Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:

> The other lines never did anything on a DC.

Thank you, I've removed them now..

> Unless you manually add uidNumber attributes to users and gidNumber
> attributes to groups, id mapping on a DC is done in idmap.ldb and
> results in ID numbers in the 3000000 range.

My add_user script keeps track of uidNumber's and makes sure they're unique.

> If you rely on idmap.ldb for your ID mappings, you will need to keep
> idmap.ldb in sync on both DCs, otherwise you are very likely to get
> different user & group IDs on each DC. This is only a concern if you
> use the DCs as a fileserver.

I do use the DCs as fileservers using glusterfs, but I only map one DC's share keeping the other as a cold-spare. I'd like to improve that so that I can hot-swap the logon scripts to make users map shares on different servers. This is the last piece now - getting the uid's showing up on the file system so I can use usernames instead of uidNumbers.

I can add idmap.ldb syncing into my add_user script, but at the moment the filesystem is showing uid's from uidNumber, not the xidNumber in idmap.ldb. Which way is correct?

> You also mentioned [homes], this does not work on a DC, see here:

Thank you - I missed that. I've now got my 'users' share working and I can see my files!

> When you upgraded Samba, did libnss_winbind.so get upgraded as well ?

Yes, I believe it did. I've done the 'ldconfig -v | grep winbind' and then checked the timestamp of libnss_winbind.so and it's recent.

Thank you very much for your input,

Tim
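
Added example (not part of the thread, and not Samba's own code): one way to check the idmap.ldb drift described above, by comparing SID to xidNumber mappings from an LDIF dump of idmap.ldb taken on each DC. It assumes the dumps are LDIF as printed by ldbsearch, with the SID in `cn`; the function names, SIDs and numbers are constructed for illustration.

```python
# Added example: compare SID -> xidNumber mappings from two DCs' idmap.ldb dumps.
# Assumption: input is LDIF text as printed by ldbsearch against idmap.ldb.

def parse_idmap_ldif(text):
    """Return {sid: (xidNumber, type)} for each SID record in an LDIF dump."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    mappings, record = {}, {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if line.startswith("#"):               # "# record N" style comments
            continue
        if not line.strip():
            sid = record.get("cn", "")
            # Skip non-SID records such as CN=CONFIG (allocator state, not a mapping).
            if sid.startswith("S-") and "xidnumber" in record:
                mappings[sid] = (int(record["xidnumber"]), record.get("type", "?"))
            record = {}
            continue
        name, sep, value = line.partition(":")
        if sep:
            record[name.strip().lower()] = value.strip()
    return mappings

def compare(dc1, dc2):
    """Return (conflicts, only_dc1, only_dc2, reused) between two mapping dicts."""
    conflicts = {s: (dc1[s], dc2[s]) for s in dc1.keys() & dc2.keys() if dc1[s] != dc2[s]}
    by_xid2 = {x: s for s, (x, _) in dc2.items()}
    # Same number bound to different SIDs: file ownership then differs per DC.
    reused = {x: (s, by_xid2[x]) for s, (x, _) in dc1.items() if by_xid2.get(x, s) != s}
    return conflicts, sorted(dc1.keys() - dc2.keys()), sorted(dc2.keys() - dc1.keys()), reused

def sample_dump(pairs):
    """Build a constructed LDIF dump; every SID and number here is made up."""
    head = "# record 1\ndn: CN=CONFIG\ncn: CONFIG\nlowerBound: 3000000\nxidNumber: 3000020\n\n"
    rec = "dn: CN={0}\ncn: {0}\nobjectClass: sidMap\ntype: ID_TYPE_BOTH\nxidNumber: {1}\n\n"
    return head + "".join(rec.format(s, x) for s, x in pairs)

DOM = "S-1-5-21-1111-2222-3333"                # constructed domain SID
DC1 = sample_dump([(DOM + "-1104", 3000012), (DOM + "-1105", 3000013), (DOM + "-1106", 3000014)])
DC2 = sample_dump([(DOM + "-1104", 3000012), (DOM + "-1105", 3000014), (DOM + "-1107", 3000013)])

if __name__ == "__main__":
    for label, result in zip(("conflicts", "only on DC1", "only on DC2", "reused numbers"),
                             compare(parse_idmap_ldif(DC1), parse_idmap_ldif(DC2))):
        print(label, result)
```

The `reused` result matters most where both DCs serve files: it lists numbers that resolve to different accounts depending on which DC answers, so on-disk ownership does not mean the same thing on both.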