On Tue, 11 Jul 2017 12:58:14 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 12:51 Rowland Penny wrote:
> >
> > Well, that explains where '11029' is coming from, you are using the
> > 'rid' backend. The users (or group) ID will be calculated using this
> > formula:
> >
> > ID = RID - BASE_RID + LOW_RANGE_ID
> >
> > BASE_RID is by default '0', so it becomes:
> >
> > ID = RID + LOW_RANGE_ID
> >
> > So, in your case it becomes
> >
> > 11029 = 1029 + 10000
>
> wow
>
> Does that explain in some way why some users work and others not?
> And why that worked yesterday?

Could be.

> > Of course, using the 'rid' backend means that you do not need to add
> > anything to AD and you do not need this line in smb.conf:
> >
> > idmap config BUERO:schema_mode = rfc2307
> >
> > Or you could just change 'idmap config BUERO:backend = rid' to
> > 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in
> > AD.
>
> I would prefer not to have to decide this. You understand? ;-)

I think the decision has been made for you, if anything has been stored on the DM, it will belong to the IDs that the 'rid' backend has created/allocated to your users & groups.

> What's the recommendation here, I don't have a clue, I would just like
> to be able to change this to a working config without doing damage to
> active sessions, if possible. This is a productive environment right
> now.

If you want to use the 'ad' backend, you are going to have to do some work. You will have to find out what is stored on the DM and who owns it. You will then have to find (from AD) the correct ID number. Stop Samba, change smb.conf, restart Samba then change the ownership of the files etc.

> To me it sounds preferable to have everything in AD, right? At least
> that is what I expect from having all that: all in one place somehow

Having everything in AD gives you the possibility of using different Unix home dirs etc per person.

> -
>
> Can't remember exactly where rid comes from, I think it was a
> recommendation by Louis for my test VM (which then was migrated to
> this DC).

It should work, but only if the user's or group's RID + 10000 is inside the range you have set in smb.conf (in your case 10000-99999).

You can change the upper number in the range to a higher number without affecting anything else, but you will need to reload or restart Samba.

> Pls also advise if there are any additional steps needed for any of
> these solutions. I always feel unsure if and if not to add some ids
> and mappings somewhere ....
>

You could ensure that winbind is installed and running (I know it probably is, but...)

Rowland
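As an added illustration (not part of the thread, and not Samba's own code), the following script applies the idmap_rid formula quoted above to a domain SID and reports whether the resulting Unix ID lands inside the configured range; the smb.conf fragment is constructed from the BUERO values in the thread, and the domain SID prefix and RIDs are made up.

```python
import re

# Constructed smb.conf fragment: BUERO and 10000-99999 are the values from
# the thread; base_rid is left at its default of 0, as in the thread.
SMB_CONF = """\
[global]
   idmap config BUERO:backend = rid
   idmap config BUERO:range = 10000-99999
"""


def parse_idmap(conf, domain):
    """Collect the 'idmap config DOMAIN:key = value' lines for one domain."""
    cfg = {"base_rid": 0}
    pat = re.compile(r"idmap config %s:(\w+)\s*=\s*(\S+)" % re.escape(domain))
    for key, val in pat.findall(conf):
        key = key.lower()
        if key == "range":
            lo, hi = val.split("-")
            cfg["low"], cfg["high"] = int(lo), int(hi)
        elif key == "base_rid":
            cfg["base_rid"] = int(val)
        else:
            cfg[key] = val
    return cfg


def rid_from_sid(sid):
    """The RID is the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def rid_to_unix_id(sid, cfg):
    """ID = RID - BASE_RID + LOW_RANGE_ID (the idmap_rid formula).

    Returns None when the result falls outside the configured range, which
    is the case in which winbind cannot map the account to a Unix ID."""
    if cfg.get("backend") != "rid":
        raise ValueError("idmap backend for this domain is not 'rid'")
    unix_id = rid_from_sid(sid) - cfg["base_rid"] + cfg["low"]
    if cfg["low"] <= unix_id <= cfg["high"]:
        return unix_id
    return None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF, "BUERO")
    # Made-up domain SID prefix; RID 1029 is the one from the thread.
    for sid in ("S-1-5-21-1-2-3-1029", "S-1-5-21-1-2-3-90000"):
        print(sid, "->", rid_to_unix_id(sid, cfg))
```

A user whose RID + 10000 exceeds the upper bound of the range gets no mapping, which is why raising the upper number in `idmap config BUERO:range` (and reloading Samba) is the fix in that case.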
Stefan G. Weichinger
2017-Jul-11 11:37 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 13:28 Rowland Penny wrote:
>>> Of course, using the 'rid' backend means that you do not need to add
>>> anything to AD and you do not need this line in smb.conf:
>>>
>>> idmap config BUERO:schema_mode = rfc2307
>>>
>>> Or you could just change 'idmap config BUERO:backend = rid' to
>>> 'idmap config BUERO:backend = ad' and use the rfc2307 attributes in
>>> AD.
>>
>> I would prefer not to have to decide this. You understand? ;-)
>
> I think the decision has been made for you, if anything has been stored
> on the DM, it will belong to the IDs that the 'rid' backend has
> created/allocated to your users & groups.

and: After browsing https://wiki.samba.org/index.php/Idmap_config_ad and https://wiki.samba.org/index.php/Idmap_config_rid I would prefer "rid" to be honest ... ;-)

It's a "one fileserver" environment for now and will be for a long time, so I think rid does fulfill the requirements.

So it would be simply:

* remove line "idmap config BUERO:schema_mode = rfc2307" on DM
* reload/restart smbd/nmbd/winbind on DM

? Would that affect sessions? Should I order all users to log out first or so?

>> What's the recommendation here, I don't have a clue, I would just like
>> to be able to change this to a working config without doing damage to
>> active sessions, if possible. This is a productive environment right
>> now.
>
> If you want to use the 'ad' backend, you are going to have to do some
> work. You will have to find out what is stored on the DM and who owns
> it. You will then have to find (from AD) the correct ID number. Stop
> Samba, change smb.conf, restart Samba then change the ownership of the
> files etc.

No, see above. I think I go "rid".

>> To me it sounds preferable to have everything in AD, right? At least
>> that is what I expect from having all that: all in one place somehow
>
> Having everything in AD, gives you the possibility of using different
> Unix home dirs etc per person.

Not needed. I am the only UNIX user there.

I only need separate [home] dirs for a group of users: some customers of my customer come by to do some work with a specific software and I want to connect them to a specific user-folder on the server, using the [homes] mechanism.

? Would that be impossible then ?

>> Can't remember exactly where rid comes from, I think it was a
>> recommendation by Louis for my test VM (which then was migrated to
>> this DC).
>
> It should work, but only if the users or groups RID + 10000 is inside
> the range you have set in smb.conf (in your case 10000-99999)
>
> You can change the upper number in the range to a higher number without
> affecting anything else, but you will need to reload or restart Samba

ok

The mentioned user with 10029 was within that range (*scratch*), did the schema mode make things crash here?

>> Pls also advise if there are any additional steps needed for any of
>> these solutions. I always feel unsure if and if not to add some ids
>> and mappings somewhere ....
>>
>
> You could ensure that winbind is installed and running (I know it
> probably is, but...)

It is, it is.

Thanks a lot for your help and patience. But be honest: all that ain't easy stuff, right? :-)
Stefan G. Weichinger
2017-Jul-11 11:46 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 13:37 Stefan G. Weichinger wrote:
>> Having everything in AD, gives you the possibility of using different
>> Unix home dirs etc per person.
>
> Not needed. I am the only UNIX user there.
>
> I only need separate [home] dirs for a group of users:
>
> some customers of my customer come by to do some work with a specific
> software and I want to connect them to a specific user-folder on the
> server, using the [homes] mechanism.
>
> ? Would that be impossible then ?

I think I have it:

template homedir = /home/%U

works for me in this context, right?