Hi Rowland,

Thank you for your answer.
I think I have found a solution which could solve the issue until the next migration step. I tested it on another server which is not critical:

* Joining the server as a member and setting up the shares as you suggest
* Using nss_ldap instead of nss_winbind (idmap), which will pick up my unix ids

In this setup it seems I can access the shares with any DNS aliases/CNAME.
I know it is not a very proper setup but it seems to work and we can do it quickly.
What do you think about this?

Thanks

----- Original Mail -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Wednesday 30 August 2017 10:06:20
Subject: Re: [Samba] Shares not accessible when using FQDN

On Wed, 30 Aug 2017 09:35:29 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Hi Rowland,
>
> The reason is long to explain but shortly it was about a huge amount of
> data ~20TB stored on that server with unix user IDs (coming from a
> S3/LDAP setup).
> In DC mode it seems unix IDs are in use instead of idmap IDs.

No, not really, it is just a different way of doing things. On a DC idmap.ldb is used, this allocates IDs in the '3000000' range on a first come basis, this means that users (and groups) can have different IDs on different DCs. This can be overridden by giving users a uidNumber attribute containing whatever ID you require, the same goes for groups, but with gidNumber attributes.

> CNAME is added indeed. Regarding the migration, as said
> we came from S3/LDAP and go to 4.6. The entire future structure is
> not fixed yet but at this time we have a DC, a Fileserver and 3 other
> servers which should be simple fileservers (member) but currently are
> DC

If you were only a small organisation, you could use a DC as a fileserver, but you have to be aware of the limitations and backup everything on a regular basis, just how regular depends on how often you change AD, if you change it hourly, you should back it up hourly.

However you seem to have large and complex requirements, so you should have at least two DCs with as many Unix domain members running as fileservers as you require. With multiple DCs, you only need to backup one DC, usually the one holding the FSMO roles. You will only need to backup the smb.conf from the fileservers and any data etc that they hold, you do not need to backup any other of the Samba files. You can (and should) use the same smb.conf on all Unix domain members, just don't set the 'netbios name' in any of them, Samba will fill this in for you.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Wed, 30 Aug 2017 10:43:39 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Hi Rowland,
>
> Thank you for your answer.
> I think I have found a solution which could solve the issue until the
> next migration step. I tested it on another server which is not
> critical:
>
> * Joining the server as a member and setting up the shares as you
> suggest
> * Using nss_ldap instead of nss_winbind (idmap), which will pick up my
> unix ids

Well 'nss_ldap' is not supported by Samba and normally anything that it can do can also be done by winbind. What I am wondering about is what you are calling 'unix ids', where are these coming from? Are they from 'uidNumber' & 'gidNumber' attributes stored in AD or from /etc/passwd & /etc/group? If the latter, are you aware that you cannot have a user with the same name in AD and /etc/passwd. I think you may be trying to 'bend' AD to fit in with the old way Samba worked as a PDC or standalone, this is doomed to ultimate failure in my opinion. You need to work with AD, this will make things easier in the long run.

> In this setup it seems I can access the shares with any DNS
> aliases/CNAME

You should be able to do this using winbind.

> I know it is not a very proper setup but it seems to work and we can
> do it quickly

Yes, but will it be reliable in the long run?

Rowland
Rowland,

Yes, I mean uidNumber and gidNumber. I'm aware I need to work with AD but at this time I need my unix IDs (on NSS) to keep services working. Not only for file ownership, but also for some other services. Yeah, that's complex...
If I understand well, the best way to do it is to join the server using "net ads join" and use nss_winbind. This is what I do but I only use the NSS LDAP backend instead of NSS (to keep correct ownership). This will be cleaned up in the future (within the next migration steps) but for now I think I have no other choice because it seems I cannot obtain unix IDs through Winbind on a domain member (or maybe I missed the solution??).

Thanks

----- Original Mail -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Wednesday 30 August 2017 11:00:18
Subject: Re: [Samba] Shares not accessible when using FQDN
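As an added example, not from the thread or the Samba project: an smb.conf for the Unix domain member on which winbind itself serves the uidNumber/gidNumber values stored in AD, so the uids stay stable without nss_ldap. The realm, workgroup, ID ranges and share path are placeholders.

```ini
# smb.conf for a Samba 4.6 Unix domain member (constructed example; SAMDOM,
# samdom.example.com, the ranges and the share path are placeholders).
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    # Leave 'netbios name' unset: Samba derives it from the hostname, so this
    # same file can be copied unchanged to every member fileserver.

    # Fallback backend for SIDs that carry no uidNumber/gidNumber (BUILTIN,
    # other domains). Its range must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain users and groups: winbind reads uidNumber/gidNumber straight from
    # AD instead of allocating IDs itself. Only objects whose attribute value
    # falls inside 'range' are mapped; an account without the attribute is not
    # visible to getent at all, which is the safe failure for file ownership.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    # Also take loginShell/unixHomeDirectory from AD (Samba >= 4.6); the
    # template values apply when those attributes are missing.
    idmap config SAMDOM : unix_nss_info = yes
    template shell = /bin/bash
    template homedir = /home/%U

    winbind use default domain = yes
    winbind refresh tickets = yes
    kerberos method = secrets and keytab

[data]
    path = /srv/samba/data
    read only = no

# /etc/nsswitch.conf on the member then points at winbind, not ldap:
#   passwd: files winbind
#   group:  files winbind
# Verify with 'getent passwd <aduser>' that the returned uid is the AD
# uidNumber and not one from the 3000-7999 fallback range.
```

On the DC side the same uidNumber/gidNumber attributes are what override the idmap.ldb '3000000' allocations Rowland describes, so both roles end up reporting the same numbers.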