Rowland,

Yes, I mean uidNumber and gidNumber.
I'm aware I need to work with AD but at this time I need my unix IDs (on NSS) to keep services working. Not only for file ownership, but also for some other services. Yeah, that's complex...
If I understand correctly, the best way is to join the server using "net ads join" and use nss_winbind. This is what I do, but I only use the NSS LDAP backend instead of NSS (to keep correct ownership).
This will be cleaned up in the future (within the next migration steps) but for now I think I have no other choice because it seems I cannot obtain unix IDs through Winbind on a domain member (or maybe I missed the solution??).

Thanks

----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Wednesday 30 August 2017 11:00:18
Subject: Re: [Samba] Shares not accessible when using FQDN

On Wed, 30 Aug 2017 10:43:39 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Hi Rowland,
>
> Thank you for your answer.
> I think I have found a solution which could solve the issue until the
> next migration step. I tested it on another server which is not
> critical:
>
> * Joining the server as a member and setting up the shares as you
>   suggest
> * Using nss_ldap instead of nss_winbind (idmap), which will pick up my
>   unix ids

Well 'nss_ldap' is not supported by Samba and normally anything that it
can do can also be done by winbind. What I am wondering about is what
you are calling 'unix ids', where are these coming from? Are they
from 'uidNumber' & 'gidNumber' attributes stored in AD or
from /etc/passwd & /etc/group?
If the latter, are you aware that you cannot have a user with the same
name in AD and /etc/passwd.

I think you may be trying to 'bend' AD to fit in with the old way
Samba worked as a PDC or standalone, this is doomed to ultimate
failure in my opinion. You need to work with AD, this will make things
easier in the long run.

> In this setup it seems I can access the shares with any DNS
> aliases/CNAME

You should be able to do this using winbind.

> I know it is not a very proper setup but it seems to work and we can
> do it quickly

Yes, but will it be reliable in the long run?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
2017-08-30 11:25 GMT+02:00 Gaetan SLONGO via samba <samba at lists.samba.org>:

> Rowland,
>
> Yes, I mean uidNumber and gidNumber.
> I'm aware I need to work with AD but at this time I need my unix IDs (on
> NSS) to keep services working. Not only for file ownership, but also for
> some other services. Yeah, that's complex...
> If I understand correctly, the best way is to join the server using "net
> ads join" and use nss_winbind. This is what I do, but I only use the NSS LDAP
> backend instead of NSS (to keep correct ownership).

The best way is to choose the UID/GID correctly and decide how you will make sure those UID/GIDs are used and not others. Two main choices:
- using the uidNumber and gidNumber LDAP attributes in the AD LDAP tree
- using idmap-rid, which relies on the Microsoft RID to generate the UID/GID.

As you have some historical UID/GID usage, I would choose uidNumber and gidNumber, in which you can set any number you want. As you can choose what UID/GID you give to every AD object, you will certainly be able to re-assign the UID/GIDs which are already in use. Plus, using uidNumber and gidNumber you can give the same UID or GID to several different objects.

To be able to use uidNumber and gidNumber in the LDAP tree you have several choices:
- Winbind
- sssd
- nslcd
- certainly others, but these three should be enough for you to get what you want.
Using nss_ldap and pam_ldap the old-fashioned way doesn't use Kerberos...

Winbind is certainly the simpler way to proceed... if you can modify the AD schema (if not already done) to have access to the "UNIX attributes" tab in ADUC (when accessing user properties).
If no modification of the schema is possible and you have a Samba 4 DC, you can avoid modifying the schema by adding "idmap_ldb:use rfc2307 = yes" in smb.conf on your Samba DC. Please note that without modifying the schema the ADUC tool won't work when accessing the "UNIX attributes" tab in user properties.
If no modification of the schema is possible and you have only Microsoft DCs, you will have to use SSSD.

> This will be cleaned up in the future (within the next migration steps) but for
> now I think I have no other choice because it seems I cannot obtain unix
> IDs through Winbind on a domain member (or maybe I missed the solution??).
>
> Thanks
>
> ----- Original message -----
>
> From: "Rowland Penny via samba" <samba at lists.samba.org>
> To: samba at lists.samba.org
> Sent: Wednesday 30 August 2017 11:00:18
> Subject: Re: [Samba] Shares not accessible when using FQDN
>
> On Wed, 30 Aug 2017 10:43:39 +0200 (CEST)
> Gaetan SLONGO <gslongo at it-optics.com> wrote:
>
> > Hi Rowland,
> >
> > Thank you for your answer.
> > I think I have found a solution which could solve the issue until the
> > next migration step. I tested it on another server which is not
> > critical:
> >
> > * Joining the server as a member and setting up the shares as you
> >   suggest
> > * Using nss_ldap instead of nss_winbind (idmap), which will pick up my
> >   unix ids
>
> Well 'nss_ldap' is not supported by Samba and normally anything that it
> can do can also be done by winbind. What I am wondering about is what
> you are calling 'unix ids', where are these coming from? Are they
> from 'uidNumber' & 'gidNumber' attributes stored in AD or
> from /etc/passwd & /etc/group?
> If the latter, are you aware that you cannot have a user with the same
> name in AD and /etc/passwd.
>
> I think you may be trying to 'bend' AD to fit in with the old way
> Samba worked as a PDC or standalone, this is doomed to ultimate
> failure in my opinion. You need to work with AD, this will make things
> easier in the long run.
>
> > In this setup it seems I can access the shares with any DNS
> > aliases/CNAME
>
> You should be able to do this using winbind.
>
> > I know it is not a very proper setup but it seems to work and we can
> > do it quickly
>
> Yes, but will it be reliable in the long run?
>
> Rowland
On Wed, 30 Aug 2017 11:25:04 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Rowland,
>
> Yes, I mean uidNumber and gidNumber.
> I'm aware I need to work with AD but at this time I need my unix IDs
> (on NSS) to keep services working. Not only for file ownership, but
> also for some other services. Yeah, that's complex... If I understand
> correctly, the best way is to join the server using "net ads join"
> and use nss_winbind. This is what I do, but I only use the NSS LDAP
> backend instead of NSS (to keep correct ownership). This will be
> cleaned up in the future (within the next migration steps) but for now I
> think I have no other choice because it seems I cannot obtain unix
> IDs through Winbind on a domain member (or maybe I missed the
> solution??).
>

If you have users in AD and if you examine a typical user's object in AD
and have something like this:

uidNumber: 10000

Then yes, I would say that you have missed the solution, this is from a
Unix domain member using the winbind 'ad' backend:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
          ^
          Notice this

I wonder where that comes from? Oh I know 'uidNumber: 10000' ;-)

I think your problem may be a very common one, the 'Domain Users' group
in AD hasn't got a gidNumber attribute, if it has, then you haven't set
smb.conf up correctly, in which case post your smb.conf

Rowland
Hi Rowland

My test smb.conf has several test lines and is dirty, for sure not correct :-)
Could you share your setup to achieve this?

Thank you!

----- Original message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Wednesday 30 August 2017 11:56:46
Subject: Re: [Samba] Shares not accessible when using FQDN

On Wed, 30 Aug 2017 11:25:04 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Rowland,
>
> Yes, I mean uidNumber and gidNumber.
> I'm aware I need to work with AD but at this time I need my unix IDs
> (on NSS) to keep services working. Not only for file ownership, but
> also for some other services. Yeah, that's complex... If I understand
> correctly, the best way is to join the server using "net ads join"
> and use nss_winbind. This is what I do, but I only use the NSS LDAP
> backend instead of NSS (to keep correct ownership). This will be
> cleaned up in the future (within the next migration steps) but for now I
> think I have no other choice because it seems I cannot obtain unix
> IDs through Winbind on a domain member (or maybe I missed the
> solution??).
>

If you have users in AD and if you examine a typical user's object in AD
and have something like this:

uidNumber: 10000

Then yes, I would say that you have missed the solution, this is from a
Unix domain member using the winbind 'ad' backend:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
          ^
          Notice this

I wonder where that comes from? Oh I know 'uidNumber: 10000' ;-)

I think your problem may be a very common one, the 'Domain Users' group
in AD hasn't got a gidNumber attribute, if it has, then you haven't set
smb.conf up correctly, in which case post your smb.conf

Rowland

--
www.it-optics.com
Gaëtan SLONGO | Head of Infrastructure Department
Boulevard Initialis, 28 - 7000 Mons, BELGIUM
Company: +32 (0)65 84 23 85
Direct: +32 (0)65 32 85 88
Fax: +32 (0)65 84 66 76
Skype ID: gslongo.pro
GPG Key: gslongo-gpg_key.asc
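Rowland's answer above names the two usual causes of a member server handing out "mapped ids" instead of the AD values: the 'Domain Users' group has no gidNumber, or smb.conf is not set up for the winbind 'ad' backend. The following is an added example and not Rowland's or Gaetan's configuration: a constructed member-server smb.conf that reads uidNumber/gidNumber from AD, the allocating "mapped ids" variant beside it for contrast, and a small POSIX shell lint over the idmap settings that winbind needs before it will return an AD-stored ID. The workgroup EXAMPLE, realm EXAMPLE.COM and the ID ranges are assumptions; the uidNumber 10000 is the value from Rowland's getent output.

```shell
#!/bin/sh
# Added example, not from the thread: a reference smb.conf for a Samba domain
# member using the winbind 'ad' backend, a "mapped ids" variant for contrast,
# and a lint over the idmap settings. Workgroup, realm, ranges are assumptions.
set -eu

# Constructed sample 1: member server reading RFC2307 attributes from AD.
write_member_smb_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    # '*' catches BUILTIN and any domain not configured below; its range
    # must not overlap the domain range or mappings become ambiguous.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Read uidNumber/gidNumber from AD. IDs outside 'range' are ignored, so
    # the range must cover every uidNumber/gidNumber already set in AD.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : unix_nss_info = yes
    winbind nss info = rfc2307
EOF
}

# Constructed sample 2: the "mapped ids" setup the thread wants to leave.
# winbind allocates IDs from the range; the AD attributes are never read.
write_rid_smb_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
EOF
}

# conf_get FILE KEY: value of the last "key = value" line matching KEY,
# ignoring case, spacing and comment lines (smb.conf is read that way).
conf_get() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]+/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]+/, "", k)
            if (tolower(k) == want) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# check_idmap_config FILE DOMAIN UIDNUMBER
# Returns 0 when FILE lets winbind return UIDNUMBER as stored in AD for
# DOMAIN, 1 otherwise; every finding is printed on its own line.
check_idmap_config() {
    conf=$1; dom=$2; uid=$3; rc=0
    backend=$(conf_get "$conf" "idmap config $dom : backend")
    if [ "$backend" != "ad" ]; then
        echo "FAIL: backend for $dom is '${backend:-unset}', not 'ad': IDs are allocated, not read from AD"; rc=1
    fi
    if [ "$(conf_get "$conf" "winbind nss info")" != "rfc2307" ]; then
        echo "FAIL: 'winbind nss info = rfc2307' missing: shell/home come from templates, not AD"; rc=1
    fi
    range=$(conf_get "$conf" "idmap config $dom : range")
    lo=${range%-*}; hi=${range#*-}
    if [ -z "$range" ] || [ "$lo" = "$range" ]; then
        echo "FAIL: no 'idmap config $dom : range = LOW-HIGH'"; rc=1
    else
        if [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
            echo "FAIL: uidNumber $uid is outside $dom range $range; winbind will not map it"; rc=1
        fi
        drange=$(conf_get "$conf" "idmap config * : range")
        dlo=${drange%-*}; dhi=${drange#*-}
        if [ -n "$drange" ] && [ "$lo" -le "$dhi" ] && [ "$dlo" -le "$hi" ]; then
            echo "FAIL: $dom range $range overlaps the '*' range $drange"; rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $dom IDs come from AD and uidNumber $uid is in range"; fi
    return "$rc"
}

# Live checks once the member is joined (not run here):
#   net ads join -U Administrator
#   wbinfo --group-info='Domain Users'   # fails if the group has no gidNumber
#   getent passwd rowland                # uid/gid must equal the AD attributes
d=$(mktemp -d)
write_member_smb_conf "$d/member.conf"
write_rid_smb_conf "$d/rid.conf"
check_idmap_config "$d/member.conf" EXAMPLE 10000 || true
check_idmap_config "$d/rid.conf" EXAMPLE 10000 || true
rm -rf "$d"
```

Run it against the real /etc/samba/smb.conf with `check_idmap_config /etc/samba/smb.conf YOURDOMAIN <a uidNumber from AD>` after joining; a FAIL on the range is the case that bites migrations most often, because a uidNumber carried over from the old LDAP tree that falls outside `idmap config DOMAIN : range` is silently not mapped.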
Thank you for your answer Mathias.

Unix attributes are OK in the Samba 4 DB (the "Unix Attributes" tab is also OK in ADUC). What I cannot do is ask winbind to use uidNumber and gidNumber on a member server setup (in DC mode it is OK) instead of "mapped ids" (idmap range).

Regards,

----- Original message -----
From: "mathias dufresne" <infractory at gmail.com>
To: "Gaetan SLONGO" <gslongo at it-optics.com>
Cc: "Rowland Penny" <rpenny at samba.org>, "samba" <samba at lists.samba.org>
Sent: Wednesday 30 August 2017 11:54:07
Subject: Re: [Samba] Shares not accessible when using FQDN

> 2017-08-30 11:25 GMT+02:00 Gaetan SLONGO via samba <samba at lists.samba.org>:
>
> > Rowland,
> >
> > Yes, I mean uidNumber and gidNumber.
> > I'm aware I need to work with AD but at this time I need my unix IDs (on NSS) to keep services working. Not only for file ownership, but also for some other services. Yeah, that's complex...
> > If I understand correctly, the best way is to join the server using "net ads join" and use nss_winbind. This is what I do, but I only use the NSS LDAP backend instead of NSS (to keep correct ownership).
>
> The best way is to choose the UID/GID correctly and decide how you will make sure those UID/GIDs are used and not others. Two main choices:
> - using the uidNumber and gidNumber LDAP attributes in the AD LDAP tree
> - using idmap-rid, which relies on the Microsoft RID to generate the UID/GID.
>
> As you have some historical UID/GID usage, I would choose uidNumber and gidNumber, in which you can set any number you want. As you can choose what UID/GID you give to every AD object, you will certainly be able to re-assign the UID/GIDs which are already in use. Plus, using uidNumber and gidNumber you can give the same UID or GID to several different objects.
>
> To be able to use uidNumber and gidNumber in the LDAP tree you have several choices:
> - Winbind
> - sssd
> - nslcd
> - certainly others, but these three should be enough for you to get what you want.
> Using nss_ldap and pam_ldap the old-fashioned way doesn't use Kerberos...
>
> Winbind is certainly the simpler way to proceed... if you can modify the AD schema (if not already done) to have access to the "UNIX attributes" tab in ADUC (when accessing user properties).
> If no modification of the schema is possible and you have a Samba 4 DC, you can avoid modifying the schema by adding "idmap_ldb:use rfc2307 = yes" in smb.conf on your Samba DC. Please note that without modifying the schema the ADUC tool won't work when accessing the "UNIX attributes" tab in user properties.
> If no modification of the schema is possible and you have only Microsoft DCs, you will have to use SSSD.
>
> > This will be cleaned up in the future (within the next migration steps) but for now I think I have no other choice because it seems I cannot obtain unix IDs through Winbind on a domain member (or maybe I missed the solution??).
> >
> > Thanks
> >
> > ----- Original message -----
> > From: "Rowland Penny via samba" <samba at lists.samba.org>
> > To: samba at lists.samba.org
> > Sent: Wednesday 30 August 2017 11:00:18
> > Subject: Re: [Samba] Shares not accessible when using FQDN
> >
> > On Wed, 30 Aug 2017 10:43:39 +0200 (CEST)
> > Gaetan SLONGO <gslongo at it-optics.com> wrote:
> >
> > > Hi Rowland,
> > >
> > > Thank you for your answer.
> > > I think I have found a solution which could solve the issue until the
> > > next migration step. I tested it on another server which is not
> > > critical:
> > >
> > > * Joining the server as a member and setting up the shares as you
> > >   suggest
> > > * Using nss_ldap instead of nss_winbind (idmap), which will pick up my
> > >   unix ids
> >
> > Well 'nss_ldap' is not supported by Samba and normally anything that it
> > can do can also be done by winbind. What I am wondering about is what
> > you are calling 'unix ids', where are these coming from? Are they
> > from 'uidNumber' & 'gidNumber' attributes stored in AD or
> > from /etc/passwd & /etc/group?
> > If the latter, are you aware that you cannot have a user with the same
> > name in AD and /etc/passwd.
> >
> > I think you may be trying to 'bend' AD to fit in with the old way
> > Samba worked as a PDC or standalone, this is doomed to ultimate
> > failure in my opinion. You need to work with AD, this will make things
> > easier in the long run.
> >
> > > In this setup it seems I can access the shares with any DNS
> > > aliases/CNAME
> >
> > You should be able to do this using winbind.
> >
> > > I know it is not a very proper setup but it seems to work and we can
> > > do it quickly
> >
> > Yes, but will it be reliable in the long run?
> >
> > Rowland