OS:fedora-26
SAMBA:4.6.8
[root at squints ~]# cat /etc/samba/smb.conf
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain

[root at squints ~]# getent passwd jsadowski
jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false

however from an ubuntu machine with the same smb.conf it looks like so
OS:ubuntu-16.04
SAMBA:4.3.11
root at daddles:~# getent passwd jsadowski
jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash

which is how AD shows it as well.

Did something change in newer versions of samba that I need to add
more config options?

On Mon, 30 Oct 2017 09:49:24 -0600
Jeff Sadowski via samba <samba at lists.samba.org> wrote:

> OS:fedora-26
> SAMBA:4.6.8
> [root at squints ~]# cat /etc/samba/smb.conf
> [global]
> security = ads
> realm = MIND.UNM.EDU
> workgroup = MIND
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes
> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the
> defaults #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
>
> [root at squints ~]# getent passwd jsadowski
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>
> however from an ubuntu machine with the same smb.conf it looks like so
> OS:ubuntu-16.04
> SAMBA:4.3.11
> root at daddles:~# getent passwd jsadowski
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> which is how AD shows it as well.
>
> Did something change in newer versions of samba that I need to add
> more config options?
>

Yes, there have been changes and no, you don't have to use them and
they wouldn't cause your problem.

Your smb.conf shows you are using the 'ad' backend and you say you are
using the same smb.conf on both machines.

So, why are there these different:

jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash

Which RFC2307 attributes have you added to AD ?
The above user seems to have the same uidNumber, but Domain Users
seems to have two different gidNumbers (8513 and 8000), the
unixHomeDirectory also has two identities, as does loginShell

Rowland

I found what I needed to do

DOMAIN=MIND.UNM.EDU
SHORT=MIND
authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
  --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} \
  --enablewinbind --enablewinbindauth --smbsecurity=ads \
  --smbrealm=${DOMAIN} --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
  --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
  --enablemkhomedir --enablewinbindusedefaultdomain --update

this worked

On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 30 Oct 2017 09:49:24 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> OS:fedora-26
>> SAMBA:4.6.8
>> [root at squints ~]# cat /etc/samba/smb.conf
>> [global]
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the
>> defaults #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>>
>> [root at squints ~]# getent passwd jsadowski
>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>
>> however from an ubuntu machine with the same smb.conf it looks like so
>> OS:ubuntu-16.04
>> SAMBA:4.3.11
>> root at daddles:~# getent passwd jsadowski
>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>
>> which is how AD shows it as well.
>>
>> Did something change in newer versions of samba that I need to add
>> more config options?
>>
>
> Yes, there have been changes and no, you don't have to use them and
> they wouldn't cause your problem.
>
> Your smb.conf shows you are using the 'ad' backend and you say you are
> using the same smb.conf on both machines.
>
> So, why are there these different:
>
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> Which RFC2307 attributes have you added to AD ?
> The above user seems to have the same uidNumber, but Domain Users
> seems to have two different gidNumbers (8513 and 8000), the
> unixHomeDirectory also has two identities, as does loginShell
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 30/10/2017 16:49, Jeff Sadowski via samba wrote:
> [root at squints ~]# getent passwd jsadowski
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>
> however from an ubuntu machine with the same smb.conf it looks like so
> OS:ubuntu-16.04
> SAMBA:4.3.11
> root at daddles:~# getent passwd jsadowski
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> which is how AD shows it as well.

I have the same issue on debian stretch (package 4.6.8), one time per
month max. I was thinking more on a network issue with the DCs
(Windows domain, not a samba one).

Emmanuel

On Tue, 31 Oct 2017 11:04:17 +0100
Blindauer Emmanuel via samba <samba at lists.samba.org> wrote:

> On 30/10/2017 16:49, Jeff Sadowski via samba wrote:
> > [root at squints ~]# getent passwd jsadowski
> > jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> >
> > however from an ubuntu machine with the same smb.conf it looks like
> > so OS:ubuntu-16.04
> > SAMBA:4.3.11
> > root at daddles:~# getent passwd jsadowski
> > jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
> >
> > which is how AD shows it as well.
> >
> I have the same issue on debian stretch (package 4.6.8), on time per
> month max. I was thinking more on a network issue with the DCs
> (Windows domain, not a samba one).
>
> Emmanuel
>

Provided that smb.conf is set up correctly and there are the required
RFC2307 attributes in AD, you should get the same IDs everywhere and
they should be consistent.

Rowland
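
Added example, not part of any message in this thread: a POSIX shell check that compares one account's getent passwd line from two domain members, names the fields that differ, and flags an entry whose home directory and shell equal Samba's built-in template defaults (/home/%D/%U and /bin/false). The function names are made up for this example, and the sample lines are the two outputs quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Sample input: the two getent lines quoted in the thread.
FEDORA='jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false'
UBUNTU='jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash'

# field LINE N -> Nth colon-separated passwd field (1-based)
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# diff_passwd LINE_A LINE_B -> space-separated names of the fields that differ
diff_passwd() (
    out=""
    n=0
    for name in name passwd uid gid gecos home shell; do
        n=$((n + 1))
        [ "$(field "$1" "$n")" = "$(field "$2" "$n")" ] || out="$out $name"
    done
    printf '%s\n' "${out# }"
)

# uses_template_defaults LINE WORKGROUP -> exit 0 when home and shell equal
# Samba's built-in defaults, template homedir = /home/%D/%U and
# template shell = /bin/false (%D = short domain name, %U = user name).
uses_template_defaults() (
    user=$(field "$1" 1)
    [ "$(field "$1" 6)" = "/home/$2/$user" ] && [ "$(field "$1" 7)" = "/bin/false" ]
)

# report LINE_A LINE_B WORKGROUP -> prints a summary, exit 0 only if identical
report() {
    d=$(diff_passwd "$1" "$2")
    if [ -z "$d" ]; then
        echo "consistent"
        return 0
    fi
    echo "differs: $d"
    if uses_template_defaults "$1" "$3"; then
        echo "first entry: home and shell are winbind template defaults"
    fi
    if uses_template_defaults "$2" "$3"; then
        echo "second entry: home and shell are winbind template defaults"
    fi
    return 1
}

report "$FEDORA" "$UBUNTU" MIND || true
```

In practice the two arguments are the getent passwd output for the same user collected on each member. A differing gid is the field to resolve first, since it changes which group owns the files the user creates on each host.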