Thanks for your reply Rowland.

> The id ranges are what you choose, reading this may help:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
>> Is there any working way of controlling those ranges, given idmap
>> breaks stuff?
>
> What do you mean 'idmap breaks things' ?

Sorry, should have made it clearer that my SAMBA is configured as AD
Primary Domain Controller; according to
https://wiki.samba.org/index.php/Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File,
idmapping does not work for AD Domain Controllers. Other pages suggest
many of the winbind parameters are simply ignored and I can confirm this
is the case. Ranges are clearly being set; if I create a user with
uidNumber in the 30xxxxxx range, the user can log in to the linux shell
correctly and her details are clearly visible in linux using the id
command. If I use a lower uidNumber of say 3000, she can log in to
linux, but the prompt shows "This user has no name!" and the id command
fails to resolve her uid. There are ranges there but I have no control
over them. Setting the correct domain specific settings in smb.conf
appears to have no effect. I have tried.

> If you mean make the Unix OS know who the AD users and groups are, then
> yes.

Specifically, what I need is my Linux clients to be able to both log in
locally and also connect to NFS shares on the server, authenticating
using either LDAP or NIS, but in both cases using the same logins and
passwords as the Windows clients who will be connecting to SMB shares
using SMB protocols. So far I have the auth working just locally on the
server. If I join my win clients to the domain, I believe that will also
work, though I will try that last to avoid any catastrophes should I
need to change the domain setup. However, linux client logins and client
to server NIS/LDAP/NFS connections are in the wind currently.

I will trawl through the wiki again later, but what I am missing is full
context. What is often not clear from the docs is whether or not what is
documented there applies to / works with my specific set up, e.g.
whether it works when you are using AD and a Samba PDC; whether it
applies to clients' local linux log on, etc.

regards
Stephen
On Thu, 16 Nov 2017 10:08:32 +0000
Stephen Parry via samba <samba at lists.samba.org> wrote:

> Thanks for your reply Rowland.
>
>> The id ranges are what you choose, reading this may help:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>>
>>> Is there any working way of controlling those ranges, given
>>> idmap breaks stuff?
>>
>> What do you mean 'idmap breaks things' ?
>
> Sorry, should have made it clearer that my SAMBA is configured as AD
> Primary Domain Controller; According to
> https://wiki.samba.org/index.php/Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File,
> idmapping does not work for AD Domain Controllers.

It does ;-)

> Other pages
> suggest many of the winbind parameters are simply ignored and I can
> confirm this is the case.

This is the main problem with using a Samba AD DC as a fileserver, you
can only use the uidNumber & gidNumber attributes.

> Ranges are clearly being set; if I create a user with uidNumber in
> the 30xxxxxx range,

Do you mean the '30000000' range as found on the DC ? If so these
numbers are 'xidNumber' attributes and are only used on a DC.

> the user can log in to the linux shell correctly
> and her details are clearly visible in linux using the id command. If
> I use a lower uidNumber of say 3000, she can log in to linux, but
> the prompt shows "This user has no name!" and the id command fails to
> resolve her uid. There are ranges there but I have no control over
> them. Setting the correct domain specific settings in smb.conf appears
> to have no effect. I have tried.

If you have given a user a uidNumber attribute this should be used
instead of the xidNumber.

On a DC:

    getent passwd rowland
    SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

On a Unix domain member:

    getent passwd rowland
    rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

>> If you mean make the Unix OS know who the AD users and groups are,
>> then yes.
>
> Specifically, what I need is my Linux clients to be able to both log
> in locally and also connect to NFS shares on the server,
> authenticating using either LDAP or NIS, but in both cases using the
> same logins and passwords as the Windows clients who will be
> connecting to SMB shares using SMB protocols.

Forget ldap, forget nis, use winbind. I am typing this on a Unix domain
member, so I can assure you that it works.

> So far I have the auth working just locally on the server.

If you have the auth working, but cannot log in, it sounds like you do
not have libnss_winbind and/or nsswitch set up correctly.

> If I join my win clients to the domain, I believe that will also
> work, though I will try that last to avoid any catastrophes should
> I need to change the domain setup. However, linux client logins and
> client to server NIS/LDAP/NFS connections are in the wind currently.
>
> I will trawl through the wiki again later, but what I am missing is
> full context. What is often not clear from the docs is whether or not
> what is documented there applies to / works with my specific set up,
> e.g. whether it works when you are using AD and a Samba PDC; whether
> it applies to clients' local linux log on, etc.

If you can point to something in the wiki that is ambiguous, I will try
to explain it to you and if required, rewrite that part of the wiki.

Rowland
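As an added example, not from the thread or from Samba itself: a small Python diagnostic that parses getent passwd lines like the two above (DC output with the DOMAIN\ prefix, member output without), reports whether a uid looks like an explicit uidNumber or a DC auto-allocated xidNumber, and checks an nsswitch.conf text for winbind on passwd and group, which is the libnss_winbind/nsswitch point Rowland raises. The 30000000 xidNumber range and the sample nsswitch.conf fragment are assumptions constructed for the example; verify the range against your own DC before relying on it.

```python
# Assumed DC xidNumber auto-range (the '30000000' range named in this thread); verify against your DC's idmap.ldb.
XID_AUTO_RANGE = (30000000, 39999999)

# Constructed sample input: the two getent lines quoted in the thread, and an
# nsswitch.conf fragment that lists winbind for passwd but not for group.
SAMPLE_GETENT = [
    r"SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash",
    "rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash",
]
SAMPLE_NSSWITCH = "passwd: files winbind\ngroup:  files  # winbind missing\nshadow: files\n"

def parse_getent_passwd(line):
    """Parse one 'getent passwd' line into a dict; None if it is malformed."""
    parts = line.strip().split(":")
    if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
        return None
    name, _pw, uid, gid, gecos, home, shell = parts
    # A DC prints 'DOMAIN\user' (winbind separator '\'); a member prints 'user'.
    domain, sep, user = name.rpartition("\\")
    return {"user": user, "domain": domain if sep else None, "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}

def uid_source(uid, auto_range=XID_AUTO_RANGE):
    """'xidNumber' if uid sits in the DC auto-allocated range, else 'uidNumber'."""
    lo, hi = auto_range
    return "xidNumber" if lo <= uid <= hi else "uidNumber"

def winbind_databases(nsswitch_text):
    """Set of nsswitch databases (passwd, group, ...) whose sources include winbind."""
    found = set()
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if ":" in line:
            db, sources = line.split(":", 1)
            if "winbind" in sources.split():
                found.add(db.strip())
    return found

def check_setup(getent_lines, nsswitch_text):
    """Return findings: missing winbind entries first, then one line per parsed user."""
    findings = ["nsswitch.conf: '%s' does not list winbind" % db
                for db in ("passwd", "group") if db not in winbind_databases(nsswitch_text)]
    for line in getent_lines:
        entry = parse_getent_passwd(line)
        if entry is None:
            findings.append("unparseable getent line: %r" % line)
        else:
            findings.append("%s: uid %d looks like %s" % (entry["user"], entry["uid"], uid_source(entry["uid"])))
    return findings
```

Run check_setup(SAMPLE_GETENT, SAMPLE_NSSWITCH) to see the missing-winbind finding for group alongside the two user lines; feed it real getent output and your own /etc/nsswitch.conf to use it as a quick sanity pass.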
>> idmapping does not work for AD Domain Controllers.
>
> It does ;-)
>

Does that mean that the warning in the docs is out of date? Does it
work on the version of Samba in the Stretch repository (Samba 4.5.12),
or do I need to find a repo with a more recent build?

>> Other pages
>> suggest many of the winbind parameters are simply ignored and I can
>> confirm this is the case.
>
> This is the main problem with using a Samba AD DC as a fileserver, you
> can only use the uidNumber & gidNumber attributes.

I am already using the uidNumber and gidNumber, as set up using
samba-tool user add --uid-number and visible with ldbsearch, both on the
DC. I provisioned it with rfc2307 flags. If I specify --uid-numbers in
the range 30,000,000+ they map and work. If I use 3000, which is what I
am used to from LDAP, they don't. If I try to set the ranges in the
smb.conf they still only work in the 30,000,000+ range. When I get home
later I will post some sample commands and config to clarify.

> If you have given a user a uidNumber attribute this should be used
> instead of the xidNumber.
>
> On a DC:
> getent passwd rowland
> SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> On a Unix domain member:
>
> getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
>>> If you mean make the Unix OS know who the AD users and groups are,
>>> then yes.
>>
>> Specifically, what I need is my Linux clients to be able to both log
>> in locally and also connect to NFS shares on the server,
>> authenticating using either LDAP or NIS, but in both cases using the
>> same logins and passwords as the Windows clients who will be
>> connecting to SMB shares using SMB protocols.
>
> Forget ldap, forget nis, use winbind. I am typing this on a Unix domain
> member, so I can assure you that it works.
>

By unix domain member do you mean Unix member of NIS domain or Unix
member of Samba AD domain? I do not want to make my Linux boxes members
of the samba domain period.

I am trying to use as little Microsoft related tech on the Linux clients
as possible; I just want to share credentials with the Microsoft side of
the network.

>> So far I have the auth working just locally on the server.
>
> If you have the auth working, but cannot log in, it sounds like you do
> not have libnss_winbind and/or nsswitch set up correctly.
>

No, by auth I meant including local login, which works.

>> If I join my win clients to the domain, I believe that will also
>> work, though I will try that last to avoid any catastrophes should
>> I need to change the domain setup. However, linux client logins and
>> client to server NIS/LDAP/NFS connections are in the wind currently.
>>
>> I will trawl through the wiki again later, but what I am missing is
>> full context. What is often not clear from the docs is whether or not
>> what is documented there applies to / works with my specific set up,
>> e.g. whether it works when you are using AD and a Samba PDC; whether
>> it applies to clients' local linux log on, etc.
>
> If you can point to something in the wiki that is ambiguous, I will
> try to explain it to you and if required, rewrite that part of the
> wiki.
>
> Rowland

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.