Sina Owolabi
2017-Nov-19 09:16 UTC
[Samba] Samba to Domain Member Server Configs Messed Up, Now getent fails
Hi List

Absolute confused newb here. Again.

I noticed that the user GIDs and UIDs on my DCs were different from the UIDs and GIDs I would find on the domain member file server. (I created the users with samba-tool.) User UIDs on the DCs would start in the 30000XX range, while on the file server, the UID would start in the 1000XX range.

In an attempt to rectify this, I changed the smb.conf from:

[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.TESTING.COM

server string = Samba Server Version %v

winbind use default domain = yes
winbind expand groups = 4
winbind refresh tickets = Yes

idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /share/%U

to (after reading the wiki):

workgroup = SAMDOM
security = ADS
realm = SAMDOM.TESTING.COM

server string = Samba Server Version %v

winbind use default domain = yes
winbind expand groups = 4
winbind refresh tickets = Yes

idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : unix_nss_info = yes
idmap config SAMDOM: schema_mode = rfc2307
idmap config SAMDOM : range = 3000000-9999999
template shell = /bin/bash
template homedir = /share/%U

Now getent is no longer retrieving domain users and groups. I know I have messed up; please, how can I fix it?
Rowland Penny
2017-Nov-19 10:00 UTC
[Samba] Samba to Domain Member Server Configs Messed Up, Now getent fails
On Sun, 19 Nov 2017 10:16:53 +0100
Sina Owolabi via samba <samba at lists.samba.org> wrote:

> Hi List
>
> Absolute confused newb here. Again.
>
> I noticed that the user gid and uids on my DCs were different from the
> uids and gids I would find on the domain member file server. ( I
> created users with samba-tool). User UIDs on the DCs would start in
> the 30000XX range, while on the file server, the uid would start in
> the 1000XX range.
> In an attempt to rectify this, I changed the smb.conf from
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.TESTING.COM
>
> server string = Samba Server Version %v
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind refresh tickets = Yes
>
> idmap config *:backend = tdb
> idmap config *:range = 3000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
> template shell = /bin/bash
> template homedir = /share/%U
>
> to (after reading the wiki):
>
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.TESTING.COM
>
> server string = Samba Server Version %v
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind refresh tickets = Yes
>
> idmap config *:backend = tdb
> idmap config *:range = 3000-9999
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : unix_nss_info = yes
> idmap config SAMDOM: schema_mode = rfc2307
> idmap config SAMDOM : range = 3000000-9999999
> template shell = /bin/bash
> template homedir = /share/%U
>
> Now getent is no longer retrieving domain users and groups.
> I know I have messed up, please how can I fix it?
>

Fairly obvious, put the smb.conf back to what it was ;-)

The IDs you are getting on the DC are 'xidNumbers' and are only used on
the DC (and unless you sync idmap.ldb to other DCs, used only on that
DC).
You have moved from the winbind 'ad' backend on the Unix domain member
to the 'ad' backend and I am willing to wager a large amount that you
have not added anything to AD.
The only way to get the same IDs everywhere is to add uidNumber
attributes to your user objects in AD and a gidNumber to Domain Users
(at least). These uidNumber and gidNumber attributes must contain
numbers inside the range you set in smb.conf and shouldn't be in the
'3000000' range.

Rowland
Sina Owolabi
2017-Nov-22 05:57 UTC
[Samba] Samba to Domain Member Server Configs Messed Up, Now getent fails
:-o :-D Thanks. Nothing was in AD. Changed back to

idmap config SAMDOM : backend = rid

and getent worked again.

As an aside, does anyone know where I can find Windows KVM images? The servers are hosted remotely and there is no GUI access.

On Sun, Nov 19, 2017 at 11:00 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Sun, 19 Nov 2017 10:16:53 +0100
> Sina Owolabi via samba <samba at lists.samba.org> wrote:
>
>> Hi List
>>
>> Absolute confused newb here. Again.
>>
>> I noticed that the user gid and uids on my DCs were different from the
>> uids and gids I would find on the domain member file server. ( I
>> created users with samba-tool). User UIDs on the DCs would start in
>> the 30000XX range, while on the file server, the uid would start in
>> the 1000XX range.
>> In an attempt to rectify this, I changed the smb.conf from
>>
>> [global]
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.TESTING.COM
>>
>> server string = Samba Server Version %v
>>
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind refresh tickets = Yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-9999
>> idmap config SAMDOM : backend = rid
>> idmap config SAMDOM : range = 10000-999999
>> template shell = /bin/bash
>> template homedir = /share/%U
>>
>> to (after reading the wiki):
>>
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.TESTING.COM
>>
>> server string = Samba Server Version %v
>>
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind refresh tickets = Yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 3000-9999
>> idmap config SAMDOM : backend = ad
>> idmap config SAMDOM : unix_nss_info = yes
>> idmap config SAMDOM: schema_mode = rfc2307
>> idmap config SAMDOM : range = 3000000-9999999
>> template shell = /bin/bash
>> template homedir = /share/%U
>>
>> Now getent is no longer retrieving domain users and groups.
>> I know I have messed up, please how can I fix it?
>>
>
> Fairly obvious, put the smb.conf back to what it was ;-)
>
> The IDs you are getting on the DC are 'xidNumbers' and are only used on
> the DC (and unless you sync idmap.ldb to other DCs, used only on that
> DC)
> You have moved from the winbind 'ad' backend on the Unix domain member
> to the 'ad' backend and I am willing to wager a large amount that you
> have not added anything to AD.
> The only way to get the same IDs everywhere is to add uidNumber
> attributes to your user objects in AD and a gidNumber to Domain Users
> (at least). These uidNumber and gidNumber attributes must contain
> numbers inside the range you set in smb.conf and shouldn't be in the
> '3000000' range.
>
> Rowland