Thank you for your reply, Rowland.
Sorry for my typo. I intended to change sm to test but I forgot to
change the other lines.
So my original config is below:
workgroup = sm
> realm = sm.pvt
> server string = %h Test Host
> security = ads
> encrypt passwords = yes
> idmap config sm.pvt : backend = ad
> idmap config sm.pvt : range = 10000-20000
> idmap config sm.pvt : schema_mode = rfc2307
> idmap config * : range = 8000-9000
Honestly I am not sure about using the ads backend at all. I have read the Samba
documents. As the rid backend uses a local database and it may get corrupted, I
chose the ad backend.
On the other hand, I should not install any extensions on the Windows Active
Directory server. The Samba documents say something about installing unix
extensions, but as far as I see this is not a must for ads.
So it would be best if someone could help me understand rid vs
ads. I suspect my problem depends on it.
Regards.
2018-02-13 14:47 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 13 Feb 2018 14:23:32 +0200
> Özkan Göksu <ozkan.goksu at usishi.com> wrote:
>
> > > [Global]
> > > netbios name = DEV2
> > > workgroup = test
> > > realm = test.pvt
> > > server string = %h Test Host
> > > security = ads
> > > encrypt passwords = yes
> > > idmap config sm.pvt : backend = ad
> > > idmap config sm.pvt : range = 10000-20000
> > > idmap config sm.pvt : schema_mode = rfc2307
> > > idmap config * : range = 8000-9000
>
> Hmm, the WORKGROUP is 'test', the REALM is 'test.pvt' and 'idmap
> config' is 'sm.pvt', I would have expected that 'idmap config' to be
> 'TEST'
>
> Your original post referred to user ID '8003' and this user must come
> from the '*' domain, so fixing the 'idmap config' name might fix this,
> as long as you have added uidNumber & gidNumber attributes to AD.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On Tue, 13 Feb 2018 15:52:13 +0200 Özkan Göksu <ozkan.goksu at usishi.com> wrote:
> Thank you for your reply, Rowland.
>
> Sorry for my typo. I intended to change sm to test but I forgot to
> change the other lines.
> So my original config is below:
>
> > workgroup = sm
> > realm = sm.pvt
> > server string = %h Test Host
> > security = ads
> > encrypt passwords = yes
> > idmap config sm.pvt : backend = ad
> > idmap config sm.pvt : range = 10000-20000
> > idmap config sm.pvt : schema_mode = rfc2307
> > idmap config * : range = 8000-9000
>
> Honestly I am not sure about using the ads backend at all. I have read the
> Samba documents. As the rid backend uses a local database and it may get
> corrupted, I chose the ad backend.
> On the other hand, I should not install any extensions on the Windows
> Active Directory server. The Samba documents say something about
> installing unix extensions, but as far as I see this is not a must for
> ads.
>
> So it would be best if someone could help me understand rid
> vs ads. I suspect my problem depends on it.

OK, if you cannot add anything to AD, then you cannot use the winbind
'ad' backend, so you will have to use the 'rid' backend.

The 'rid' backend does not use a local database, it uses the AD
database. The user's (or group's) ID is calculated from the AD objectSid,
which will be in the form:

S-1-5-21-1768301897-3342589593-1064908849-2130

The last portion is the RID '2130' and is unique in the domain, the
rest identifies the domain.

The winbind 'rid' backend calculates the ID from the RID and the lower range
you set in AD with this calculation:

ID = RID - BASE_RID + LOW_RANGE_ID

BASE_RID is 0, so it is really:

ID = RID + LOW_RANGE_ID

So, using your lower range and the RID from above, it becomes

ID = 2130 + 10000

ID = 12130

If you use the same smb.conf on all Unix domain members in the domain,
you will always get the same Unix ID.

Rowland
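The rid calculation Rowland describes, as an added worked example (not code from the thread or from Samba): it splits a SID into domain part and RID, applies ID = RID - BASE_RID + LOW_RANGE_ID, and refuses to map an ID that lands outside the configured range, which is what winbind's rid backend does. The SID and the two ranges are the ones quoted in this thread.

```python
# Added example: winbind 'rid' backend ID mapping as described above.
# ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID = 0 (winbind's default).

def split_sid(sid: str):
    """Split 'S-1-5-21-...-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a well-formed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def rid_to_unix_id(sid: str, low: int, high: int, base_rid: int = 0):
    """Unix ID for a SID under 'idmap config DOM : range = low-high'.

    Returns None when the result falls outside the range: winbind then
    reports the SID as unmapped and the user or group gets no Unix ID."""
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None
    return unix_id

def unix_id_to_rid(unix_id: int, low: int, high: int, base_rid: int = 0):
    """Reverse mapping: which RID a given Unix ID corresponds to, or None."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid

# SID quoted in the thread; ranges from the two smb.conf versions discussed.
SID = "S-1-5-21-1768301897-3342589593-1064908849-2130"
ORIGINAL_RANGE = (10000, 20000)     # 'idmap config sm.pvt : range'
NEW_RANGE = (20000, 90000000)       # 'idmap config SM: range' in the final config
# Constructed SID with a RID that overflows the 10000-20000 range (would be 22000).
BIG_RID_SID = "S-1-5-21-1768301897-3342589593-1064908849-12000"

if __name__ == "__main__":
    print(rid_to_unix_id(SID, *ORIGINAL_RANGE))       # 12130, as in the thread
    print(rid_to_unix_id(SID, *NEW_RANGE))            # 22130
    print(rid_to_unix_id(BIG_RID_SID, *ORIGINAL_RANGE))  # None: unmappable
```

The last case is the one to keep in mind when sizing a range: the range width, not the low end, bounds the largest RID that can ever be mapped.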
RID solved my problem. But while reading the docs I saw new things and I
changed my smb.conf completely.
I have read almost every parameter but I'm still not 100% sure.
Can you do me a last favor?
Can you please tell me whether I have any problem with the new smb.conf?
Kernel: Linux 4.14.13-1-ARCH
Filesystem: zfs-linux 0.7.5.4.14.13.1-1
Thank you so much for your help.
---------------------
[global]
netbios name = DEV1
server string = %h Test Host
workgroup = SM
realm = SM.PVT
security = ADS
server role = member server
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config SM: backend = rid
idmap config SM: range = 20000-90000000
encrypt passwords = yes
dns proxy = no
strict locking = Auto
oplocks = yes
deadtime = 15
logging = file
max log size = 51200
log level = 2
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
unix charset = UTF-8
case sensitive = auto
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
ntlm auth = no
allow trusted domains = no
client ntlmv2 auth = yes
kernel change notify = yes
panic action = /usr/bin/samba-backtrace
dns update command = /usr/sbin/samba_dnsupdate
acl allow execute always = true
dos filemode = yes
multicast dns register = no
domain logons = no
client use spnego = yes
local master = no
domain master = no
preferred master = no
template shell = /bin/sh
template homedir = /home/%D/%U
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
min receivefile size = 16384
max xmit = 65536
max open files = 232040
strict sync = no
[test]
comment = test
path = /ssdhavuz/test
guest ok = no
browseable = yes
writeable = yes
hide dot files = yes
veto files = /.snapshot/.windows/.mac/.zfs/
use sendfile = no
acl group control = yes
map acl inherit = yes
inherit owner = yes
inherit permissions = yes
inherit acls = yes
vfs objects = acl_xattr streams_xattr aio_pthread
acl_xattr:ignore system acls = yes
aio_pthread:aio num threads = 500
2018-02-13 16:20 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 13 Feb 2018 15:52:13 +0200
> Özkan Göksu <ozkan.goksu at usishi.com> wrote:
>
> > Thank you for reply Rowland.
> >
> > Sorry for my typo. I intended to change sm to test but I forgot to
> > change the other lines.
> > So my original config is below:
> >
> > workgroup = sm
> > > realm = sm.pvt
> > > server string = %h Test Host
> > > security = ads
> > > encrypt passwords = yes
> > > idmap config sm.pvt : backend = ad
> > > idmap config sm.pvt : range = 10000-20000
> > > idmap config sm.pvt : schema_mode = rfc2307
> > > idmap config * : range = 8000-9000
> >
> >
> > Honestly I am not sure about using ads backend at all. I have read
> > samba documents. As rid backend use local database and it may get
> > corrupted, I chose ad backend.
> > On the other hand I should not install any extensions on Windows
> > Active Directory server. Samba documents tells something about
> > installing unix extensions but as far as I see this is not a must for
> > ads.
> >
> > So it would be best if someone could help me understanding about rid
> > vs ads. I suspect my problem depends on it.
> >
>
> OK, if you cannot add anything to AD, then you cannot use the winbind
> 'ad' backend, so you will have to use the 'rid' backend.
>
> The 'rid' backend does not use a local database, it uses the AD
> database. The user's (or group's) ID is calculated from the AD objectSid,
> which will be in the form:
>
> S-1-5-21-1768301897-3342589593-1064908849-2130
>
> The last portion is the RID '2130' and is unique in the domain, the
> rest identifies the domain.
>
> The winbind 'rid' backend calculates the ID from the RID and the lower range
> you set in AD with this calculation:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> BASE_RID is 0, so it is really:
>
> ID = RID + LOW_RANGE_ID
>
> So, using your lower range and the RID from above, it becomes
>
> ID = 2130 + 10000
>
> ID = 12130
>
> If you use the same smb.conf on all Unix domain members in the domain,
> you will always get the same Unix ID.
>
> Rowland
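Following on from Rowland's first diagnosis (the 'idmap config' name not matching the workgroup, and uid 8003 coming from the '*' range), an added lint in Python that is not part of the thread or of Samba: it parses the idmap lines of an smb.conf and reports a domain name that does not match the workgroup, a domain with no range, and overlapping ranges, and says which range a given Unix ID came from. The two sample configs are constructed from the thread's idmap-relevant lines only.

```python
# Added example: lint the 'idmap config' lines of an smb.conf the way this thread debugged them.
import re

IDMAP_RE = re.compile(r"^idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)
WORKGROUP_RE = re.compile(r"^workgroup\s*=\s*(.+?)$", re.I)

def parse_idmap(conf):
    """Return (WORKGROUP, {DOMAIN: (low, high) or None}); names are upper-cased."""
    workgroup, ranges = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if m := IDMAP_RE.match(line):
            dom = m.group(1).upper()
            ranges.setdefault(dom, None)          # remember the domain even without a range
            if m.group(2).lower() == "range":
                low, high = (int(x) for x in m.group(3).split("-"))
                ranges[dom] = (low, high)
        elif m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
    return workgroup, ranges

def check_idmap(conf):
    # Name mismatch (the thread's bug), missing range, overlapping ranges.
    workgroup, ranges = parse_idmap(conf)
    problems = []
    for dom, rng in ranges.items():
        if dom not in ("*", workgroup):
            problems.append(f"idmap config '{dom}' does not match workgroup '{workgroup}'")
        if rng is None:
            problems.append(f"idmap config '{dom}' has no range")
    names = sorted(d for d in ranges if ranges[d])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of '{a}' and '{b}' overlap")
    return problems
def domain_for_id(conf, unix_id):
    # Which range a Unix ID came from, e.g. the '8003' from the original post.
    for dom, rng in parse_idmap(conf)[1].items():
        if rng and rng[0] <= unix_id <= rng[1]:
            return dom
    return None
# Constructed from the thread's two configs (idmap-relevant lines only).
ORIGINAL = """workgroup = sm
idmap config sm.pvt : range = 10000-20000
idmap config * : range = 8000-9000"""
FINAL = """workgroup = SM
idmap config *: range = 90000001-100000000
idmap config SM: range = 20000-90000000"""
```

Run against ORIGINAL it reports the 'SM.PVT' versus 'SM' mismatch and places uid 8003 in the '*' range; FINAL passes clean.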