RID solved my problem. But while reading docs I saw new things and I
changed my smb.conf completely.
I have read almost every parameter but I'm still not 100% sure.
Can you do me a last favor?
Please can you tell me do I have any problem with new smb.conf?

Kernel: Linux 4.14.13-1-ARCH
Filesystem: zfs-linux 0.7.5.4.14.13.1-1

Thank you so much for your help.

---------------------
[global]
netbios name = DEV1
server string = %h Test Host
workgroup = SM
realm = SM.PVT
security = ADS
server role = member server
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config SM: backend = rid
idmap config SM: range = 20000-90000000
encrypt passwords = yes
dns proxy = no
strict locking = Auto
oplocks = yes
deadtime = 15
logging = file
max log size = 51200
log level = 2
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
unix charset = UTF-8
case sensitive = auto
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
ntlm auth = no
allow trusted domains = no
client ntlmv2 auth = yes
kernel change notify = yes
panic action = /usr/bin/samba-backtrace
dns update command = /usr/sbin/samba_dnsupdate
acl allow execute always = true
dos filemode = yes
multicast dns register = no
domain logons = no
client use spnego = yes
local master = no
domain master = no
preferred master = no
template shell = /bin/sh
template homedir = /home/%D/%U
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
min receivefile size = 16384
max xmit = 65536
max open files = 232040
strict sync = no

[test]
comment = test
path = /ssdhavuz/test
guest ok = no
browseable = yes
writeable = yes
hide dot files = yes
veto files = /.snapshot/.windows/.mac/.zfs/
use sendfile = no
acl group control = yes
map acl inherit = yes
inherit owner = yes
inherit permissions = yes
inherit acls = yes
vfs objects = acl_xattr streams_xattr aio_pthread
acl_xattr:ignore system acls = yes
aio_pthread:aio num threads = 500

2018-02-13 16:20 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 13 Feb 2018 15:52:13 +0200
> Özkan Göksu <ozkan.goksu at usishi.com> wrote:
>
> > Thank you for reply Rowland.
> >
> > Sorry for my typo. I intended to change sm--to-->test but I forgot to
> > change other lines.
> > So my original config is below:
> >
> > workgroup = sm
> > > realm = sm.pvt
> > > server string = %h Test Host
> > > security = ads
> > > encrypt passwords = yes
> > > idmap config sm.pvt : backend = ad
> > > idmap config sm.pvt : range = 10000-20000
> > > idmap config sm.pvt : schema_mode = rfc2307
> > > idmap config * : range = 8000-9000
> >
> > Honestly I am not sure about using ads backend at all. I have read
> > samba documents. As rid backend use local database and it may get
> > corrupted, I chose ad backend.
> > On the other hand I should not install any extensions on Windows
> > Active Directory server. Samba documents tells something about
> > installing unix extensions but as far as I see this is not a must for
> > ads.
> >
> > So it would be best if someone could help me understanding about rid
> > vs ads. I suspect my problem depends on it.
> >
>
> OK, if you cannot add anything to AD, then you cannot use the winbind
> 'ad' backend, so you will have to use the 'rid' backend.
>
> The 'rid' backend does not use a local database, it uses the AD
> database. The user's (or group's) ID is calculated from the AD objectsid,
> this will be in the form:
>
> S-1-5-21-1768301897-3342589593-1064908849-2130
>
> The last portion is the RID '2130' and is unique in the domain, the
> rest identifies the domain.
>
> The winbind 'rid' calculates the ID from the RID and the lower range
> you set in AD with this calculation:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> BASE_RID is 0, so it is really:
>
> ID = RID + LOW_RANGE_ID
>
> So, using your lower range and the RID from above, it becomes
>
> ID = 2130 + 10000
>
> ID = 12130
>
> If you use the same smb.conf on all Unix domain members in the domain,
> you will always get the same Unix ID.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
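The calculation quoted above (ID = RID - BASE_RID + LOW_RANGE_ID), applied to the idmap ranges posted in this thread, as an added example that is not part of the original messages and is not Samba's code. The function names are hypothetical, the config text is a constructed excerpt, and returning None for an out-of-range result is this sketch's model of winbind leaving the account unmapped.

```python
import re
from itertools import combinations

# Constructed sample: only the idmap lines of the smb.conf posted in this thread.
SMB_CONF = """\
[global]
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
idmap config SM: backend = rid
idmap config SM: range = 20000-90000000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(part) for part in value.split("-"))
            value = (low, high)
        domains.setdefault(domain, {})[key] = value
    return domains

def overlapping_ranges(domains):
    """Return (domain, domain) pairs whose ranges share IDs; should be empty."""
    ranged = sorted((name, d["range"]) for name, d in domains.items() if "range" in d)
    return [(a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_unix_id(sid, low, high, base_rid=0):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID to the last component of a SID.

    Returns None when the result falls outside low..high (assumption of this
    sketch: such an account is treated as unmapped).
    """
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    unix_id = int(parts[-1]) - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    sid = "S-1-5-21-1768301897-3342589593-1064908849-2130"  # SID quoted in the thread
    print("overlaps:", overlapping_ranges(conf))
    print("old range 10000-20000:", rid_to_unix_id(sid, 10000, 20000))
    print("new SM range:", rid_to_unix_id(sid, *conf["SM"]["range"]))
```

Because the result depends only on the RID and the configured lower bound, two domain members with different `range` lines assign different Unix IDs to the same account, which shows up as mismatched file ownership on shared storage.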
On Wed, 14 Feb 2018 16:30:07 +0200
Özkan Göksu <ozkan.goksu at usishi.com> wrote:

> RID solved my problem. But while reading docs I saw new things and I
> changed my smb.conf completely.
> I have read almost every parameter but I'm still not 100% sure.
> Can you do me a last favor?
> Please can you tell me do I have any problem with new smb.conf?
>

No problems as such, but you don't need these because they are default
settings:

winbind nested groups = yes
encrypt passwords = yes
strict locking = Auto
oplocks = yes
deadtime = 15
unix charset = UTF-8
case sensitive = auto
guest account = nobody
ntlm auth = no
client ntlmv2 auth = yes
kernel change notify = yes
domain logons = no
client use spnego = yes
strict sync = no

All the next two lines do is make 'getent passwd' & 'getent group'
display a list of all users or groups AND slow things down, you do not
need them:

winbind enum users = yes
winbind enum groups = yes

The next line is only any good on a Samba DC:

dns update command = /usr/sbin/samba_dnsupdate

You shouldn't really mess with the socket options, that's the kernel's
job:

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE

Rowland
Thanks for helping me out. It is really appreciated. It is not easy to find
out good online information about samba :(

My original idea was to keep my understanding of important default options
written in smb.conf after full reading of
https://www.samba.org/samba/docs/4.7/man-html/smb.conf.5.html.

For the "winbind enum users/group" options I added them since smb.conf(5)
states some programs behave oddly if they are not enabled:
https://www.samba.org/samba/docs/4.7/man-html/smb.conf.5.html#winbindenumgroups.
However I am removing them as you say.

For the "dns update command" setting I thought it would solve my dns update
problem whenever I try to join Active Directory. My samba version is 4.7.4.

[root at AA-SM2 ]# net ads join -U administrator
Enter administrator's password:
Using short domain name -- AA
Joined 'AA-SM2' to dns domain 'aa.local'
No DNS domain configured for aa-sm2. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

For the "socket options" setting I read it on the internet which is
somewhat considered to be a best practice for samba performance. I am
removing it also.

BTW there is a long standing issue of mine which I haven't found an answer.
I always see limit warning at smbd service start up. It does no help no
matter I set "max open files = 232040" in smb.conf nor /etc/security/limits
settings.

[2018/02/15 10:39:02.985913, 2] ../source3/param/loadparm.c:321(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2018/02/15 10:39:02.986630, 2] ../source3/param/loadparm.c:2791(lp_do_section)
  Processing section "[yenitest]"
[2018/02/15 10:39:02.987321, 2] ../source3/lib/interface.c:345(add_interface)
  added interface vlan11 ip=192.168.11.3 bcast=192.168.11.255 netmask=255.255.255.0
[2018/02/15 10:39:02.987391, 2] ../source3/lib/interface.c:345(add_interface)
  added interface vlan50 ip=10.0.50.4 bcast=10.0.50.255 netmask=255.255.255.0
[2018/02/15 10:39:02.987439, 2] ../source3/lib/interface.c:345(add_interface)
  added interface enp2s0f0 ip=10.1.60.3 bcast=10.1.60.255 netmask=255.255.255.0
[2018/02/15 10:39:02.987484, 2] ../source3/lib/interface.c:345(add_interface)
  added interface enp2s0f0 ip=10.1.60.5 bcast=10.1.60.255 netmask=255.255.255.0
[2018/02/15 10:39:02.987611, 1] ../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2018/02/15 10:39:02.989393, 2] ../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2018/02/15 10:39:03.006312, 1] ../source3/smbd/files.c:218(file_init_global)
  file_init_global: Information only: requested 232040 open files, 59392 are available.
[2018/02/15 10:39:03.009324, 0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2018/02/15 10:39:03.009569, 2] ../source3/smbd/server.c:1395(smbd_parent_loop)
  waiting for connections

Here are my settings in /etc/security/limits.

* soft nofile 99000
* hard nofile 999000
* - memlock unlimited
* - nofile 100000
* - nproc 32768
* - as unlimited

@root soft nofile 99000
@root hard nofile 999000
@root - memlock unlimited
@root - nofile 100000
@root - nproc 32768
@root - as unlimited

Again thanks for your help,

Ozkan
L.P.H. van Belle
2018-Feb-15 08:41 UTC
[Samba] wbinfo -U id gives different users on same dc
Sure there is,
Install Debian, follow my howto and you will have success.

Just, you're using a .local domain, and that's a reserved name for Apple's mDNS (zeroconf)
and should not be used. (Same for .lan.)
https://wiki.samba.org/index.php/FAQ#Can_I_Use_the_.local_Top-level_Domain_for_My_AD_DNS_Zone.3F

So the info is good, that's not the problem, finding it, is.

Can you post your /etc/hosts and resolv.conf also to be sure these are OK.
And what's the running OS, that's a nice to know.

Greetz,

Louis