2018-07-19 23:59 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> Please see inline comments.
>
> On Thu, 19 Jul 2018 23:44:48 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>
>> Thanks a lot for the quick help. I remember in the old days it happened
>> sometimes, but after upgrading RHEL 7.5 (from samba 4.6.x to 4.7.1) and
>> the samba DC to 4.7/4.8 it now happens every time.
>> Below is the smb.conf configuration from the member server:
>>
>> [global]
>> workgroup = SAMDOM
>> netbios name = backup
>> realm = AD.SAMDOM.EXAMPLE.COM
>> security = ads
>>
>> idmap backend = tdb
>
> Remove the above line.
>
>> idmap config *:backend = tdb
>> idmap config *:range = 1000000-1999999
>>
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:default = yes
>
> You do not need the above line.
>
>> idmap config SAMDOM:range = 1000-999999
>> idmap config SAMDOM:schema_mode = rfc2307
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nested groups = no
>> winbind use default domain = yes
>> winbind offline logon = no
>
> You do not need the above line.
>
> I know you said in your other email that you are using samba-tool to
> create the users, but how? Please provide an example.

Hi:
Sorry for the late reply. I was busy downgrading/upgrading the samba versions of the DC and member servers, trying to tune the configuration and watch the log. Today I gave up on the RHEL samba 4.6.x and 4.7.1 rpms and recompiled samba for the member servers myself. Both 4.7.1 and 4.7.8 are working fine.

So there are some problems with recent RHEL samba packages, although they worked fine years ago. Maybe MIT Kerberos or some other issue, I don't know (is a samba file server without AD DC also affected by the kerberos type?). I will try to report it to the RedHat bugzilla.

Thanks a lot for your help!
2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
> So there are some problems with recent RHEL samba packages,
> although they worked fine years ago.

Hi:
After more testing, my previous conclusion is wrong. It's not an RHEL package problem, but a samba bug/feature. I have tried samba 4.7.1 and 4.7.8. With the configuration below (which is a new config option after samba 4.6), everything is fine. Without the configuration, samba 4.6/4.7 seems unable to find the primary group id, although it is already set and shows correctly if the user tries to authenticate.

idmap config SAMDOM:unix_primary_group = yes
On Mon, 23 Jul 2018 14:48:00 +0800
d tbsky <tbskyd at gmail.com> wrote:
> Hi:
> After more testing, my previous conclusion is wrong. It's not an RHEL
> package problem, but a samba bug/feature. I have tried samba 4.7.1 and
> 4.7.8.
> With the configuration below (which is a new config option after samba
> 4.6), everything is fine. Without the configuration, samba
> 4.6/4.7 seems unable to find the primary group id, although it is already
> set and shows correctly if the user tries to authenticate.
>
> idmap config SAMDOM:unix_primary_group = yes

That isn't a bug, it is a feature ;-)

Before 4.6.0 everyone got 'Domain Users' as their primary Unix group, but from 4.6.0 you can give users a gidNumber attribute and, with the line above, this will be used for the user's primary Unix group. Whatever gidNumber is used, this must point to a group, i.e. the group must have the same gidNumber. If the line doesn't exist, it falls back to using Domain Users, so Domain Users must have a gidNumber.

Rowland
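An added example (not from the thread and not Samba's own code) that applies Rowland's rule to a constructed smb.conf fragment and constructed RFC2307 user/group attributes: with `idmap config SAMDOM:unix_primary_group = yes` the user's own gidNumber becomes the primary Unix group, otherwise Domain Users does, and in either case the resolved gid must match an existing group's gidNumber. The user and group names, gid values and the `check_primary_groups` helper are assumptions for illustration.

```python
import re

# Constructed smb.conf fragment for the member server (not the thread's verbatim config).
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ads
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:unix_primary_group = yes
"""

# Constructed RFC2307 attributes, reduced to what matters for the primary group.
USERS = {"alice": {"gidNumber": 10001}, "bob": {"gidNumber": 10099}, "carol": {}}
GROUPS = {"Domain Users": {"gidNumber": 10000}, "staff": {"gidNumber": 10001}}


def unix_primary_group_enabled(conf, domain):
    """True if 'idmap config <domain>:unix_primary_group = yes' is set in conf."""
    pat = re.compile(r"^\s*idmap config %s\s*:\s*unix_primary_group\s*=\s*(\S+)"
                     % re.escape(domain), re.I | re.M)
    m = pat.search(conf)
    return m is not None and m.group(1).lower() in ("yes", "true", "1")


def resolve_primary_gid(user_attrs, enabled, groups):
    """Follow Rowland's rule: with the option on and a gidNumber on the user,
    that gid is the primary group; otherwise fall back to Domain Users."""
    if enabled and "gidNumber" in user_attrs:
        return user_attrs["gidNumber"], "gidNumber"
    return groups.get("Domain Users", {}).get("gidNumber"), "Domain Users"


def check_primary_groups(conf, domain, users, groups):
    """Return {user: reason} for every user whose primary Unix group cannot resolve."""
    enabled = unix_primary_group_enabled(conf, domain)
    known = {g["gidNumber"] for g in groups.values() if "gidNumber" in g}
    problems = {}
    for name, attrs in users.items():
        gid, source = resolve_primary_gid(attrs, enabled, groups)
        if gid is None:
            problems[name] = "falls back to Domain Users, which has no gidNumber"
        elif gid not in known:
            problems[name] = "%s=%d matches no group's gidNumber" % (source, gid)
    return problems


if __name__ == "__main__":
    for user, why in check_primary_groups(SMB_CONF, "SAMDOM", USERS, GROUPS).items():
        print("%s: %s" % (user, why))
```

In the constructed data only bob is flagged: his gidNumber 10099 belongs to no group, which is exactly the mismatch Rowland warns about; remove the option and every user silently falls back to Domain Users.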