2018-07-24 23:26 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 24 Jul 2018 22:50:16 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > Do the users have a gidNumber attribute containing the gidNumber of
> > > the required group and if so, is the gidNumber inside the range set
> > > in smb.conf and is the version of Samba >= 4.6.0
> >
> > su - amistest
> > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > $ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
>
> Your ranges are really wrong, '100-9999' for the 'NIS' (and this is a
> stupid name) range, but I think it shows something strange, if I run
> 'id rowland' on a Unix domain member, I get:
>

Yes, I know, but the name came from "Nemocnicni Informacni System", which
means "hospital information system" in Czech, many years ago. The user and
group uid numbers were taken from our hp-ux, which was the primary source
of users and groups when we started with LDAP. The gid of 20 is "users" in
hp-ux. And it was inserted into AD from LDAP during "samba classicupgrade".

> uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> My 'idmap config' lines are similar to yours, but, as you can see, the
> users 'gid' is 'gid=10000(domain users)', yours is 'gid=20(games)', how
> is this possible ? '20' is outside the '100-9999' range.
>

I forgot we have gid 20 :-(

> Do you have users & groups in AD and in /etc/passwd & /etc/group ?
>
> What is the OS
> What is the Active directory DC ?
>

It is linux, samba 4.8.3:

[global]
netbios name = AD1
realm = UHN.NEMUH.CZ
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = NIS
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
read only = No

[sysvol]
path = /usr/local/samba.ad/var/locks/sysvol
read only = No

Michal

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On Wed, 25 Jul 2018 00:12:17 +0200
Michal <Michal67M at seznam.cz> wrote:

> 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Tue, 24 Jul 2018 22:50:16 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> >
> > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > >
> > > > Do the users have a gidNumber attribute containing the
> > > > gidNumber of the required group and if so, is the gidNumber
> > > > inside the range set in smb.conf and is the version of Samba >=
> > > > 4.6.0
> > >
> > > su - amistest
> > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > $ id
> > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> >
> > Your ranges are really wrong, '100-9999' for the 'NIS' (and this is
> > a stupid name) range, but I think it shows something strange, if I
> > run 'id rowland' on a Unix domain member, I get:
> >
>
> Yes, I know, but the name came from "Nemocnicni Informacni System",
> which means "hospital information system" in Czech, many years ago.

I understand the problem, but have you ever heard of nis also known as
yellow pages or yp ;-)

> The user and group uid numbers were taken from our hp-ux, which was the
> primary source of users and groups when we started with LDAP. The gid
> of 20 is "users" in hp-ux.

and 'users' is generally '100' on Linux

> And it was inserted into AD from LDAP during "samba
> classicupgrade".
>

I am beginning to hate 'classicupgrade', yes it upgrades you to an AD
domain, but it keeps all the mistakes of the past.

> > uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
> >
> > My 'idmap config' lines are similar to yours, but, as you can see,
> > the users 'gid' is 'gid=10000(domain users)', yours is
> > 'gid=20(games)', how is this possible ? '20' is outside the
> > '100-9999' range.
> >
>
> I forgot we have gid 20 :-(

Yes, but why is it being shown ? and why is it being shown as 'games' and
not 'users'.

what is in /etc/nsswitch.conf ?

> > Do you have users & groups in AD and in /etc/passwd & /etc/group ?

You haven't answered this.

> > What is the OS
> > What is the Active directory DC ?
> >
>
> It is linux, samba 4.8.3:

Yes, but what 'Linux' ?

> [global]
> netbios name = AD1
> realm = UHN.NEMUH.CZ
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = NIS
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba.ad/var/locks/sysvol
> read only = No
>

Yes, that is a vanilla smb.conf for when you are using Bind9, so I
suppose the next question is, how have you set up Bind9 and what
version is it.

Rowland
---------- Forwarded message ----------
From: Majkl Majkl <themajklthe at gmail.com>
Date: 2018-07-25 22:28 GMT+02:00
Subject: Re: [Samba] Force set group id on samba domain member
To: Rowland Penny <rpenny at samba.org>
Cc: "samba at lists.samba.org" <samba at lists.samba.org>


2018-07-25 9:19 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Wed, 25 Jul 2018 00:12:17 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Tue, 24 Jul 2018 22:50:16 +0200
> > > Michal <Michal67M at seznam.cz> wrote:
> > >
> > > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > > <samba at lists.samba.org>:
> > > >
> > > > > Do the users have a gidNumber attribute containing the
> > > > > gidNumber of the required group and if so, is the gidNumber
> > > > > inside the range set in smb.conf and is the version of Samba >=
> > > > > 4.6.0
> > > >
> > > > su - amistest
> > > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > > $ id
> > > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> > >
> > > Your ranges are really wrong, '100-9999' for the 'NIS' (and this is
> > > a stupid name) range, but I think it shows something strange, if I
> > > run 'id rowland' on a Unix domain member, I get:
> > >
> >
> > Yes, I know, but the name came from "Nemocnicni Informacni System",
> > which means "hospital information system" in Czech, many years ago.
>
> I understand the problem, but have you ever heard of nis also known as
> yellow pages or yp ;-)
>

Yes. That's why I agree it is a stupid name for a domain :-) But we have
been using the abbreviation for about 25 years, many years before I found
that there exists something like NIS/YP :-) Bad luck.

Yes, it is confusing for IT people, but users do not care and they are
used to it.

> > The user and group uid numbers were taken from our hp-ux, which was the
> > primary source of users and groups when we started with LDAP. The gid
> > of 20 is "users" in hp-ux.
>
> and 'users' is generally '100' on Linux
>
> > And it was inserted into AD from LDAP during "samba
> > classicupgrade".
> >
>
> I am beginning to hate 'classicupgrade', yes it upgrades you to an AD
> domain, but it keeps all the mistakes of the past.
>

Maybe more checks or options in the classicupgrade process would prevent
keeping such mistakes?

> > > uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
> > >
> > > My 'idmap config' lines are similar to yours, but, as you can see,
> > > the users 'gid' is 'gid=10000(domain users)', yours is
> > > 'gid=20(games)', how is this possible ? '20' is outside the
> > > '100-9999' range.
> > >
> >
> > I forgot we have gid 20 :-(
>
> Yes, but why is it being shown ? and why is it being shown as 'games' and
> not 'users'.
>
> what is in /etc/nsswitch.conf ?
>

Because of

passwd: files winbind
group: files winbind

in nsswitch.conf (I believe I followed the samba wiki)

and there is games:20 in /etc/group

I am talking about the Linux DM (fileserver) configuration now, it is NOT
nsswitch.conf on the AD DC.

But as I have said, there is no real need for users in AD to have a
primary group of 20, I can change it to "Domain users", if it helps.
(Ok, in this case, the next question will be how to do it for one user
from the command line, because I have 1000+ users, so no GUI mouse
clicking action wanted.)

> > > Do you have users & groups in AD and in /etc/passwd & /etc/group ?
>
> You haven't answered this.
>

(Sorry, answered this in a separate post too, ignore the answer there,
please.)

> OK, let's try this, on a Linux machine, 0-999 is reserved for system
> users & groups, 1000 upwards is for normal users and groups. You then
> have users & groups in AD, these have RIDs that start at 1000 (but you
> can ignore the RIDs as far as Unix goes), to make the AD users and
> groups known to AD, you have to add uidNumber & gidNumber attributes.

All our AD users have both uidNumbers and gidNumbers according to our
hp-ux unix. Users had been created on hp-ux primarily. History and long
story.

> So, what I was trying to get at was:
> Do you have any users or groups that are in /etc/passwd or /etc/group
> that are also in AD ?
> e.g. is user 'fred' also in AD ?

I am not 100% sure, because I have not checked local passwd vs AD user
unix attributes, but AFAIK domain users' id numbers and usernames are only
in AD. They should be only in AD, I do not intend to have AD users in
local system files.

> > > What is the OS
> > > What is the Active directory DC ?
> > >
> >
> > It is linux, samba 4.8.3:
>
> Yes, but what 'Linux' ?
>

[root@ad1 ~]# uname -a
Linux ad1 3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@ad1 ~]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)

[root@samba4 ~]# uname -a
Linux samba4 3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@samba4 ~]# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)

Both AD DC (ad1) and DM (samba4) run an identical OS. In fact, I created
both of them from a template in our vmware and I did not bother what
CentOS version it is. I did not think it might matter.

> > [global]
> > netbios name = AD1
> > realm = UHN.NEMUH.CZ
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = NIS
> > idmap_ldb:use rfc2307 = yes
> >
> > [netlogon]
> > path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba.ad/var/locks/sysvol
> > read only = No
> >
>
> Yes, that is a vanilla smb.conf for when you are using Bind9, so I
> suppose the next question is, how have you set up Bind9 and what
> version is it.
>

Yes, I believe I copied it from the samba wiki and I did my best to follow
it (samba wiki) also in the bind configuration. DNS resolving seems to be
working and newly added machines are inserted into the AD DNS zone.

bind.x86_64    32:9.9.4-61.el7    @base

Thank you very much for your interest and patience, really :-)

Michal

> Rowland
Rowland Penny
2018-Jul-25 20:57 UTC
[Samba] Fwd: Force set group id on samba domain member
On Wed, 25 Jul 2018 22:40:25 +0200
Michal via samba <samba at lists.samba.org> wrote:

> ---------- Forwarded message ----------
> From: Majkl Majkl <themajklthe at gmail.com>
> Date: 2018-07-25 22:28 GMT+02:00
> Subject: Re: [Samba] Force set group id on samba domain member
> To: Rowland Penny <rpenny at samba.org>
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>
>
> 2018-07-25 9:19 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Wed, 25 Jul 2018 00:12:17 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> >
> > > 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > >
> > > > On Tue, 24 Jul 2018 22:50:16 +0200
> > > > Michal <Michal67M at seznam.cz> wrote:
> > > >
> > > > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > > > <samba at lists.samba.org>:
> > > > >
> > > > > > Do the users have a gidNumber attribute containing the
> > > > > > gidNumber of the required group and if so, is the gidNumber
> > > > > > inside the range set in smb.conf and is the version of
> > > > > > Samba >= 4.6.0
> > > > >
> > > > > su - amistest
> > > > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > > > $ id
> > > > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> > > >
> > > > Your ranges are really wrong, '100-9999' for the 'NIS' (and
> > > > this is a stupid name) range, but I think it shows something
> > > > strange, if I run 'id rowland' on a Unix domain member, I get:
> > > >
> > >
> > > Yes, I know, but the name came from "Nemocnicni Informacni
> > > System", which means "hospital information system" in Czech, many
> > > years ago.
> >
> > I understand the problem, but have you ever heard of nis also known
> > as yellow pages or yp ;-)
> >
>
> Yes. That's why I agree it is a stupid name for a domain :-) But we
> have been using the abbreviation for about 25 years, many years
> before I found that there exists something like NIS/YP :-) Bad luck.
>
> Yes, it is confusing for IT people, but users do not care and they
> are used to it.
>
> > > The user and group uid numbers were taken from our hp-ux, which
> > > was the primary source of users and groups when we started with
> > > LDAP. The gid of 20 is "users" in hp-ux.
> >
> > and 'users' is generally '100' on Linux
> >
> > > And it was inserted into AD from LDAP during "samba
> > > classicupgrade".
> > >
> >
> > I am beginning to hate 'classicupgrade', yes it upgrades you to an
> > AD domain, but it keeps all the mistakes of the past.
> >
>
> Maybe more checks or options in the classicupgrade process would
> prevent keeping such mistakes?
>
> > > > uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
> > > >
> > > > My 'idmap config' lines are similar to yours, but, as you can
> > > > see, the users 'gid' is 'gid=10000(domain users)', yours is
> > > > 'gid=20(games)', how is this possible ? '20' is outside the
> > > > '100-9999' range.
> > > >
> > >
> > > I forgot we have gid 20 :-(
> >
> > Yes, but why is it being shown ? and why is it being shown as 'games'
> > and not 'users'.
> >
> > what is in /etc/nsswitch.conf ?
> >
>
> Because of
>
> passwd: files winbind
> group: files winbind
>
> in nsswitch.conf (I believe I followed the samba wiki)
>
> and there is games:20 in /etc/group
>
> I am talking about the Linux DM (fileserver) configuration now, it is
> NOT nsswitch.conf on the AD DC.
>
> But as I have said, there is no real need for users in AD to have a
> primary group of 20, I can change it to "Domain users", if it helps.
> (Ok, in this case, the next question will be how to do it for one
> user from the command line, because I have 1000+ users, so no GUI
> mouse clicking action wanted.)
>
> > > > Do you have users & groups in AD and in /etc/passwd
> > > > & /etc/group ?
> >
> > You haven't answered this.
> >
>
> (Sorry, answered this in a separate post too, ignore the answer there,
> please.)
>
> > OK, let's try this, on a Linux machine, 0-999 is reserved for system
> > users & groups, 1000 upwards is for normal users and groups. You then
> > have users & groups in AD, these have RIDs that start at 1000 (but
> > you can ignore the RIDs as far as Unix goes), to make the AD users
> > and groups known to AD, you have to add uidNumber & gidNumber
> > attributes.
>
> All our AD users have both uidNumbers and gidNumbers according to our
> hp-ux unix. Users had been created on hp-ux primarily. History and
> long story.
>
> > So, what I was trying to get at was:
> > Do you have any users or groups that are in /etc/passwd or /etc/group
> > that are also in AD ?
> > e.g. is user 'fred' also in AD ?
>
> I am not 100% sure, because I have not checked local passwd vs AD
> user unix attributes, but AFAIK domain users' id numbers and usernames
> are only in AD. They should be only in AD, I do not intend to have AD
> users in local system files.
>
> > > > What is the OS
> > > > What is the Active directory DC ?
> > > >
> > >
> > > It is linux, samba 4.8.3:
> >
> > Yes, but what 'Linux' ?
> >
>
> [root@ad1 ~]# uname -a
> Linux ad1 3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> [root@ad1 ~]# cat /etc/centos-release
> CentOS Linux release 7.5.1804 (Core)
>
> [root@samba4 ~]# uname -a
> Linux samba4 3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> [root@samba4 ~]# cat /etc/centos-release
> CentOS Linux release 7.5.1804 (Core)
>
> Both AD DC (ad1) and DM (samba4) run an identical OS. In fact, I
> created both of them from a template in our vmware and I did not bother
> what CentOS version it is. I did not think it might matter.
>
> > > [global]
> > > netbios name = AD1
> > > realm = UHN.NEMUH.CZ
> > > server role = active directory domain controller
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > workgroup = NIS
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > [netlogon]
> > > path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
> > > read only = No
> > >
> > > [sysvol]
> > > path = /usr/local/samba.ad/var/locks/sysvol
> > > read only = No
> > >
> >
> > Yes, that is a vanilla smb.conf for when you are using Bind9, so I
> > suppose the next question is, how have you set up Bind9 and what
> > version is it.
> >
>
> Yes, I believe I copied it from the samba wiki and I did my best to
> follow it (samba wiki) also in the bind configuration. DNS resolving
> seems to be working and newly added machines are inserted into the AD
> DNS zone.
>
> bind.x86_64    32:9.9.4-61.el7    @base
>
> Thank you very much for your interest and patience, really :-)
>
> Michal
>
> > Rowland

I am getting a bit confused here, two people seem to be responding, but
I get the feeling they are the same person. If so, can you stick to one
email address and username please ;-)

Let me ask my question re /etc/passwd & /etc/group and AD in another
way. Do you have the same ID numbers in /etc/passwd & /etc/group in AD
as uidNumber & gidNumber attributes ?

I am trying to understand how the user you referenced with 'id' had the
primary group '20' when the DOMAIN range you have in smb.conf starts at
'100', this very fact is hard to understand because winbind should
ignore everything outside the range.

Rowland
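An added check for the situation Rowland is asking about (example code written for this page, not something posted in the thread): given the `id` output quoted above, the idmap ranges from smb.conf and the domain member's /etc/group, it reports which NSS source answered each group id under the `files winbind` order in nsswitch.conf, and whether winbind's idmap range would have mapped that gid at all. The `audit`, `idmap_ranges`, `local_gids` and `parse_id` names are mine; the '100-9999' NIS range and the `id` line come from the thread, while the '*' range and the /etc/group contents are constructed assumptions.

```python
import re

# Constructed sample inputs (not captured from a live system). The `id` line and the
# '100-9999' NIS range are from the thread; /etc/group and the '*' range are assumed.
SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config NIS : backend = ad
   idmap config NIS : schema_mode = rfc2307
   idmap config NIS : range = 100-9999
"""
ETC_GROUP = "root:x:0:\nusers:x:100:\ngames:x:20:\n"
ID_OUTPUT = ("uid=6603(NIS\\amistest) gid=20(games) groups=20(games),"
             "513(NIS\\domain users),2108(NIS\\evis),10001(BUILTIN\\users)")

RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
GID_RE = re.compile(r"(\d+)\(([^)]*)\)")

def idmap_ranges(smb_conf):
    """Map each idmap domain ('*' is the default) to its (low, high) range."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(smb_conf)}

def local_gids(etc_group):
    """Set of gids the 'files' NSS source can answer for (third field of /etc/group)."""
    fields = (line.split(":") for line in etc_group.splitlines() if line.count(":") >= 2)
    return {int(f[2]) for f in fields if f[2].isdigit()}

def parse_id(id_line):
    """Return [(gid, name), ...] from `id` output, primary group first."""
    primary = re.search(r"gid=(\d+)\(([^)]*)\)", id_line)
    rest = GID_RE.findall(id_line.split("groups=", 1)[1])
    return [(int(primary[1]), primary[2])] + [(int(g), n) for g, n in rest]

def in_range(gid, domain, ranges):
    """Would winbind map this gid for this domain? Unknown domains fall back to '*'."""
    lo, hi = ranges.get(domain, ranges.get("*", (0, -1)))
    return lo <= gid <= hi

def audit(id_line, smb_conf, etc_group):
    """For each group `id` printed, say which NSS source answered it (nsswitch order
    'files winbind') and whether winbind's idmap range would have mapped it at all."""
    ranges, local = idmap_ranges(smb_conf), local_gids(etc_group)
    report = []
    for gid, name in parse_id(id_line):
        domain = name.rpartition("\\")[0]          # 'NIS\domain users' -> 'NIS'; 'games' -> ''
        if gid in local:                           # 'files' comes first, so /etc/group wins
            clash = [d for d in ranges if d != "*" and in_range(gid, d, ranges)]
            note = ("local gid %d also lies inside the %s idmap range" % (gid, clash[0])
                    if clash else
                    "gid %d is outside every idmap range; winbind would never map it" % gid)
            report.append({"gid": gid, "name": name, "source": "files", "note": note})
        else:
            ok = in_range(gid, domain, ranges)
            report.append({"gid": gid, "name": name, "source": "winbind",
                           "note": "" if ok else "gid %d outside the %s range" % (gid, domain)})
    return report

if __name__ == "__main__":
    for row in audit(ID_OUTPUT, SMB_CONF, ETC_GROUP):
        print("%5d  %-20s %-8s %s" % (row["gid"], row["name"], row["source"], row["note"]))
```

For the thread's user the primary group 20 is reported as answered by `files` and outside every idmap range, which is why `id` shows the local name 'games' even though winbind would never have mapped that gidNumber.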