Hi,

I have a question again about my test environment. I have dc1, dc2, fileserver1, and dc3. dc3 is on another site, and is functioning as a fileserver too. As I read in the documentation, I cannot (shouldn't) use idmap config parameters in the smb.conf on my dc3. Unfortunately, first I copied those parameters too from fileserver1 (I use the rid backend on fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.

When I create a file from Windows on a dc3 share, the owner is ok (DOMAIN\user), but the group is users. From the dc3 command line, I can set user and group ownership correctly.

How can I correct the setup on dc3?

dc3:
[global]
        bind interfaces only = Yes
        dns forwarder = 208.67.220.220
        dos charset = CP852
        interfaces = lo enp0s3
        logon path = ""
        name resolve order = lmhosts host bcast
        netbios name = DC3
        realm = A.B.HU
        server role = active directory domain controller
        template homedir = /home/%D/users/%U
        template shell = /bin/bash
        unix charset = UTF8
        username map = /etc/samba/user.map
        workgroup = A
        idmap_ldb:use rfc2307 = yes
        csc policy = disable
On 08/08/2019 13:37, Pisch Tamás via samba wrote:
> Hi,
>
> I have a question again about my test environment. I have dc1, dc2, fileserver1, and dc3. dc3 is on another site, and is functioning as a fileserver too. As I read in the documentation, I cannot (shouldn't) use idmap config parameters in the smb.conf on my dc3. Unfortunately, first I copied those parameters too from fileserver1 (I use the rid backend on fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.
> When I create a file from Windows on a dc3 share, the owner is ok (DOMAIN\user), but the group is users. From the dc3 command line, I can set user and group ownership correctly.
> How can I correct the setup on dc3?
> dc3:
> [global]
>        bind interfaces only = Yes
>        dns forwarder = 208.67.220.220
>        dos charset = CP852
>        interfaces = lo enp0s3
>        logon path = ""
>        name resolve order = lmhosts host bcast
>        netbios name = DC3
>        realm = A.B.HU
>        server role = active directory domain controller
>        template homedir = /home/%D/users/%U
>        template shell = /bin/bash
>        unix charset = UTF8
>        username map = /etc/samba/user.map
>        workgroup = A
>        idmap_ldb:use rfc2307 = yes
>        csc policy = disable

Nothing to do with your problem, but remove these lines from the smb.conf:

logon path = ""
username map = /etc/samba/user.map

The first is doing nothing and the second is probably interfering with the user mapping in idmap.ldb.

It is probably a bit late to change now, but there is only one way to get the same numeric ID everywhere and that is to use the 'ad' winbind backend. The required uidNumber & gidNumber attributes will override the xidNumber attributes used on a DC, e.g. if you give Domain Users the gidNumber '10000', then all DCs will use '10000' for Domain Users, and if you use the 'ad' backend on the fileserver, Domain Users will have the ID '10000'.

Rowland
> > Hi,
> >
> > I have a question again about my test environment. I have dc1, dc2, fileserver1, and dc3. dc3 is on another site, and is functioning as a fileserver too. As I read in the documentation, I cannot (shouldn't) use idmap config parameters in the smb.conf on my dc3. Unfortunately, first I copied those parameters too from fileserver1 (I use the rid backend on fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.
> > When I create a file from Windows on a dc3 share, the owner is ok (DOMAIN\user), but the group is users. From the dc3 command line, I can set user and group ownership correctly.
> > How can I correct the setup on dc3?
> > dc3:
> > [global]
> >        bind interfaces only = Yes
> >        dns forwarder = 208.67.220.220
> >        dos charset = CP852
> >        interfaces = lo enp0s3
> >        logon path = ""
> >        name resolve order = lmhosts host bcast
> >        netbios name = DC3
> >        realm = A.B.HU
> >        server role = active directory domain controller
> >        template homedir = /home/%D/users/%U
> >        template shell = /bin/bash
> >        unix charset = UTF8
> >        username map = /etc/samba/user.map
> >        workgroup = A
> >        idmap_ldb:use rfc2307 = yes
> >        csc policy = disable
> Nothing to do with your problem, but remove these lines from the smb.conf:
> logon path = ""

It disables roaming profiles.

> username map = /etc/samba/user.map
> The first is doing nothing and the second is probably interfering with the user mapping in idmap.ldb.
> It is probably a bit late to change now, but there is only one way to get the same numeric ID everywhere and that is to use the 'ad' winbind backend.

According to https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC:

"Identity Mapping works different on a Samba domain controller (DC) than on a domain member. For example, setting up an ID mapping back end, such as ad (RFC2307) or rid, in the smb.conf file is not supported and can cause the samba service to fail. For details, see Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails."

(At the end, it is a wrong link, but there is a paragraph related to this topic: https://wiki.samba.org/index.php/Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File)

This is why I removed the idmap config entries from the dc3 smb.conf.

"On a Samba Active Directory DC, Winbindd always reads the user IDs (UID) and group IDs (GID) from the values set in the uidNumber and gidNumber attributes set in the AD objects. For users and groups not having a UID or GID assigned, an ID is generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file."

There are no uidNumber and gidNumber attributes in my users' objects. If you are correct, then the documentation is wrong/outdated.

> The required uidNumber & gidNumber attributes will override the xidNumber attributes used on a DC, e.g. if you give Domain Users the gidNumber '10000', then all DCs will use '10000' for Domain Users, and if you use the 'ad' backend on the fileserver, Domain Users will have the ID '10000'.
On 08/08/2019 14:47, Pisch Tamás via samba wrote:
>>> Hi,
>>>
>>> I have a question again about my test environment. I have dc1, dc2, fileserver1, and dc3. dc3 is on another site, and is functioning as a fileserver too. As I read in the documentation, I cannot (shouldn't) use idmap config parameters in the smb.conf on my dc3. Unfortunately, first I copied those parameters too from fileserver1 (I use the rid backend on fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.
>>> When I create a file from Windows on a dc3 share, the owner is ok (DOMAIN\user), but the group is users. From the dc3 command line, I can set user and group ownership correctly.
>>> How can I correct the setup on dc3?
>>> dc3:
>>> [global]
>>>        bind interfaces only = Yes
>>>        dns forwarder = 208.67.220.220
>>>        dos charset = CP852
>>>        interfaces = lo enp0s3
>>>        logon path = ""
>>>        name resolve order = lmhosts host bcast
>>>        netbios name = DC3
>>>        realm = A.B.HU
>>>        server role = active directory domain controller
>>>        template homedir = /home/%D/users/%U
>>>        template shell = /bin/bash
>>>        unix charset = UTF8
>>>        username map = /etc/samba/user.map
>>>        workgroup = A
>>>        idmap_ldb:use rfc2307 = yes
>>>        csc policy = disable
>> Nothing to do with your problem, but remove these lines from the smb.conf:
>> logon path = ""
> It disables roaming profiles.
>
>> username map = /etc/samba/user.map
>> The first is doing nothing and the second is probably interfering with the user mapping in idmap.ldb.
>> It is probably a bit late to change now, but there is only one way to get the same numeric ID everywhere and that is to use the 'ad' winbind backend.
> According to https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC:
> "Identity Mapping works different on a Samba domain controller (DC) than on a domain member. For example, setting up an ID mapping back end, such as ad (RFC2307) or rid, in the smb.conf file is not supported and can cause the samba service to fail. For details, see Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails."
> (At the end, it is a wrong link, but there is a paragraph related to this topic: https://wiki.samba.org/index.php/Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File)

I have fixed the broken link, thanks for pointing it out.

> This is why I removed the idmap config entries from the dc3 smb.conf.
> "On a Samba Active Directory DC, Winbindd always reads the user IDs (UID) and group IDs (GID) from the values set in the uidNumber and gidNumber attributes set in the AD objects. For users and groups not having a UID or GID assigned, an ID is generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file."
> There are no uidNumber and gidNumber attributes in my users' objects.
> If you are correct, then the documentation is wrong/outdated.

No, there isn't anything really wrong with the documentation, you are just misunderstanding it, so it sounds like it needs making plainer.

You cannot add the 'idmap config' lines to a smb.conf on a DC. The id-mapping is done via idmap.ldb; the users & groups are mapped to xidNumber attributes in there. If you give normal users & groups a uidNumber or gidNumber, these will be used instead of the xidNumbers on DCs. You will need to use the winbind 'ad' backend on Unix domain members to use the uidNumber & gidNumber attributes.

Rowland
Thanks for your answer. It is clearer now for me.

> >> It is probably a bit late to change now, but there is only one way to get the same numeric ID everywhere and that is to use the 'ad' winbind backend.

So, on the Linux clients?

> > This is why I removed the idmap config entries from the dc3 smb.conf.
> > "On a Samba Active Directory DC, Winbindd always reads the user IDs (UID) and group IDs (GID) from the values set in the uidNumber and gidNumber attributes set in the AD objects. For users and groups not having a UID or GID assigned, an ID is generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file."
> > There are no uidNumber and gidNumber attributes in my users' objects.
> > If you are correct, then the documentation is wrong/outdated.
> No, there isn't anything really wrong with the documentation, you are just misunderstanding it, so it sounds like it needs making plainer.
> You cannot add the 'idmap config' lines to a smb.conf on a DC. The id-mapping is done via idmap.ldb; the users & groups are mapped to xidNumber attributes in there.

And is it hidden? I mean, 'samba-tool user show username' doesn't show that attribute.

> If you give normal users & groups a uidNumber or gidNumber, these will be used instead of the xidNumbers on DCs. You will need to use the winbind 'ad' backend on Unix domain members to use the uidNumber & gidNumber attributes.

I use rid on the fileserver. So, when I get the users' uid and gid on it, set them as uidNumber and gidNumber on dc3, and run net cache flush on dc3, should I then see the same user and group IDs on dc3 as on fileserver1, for example with getent passwd? I tested it with an existing user. Now, I see the uidNumber and gidNumber (set by myself) with samba-tool user show user1, but getent passwd A\\user1 shows the old user and group IDs.
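Added example (not part of the thread, and not Samba's own code) that models the ID-resolution rules Rowland describes and the experiment Tamás tries at the end: a DC uses uidNumber/gidNumber when set and otherwise the xidNumber from idmap.ldb, a member with the 'rid' backend computes range-low + RID (the formula documented in idmap_rid(8)), and a member with the 'ad' backend reads uidNumber directly. The users, RIDs, xidNumbers and the 10000 range start are constructed values, and winbind caching is deliberately left out of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AdUser:
    """Constructed stand-in for an AD user object (only the fields needed here)."""
    name: str
    rid: int                            # last component of the objectSid
    uid_number: Optional[int] = None    # RFC2307 uidNumber attribute, if set


# Constructed idmap.ldb content on the DC: RID -> locally generated xidNumber.
# Real DCs allocate these on first sight of the SID; the values are invented.
IDMAP_LDB_XID = {1105: 3000021, 1106: 3000022}


def dc_uid(user: AdUser) -> Optional[int]:
    """Winbind on a DC: uidNumber from AD wins, else the xidNumber in idmap.ldb."""
    if user.uid_number is not None:
        return user.uid_number
    return IDMAP_LDB_XID.get(user.rid)


def member_uid(user: AdUser, backend: str, range_low: int = 10000) -> Optional[int]:
    """Winbind on a Unix domain member: the 'idmap config' backend decides."""
    if backend == "rid":
        # idmap_rid(8): ID = RID + lower bound of the configured range; no AD attribute needed
        return range_low + user.rid
    if backend == "ad":
        # idmap_ad: the ID is uidNumber; a user without it stays unmapped (None)
        return user.uid_number
    raise ValueError(f"unsupported backend {backend!r}")


def consistent_everywhere(user: AdUser, backend: str) -> bool:
    """True when the DC and the member resolve the same numeric UID for this user."""
    on_dc = dc_uid(user)
    return on_dc is not None and on_dc == member_uid(user, backend)


# user1: no uidNumber, as in the original dc3 setup; user2: uidNumber copied from
# the rid-backend fileserver by hand (10000 + 1106), the experiment from the thread.
USER1 = AdUser("user1", rid=1105)
USER2 = AdUser("user2", rid=1106, uid_number=11106)

if __name__ == "__main__":
    for u in (USER1, USER2):
        for be in ("rid", "ad"):
            print(u.name, be, dc_uid(u), member_uid(u, be), consistent_everywhere(u, be))
```

The hand-copied uidNumber only lines up with a 'rid' member because its value happens to equal range-low + RID; with the 'ad' backend the match holds for every user that has the attribute, which is Rowland's point.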