Hi All,

I'd like to start using the 'rid' idmap backend rather than 'tdb' on my member servers to keep gidNumbers in sync across the realm INCLUDING the DC.

Problem is when I execute

member1# getent group "MPD1\group1"

I get no output. The gidNumbers fall within the range of 30000-60000. testparm passes nicely. No errors logged whilst executing getent.

Could anyone point me in the right direction? Thank you.

ADDC:
Gentoo hardened; kernel 4.9
Samba 4.5.15 (installed from the distribution)

addc /etc/samba/smb.conf
# Global parameters
[global]
        server role check:inhibit=yes
        dsdb:schema update allowed = yes
        netbios name = ACDC
        realm = SOME.REA.LM
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        unix extensions = no
        security = user
        dns forwarder = 1.2.3.4
        allow dns updates = nonsecure
        log level = 1
        log file = /var/log/samba/log.%m
        ntp signd socket directory = /var/lib/samba/ntp_signd
        time server = yes

member1:
Gentoo hardened 2018; kernel 4.17
Samba 4.11.0 compiled:
./configure --prefix=/usr/local/samba --disable-cups --disable-iprint --without-ad-dc

member1 /etc/samba/smb.conf
[global]
        netbios name = member1
        realm = SOME.REA.LM
        workgroup = DOMAIN
        security = ADS
        log level = 2
        max log size = 50000
        log file = /var/log/samba/log.%m
        idmap config * : backend = tdb
        idmap config * : range = 20000-25000
        idmap config MPD1 : backend = rid
        idmap config MPD1 : range = 30000-60000

member1 /etc/nsswitch.conf
passwd:      compat files winbind
shadow:      compat files
group:       compat files winbind

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

lrwxrwxrwx 1 root root 26 Oct 10 14:33 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Oct 10 14:32 /lib64/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
On 23/10/2019 16:49, Leszek Gubernat via samba wrote:
> Hi All,
> I'd like to start using the 'rid' idmap backend rather than 'tdb' on my member
> servers to keep gidNumbers in sync across the realm INCLUDING the DC.

You cannot. A DC uses idmap.ldb to store xidNumbers (which are in the 3000000 range); you cannot use the 'rid' or 'ad' backend on a DC.

On a Unix domain member the 'rid' backend calculates the user or group ID from the object's RID and the DOMAIN low range.

If you want the same IDs everywhere you must add uidNumber & gidNumber attributes to AD and use the 'ad' backend on all Unix domain members.

> Problem is when I execute
> member1# getent group "MPD1\group1"
> I get no output. The gidNumbers fall within the range of 30000-60000.
> testparm passes nicely. No errors logged whilst executing getent.
> Could anyone point me in the right direction? Thank you.

This is strange; from your smb.conf below, you are using the 'rid' backend, so it should work.

>
>
> ADDC:
> Gentoo hardened; kernel 4.9
> Samba 4.5.15 (installed from the distribution)
>
> addc /etc/samba/smb.conf
> # Global parameters
> [global]
>         server role check:inhibit=yes
>         dsdb:schema update allowed = yes
>         netbios name = ACDC
>         realm = SOME.REA.LM
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         unix extensions = no
>         security = user

Remove the 'security' line

>         dns forwarder = 1.2.3.4
>         allow dns updates = nonsecure
>         log level = 1
>         log file = /var/log/samba/log.%m
>         ntp signd socket directory = /var/lib/samba/ntp_signd
>         time server = yes

Of course it's a time server, it is a DC

>
>
>
>
> member1:
> Gentoo hardened 2018; kernel 4.17
> Samba 4.11.0 compiled:
> ./configure --prefix=/usr/local/samba --disable-cups --disable-iprint
> --without-ad-dc
>
>
>
> member1 /etc/samba/smb.conf
> [global]
>         netbios name = member1
>         realm = SOME.REA.LM
>         workgroup = DOMAIN
>         security = ADS
>         log level = 2
>         max log size = 50000
>         log file = /var/log/samba/log.%m
>         idmap config * : backend = tdb
>         idmap config * : range = 20000-25000
>         idmap config MPD1 : backend = rid
>         idmap config MPD1 : range = 30000-60000
>

I take it that 'DOMAIN' is actually 'MPD1'

>
>
>
> member1 /etc/nsswitch.conf
> passwd:      compat files winbind
> shadow:      compat files
> group:       compat files winbind

'compat' and 'files' are the same thing

>
> hosts:       files dns
> networks:    files dns
>
> services:    db files
> protocols:   db files
> rpc:         db files
> ethers:      db files
> netmasks:    files
> netgroup:    files
> bootparams:  files
>
> automount:   files
> aliases:     files
>
>
> lrwxrwxrwx 1 root root 26 Oct 10 14:33 /lib64/libnss_winbind.so ->
> /lib64/libnss_winbind.so.2
> lrwxrwxrwx 1 root root 40 Oct 10 14:32 /lib64/libnss_winbind.so.2 ->
> /usr/local/samba/lib/libnss_winbind.so.2
>
>

Is PAM installed? (I am not a Gentoo user)

Rowland
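To make Rowland's description of the 'rid' backend concrete, here is an added Python example (not from the thread and not Samba's own code) that reads the member server's idmap lines as posted above and computes the ID winbind would derive for a given SID, or reports no mapping when the result falls outside the configured range. The SIDs are constructed, and the formula ID = low range + (RID - base_rid) with base_rid defaulting to 0 is taken from the idmap_rid manual page, so it is an assumption about the backend rather than something the thread states.

```python
import re

# Constructed sample: the idmap settings from the member1 smb.conf in the thread.
SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 20000-25000
        idmap config MPD1 : backend = rid
        idmap config MPD1 : range = 30000-60000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.M
)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "low": int, "high": int}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val
        else:
            low, high = val.split("-")
            entry["low"], entry["high"] = int(low), int(high)
    return cfg


def rid_of(sid):
    """The last sub-authority of an S-1-5-21-... domain SID is the object's RID."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid, domain, cfg, base_rid=0):
    """ID = low + (RID - base_rid), as the rid backend derives it on a member.
    Returns None when the ID lands outside the range: winbind then has no
    mapping and getent prints nothing. (A DC is different: it hands out
    xidNumbers from idmap.ldb instead, as noted in the reply above.)"""
    entry = cfg[domain]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    xid = entry["low"] + rid_of(sid) - base_rid
    return xid if entry["low"] <= xid <= entry["high"] else None
```

A group whose RID is larger than the span of the range (here anything above 30000) is one case in which the 'rid' backend silently yields no entry even though testparm is happy.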
Hi Rowland,

thank you for your informative answer. I applied the remarks. Although 'rid' still doesn't work, the 'ad' backend does and this is what I need.

Best regards,
Leszek

On 23.10.2019 at 18:23, Rowland penny via samba wrote:

-- 
Medycyna Praktyczna - IT Department
tel: 124465379, mobile: 663430379
Cholerzyn 445, 32-060 Liszki