I have successfully migrated our users (~3900) from our Samba 3 DC/OpenLDAP, complete with passwords. I have some 300+ groups that I'm trying to get migrated to our Samba 4 AD. I can create the groups, but it looks from the domain member's side that groups don't work as I expect them to.

- Not all groups seem to be visible using 'getent group'. It looks like groups with a gidNumber below 1000 aren't visible. Where is this limit configured?

- Am I supposed to be able to list group members using 'getent group groupname'? Now the groups that are visible don't have any members in them.

- I have two accounts, uid 510 and 527 respectively. 510 is a member of all the groups like on the Samba DC, the other one isn't a member of any other groups than users(100) and BUILTIN\users. How do I debug this? I suspect that if a user is defined to be a member of a group with a gidNumber below a certain limit, he or she isn't going to be a member of any extra groups, or something in this order.

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
On 15/5/20 at 14:11, Harald Hannelius via samba wrote:
> - Not all groups seem to be visible using 'getent group'. It looks
> like groups with a gidNumber below 1000 aren't visible. Where is this
> limit configured?

You have to configure the idmap range for your domain. See here:

https://wiki.samba.org/index.php/Idmap_config_ad

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 15/05/2020 13:11, Harald Hannelius via samba wrote:
> I have successfully migrated our users (~3900) from our Samba 3
> DC/OpenLDAP, complete with passwords.

How did you carry out the migration?

> I have some 300+ groups that I'm trying to get migrated to our Samba
> 4 AD.

Why do you need over 300 groups?

> I can create the groups, but it looks from the domain member's side
> that groups don't work as I expect them to.
>
> - Not all groups seem to be visible using 'getent group'. It looks
> like groups with a gidNumber below 1000 aren't visible. Where is this
> limit configured?

In smb.conf, might be an idea to post your smb.conf.

> - Am I supposed to be able to list group members using 'getent
> group groupname'? Now the groups that are visible don't have any
> members in them.

Yes to the first question, and how did you create the groups and add members to them for the second?

> - I have two accounts, uid 510 and 527 respectively. 510 is a member
> of all the groups like on the Samba DC, the other one isn't a member
> of any other groups than users(100) and BUILTIN\users. How do I debug
> this? I suspect that if a user is defined to be a member of a group
> with a gidNumber below a certain limit, he or she isn't going to be a
> member of any extra groups, or something in this order.

It is possible your ID numbers are too low; one problem is that the ID '100' for users is only used on a DC. Post your smb.conf and we will go from there.

Rowland
[please keep replies on the list]

On 15/5/20 at 14:40, Harald Hannelius wrote:
>     idmap config sad:unix_primary_group = yes
>     idmap config sad:unix_nss_info = yes
>     idmap config sad:range = 500-4000000
>     idmap config sad:schema_mode = rfc2307
>     idmap config sad:backend = ad
>     idmap config * : range = 5000000-9000000
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     printing = bsd
>     vfs objects = acl_xattr

Well, then I don't know. I have a range 490-60000 for my domain and it works.
I also have

    winbind nss info = rfc2307

but I don't know if it's relevant to your problem.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010) Fax +34 93 5883007
On 15/05/2020 13:48, Harald Hannelius wrote:
> I created a script that looped on 'getent passwd' from the old DC. It
> called samba-tool and pdbedit to add the users;
>
>     samba-tool user create $username Some2pass/e --use-username-as-cn \
>         --nis-domain=sad --unix-home=$home --uid-number=$uid \
>         --login-shell=/bin/bash --gid-number=100 --given-name="${givenname}" \
>         --surname="${surname}" --gecos "$gecos"
>
>     pdbedit --set-nt-hash=$passhash $username

Two things wrong with that: you do not need to use pdbedit to set the user's password, the samba-tool command does it for you, and you have set every user's gidNumber to '100'. The '100' comes from idmap.ldb on a DC:

    dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
    cn: S-1-5-21-1768301897-3342589593-1064908849-513
    objectClass: sidMap
    objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
    type: ID_TYPE_GID
    xidNumber: 100
    distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

This is where 'Domain Users' (the RID 513) is mapped to '100' (the Unix ID for the 'users' group).

Unless you have added a gidNumber attribute containing '100' to a group in AD, no users have a group, but even if you have, the '100' is less than the DOMAIN low range '500', so it and all users will be ignored.

If you are now saying "but I do get users", then you probably have the same users in AD and /etc/passwd; this is not allowed, delete them from /etc/passwd.

>>> I have some 300+ groups that I'm trying to get migrated to our
>>> Samba 4 AD.
>> Why do you need over 300 groups?
>
> We have an intra filesystem that is over 15 years old.

And you are trying to make AD work like your old ldap ;-)

>>> I can create the groups, but it looks from the domain member's side
>>> that groups don't work as I expect them to.

Please read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:
https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
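The following is an added example, not code from the thread or from Samba. It mechanically applies the rule stated in the message above: with `idmap config DOM:backend = ad` a single `idmap config DOM:range = LOW-HIGH` covers both uidNumber and gidNumber, and an object whose ID is outside it (for a user, its uidNumber or its primary gidNumber) is not mapped on the domain member. The input lines are constructed to resemble the thread (users with gidNumber 100, groups with assorted gidNumbers) and the `kind:name:uidNumber:gidNumber` format is the example's own, not an AD export format.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: report which AD objects a
# domain member using the 'ad' idmap backend would ignore because their
# uidNumber/gidNumber falls outside the single per-domain range that covers
# both users and groups.

# Constructed sample (the thread's numbers, not real AD data).
# Format, invented for this example: kind:name:uidNumber:gidNumber
# (groups leave uidNumber empty; for users gidNumber is the primary group).
SAMPLE_IDS='user:harald:510:100
user:other:527:100
user:svc-backup:1200:1005
group:Domain Users::100
group:staff::1005
group:legacy-fs::600
group:too-high::4000001'

# idmap_in_range LOW-HIGH ID : succeeds when LOW <= ID <= HIGH
idmap_in_range() {
    _low=${1%-*}
    _high=${1#*-}
    [ "$2" -ge "$_low" ] && [ "$2" -le "$_high" ]
}

# idmap_check LOW-HIGH : reads sample lines on stdin and prints one
# "OK"/"IGNORED" line per object, with the reason for IGNORED.
idmap_check() {
    _range=$1
    while IFS=: read -r _kind _name _uid _gid; do
        [ -z "$_kind" ] && continue
        _why=''
        case $_kind in
            user)
                # A user needs a mappable uidNumber AND a mappable primary gidNumber.
                if ! idmap_in_range "$_range" "$_uid"; then
                    _why="uidNumber=$_uid outside $_range"
                elif ! idmap_in_range "$_range" "$_gid"; then
                    _why="primary gidNumber=$_gid outside $_range"
                fi
                ;;
            group)
                idmap_in_range "$_range" "$_gid" || _why="gidNumber=$_gid outside $_range"
                ;;
        esac
        if [ -z "$_why" ]; then
            printf 'OK      %-5s %s\n' "$_kind" "$_name"
        else
            printf 'IGNORED %-5s %s (%s)\n' "$_kind" "$_name" "$_why"
        fi
    done
}

# idmap_ignored_count LOW-HIGH : how many sample objects that range loses
idmap_ignored_count() {
    printf '%s\n' "$SAMPLE_IDS" | idmap_check "$1" | awk '/^IGNORED/ { n++ } END { print n + 0 }'
}

# Stand-alone run: the thread's range, then a range that also covers gid 100.
printf '%s\n' "$SAMPLE_IDS" | idmap_check 500-4000000
echo "ignored with range 500-4000000: $(idmap_ignored_count 500-4000000)"
echo "ignored with range 100-4000000: $(idmap_ignored_count 100-4000000)"
```

With the thread's `500-4000000` range every user whose primary group is gidNumber 100 is reported as ignored, exactly the symptom described, even though their uidNumbers (510, 527) are inside the range. Feeding real uidNumber/gidNumber values exported from AD into `idmap_check` in the same line format turns this into a pre-flight check before changing `idmap config` on a member server.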
On 15/05/2020 14:28, Luca Olivetti via samba wrote:
> Well, then I don't know. I have a range 490-60000 for my domain and it
> works.
> I also have
>
>     winbind nss info = rfc2307
>
> but I don't know if it's relevant to your problem.

Probably not, if you are running Samba >= 4.6.0 you can remove that line, it has been superseded by:

    idmap config SAMDOM:unix_nss_info = yes

Rowland
On Fri, 15 May 2020, Rowland penny via samba wrote:
> On 15/05/2020 13:48, Harald Hannelius wrote:
>> I created a script that looped on 'getent passwd' from the old DC. It
>> called samba-tool and pdbedit to add the users;
>>
>>     samba-tool user create $username Some2pass/e --use-username-as-cn \
>>         --nis-domain=sad --unix-home=$home --uid-number=$uid \
>>         --login-shell=/bin/bash --gid-number=100 --given-name="${givenname}" \
>>         --surname="${surname}" --gecos "$gecos"
>>
>>     pdbedit --set-nt-hash=$passhash $username
>
> Two things wrong with that: you do not need to use pdbedit to set the user's
> password, the samba-tool command does it for you, and you have set every
> user's gidNumber to '100'. The '100' comes from idmap.ldb on a DC:

If there's a way to copy the sambaNTPassword password hash from the LDAP for the Samba 3 DC with samba-tool I would have loved to find that information long ago :)

>     dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
>     cn: S-1-5-21-1768301897-3342589593-1064908849-513
>     objectClass: sidMap
>     objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
>     type: ID_TYPE_GID
>     xidNumber: 100
>     distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
>
> This is where 'Domain Users' (the RID 513) is mapped to '100' (the Unix ID
> for the 'users' group).
>
> Unless you have added a gidNumber attribute containing '100' to a group in
> AD, no users have a group, but even if you have, the '100' is less than the
> DOMAIN low range '500', so it and all users will be ignored.

So the "idmap config sad:range" is for both uids and gids? There's no separate range for gids?

> If you are now saying "but I do get users", then you probably have the same
> users in AD and /etc/passwd; this is not allowed, delete them from
> /etc/passwd.

No, they are not in /etc/passwd on either the DC or the domain member server. I added them with samba-tool.

>>>> I have some 300+ groups that I'm trying to get migrated to our Samba 4
>>>> AD.
>>> Why do you need over 300 groups?
>>
>> We have an intra filesystem that is over 15 years old.
> And you are trying to make AD work like your old ldap ;-)

I guess so, yes.

>>>> I can create the groups, but it looks from the domain member's side that
>>>> groups don't work as I expect them to.
>
> Please read this:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and this: https://wiki.samba.org/index.php/Idmap_config_ad

I have read these, and followed the instructions. What I don't understand is why one user, uid 510, gid 100, works with all groups and another user with uid 527, gid 100 doesn't.

What isn't clear is: are uids and gids really in the same number space in Samba? What if a user has the same uid as a group's gid?

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020