On Fri, 15 May 2020, Rowland penny via samba wrote:

> On 15/05/2020 13:48, Harald Hannelius wrote:
>>
>> I created a script that looped on 'getent passwd' from the old DC. It
>> called samba-tool and pdbedit to add the users;
>>
>> samba-tool user create $username Some2pass/e --use-username-as-cn
>> --nis-domain=sad --unix-home=$home --uid-number=$uid
>> --login-shell=/bin/bash --gid-number=100 --given-name="${givenname}"
>> --surname="${surname}" --gecos "$gecos"
>>
>> pdbedit --set-nt-hash=$passhash $username
>
> Two things wrong with that, you do not need to use pdbedit to set the
> users' password, the samba-tool command does it for you, and you have set
> every user's gidNumber to '100'. The '100' comes from idmap.ldb on a DC:

If there's a way to copy the sambaNTPassword password-hash from the LDAP for
the Samba 3 DC with samba-tool, I would have loved to find that information
long ago :)

> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> cn: S-1-5-21-1768301897-3342589593-1064908849-513
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
>
> This is where 'Domain Users' (the RID 513) is mapped to '100' (the Unix ID
> for the 'users' group)
>
> Unless you have added a gidNumber attribute containing '100' to a group in
> AD, no users have a group, but even if you have, the '100' is less than the
> DOMAIN low range '500', so it and all users will be ignored.

So the "idmap config sad:range" is for both uid's and gid's? There's no
separate range for gid's?

> If you are now saying, but I do get users, then you probably have the same
> users in AD and /etc/passwd, this is not allowed, delete them from
> /etc/passwd.

No, they are not in /etc/passwd on either the DS or the Domain Member server.
I added them with samba-tool.

>>>> I have some 300 + groups that I'm trying to get migrated to our Samba 4
>>>> AD.
>>> Why do you need over 300 groups?
>>
>> We have an intra filesystem that is over 15 years old.
> And you are trying to make AD work like your old ldap ;-)

I guess so, yes.

>>>> I can create the groups, but it looks from the domain-member's side that
>>>> groups don't work as I expect them to.
>
> Please read this:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and this: https://wiki.samba.org/index.php/Idmap_config_ad

I have read these, and followed the instructions. What I don't understand is
why one user with uid 510, gid 100 works with all groups and another user
with uid 527, gid 100 doesn't.

What isn't clear is whether uid's and gid's really are in the same number
space in Samba? What if a user has the same uid as a group's gid?

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
On Fri, 15 May 2020, Harald Hannelius wrote:

> What isn't clear is whether uid's and gid's really are in the same number
> space in Samba? What if a user has the same uid as a group's gid?

Never mind, it looks OK now. There's maybe some caching going on that I
wasn't aware of.

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
On 15/05/2020 16:33, Harald Hannelius wrote:
> If there's a way to copy the sambaNTPassword password-hash from the
> LDAP for the Samba 3 DC with samba-tool I would have loved to find
> that information long ago :)

Why do you need the sambaNTPassword?

>
> So the "idmap config sad:range" is for both uid's and gid's? There's
> no separate range for gid's?

No, they both use the same range.

>
> I have read these, and followed the instructions. What I don't
> understand is why one user uid 510, gid 100 works with all groups and
> another user with uid 527, gid 100 doesn't.
>
> What isn't clear is whether uid's and gid's really are in the same
> number space in Samba? What if a user has the same uid as a group's gid?

Because the user or group object in AD has a unique SID, this is what counts
for authentication.

As in most cases, it looks like you might have been better off creating a
totally new AD domain with new Unix UID & GID numbers, this would have
allowed you to get away from the big mistake that was made with NT4-style
domains, using the RID as the Unix ID.

Rowland
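As an added example (not from the thread and not part of Samba's own tooling), a small POSIX shell check that reads the idmap range of a domain out of an smb.conf fragment and reports which uidNumber/gidNumber values fall outside it, which is how a gidNumber of 100 ends up ignored against a range that starts at 500. The smb.conf fragment, the domain name SAD and the user records are constructed placeholders.

```shell
#!/bin/sh
# Constructed smb.conf fragment for a member server (placeholder values,
# not the configuration from the thread)
SMB_CONF='[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAD : backend = ad
   idmap config SAD : schema_mode = rfc2307
   idmap config SAD : range = 500-99999
   idmap config SAD : unix_nss_info = yes'

# Constructed user records, name|uidNumber|gidNumber; the two gidNumber=100
# entries mirror the situation described in the thread
USERS='alice|510|100
bob|527|100
carol|600|600'

# Print "LOW HIGH" for the idmap range of the given domain (or '*')
idmap_range() {
    printf '%s\n' "$SMB_CONF" | awk -F'=' -v d="$1" '{
        k = $1; gsub(/[ \t]/, "", k)          # e.g. "idmapconfigSAD:range"
        if (tolower(k) == ("idmapconfig" tolower(d) ":range")) {
            gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit
        }
    }'
}

# Succeed if ID lies inside LOW..HIGH; winbind ignores IDs that do not
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# One line per user: "ok", or which ID falls outside the domain's range
check_users() {
    range=$(idmap_range "$1")
    [ -n "$range" ] || { echo "no idmap range configured for $1" >&2; return 1; }
    set -- $range
    lo=$1; hi=$2
    printf '%s\n' "$USERS" | while IFS='|' read -r name uid gid; do
        status=ok
        in_range "$uid" "$lo" "$hi" || status="uidNumber $uid outside $lo-$hi"
        in_range "$gid" "$lo" "$hi" || status="gidNumber $gid outside $lo-$hi"
        printf '%s: %s\n' "$name" "$status"
    done
}

check_users SAD
```

The same range is applied to both uidNumber and gidNumber, so a user whose uid is inside the range is still flagged when the primary gid is not.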
On Fri, 15 May 2020, Rowland penny via samba wrote:

> On 15/05/2020 16:33, Harald Hannelius wrote:
>> If there's a way to copy the sambaNTPassword password-hash from the LDAP
>> for the Samba 3 DC with samba-tool I would have loved to find that
>> information long ago :)
> Why do you need the sambaNTPassword?

So the users would have the same password. I don't have time to wait for our
IDM to change the passwords one by one.

>> So the "idmap config sad:range" is for both uid's and gid's? There's no
>> separate range for gid's?
> No, they both use the same range.

I see.

>> I have read these, and followed the instructions. What I don't understand
>> is why one user uid 510, gid 100 works with all groups and another user
>> with uid 527, gid 100 doesn't.
>>
>> What isn't clear is whether uid's and gid's really are in the same number
>> space in Samba? What if a user has the same uid as a group's gid?
> Because the user or group object in AD has a unique SID, this is what counts
> for authentication.
>
> As in most cases, it looks like you might have been better off creating a
> totally new AD domain with new Unix UID & GID numbers, this would have
> allowed you to get away from the big mistake that was made with NT4-style
> domains, using the RID as the Unix ID.

That might be true. I have two large filesystems with users and groups that
would have required migration in that case. Which would have been an even
greater mess I think. But since my users now have uidNumber: in AD, don't
they use that as uid and not the RID?

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020