On 8/7/20 12:58 PM, Rowland penny via samba wrote:
> On 07/08/2020 20:12, Simon Matthews wrote:
>>
>> The client is running CentOS 7:
>>
>> # cat /etc/redhat-release
>> CentOS Linux release 7.8.2003 (Core)
>>
>> After another attempt, I have successfully joined the linux client to
>> the domain:
>>
>> # net rpc join MEMBER -S raidserver -U root%<password>
>> Using short domain name -- BLUE
>> Joined 'TURQUOISE' to domain 'BLUE'
>>
>> Note that the hostname of the Linux client is actually "H2". Turquoise
>> is a hold over from what it was earlier. "turquoise" resolves on the
>> network:
>>
>> $ ping turquoise
>> PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
>> 64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64
>> time=0.264 ms
> I would suggest you stop it resolving if it has gone away.
>>
>> Client config:
>> ========
>>
>> [global]
>>
>>
>> workgroup = BLUE
>> password server = raidserver
>> security = domain
>> idmap config * : range = 16777216-33554431
>
> This is where your problems start, you do not have enough lines, I
> would expect something like this:
>
>     idmap config * : backend = tdb
>     idmap config * : range = 100000-9999999
>     idmap config BLUE : backend = rid
>     idmap config BLUE : range = 500-99999
>
>> template shell = /bin/false
>> kerberos method = secrets only
> You do not use kerberos with a PDC
>> winbind use default domain = false
> If you want to remove the domain name 'BLUE\' from users and groups,
> change 'false' to 'yes'
>>
>> winbind offline logon = true
>> username map = /etc/samba/usermap.txt # This file is empty.
>>
>> server string = Samba Server Version %v
>>
>> netbios name = TURQUOISE
> If the clients name isn't 'turquoise' remove the above line and let
> Samba set it for you.
>> # client ntlmv2 auth = yes
>> # ntlm auth = no
>>
>> interfaces = lo eth1
>>
>> local master = no
>> os level = 20
>> preferred master = no
>>
>> wins support = no
>
> Might be an idea to replace the above line with 'wins server = <PDC IP>'
>
> Add this line:
>
> client max protocol = NT1
>
>>
>> Config on PDC (raidserver):
>> ================
>
> Not a lot wrong with the PDC smb.conf
>
> Again, can I stress that it would be a very good idea to upgrade to AD,

Yes, but I have limited resources for IT and the upgrade to AD is somewhat intrusive to the network (I am thinking of the impact to DNS).

The changes you suggested have worked. Thank you very much.

Simon

>
> Rowland

Blue Pearl Software, Inc. will collect and process information about you that may be subject to data protection laws. For more information about how we use and disclose your personal information, how we protect your information, our legal basis to use your information, your rights and who you can contact, please refer to the relevant sections of our Privacy note at www.bluepearlsoftware.com/privacypolicy.
On 07/08/2020 21:57, Simon Matthews wrote:
>
> Yes, but I have limited resources for IT and the upgrade to AD is
> somewhat intrusive to the network (I am thinking of the impact to DNS).

I understand, but I would put it on your to do list. Sooner or later, one of two things will happen, Microsoft will break NT4-style domains again, but not fix them this time, or Samba will totally remove SMBv1 and this will mean the end of nt4-style domains, you need SMBv1 for an NT4-style domain.

Rowland
On 07/08/2020 22:06, Rowland penny via samba wrote:
>
> On 07/08/2020 21:57, Simon Matthews wrote:
>>
>> Yes, but I have limited resources for IT and the upgrade to AD is
>> somewhat intrusive to the network (I am thinking of the impact to DNS).
>
> I understand, but I would put it on your to do list. Sooner or later,
> one of two things will happen, Microsoft will break NT4-style domains
> again, but not fix them this time, or Samba will totally remove SMBv1
> and this will mean the end of nt4-style domains, you need SMBv1 for an
> NT4-style domain.
>
> Rowland

Has something changed again? I know Windows messed things up around the 1803 release, but I thought NT4 domains worked without enabling SMBv1 in Win10. They did appear to work when I last checked some months ago.
On 8/7/20 1:57 PM, Simon Matthews wrote:
> On 8/7/20 12:58 PM, Rowland penny via samba wrote:
>> On 07/08/2020 20:12, Simon Matthews wrote:
>>>
>>> The client is running CentOS 7:
>>>
>>> # cat /etc/redhat-release
>>> CentOS Linux release 7.8.2003 (Core)
>>>
>>> After another attempt, I have successfully joined the linux client to
>>> the domain:
>>>
>>> # net rpc join MEMBER -S raidserver -U root%<password>
>>> Using short domain name -- BLUE
>>> Joined 'TURQUOISE' to domain 'BLUE'
>>>
>>> Note that the hostname of the Linux client is actually "H2". Turquoise
>>> is a hold over from what it was earlier. "turquoise" resolves on the
>>> network:
>>>
>>> $ ping turquoise
>>> PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
>>> 64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64
>>> time=0.264 ms
>> I would suggest you stop it resolving if it has gone away.
>>>
>>> Client config:
>>> ========
>>>
>>> [global]
>>>
>>>
>>> workgroup = BLUE
>>> password server = raidserver
>>> security = domain
>>> idmap config * : range = 16777216-33554431
>>
>> This is where your problems start, you do not have enough lines, I
>> would expect something like this:
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 100000-9999999
>>     idmap config BLUE : backend = rid
>>     idmap config BLUE : range = 500-99999
>>
>>> template shell = /bin/false
>>> kerberos method = secrets only
>> You do not use kerberos with a PDC
>>> winbind use default domain = false
>> If you want to remove the domain name 'BLUE\' from users and groups,
>> change 'false' to 'yes'
>>>
>>> winbind offline logon = true
>>> username map = /etc/samba/usermap.txt # This file is empty.
>>>
>>> server string = Samba Server Version %v
>>>
>>> netbios name = TURQUOISE
>> If the clients name isn't 'turquoise' remove the above line and let
>> Samba set it for you.
>>> # client ntlmv2 auth = yes
>>> # ntlm auth = no
>>>
>>> interfaces = lo eth1
>>>
>>> local master = no
>>> os level = 20
>>> preferred master = no
>>>
>>> wins support = no
>>
>> Might be an idea to replace the above line with 'wins server = <PDC IP>'
>>
>> Add this line:
>>
>> client max protocol = NT1
>>
>>>
>>> Config on PDC (raidserver):
>>> ================
>>
>> Not a lot wrong with the PDC smb.conf
>>
>> Again, can I stress that it would be a very good idea to upgrade to AD,
>
> Yes, but I have limited resources for IT and the upgrade to AD is
> somewhat intrusive to the network (I am thinking of the impact to DNS).
>
> The changes you suggested have worked. Thank you very much.

No, I was wrong about this. The name mapping is correct but the numeric IDs are different, so I still have permission issues:

# ls -al
total 28
drwxrwxrwx.  4 <user> blue 4096 Aug  7 14:40 .
drwxr-xr-x. 12 <user> blue 4096 Aug  6 13:06 ..
drwxr-xr-x.  2 <user> blue 4096 Aug  7 14:40 New folder

"New folder" is an empty folder I created from the Windows machine after setting the directory perms to 777. However, when we look at the actual UIDs:

# ls -aln
total 28
drwxrwxrwx.  4     2002      441 4096 Aug  7 14:40 .
drwxr-xr-x. 12     2002      441 4096 Aug  6 13:06 ..
drwxr-xr-x.  2 16777216 16777222 4096 Aug  7 14:40 New folder

Simon
Rpvs> On 07/08/2020 21:57, Simon Matthews wrote:
>> Yes, but I have limited resources for IT and the upgrade to AD is
>> somewhat intrusive to the network (I am thinking of the impact to DNS).

Rpvs> I understand, but I would put it on your to do list. Sooner or later,
Rpvs> one of two things will happen, Microsoft will break NT4-style domains
Rpvs> again, but not fix them this time, or Samba will totally remove SMBv1
Rpvs> and this will mean the end of nt4-style domains, you need SMBv1 for an
Rpvs> NT4-style domain.

Rpvs> Rowland

While less than ideal, sometimes having things break is simply the only way to impress on management that something needs attention. It's amazing how often management will starve IT for resources, yet when paychecks (or senior executive bonuses) can't go out because the server is broken, how quickly those resources get allocated. :)
On 07/08/2020 22:44, Simon Matthews via samba wrote:
>>> This is where your problems start, you do not have enough lines, I
>>> would expect something like this:
>>>
>>>     idmap config * : backend = tdb
>>>     idmap config * : range = 100000-9999999
>>>     idmap config BLUE : backend = rid
>>>     idmap config BLUE : range = 500-99999
>>>
>
> No, I was wrong about this. The name mapping is correct but the numeric
> IDs are different, so I still have permission issues:
>
> # ls -al
> total 28
> drwxrwxrwx.  4 <user> blue 4096 Aug  7 14:40 .
> drwxr-xr-x. 12 <user> blue 4096 Aug  6 13:06 ..
> drwxr-xr-x.  2 <user> blue 4096 Aug  7 14:40 New folder
>
> "New folder" is an empty folder I created from the Windows machine after
> setting the directory perms to 777. However, when we look at the actual
> UIDs:
>
> # ls -aln
> total 28
> drwxrwxrwx.  4     2002      441 4096 Aug  7 14:40 .
> drwxr-xr-x. 12     2002      441 4096 Aug  6 13:06 ..
> drwxr-xr-x.  2 16777216 16777222 4096 Aug  7 14:40 New folder

Try running 'net cache flush'

Also, the numbers I supplied were examples, you may need to tweak them.

The 'rid' backend calculates the Unix ID from the user's RID with this formula:

ID = RID + LOW_RANGE_ID

Which from the range I posted becomes:

ID = RID + 500

So, if a user has the RID 1000, they should have the ID '1500'

1500 = 1000 + 500

The '*' range is for the Well Known Sids and anything outside the domain

These numbers will probably not match any users you have in /etc/passwd (mind you, you shouldn't have any users in /etc/passwd)

Rowland
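The rid-backend arithmetic from the message above, as an added example that is not part of the original thread: it parses the suggested `idmap config` lines, checks that the ranges do not overlap, applies the formula as stated in the thread, and classifies the numeric owners from the `ls -aln` listing. The function names and the embedded smb.conf text are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines suggested in the thread.
SUGGESTED = """\
[global]
    workgroup = BLUE
    idmap config * : backend = tdb
    idmap config * : range = 100000-9999999
    idmap config BLUE : backend = rid
    idmap config BLUE : range = 500-99999
"""
LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$")

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    out = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if m:
            dom, key, val = m.groups()
            out.setdefault(dom, {})[key] = (
                tuple(int(n) for n in val.split("-")) if key == "range" else val)
    return out

def overlaps(domains):
    """Adjacent domain pairs (sorted by low ID) whose ranges intersect."""
    r = sorted((d["range"], n) for n, d in domains.items() if "range" in d)
    return [(a[1], b[1]) for a, b in zip(r, r[1:]) if b[0][0] <= a[0][1]]

def rid_to_id(rid, rng):
    """Formula from the thread: ID = RID + LOW_RANGE_ID; None if past the high end."""
    low, high = rng
    return rid + low if rid + low <= high else None

def classify(unix_id, domains):
    """Return (domain, implied RID) for the range holding unix_id, else (None, None)."""
    for name, d in domains.items():
        low, high = d.get("range", (1, 0))
        if low <= unix_id <= high:
            return name, (unix_id - low if d.get("backend") == "rid" else None)
    return None, None

if __name__ == "__main__":
    doms = parse_idmap(SUGGESTED)
    print("overlapping ranges:", overlaps(doms))
    print("RID 1000 ->", rid_to_id(1000, doms["BLUE"]["range"]))
    # Numeric owners taken from the `ls -aln` listing in the thread.
    for n in (2002, 441, 16777216, 16777222):
        print(n, "->", classify(n, doms))
```

With the suggested ranges, 2002 lands in the BLUE range (implied RID 1502), while 441 and the 16777216-series IDs fall outside every configured range; the latter sit inside the client's original '*' range of 16777216-33554431.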
@Nick,
Yes, Windows keeps trying to remove smb1 from your computer.
Always check it again after you have problems with old servers.

@Rowland:
> You must be lucky, I cannot get them to work unless I set 'server max
> protocol = NT1'

Even if you make sure SMB1 client is enabled in Windows 10 client?
Should work, not seeing any problems here and I still have 2 smb1 servers running.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Simon Matthews via samba
> Sent: Friday 7 August 2020 23:45
> To: sambalist
> Subject: Re: [Samba] User mapping?
>
> On 8/7/20 1:57 PM, Simon Matthews wrote:
> > On 8/7/20 12:58 PM, Rowland penny via samba wrote:
> >> On 07/08/2020 20:12, Simon Matthews wrote:
> >>>
> >>> The client is running CentOS 7:
> >>>
> >>> # cat /etc/redhat-release
> >>> CentOS Linux release 7.8.2003 (Core)
> >>>
> >>> After another attempt, I have successfully joined the linux client to
> >>> the domain:
> >>>
> >>> # net rpc join MEMBER -S raidserver -U root%<password>
> >>> Using short domain name -- BLUE
> >>> Joined 'TURQUOISE' to domain 'BLUE'
> >>>
> >>> Note that the hostname of the Linux client is actually "H2". Turquoise
> >>> is a hold over from what it was earlier. "turquoise" resolves on the
> >>> network:
> >>>
> >>> $ ping turquoise
> >>> PING h2.sj.bps (192.168.254.105) 56(84) bytes of data.
> >>> 64 bytes from h2.sj.bps (192.168.254.105): icmp_seq=1 ttl=64
> >>> time=0.264 ms
> >> I would suggest you stop it resolving if it has gone away.
> >>>
> >>> Client config:
> >>> ========
> >>>
> >>> [global]
> >>>
> >>>
> >>> workgroup = BLUE
> >>> password server = raidserver
> >>> security = domain
> >>> idmap config * : range = 16777216-33554431
> >>
> >> This is where your problems start, you do not have enough lines, I
> >> would expect something like this:
> >>
> >>     idmap config * : backend = tdb
> >>     idmap config * : range = 100000-9999999
> >>     idmap config BLUE : backend = rid
> >>     idmap config BLUE : range = 500-99999
> >>
> >>> template shell = /bin/false
> >>> kerberos method = secrets only
> >> You do not use kerberos with a PDC
> >>> winbind use default domain = false
> >> If you want to remove the domain name 'BLUE\' from users and groups,
> >> change 'false' to 'yes'
> >>>
> >>> winbind offline logon = true
> >>> username map = /etc/samba/usermap.txt # This file is empty.
> >>>
> >>> server string = Samba Server Version %v
> >>>
> >>> netbios name = TURQUOISE
> >> If the clients name isn't 'turquoise' remove the above line and let
> >> Samba set it for you.
> >>> # client ntlmv2 auth = yes
> >>> # ntlm auth = no
> >>>
> >>> interfaces = lo eth1
> >>>
> >>> local master = no
> >>> os level = 20
> >>> preferred master = no
> >>>
> >>> wins support = no
> >>
> >> Might be an idea to replace the above line with 'wins server = <PDC IP>'
> >>
> >> Add this line:
> >>
> >> client max protocol = NT1
> >>
> >>>
> >>> Config on PDC (raidserver):
> >>> ================
> >>
> >> Not a lot wrong with the PDC smb.conf
> >>
> >> Again, can I stress that it would be a very good idea to upgrade to AD,
> >
> > Yes, but I have limited resources for IT and the upgrade to AD is
> > somewhat intrusive to the network (I am thinking of the impact to DNS).
> >
> > The changes you suggested have worked. Thank you very much.
>
> No, I was wrong about this. The name mapping is correct but the numeric
> IDs are different, so I still have permission issues:
>
> # ls -al
> total 28
> drwxrwxrwx.  4 <user> blue 4096 Aug  7 14:40 .
> drwxr-xr-x. 12 <user> blue 4096 Aug  6 13:06 ..
> drwxr-xr-x.  2 <user> blue 4096 Aug  7 14:40 New folder
>
> "New folder" is an empty folder I created from the Windows machine after
> setting the directory perms to 777. However, when we look at the actual
> UIDs:
>
> # ls -aln
> total 28
> drwxrwxrwx.  4     2002      441 4096 Aug  7 14:40 .
> drwxr-xr-x. 12     2002      441 4096 Aug  6 13:06 ..
> drwxr-xr-x.  2 16777216 16777222 4096 Aug  7 14:40 New folder
>
> Simon