Rowland Penny
2022-Mar-04 19:01 UTC
[Samba] Samba forces domain members to use winbind now
On Fri, 2022-03-04 at 17:43 +0000, Vaughan, Robert J via samba wrote:
> Before the winbind requirement, our Samba (ads member) worked I
> suppose something along these lines ..
>
> Windows user authenticated by AD and then DOMAIN\user reduced to
> 'user' by Samba and found a match in our UNIX LDAP (via nsswitch sss
> or ldap entry) because we have all our Samba users setup in our UNIX
> LDAP with the same (matching) userid to get the UNIX uid and gid info

Before Samba 4.8.0 that would have worked.

> Now we must use winbind to authenticate with AD and winbind needs to
> be configured as to how it gets the UNIX uid/gid info (either by
> generating them, or looking them up in some backend facility)

That is correct.

> So I want to use our UNIX LDAP as that backend facility

Not sure that is going to work.

> It seems to work fairly well with a config like this ..
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config XXX : backend = nss
> idmap config XXX : range = 400-199999

The 'nss' backend requires you to have the same users in your database
and AD, and the AD users would be mapped to the users in your database.

> but I have seen where a test user (and me too) who could map a share
> one day be unable to map it the next with this error ..
>
> create_connection_session_info: user 'my userid' (from session setup)
> not permitted to access this share
>
> If I stop smb and winbind at that point, delete tdb files, restart
> smb and winbind it starts working again

If an error occurs looking up your user in your ldap, then winbind will
not have a user to map to. You could also have intermittent problems
connecting to AD.

> So I feel like I am close to something that works for us

No, you seem to have something that sometimes works for you. As you
have already admitted that the ldap is only used for authentication,
your best bet would be to add your user and group IDs to AD and then
use the 'ad' winbind idmap backend.

Rowland
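For reference, the smb.conf layout Rowland is recommending, written out as an added example; it is not configuration from the thread or from the Samba project. The workgroup XXX and the two ranges are taken from the poster's quoted config, the realm is a placeholder, and the remaining settings are standard idmap_ad(8) and smb.conf(5) options. It assumes every AD user that should reach the shares has a uidNumber, and its primary group a gidNumber, inside the 400-199999 range.

```ini
[global]
   security = ads
   workgroup = XXX
   realm = EXAMPLE.COM                     ; placeholder, not from the thread

   ; Default domain (BUILTIN, local SIDs, trusted domains without their own
   ; block): IDs are allocated on the fly. This range must not overlap the
   ; XXX range below, or the two backends will hand out colliding IDs.
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

   ; XXX domain: read uidNumber / gidNumber (RFC2307 attributes) straight
   ; from AD instead of looking the name up through NSS. A user or group
   ; with no attribute, or with one outside the range, is simply unmapped;
   ; nothing is guessed and nothing is cached from a failed LDAP lookup.
   idmap config XXX : backend = ad
   idmap config XXX : schema_mode = rfc2307
   idmap config XXX : range = 400-199999

   ; Optional: also take loginShell / unixHomeDirectory from AD rather
   ; than from 'template shell' / 'template homedir'.
   idmap config XXX : unix_nss_info = yes

   ; Strip the DOMAIN\ prefix so 'XXX\user' is seen as 'user', which is
   ; the behaviour the poster had before the winbind requirement.
   winbind use default domain = yes
```

After switching backends, restart smbd and winbindd and clear the stale mappings with `net cache flush`, then check the result with `testparm` (syntax and overlapping-range errors), `wbinfo -i user` and `getent passwd user`; the uid and gid reported should be exactly the uidNumber and gidNumber set in AD, not a value from the 1000000-1999999 allocation range. If the lookup returns nothing, the attribute is missing or outside the range rather than the mapping being cached wrong, which is the behaviour that the nss-backend setup in the thread could not guarantee.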
Vaughan, Robert J
2022-Mar-04 19:43 UTC
[Samba] Samba forces domain members to use winbind now
> The 'nss' backend requires you to have the same users in your database
> and AD and the AD users would be mapped to the users in your database.

Yes, that is correct, our UNIX LDAP has the same users in it as AD minus
those who do not use SAMBA (so it is a sub-set of AD).

> As you have already admitted that the ldap is only used for
> authentication

I thought AD was used for authentication and our LDAP used for
authorization to the share (via the uid/gid)?

Any idea why stopping samba/winbind and having to delete the tdb files
is necessary to get it working again?

Did you think that some problem looking them up in AD or our LDAP might
result in winbind creating a mapping in tdb for that user that then
would not have permissions on the share?

Rob