On Wed, 2022-05-11 at 15:11 +0000, Jim Brand wrote:
> There is a problem with your uid, in your smb.conf you posted this:
>
> You are saying that your uid (or ID) is '3578', but :
>
> 3578 != 7880
>
> So where is it coming from ????
>
> 3578 is UID from AD and local on the box. Our organization requires
> local userids on all servers(!) The only time we join AD on Linux is
> for Samba.

The smb.conf that you posted in your first post is from a Unix domain
member. You do not have 'local users' (users in /etc/passwd) that are
also in AD e.g. you do not have the user 'fred' in /etc/passwd and in
AD. If you do have the same usernames in both, the local user will be
used before the AD users and the two users are totally different users
even if they are both called 'fred'.

> Since our Samba files normally match UID/GID in /etc/passwd, not RID
> + Offset I assume ' backend = rid' has never worked properly.

No, your understanding of Samba seems to be the problem, you seem to
be treating Samba as a standalone server (which, from your sample
smb.conf, it isn't) and a Unix domain member.

> Since we want UIDs to match /etc/passwd I'm going to try again to
> get Samba working with ad backend.

If you go down this path (just use the Unix IDs for the uidNumber or
gidNumber attributes in AD), remove the users from /etc/passwd, you
will no longer require them.

> Or we can stick with
> security = DOMAIN
> which gives us the desired behavior. Only problem is when servers
> reboot we have to rejoin the domain. Security = ADS solved that.

Do not use 'security = DOMAIN', it requires SMBv1 and this will be
removed from Samba.

Rowland
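The two configuration points Rowland makes above (drop 'security = DOMAIN', and give the domain its own idmap backend so domain users get Unix IDs from AD) can be checked mechanically before a server is rejoined. The script below is an added example for this thread, not code from Rowland, Jim or the Samba project. The smb.conf parameter names are real, but the two sample configs, the SAMDOM workgroup and the SAMDOM.EXAMPLE.COM realm are constructed, and the "after" config assumes the uidNumber/gidNumber attributes in AD are actually populated.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: a small lint for
# the two points raised above. It flags 'security = DOMAIN' (Rowland: needs
# SMBv1, which is being removed) and, for a Unix domain member, a missing
# 'idmap config DOMAIN : backend' line. Parameter names are real smb.conf
# keys; the sample configs, SAMDOM and SAMDOM.EXAMPLE.COM are constructed.

# Constructed "before" config: a domain member still using security = DOMAIN
# and only the default idmap backend.
OLD_CONF='[global]
   workgroup = SAMDOM
   security = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
'

# Constructed "after" config: ADS with the ad backend, so Unix IDs come from
# the uidNumber/gidNumber attributes in AD (assumes they are populated).
NEW_CONF='[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   winbind nss info = rfc2307
'

# Read smb.conf text on stdin; emit one "key=value" line per parameter with
# comments stripped, whitespace trimmed and the key lowercased.
normalise_conf() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F= 'NF >= 2 {
        key = tolower($1); gsub(/[[:space:]]+/, " ", key); sub(/ $/, "", key)
        val = $2; sub(/^[[:space:]]+/, "", val)
        print key "=" val
    }'
}

# conf_get NORMALISED_TEXT KEY: last value set for KEY (empty if unset).
conf_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Read smb.conf text on stdin; print one FAIL/WARN line per finding and
# nothing for a clean config.
check_conf() {
    conf=$(normalise_conf)
    sec=$(conf_get "$conf" security | tr 'A-Z' 'a-z')
    wg=$(conf_get "$conf" workgroup | tr 'A-Z' 'a-z')
    case "$sec" in
        domain) echo "FAIL: security = DOMAIN relies on SMBv1; use security = ADS" ;;
        ads)    [ -n "$(conf_get "$conf" realm)" ] ||
                    echo "FAIL: security = ADS needs a 'realm =' line" ;;
        *)      echo "WARN: security = '$sec'; a Unix domain member should use ADS" ;;
    esac
    [ -n "$(conf_get "$conf" "idmap config $wg : backend")" ] ||
        echo "FAIL: no 'idmap config $wg : backend' line, domain users get no stable Unix IDs"
    return 0
}

echo "--- old config ---"; printf '%s\n' "$OLD_CONF" | check_conf
echo "--- new config ---"; printf '%s\n' "$NEW_CONF" | check_conf
```

On a real server run it as `check_conf < /etc/samba/smb.conf`; it only reads the file. The lint deliberately treats the missing per-domain backend as a failure rather than a warning, because without it the IDs winbind hands out are local to that one server, which is exactly the "UIDs don't match" situation described in the thread.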
On Wed, 2022-05-11 at 16:28 +0100, Rowland Penny via samba wrote:
> On Wed, 2022-05-11 at 15:11 +0000, Jim Brand wrote:
> > There is a problem with your uid, in your smb.conf you posted this:
> >
> > You are saying that your uid (or ID) is '3578', but :
> >
> > 3578 != 7880
> >
> > So where is it coming from ????
> >
> > 3578 is UID from AD and local on the box. Our organization requires
> > local userids on all servers(!) The only time we join AD on Linux is
> > for Samba.
>
> The smb.conf that you posted in your first post is from a Unix domain
> member. You do not have 'local users' (users in /etc/passwd) that are
> also in AD e.g. you do not have the user 'fred' in /etc/passwd and in
> AD. If you do have the same usernames in both, the local user will be
> used before the AD users and the two users are totally different users
> even if they are both called 'fred'.
>
> > Since our Samba files normally match UID/GID in /etc/passwd, not RID
> > + Offset I assume ' backend = rid' has never worked properly.
>
> No, your understanding of Samba seems to be the problem, you seem to
> be treating Samba as a standalone server (which, from your sample
> smb.conf, it isn't) and a Unix domain member.
>
> > Since we want UIDs to match /etc/passwd I'm going to try again to
> > get Samba working with ad backend.
>
> If you go down this path (just use the Unix IDs for the uidNumber or
> gidNumber attributes in AD), remove the users from /etc/passwd, you
> will no longer require them.
>
> > Or we can stick with
> > security = DOMAIN
> > which gives us the desired behavior. Only problem is when servers
> > reboot we have to rejoin the domain. Security = ADS solved that.
>
> Do not use 'security = DOMAIN', it requires SMBv1 and this will be
> removed from Samba.
>
> Rowland

Just to prove what I'm saying is true, I ran a few commands on a Unix
domain member:

First, am I a domain user:

rowland at devstation:~$ wbinfo -u | grep rowland
rowland

Okay, I am a domain user.

Is my username in /etc/passwd:

rowland at devstation:~$ cat /etc/passwd | grep rowland
rowland at devstation:~$

So my name isn't in /etc/passwd, so does the Unix OS know who I am :

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Yes, it does.

I use the 'ad' idmap backend, but I would get a similar result with the
'autorid' or 'rid' idmap backends (only the numbers would change).

I can log into any of my Unix computers with the same username and
password and I only have to maintain those in one place, not 10, 20, 30
etc places.

Rowland
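Rowland's three commands check one user by hand. The script below, an added example that is not part of the thread, does the same comparison for every account at once: it lists the usernames that appear both in /etc/passwd and in the domain user list, with the local uid that NSS will return for each. Those are the entries to reconcile before trusting the 'ad' backend, since (as Rowland says) the local entry wins and the two are different users. The passwd lines, the SAMDOM domain and the names in the wbinfo output are constructed sample data, not anything from the posters' systems.

```shell
#!/bin/sh
# Added example, not from the thread: list usernames that exist both in
# /etc/passwd and in the domain (as 'wbinfo -u' reports them). NSS returns
# the local entry first and the two are different users, so these are the
# accounts to reconcile before relying on the 'ad' backend.
# The passwd lines and wbinfo output below are constructed sample data.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jbrand:x:3578:3578:Jim Brand:/home/jbrand:/bin/bash
Fred:x:3600:3600:Fred Local:/home/fred:/bin/bash
alice:x:3700:3700:Alice Local:/home/alice:/bin/bash'

# Constructed 'wbinfo -u' output; the DOMAIN\ prefix is absent when
# 'winbind use default domain = yes' is set, and both forms are handled.
WBINFO_SAMPLE='SAMDOM\administrator
SAMDOM\fred
SAMDOM\jbrand
SAMDOM\rowland'

# Domain names on stdin: drop any DOMAIN\ prefix and lowercase, since
# AD usernames are case-insensitive; one sorted, unique name per line.
domain_users() {
    sed -e '/^$/d' -e 's/^.*\\//' | tr 'A-Z' 'a-z' | sort -u
}

# passwd-format lines on stdin: names of human accounts (uid >= 1000),
# lowercased, so system accounts do not clutter the report.
local_users() {
    awk -F: '$3 >= 1000 { print tolower($1) }' | sort -u
}

# find_collisions PASSWD_TEXT WBINFO_TEXT
# Prints "name local-uid=N" for each name present in both sets.
find_collisions() {
    passwd_text=$1; wbinfo_text=$2
    tmp_local=$(mktemp); tmp_ad=$(mktemp)
    printf '%s\n' "$passwd_text" | local_users > "$tmp_local"
    printf '%s\n' "$wbinfo_text" | domain_users > "$tmp_ad"
    # comm needs both inputs in the same sort order; sort -u above does that.
    comm -12 "$tmp_local" "$tmp_ad" | while read -r name; do
        uid=$(printf '%s\n' "$passwd_text" |
              awk -F: -v n="$name" 'tolower($1) == n { print $3; exit }')
        printf '%s local-uid=%s\n' "$name" "$uid"
    done
    rm -f "$tmp_local" "$tmp_ad"
    return 0
}

# On a real member server: find_collisions "$(cat /etc/passwd)" "$(wbinfo -u)"
find_collisions "$PASSWD_SAMPLE" "$WBINFO_SAMPLE"
```

The sample deliberately spells the local account "Fred" with a capital so that the case-insensitive match still reports it; on a real system it is worth noting that after a collision is removed from /etc/passwd, `getent passwd name` should start returning the domain uid rather than the old local one, which is the behaviour Rowland's third command demonstrates.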
> If you do have the same usernames in both, the local user will be
> used before the AD users and the two users are totally different
> users even if they are both called 'fred'.

That explains a lot. For our old CentOS 5/6 servers, if we really just
need a standalone file server, all userids are local, and don't
otherwise need to join a domain, could we just use

security = user

Is that still a valid mode? Our clients are Windows 10.

Thanks,
Jim
McIntyre, Vincent (S&A, Marsfield)
2022-May-11 23:15 UTC
[Samba] security=domain (wa: What is the Uid in smbstatus command?)
On Wed, May 11, 2022 at 04:28:32PM +0100, Rowland Penny via samba wrote:
>> Or we can stick with
>> security = DOMAIN
>> which gives us the desired behavior. Only problem is when servers
>> reboot we have to rejoin the domain. Security = ADS solved that.
>
>Do not use 'security = DOMAIN', it requires SMBv1 and this will be
>removed from Samba.
>

Hi Rowland,

this is a bit of a surprise to me. I know "samba doesn't do roadmaps"
but can you point to somewhere this is documented?

I have looked through the wiki quite a lot but really can't recall
seeing this stated anywhere before; that security = domain is now
deprecated because of the SMBv1 requirement.

Kind regards
Vince