UID/GID mapping consistency across at least two Linux machines


UID/GID mapping consistency across at least two Linux machines

bakytn
I have two SAMBA machines

they both successfully joined to the same Active Directory (actually SAMBA 4)

I have copied the user files from server 1 to server 2

owner id and group ids are preserved.

on server 1, when I do: id user1
I get 2001

but on server 2
the same user has different id.

This is true for groups as well, i.e. different ids.

smb.confs are identical

Re: UID/GID mapping consistency across at least two Linux machines

bakytn
I found this: http://lists.samba.org/archive/samba/2004-January/078411.html

How to implement "a" scenario?

but how about a simpler way, like maybe running rsync to copy the necessary files from server 1 to server 2?

I could do this, but I don't know which files to replicate.

Re: UID/GID mapping consistency across at least two Linux machines

Gaiseric Vandal
On 04/09/12 13:11, bakytn wrote:

> I found this: http://lists.samba.org/archive/samba/2004-January/078411.html
>
> How to implement "a" scenario?
>
> but..how about simpler way...like, may be, running rsync to copy necessary
> files from server 1 to server 2.
>
> I could do this..but I don't know which files to replicate?
>
Are you using winbind for idmapping?   The files you want may be
/var/samba/locks (check "testparm -v" for the locks and cache
directories.)  Look at the winbind*tdb and idmap*tdb files.  tdbdump
will show you what is in them.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
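A quick way to see the mismatch described in this thread is to capture `getent passwd` and `getent group` on both hosts and diff the numeric ids, which is what the script below does. It is an added example, not from the thread or from Samba; the two captures are constructed to mirror the symptom in the first post (the same accounts, allocated in a different order), and the only assumption is that domain accounts appear in getent output, which the `winbind enum users/groups = yes` settings in the posted smb.conf provide.

```python
"""Compare the uid/gid that two Samba member servers hand out for the same
domain accounts.  On each host capture `getent passwd` and `getent group`
and feed both captures to compare_ids().  The captures below are constructed."""
from typing import Dict, List, Tuple

# Constructed sample: server 2 allocated user1/user2 in the opposite order,
# which is what a first-come-first-served tdb idmap allocation produces.
SERVER1_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:*:2001:2000:user1:/data/files/user1:/bin/bash
user2:*:2002:2000:user2:/data/files/user2:/bin/bash
user3:*:2003:2000:user3:/data/files/user3:/bin/bash
"""
SERVER2_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user2:*:2001:2000:user2:/data/files/user2:/bin/bash
user1:*:2002:2000:user1:/data/files/user1:/bin/bash
user3:*:2003:2000:user3:/data/files/user3:/bin/bash
"""
SERVER1_GROUP = """\
root:x:0:
domain users:x:2000:user1,user2,user3
accounting:x:2004:user1
"""
SERVER2_GROUP = """\
root:x:0:
domain users:x:2000:user1,user2,user3
accounting:x:2005:user1
"""


def parse_ids(text: str) -> Dict[str, int]:
    """name -> numeric id from passwd- or group-style colon-separated lines
    (field 3 is the uid in passwd output and the gid in group output)."""
    ids: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        ids[fields[0]] = int(fields[2])
    return ids


def compare_ids(a: Dict[str, int], b: Dict[str, int],
                min_id: int = 1000) -> List[Tuple[str, int, int]]:
    """(name, id_on_a, id_on_b) for every name known to both hosts whose
    numeric id differs.  Ids below min_id are local system accounts, which
    are expected to differ between installations, so they are ignored."""
    diffs = []
    for name in sorted(set(a) & set(b)):
        if a[name] != b[name] and max(a[name], b[name]) >= min_id:
            diffs.append((name, a[name], b[name]))
    return diffs


def only_on_one_side(a: Dict[str, int], b: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Names one host has already mapped and the other has never seen; with
    an allocating backend these will receive whatever id is next in line."""
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    for label, x, y in (("uid", SERVER1_PASSWD, SERVER2_PASSWD),
                        ("gid", SERVER1_GROUP, SERVER2_GROUP)):
        for name, i1, i2 in compare_ids(parse_ids(x), parse_ids(y)):
            print("%s mismatch: %-14s server1=%d server2=%d" % (label, name, i1, i2))
```

On the constructed captures this reports `user1` and `user2` swapped between the hosts and the `accounting` group at 2004 on one side and 2005 on the other; files copied with ownership preserved would therefore belong to the wrong account on server 2.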

Re: UID/GID mapping consistency across at least two Linux machines

bakytn
Here is the global section of my smb.conf:

I am not sure if I am using Winbind (I guess yes).

[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   preferred master = no

   server string = SAMBA
   security = ADS
   encrypt passwords = yes
   log level = 1
   log file = /var/log/samba/log.%m
   max log size = 1000

   idmap uid = 3000-20000
   idmap gid = 3000-20000
   template shell = /bin/bash

   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind use default domain = Yes
   winbind nested groups = Yes

   template homedir = "/data/files/%U"

   syslog = 0

   panic action = /usr/share/samba/panic-action %d
   passdb backend = tdbsam

   obey pam restrictions = yes

   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes

   map to guest = bad user

   usershare allow guests = yes

Re: UID/GID mapping consistency across at least two Linux machines

Robert Freeman-Day
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/09/2012 04:09 PM, bakytn wrote:

> Here is the global section of my smb.conf:
>
> I am not sure if I am using Winbind (I guess yes).
>
> [global]
>    workgroup = DOMAIN
>    realm = DOMAIN.LOCAL
>    preferred master = no
>
>    server string = SAMBA
>    security = ADS
>    encrypt passwords = yes
>    log level = 1
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>
>    idmap uid = 3000-20000
>    idmap gid = 3000-20000
>    template shell = /bin/bash
>
>    winbind enum groups = yes
>    winbind enum users = yes
>    winbind separator = +
>    winbind use default domain = Yes
>    winbind nested groups = Yes
>
>    template homedir = "/data/files/%U"
>
>    syslog = 0
>
>    panic action = /usr/share/samba/panic-action %d
>    passdb backend = tdbsam
>
>    obey pam restrictions = yes
>
>    unix password sync = yes
>
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
> %n\n *password\supdated\ssuccessfully* .
>
>    pam password change = yes
>
>    map to guest = bad user
>
>    usershare allow guests = yes
>
>

I have some notes on what I have done with my machines.  I hope it may
help you out.  Just read it all over and the template files closely
before just jumping on into it.

https://uisapp2.iu.edu/confluence-prd/display/~rmday/Linux+Integration+with+Active+Directory

- --
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+DiG4ACgkQup357T5MfTaMKQCg0HMM00tuKtxZUMWwzWC1lOSM
fxkAoLd8HO0otegVuye7dIf2c/UO1dc/
=lgc5
-----END PGP SIGNATURE-----

Re: UID/GID mapping consistency across at least two Linux machines

steve-2
In reply to this post by Gaiseric Vandal
On 09/04/12 21:00, Gaiseric Vandal wrote:
> On 04/09/12 13:11, bakytn wrote:
>> I found this: http://lists.samba.org/archive/samba/2004-January/078411.html
>>
>> How to implement "a" scenario?
> Are you using winbind for idmapping?   The files you want may be
> /var/samba/locks (check "testparm -v" for the locks and cache
> directories.)  Look at the winbind*tdb and idmap*tdb files.  tdbdump
> will show you what is in them.
Hi

I've never understood why we have to use winbind when using Linux
clients. It seems a complicated way to go about uid/gid mapping.

All we do is add posixAccount, uidNumber and gidNumber plus any other
2307 stuff you may need to the user record in LDAP. Maybe the problem
before has been with the poor performance of nss-ldap. But with the new
nss-ldapd nslcd, the user and group mapping is perfect and very fast.
It's just as good as reading from a local file even on a busy lan.

HTH
Cheers,
Steve


Re: UID/GID mapping consistency across at least two Linux machines

Gaiseric Vandal



On 04/10/12 12:29, steve wrote:

> On 09/04/12 21:00, Gaiseric Vandal wrote:
>> On 04/09/12 13:11, bakytn wrote:
>>> I found this:
>>> http://lists.samba.org/archive/samba/2004-January/078411.html
>>>
>>> How to implement "a" scenario?
>> Are you using winbind for idmapping?   The files you want may be
>> /var/samba/locks (check "testparm -v" for the locks and cache
>> directories.)  Look at the winbind*tdb and idmap*tdb files.  tdbdump
>> will show you what is in them.
> Hi
>
> I've never understood why we have to use winbind when using Linux
> clients. It seems a complicated way to go about uid/gid mapping.
>
> All we do is add posixAccount, uidNumber and gidNumber +any of other
> 2307 stuff you may need to the user record in LDAP. Maybe the problem
> before has been with the poor performance of nss-ldap. But with the
> new nss-ldapd nslcd, the user and group mapping is perfect and very
> fast. It's just as good as reading from a local file even on a busy lan.
>
> HTH
> Cheers,
> Steve
>
Winbind mapping should not be necessary on domain controllers, except if
you have domain trusts.  I have ldap backend so my LDAP users have both
unix and samba attributes.  Samba member servers are a little
trickier, when setting permissions from a Windows client.  The server
does need some sort of idmap to connect the samba account to the local
unix account.  I had to use ldap backend for idmap to make sure the
idmapping was consistent on the samba member server.  In theory the
idmap_nss backend should do this, but I don't think it was available in
samba 3.0.x.  I haven't had much luck with it in samba 3.4 or 3.5.
I found it easier just to make sure that my primary file servers were
also DC's.

Re: UID/GID mapping consistency across at least two Linux machines

steve-2
On 10/04/12 18:45, Gaiseric Vandal wrote:
>
>
> On 04/10/12 12:29, steve wrote:
>> On 09/04/12 21:00, Gaiseric Vandal wrote:
>>> On 04/09/12 13:11, bakytn wrote:
>>
> Winbind mapping should not be necessary on domain controllers, except if
> you have domain trusts.  I have ldap backend so my LDAP users have both
> unix and samba attributes.
That's what we have too.
>     Samba member servers are a little
> trickier, when settings permissions from a Windows client.  The server
> does need some sort of idmap to connect the samba account to the local
> unix account.
But you wouldn't need local accounts for network users would you? Or at
least we don't. They can use either a windows client or a Linux client.
None of them are attached to any box locally.  All the windows and linux
data is stored centrally in LDAP. The windows clients pull the sid and
whatever else they need and the Linux clients use nss-ldapd to
automagically pull the 2307 stuff that they need. Having said that, this
is quite a simple setup of a heterogeneous lan under 3.6. If the post is
about 2 or more linux machines then that ought to do it I think.
Cheers,
Steve



Re: UID/GID mapping consistency across at least two Linux machines

bakytn
In reply to this post by bakytn
Would you recommend I use IDMAP_RID with Winbind?

I don't have domain trusts (which is required to be "off" when using rid).

It's a small domain with about 300 users at the very maximum.

Also..if I just add

idmap backend = idmap_rid:DOMAIN=2000-100000000

What would change? Would it mess up my current UIDs/GIDs?

Re: UID/GID mapping consistency across at least two Linux machines

Mueller
In reply to this post by steve-2
I also only use ldap the same way without any winbind.

-----------------------------------------------
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: [hidden email]
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of steve
Sent: Tuesday, 10 April 2012 18:30
To: [hidden email]
Subject: Re: [Samba] UID/GID mapping consistency across at least two Linux
machines

On 09/04/12 21:00, Gaiseric Vandal wrote:
> On 04/09/12 13:11, bakytn wrote:
>> I found this:
>> http://lists.samba.org/archive/samba/2004-January/078411.html
>>
>> How to implement "a" scenario?
> Are you using winbind for idmapping?   The files you want may be
> /var/samba/locks (check "testparm -v" for the locks and cache
> directories.)  Look at the winbind*tdb and idmap*tdb files.  tdbdump
> will show you what is in them.
Hi

I've never understood why we have to use winbind when using Linux clients.
It seems a complicated way to go about uid/gid mapping.

All we do is add posixAccount, uidNumber and gidNumber +any of other
2307 stuff you may need to the user record in LDAP. Maybe the problem before
has been with the poor performance of nss-ldap. But with the new nss-ldapd
nslcd, the user and group mapping is perfect and very fast.
It's just as good as reading from a local file even on a busy lan.

HTH
Cheers,
Steve


Re: UID/GID mapping consistency across at least two Linux machines

steve-2
On 11/04/12 09:09, Daniel Müller wrote:
> I also only use ldap the same way without any winbind.
Hi
Thanks. I was beginning to wonder if we were the only ones. It seems
such an easy alternative to using winbind. The uid/gid is _exactly_
wysiwyg. Always. I think this is the sort of consistency the op was
looking for. The sid-rid idmap winbind stuff seems horrendously complicated.
Cheers,
Steve


Re: UID/GID mapping consistency across at least two Linux machines

Ludek Finstrle
Hi,

On Wed, Apr 11, 2012 at 11:02:09AM +0200, steve wrote:
> On 11/04/12 09:09, Daniel Müller wrote:
> >I also only use ldap the same way without any winbind.
> Thanks. I was beginning to wonder if we were the only ones. It seems
> such an easy alternative to using winbind. The uid/gid is _exactly_

I don't use winbind and also I don't use posixAccount on Samba4 Frenky.

> wysiwyg. Always. I think this is the sort of consistency the op was
> looking for. The sid-rid idmap winbind stuff seems horrendously
> complicated.

It's just easy from my point of view. But I don't want to have winbind
running and I don't see a very nice way to manage posixAccount either. The man
who creates user accounts isn't very keen on IT ...

So I use nslcd to map uid/gid with the last part of the SID + some constant and
I created a very small patch to the samba ads backend with the same behaviour.
I don't need DOMAIN trusts so it's enough for my small environment.

Luf

Re: UID/GID mapping consistency across at least two Linux machines

John Drescher
In reply to this post by Mueller
> I also only use ldap the same way without any winbind.
>

For years I used to do that however my domain member servers (not PDCs
/ BDCs) would not enumerate the users correctly for the windows
security tab without using winbind. Does this work for you?

John

Re: UID/GID mapping consistency across at least two Linux machines

Chris Smith-30
In reply to this post by bakytn
On Tue, Apr 10, 2012 at 2:27 PM, bakytn <[hidden email]> wrote:
> Would you recommend me to use IDMAP_RID with Winbind?

I use it successfully.

> idmap backend = idmap_rid:DOMAIN=2000-100000000

Depending upon your Samba version the syntax may be a bit different.

idmap config DOMAIN : backend  = rid
idmap config DOMAIN : range = 1000-999999

> What would change? Would it mess my current UID/GID's???

Probably, but that's an easy one-time fix using "find" with "xargs" to
update the old uid and gid to the new ones.

Chris

Re: UID/GID mapping consistency across at least two Linux machines

steve-2
In reply to this post by John Drescher
On 11/04/12 15:00, John Drescher wrote:
>> I also only use ldap the same way without any winbind.
>>
>
> For years I used to do that however my domain member servers (not PDCs
> / BDCs) would not enumerate the users correctly for the windows
> security tab without using winbind. Does this work for you?
>
> John

Yes. Even in s3 (we are using 3.6 setup under openSUSE)

In Samba4 there was a bug in the schema mapping for rfc2307. Now it's fixed.

Why not store the user uid/gid in the directory alongside their sid
stuff? The m$ schema has it bolted in.

Cheers,
Steve


Re: UID/GID mapping consistency across at least two Linux machines

Chris Smith-30
In reply to this post by Chris Smith-30
On Wed, Apr 11, 2012 at 3:50 PM, bakytn <[hidden email]> wrote:
> I tried the old config and newer.
>
>   idmap backend = rid:DOMAIN=4000-20000
>   idmap uid = 4000-20000
>   idmap gid = 4000-20000

Doesn't look right - man smb.conf - for the correct syntax. For your
version I think it should be more like:

idmap backend = tdb
idmap uid = 300000-400000
idmap gid = 300000-400000
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 2000-299999

from man smb.conf:
winbind uses this parameter to find the backend that is authoritative
for a unix ID to SID mapping, so it must be set for each individually
configured domain, and it must be disjoint from the ranges set via
idmap uid and idmap gid.

> My version is SAMBA 3.5.11

If you check the release notes you'll find that 3.5.12 fixed a winbind
race issue in 3.5.11. Also there's a security exploit and it's a good
idea to update to 3.5.14, or 3.6.4. I'm still a bit leery of the 3.6
series for production and hopefully 3.6.5 will be released soon fixing
some outstanding issues.

Chris
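The two replies from Chris above (the rid backend, the disjoint-range rule quoted from man smb.conf, and the find/xargs fix-up for files that still carry the old ids) worked through as an added example; this is not code from the thread or from Samba. The domain SID and the account RIDs are constructed. `rid_to_unix_id` implements the idmap_rid arithmetic (unix id = low end of the domain range + RID), `check_idmap_config` applies the disjointness rule to the two smb.conf fragments quoted in the thread, and `remap_plan` orders the chown steps so that a swap of ids between two accounts does not merge their files in a single pass.

```python
"""What idmap_rid gives each account, whether the smb.conf ranges are sane,
and a collision-safe chown plan for files that still carry the old ids.
The domain SID and the account list are constructed."""
import re
from typing import Dict, List, Tuple

DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed, not a real domain
Range = Tuple[int, int]

# The two smb.conf fragments quoted in the thread.
GOOD_CONF = """
idmap backend = tdb
idmap uid = 300000-400000
idmap gid = 300000-400000
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 2000-299999
"""
BAD_CONF = """
idmap backend = rid:DOMAIN=4000-20000
idmap uid = 4000-20000
idmap gid = 4000-20000
"""


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-1105' -> ('S-1-5-21-a-b-c', 1105)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid: str, domain_sid: str, rng: Range) -> int:
    """idmap_rid arithmetic: unix id = low end of the range + RID.  The same
    range in smb.conf therefore yields the same id on every host.  SIDs from
    another domain, or RIDs past the top of the range, cannot be mapped."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise ValueError("%s is not from %s; a trusted domain needs its own idmap config" % (sid, domain_sid))
    unix_id = rng[0] + rid
    if unix_id > rng[1]:
        raise ValueError("RID %d maps to %d, outside %s" % (rid, unix_id, rng))
    return unix_id


RANGE_RE = re.compile(
    r"^\s*idmap\s+(uid|gid|config\s+(\S+?)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Range]:
    """'uid', 'gid' and one key per 'idmap config DOM:range' -> (low, high)."""
    ranges: Dict[str, Range] = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            key = m.group(2).upper() if m.group(2) else m.group(1).lower()
            ranges[key] = (int(m.group(3)), int(m.group(4)))
    return ranges


def overlaps(a: Range, b: Range) -> bool:
    return not (a[1] < b[0] or b[1] < a[0])


def check_idmap_config(smb_conf: str) -> List[str]:
    """man smb.conf: every per-domain range must be disjoint from the
    'idmap uid' / 'idmap gid' default ranges.  Returns a list of problems."""
    ranges = parse_idmap_ranges(smb_conf)
    problems = []
    domains = [k for k in ranges if k not in ("uid", "gid")]
    if not domains:
        problems.append("no 'idmap config <DOMAIN>:range' line; the per-domain range is not declared")
    for key in ("uid", "gid"):
        if key not in ranges:
            problems.append("'idmap %s' is not set" % key)
    for dom in domains:
        for key in ("uid", "gid"):
            if key in ranges and overlaps(ranges[dom], ranges[key]):
                problems.append("%s range %s overlaps 'idmap %s' range %s"
                                % (dom, ranges[dom], key, ranges[key]))
    return problems


def remap_plan(old_ids: Dict[str, int], new_ids: Dict[str, int]) -> List[Tuple[int, int]]:
    """Ordered (from_id, to_id) chown steps moving every account's files from
    its old id to its new one.  When one account's new id is another account's
    old id, a naive single pass would hand the second account's files to the
    first, so such moves go through a temporary id and finish in a second pass.
    Assumes ids above max(old, new) are unused on the filesystem."""
    moves = {old_ids[n]: new_ids[n] for n in old_ids if n in new_ids and old_ids[n] != new_ids[n]}
    if not moves:
        return []
    still_occupied = set(moves)
    temp = max(max(moves), max(moves.values())) + 1
    first_pass, second_pass = [], []
    for frm, to in sorted(moves.items()):
        if to in still_occupied:
            first_pass.append((frm, temp))
            second_pass.append((temp, to))
            temp += 1
        else:
            first_pass.append((frm, to))
    return first_pass + second_pass


def chown_commands(steps: List[Tuple[int, int]], root: str = "/data/files") -> List[str]:
    """Shell lines in the find/xargs style the post mentions.  -xdev stays on
    one filesystem, -h changes symlinks rather than their targets."""
    return ["find %s -xdev -uid %d -print0 | xargs -0 chown -h %d" % (root, frm, to)
            for frm, to in steps]


if __name__ == "__main__":
    rids = {"user1": 1105, "user2": 1106, "user3": 1107}   # constructed RIDs
    old = {"user1": 2001, "user2": 2002, "user3": 2003}    # constructed tdb ids
    new = {n: rid_to_unix_id("%s-%d" % (DOMAIN_SID, r), DOMAIN_SID, (2000, 299999))
           for n, r in rids.items()}
    for p in check_idmap_config(BAD_CONF):
        print("BAD_CONF:", p)
    for cmd in chown_commands(remap_plan(old, new)):
        print(cmd)
```

Run the generated `find ... -uid OLD` half on its own first to see what each step would touch; group ownership is the same procedure with `-gid` and `chgrp`.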

Re: UID/GID mapping consistency across at least two Linux machines

bakytn
I have also cleared the /var/run/samba folder and it's now working properly.

you helped a lot! Thank you!

Re: UID/GID mapping consistency across at least two Linux machines

steve-2
On 11/04/12 22:35, bakytn wrote:
> I have also cleared the /var/run/samba folder and it's now working properly.
>
> you helped a lot! Thank you!
>

Hi
Just remembered a gotcha with the rfc2307 stuff. Hope you don't mind me
including it here for completeness and to save head scratching.

If the user is a member of more than one group, then the memberUid
attribute must be specified in the group dn.

I think that this is one of the pieces missing from the samba3Upgrade
script.

Here is a LDAP example which complies with the schema from Samba4:

dn: CN=teachers,CN=Users,DC=hh3,DC=site
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1119
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2
memberUid: lynn2

HTH,
Steve
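A check for the memberUid gotcha just described, as an added example that is not part of the thread or of Samba: it reads an LDIF export, finds every posixGroup whose `member` DNs point at accounts that are not also listed as `memberUid`, and emits the LDIF modify that would add them. The LDIF is constructed in the shape of the entry above (hh3.site is the example domain from the post; the accounts are made up), and the parser only handles plain `attr: value` lines, not base64 `::` values.

```python
"""Find posixGroup entries whose member DNs are not mirrored as memberUid
(the rfc2307 gotcha from the post) and emit an LDIF modify to fix them."""
from typing import Dict, List

# Constructed LDIF following the schema shown in the post.
SAMPLE_LDIF = """\
dn: CN=steve2,CN=Users,DC=hh3,DC=site
objectClass: user
objectClass: posixAccount
uid: steve2
uidNumber: 10001
gidNumber: 1119

dn: CN=lynn2,CN=Users,DC=hh3,DC=site
objectClass: user
objectClass: posixAccount
uid: lynn2
uidNumber: 10002
gidNumber: 1119

dn: CN=teachers,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1119
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2

dn: CN=admins,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1120
member: CN=lynn2,CN=Users,DC=hh3,DC=site
member: CN=teachers,CN=Users,DC=hh3,DC=site
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines start with a space.  Keyed by DN."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_attr:          # folded line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                           # end of entry
            if current:
                entries[current["dn"][0]] = current
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def missing_member_uids(entries: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """group DN -> uids that appear as 'member' DNs but not as 'memberUid'.
    Members that are not accounts with a uid (nested groups, computers) are
    skipped, since memberUid is only meaningful for posix users."""
    by_dn = {dn.lower(): e for dn, e in entries.items()}
    missing: Dict[str, List[str]] = {}
    for dn, e in entries.items():
        if "posixGroup" not in e.get("objectClass", []):
            continue
        have = {u.lower() for u in e.get("memberUid", [])}
        need = []
        for member_dn in e.get("member", []):
            user = by_dn.get(member_dn.lower())
            if user is None or "uid" not in user:
                continue
            uid = user["uid"][0]
            if uid.lower() not in have:
                need.append(uid)
        if need:
            missing[dn] = need
    return missing


def ldif_fix(missing: Dict[str, List[str]]) -> str:
    """LDIF 'changetype: modify' records adding the missing memberUid values."""
    records = []
    for dn, uids in missing.items():
        body = "".join("memberUid: %s\n" % u for u in uids)
        records.append("dn: %s\nchangetype: modify\nadd: memberUid\n%s-\n" % (dn, body))
    return "\n".join(records)


if __name__ == "__main__":
    print(ldif_fix(missing_member_uids(parse_ldif(SAMPLE_LDIF))))
```

On the constructed data the `teachers` group is missing `memberUid: lynn2` and `admins` is missing it too, while the nested `teachers` member of `admins` is correctly left alone.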

Re: UID/GID mapping consistency across at least two Linux machines

bakytn
Thanks! But how is this related to my problem? Are there any pitfalls when a user is a member of many groups? Does their uid (actually rid) depend on their group membership?