member server idmap config (auto)rid


member server idmap config (auto)rid

Samba - General mailing list
I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD domain
according to
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

It joins OK but I cannot get idmap rid (or autorid) to work

    idmap config * : backend = autorid
    idmap config * : range = 1000000-1199999

Nothing is returned for getent "SAMDOM\user"

log.winbindd shows:

[2017/08/07 15:44:08.377559,  3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
   getpwnam SAMDOM\user
[2017/08/07 15:45:12.561500,  5]
../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
   Client request timed out, shutting down sock 26, pid 639

(libnss_winbind is installed and nsswitch.conf modified as per wiki)

If however I use

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 1000000-1199999

Then getent "SAMDOM\user" works but the uid is taken from the * range,
not SAMDOM.

What am I doing wrong?




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: member server idmap config (auto)rid

Samba - General mailing list
Hi,

Could you post the whole smb.conf? That should help...

Did you install libpam-winbind? libpam-krb5?

Kerberos is working? It should as you mentioned join was ok.

Anyway and in short, to help we need information.

And playing with wbinfo could help to understand what you missed (wbinfo -n
username; wbinfo -S userSID; wbinfo -i username; for a start)

2017-08-07 16:44 GMT+02:00 Neil Price via samba <[hidden email]>:

> I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD domain
> according to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domai
> n_Member
>
> It joins OK but I cannot get idmap rid (or autorid) to work
>
>    idmap config * : backend = autorid
>    idmap config * : range = 1000000-1199999
>

Using only these two lines AD users and groups could become Linux users and
groups but their UID/GID will be randomly generated, which is certainly not
what you want (at least in the future it is something you would regret)


>
> Nothing is returned for getent "SAMDOM\user"
>
> log.winbindd shows:
>
> [2017/08/07 15:44:08.377559,  3] ../source3/winbindd/winbindd_g
> etpwnam.c:56(winbindd_getpwnam_send)
>   getpwnam SAMDOM\user
> [2017/08/07 15:45:12.561500,  5] ../source3/winbindd/winbindd.c
> :1139(remove_timed_out_clients)
>   Client request timed out, shutting down sock 26, pid 639
>
> (libnss_winbind is installed and nsswitcy.conf modified as per wiki)
>
> If however I use
>
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>
>    idmap config SAMDOM : backend = rid
>    idmap config SAMDOM : range = 1000000-1199999
>

Using these 4 lines is the right thing to do: idmap-rid will generate
UID/GID using the LDAP object's RID + 1000000 (according to what you wrote) and
as UID/GID are now based on the RID, which is stable, your UID/GID will be stable
too (not randomly generated)


>
> Then getent "SAMDOM\user" works but the uid is taken from the * range, not
> SAMDOM.
>
> What am I doing wrong?
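The RID arithmetic described in the reply above, as an added worked example (Python, written for this page and not Samba's own code): it models what idmap_rid does with a SID and the configured range, the reverse lookup winbind does for a uid, and how a uid returned by getent tells you which backend answered it. The domain SID and the RID are made up; the ranges are the ones from the smb.conf quoted in this thread.

```python
import re

# Ranges from the smb.conf quoted in this thread.
IDMAP_RANGES = {
    "*": (3000, 7999),              # idmap config * : backend = tdb (allocating)
    "SAMDOM": (1000000, 1199999),   # idmap config SAMDOM : backend = rid (arithmetic)
}

# Made-up domain SID for SAMDOM; a real one comes from `wbinfo -D SAMDOM`
# or `net getdomainsid`.
SAMDOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"

ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Split an account SID into (domain SID, RID).

    S-1-5-21-<a>-<b>-<c>-<rid>  ->  ("S-1-5-21-<a>-<b>-<c>", rid)
    """
    m = ACCOUNT_SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain_sid, _, _ = sid.rpartition("-")
    return domain_sid, int(m.group(1))


def rid_to_unix_id(sid, domain_sid, idmap_range):
    """idmap_rid arithmetic: unix id = RID + range low.

    Returns None where winbind would refuse the mapping: the SID belongs to
    another domain, or RID + low lands above the range high.  (Samba's
    idmap_rid also supports a base_rid offset; it is 0 here.)
    """
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        return None
    low, high = idmap_range
    unix_id = low + rid
    return unix_id if unix_id <= high else None


def unix_id_to_rid(unix_id, idmap_range):
    """Reverse direction, as winbind does for `getent passwd <uid>`."""
    low, high = idmap_range
    if not low <= unix_id <= high:
        return None
    return unix_id - low


def range_owner(unix_id, ranges):
    """Name of the 'idmap config <X> : range' that contains unix_id, or None."""
    for domain, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return domain
    return None


def diagnose(unix_id, domain, ranges):
    """Explain a uid returned by `getent passwd DOMAIN\\user`."""
    owner = range_owner(unix_id, ranges)
    if owner is None:
        return "uid lies outside every configured idmap range"
    if owner == domain:
        rid = unix_id_to_rid(unix_id, ranges[domain])
        return f"mapped by 'idmap config {domain}' (rid backend): RID {rid}"
    if owner == "*":
        return ("allocated by the '*' (tdb) backend: winbind did not apply "
                f"'idmap config {domain}' to this SID, check the domain name "
                "in smb.conf against `wbinfo --own-domain`")
    return f"mapped by 'idmap config {owner}'"


if __name__ == "__main__":
    user_sid = f"{SAMDOM_SID}-1107"          # RID 1107, made up
    uid = rid_to_unix_id(user_sid, SAMDOM_SID, IDMAP_RANGES["SAMDOM"])
    print(user_sid, "->", uid, "|", diagnose(uid, "SAMDOM", IDMAP_RANGES))
    print(3001, "->", diagnose(3001, "SAMDOM", IDMAP_RANGES))
```

The point of `diagnose` is the symptom from the first post: a uid in 3000-7999 for a domain user means the tdb backend allocated it, so winbind never treated that SID as belonging to the domain named in `idmap config SAMDOM`, which is a name problem, not a range problem. A RID large enough to push RID + low past the range high gets no mapping at all, which is why a domain range should be sized to the RIDs the domain will ever issue.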

member server idmap config (auto)rid

Samba - General mailing list
(forwarding as I forgot to reply-all)

-----Original Message-----
From: Lange Norbert
Sent: Dienstag, 08. August 2017 12:26
To: 'mathias dufresne'
Subject: RE: [Samba] member server idmap config (auto)rid

>Did you install libpam-winbind? libpam-krb5?

Nope, I did try installing them now, made no difference.
I have backup-scripts running on the server for months, and it worked before.

Can't get wbinfo to report anything but errors. I am using a user/domain/pass file with smbclient;
there is no sophisticated authentication AFAIK, and the issue just seems to be that samba sends data in bigger chunks
than the server accepts, and the patch limits this. This does not seem to be anything related to login/auth.

Kind regards,
Norbert


Re: member server idmap config (auto)rid

Samba - General mailing list
Ok debian stretch..

Go here.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862580#39
Review all steps there. ( message 39, Date: Mon, 22 May 2017 10:21:18 +0200 )

And if you change something, mark it so you can find it back, but that config works.
If it fails, post your smb.conf and post where you see errors based on the steps of the above link.

Without smb.conf it is a guessing game.


Greetz,

Louis

 


Re: member server idmap config (auto)rid

Samba - General mailing list
Hi,

sorry, I responded to the wrong thread.
Please ignore my posts here, my issue is different and the last post is here: https://lists.samba.org/archive/samba/2017-August/210156.html


Re: member server idmap config (auto)rid

Samba - General mailing list
On 08/08/2017 12:04, mathias dufresne via samba wrote:
> Could you post the whole smb.conf? That should help...
The server is maybe not normal as its a high availability cluster, so
the netbios name is not the same as the linux hostname. Hope that makes
sense and is not a problem..


[global]
     interfaces = 127.0.0.0/8 eth0:0       <== This is a drbd/pacemaker cluster
     netbios name = PTA-CLUSTER            <== Ditto
     realm = AD.GIBB.CO.ZA
     workgroup = GIBB
     log file = /var/log/samba/log.%m
     max log size = 1000
     syslog = 0
     panic action = /usr/share/samba/panic-action %d
     map to guest = Bad User
     security = ADS
     server role = member server
     username map = /etc/samba/user.map
     winbind enum groups = Yes
     winbind enum users = Yes
     dns proxy = No
     wins server = 192.168.112.94 192.168.104.65
     idmap config GIBB : range = 1000000-1199999
     idmap config GIBB : backend = rid
     idmap config * : range = 3000-7999
     idmap config * : backend = tdb


> Did you install libpam-winbind? libpam-krb5?
Yes
> Kerberos is working? It should as you mentioned join was ok.
Yes, it works but seems very slow (kinit followed by klist).

I'm getting inconsistent results. Now it works, now it doesn't. I'm
looking at the possibility that one of the many Windows AD servers is at
fault and samba is occasionally choosing that one. It looks like using
"password server" is not recommended, and in fact it did not help.
I still need to work through Louis' helpful post.



Re: member server idmap config (auto)rid

Samba - General mailing list
If you use the debian package 4.5.8 I can suggest you upgrade to 4.6.5 from buster or use my 4.6.6

Go through this changelog.
http://metadata.ftp-master.debian.org/changelogs/main/s/samba/samba_4.6.5+dfsg-8_changelog
My 4.6.6 is based on 4.6.5+dfsg-6

But I can't tell much yet about clustering setups.
Except for these pages:
https://wiki.samba.org/index.php/Clustered_Samba
And
https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba


Greetz,

Louis

 



Re: member server idmap config (auto)rid

Samba - General mailing list
Hi Neil,

First, I've no knowledge about clustering Samba. I'll read what Louis gave,
but for now I haven't.

Anyway, several suggestions:
About the hostname, if it is really an issue, you should be able to cheat using
/etc/hosts and configuring /etc/nsswitch.conf with:
"hosts:      files dns myhostname"
or
"hosts:      files dns"
as I'm not sure what this myhostname really means. I expect it means
running the hostname command or the equivalent system function (something like
gethostname(), no idea, I'm not a dev ;)

Now regarding smb.conf:

First, I expect your workgroup is not correct. For me, workgroup is the first
part(s) of the full domain name. So I would try with AD.GIBB rather than
GIBB.

Here is the one I prepared for my client:
[global]
    workgroup = SAMDOM
    realm = SAMDOM.DOMAIN.TLD
    # We use it because few DCs are accessible from this Samba server
    # and for now I have no idea how AD Sites are configured
    password server = dcXY.samdom.domain.tld

    security = ads

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    # These two lines are to be removed once it works
    # to limit excessive requests to AD DCs
    winbind enum users = yes
    winbind enum groups = yes

    ## map ids outside of domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 1200-1999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : schema_mode = template
    idmap config SAMDOM : range = 100000-999999
    # idmap config line once 4.6.x and more is deployed
    # as long as 4.6.x are not installed we have to use winbind nss info
    ;idmap config SAMDOM : unix_nss_info = yes
    winbind nss info = template
    # As we are using idmap-rid, we need template to fill shell and homedir
    template shell = /bin/bash
    template homedir = /home/SAMDOM/%U

So the differences:
The addition of both template lines
    template shell = /bin/bash
    template homedir = /home/SAMDOM/%U

Addition of a line to tell winbind to use templates
    winbind nss info = template
/!\ remember to change that line once you've upgraded your Samba version.

This line tells winbind which idmap module you really want.
This line is for the idmap-rid module, which will create UID/GID
using the LDAP object's RID + the low number of "SAMDOM : range"
    idmap config SAMDOM : backend = rid

The workgroup, which seems strange to me.

Then I would first remove everything which is not part of authentication:
    panic action = /usr/share/samba/panic-action %d
    map to guest = Bad User
    server role = member server
    dns proxy = No
    wins server = 192.168.112.94 192.168.104.65

Perhaps the panic-action is related to the cluster; in that case keep it of
course ;)
"map to guest" could also be kept.
"server role": I would remove it as it is not necessary and because I don't
know all the roles and their exact meaning.
dns proxy + wins stuff: if it is really an AD domain, you should rely on DNS.
It's a Microsoft choice to remove WINS... I'd remove it at least for
testing, as AD is supposed to rely on DNS and I don't know your
infrastructure.



2017-08-08 16:52 GMT+02:00 Neil Price <[hidden email]>:

> On 08/08/2017 12:04, mathias dufresne via samba wrote:
>
>> Could you post the whole smb.conf? That should help...
>>
> The server is maybe not normal as it's a high availability cluster, so the
> netbios name is not the same as the linux hostname. Hope that makes sense
> and is not a problem.
>
>
> [global]
>     interfaces = 127.0.0.0/8 eth0:0       <== This is a drbd/pacemaker
> cluster
>     netbios name = PTA-CLUSTER         <-----Ditto
>     realm = AD.GIBB.CO.ZA
>     workgroup = GIBB
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     map to guest = Bad User
>     security = ADS
>     server role = member server
>     username map = /etc/samba/user.map
>     winbind enum groups = Yes
>     winbind enum users = Yes
>     dns proxy = No
>     wins server = 192.168.112.94 192.168.104.65
>     idmap config GIBB : range = 1000000-1199999
>     idmap config GIBB : backend = rid
>     idmap config * : range = 3000-7999
>     idmap config * : backend = tdb
>
>
> Did you install libpam-winbind? libpam-krb5?
>>
> Yes
>
>> Kerberos is working? It should as you mentioned join was ok.
>>
> Yes it works but seems very slow. kinit followed by klist.
>
> I'm getting inconsistent results. Now it works, now it doesn't. I'm
> looking at the possibility that one of the many Windows AD servers is at
> fault and samba is occasionally choosing that one.  It looks like using
> "password server" is not recommended and in fact it did not help.
> I still need to work through Louis' helpful post.
>
>
>
> Anyway and in short, to help we need information.
>>
>> And playing with wbinfo could help to understand what you missed (wbinfo -n
>> username; wbinfo -S userSID; wbinfo -i username; for a start)
>>
>> 2017-08-07 16:44 GMT+02:00 Neil Price via samba <[hidden email]>:
>>
>>> I've joined a samba 4.48 (debian stretch) to a Windows 2008R2 AD domain
>>> according to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>
>>> It joins OK but I cannot get idmap rid (or autorid) to work
>>>
>>>     idmap config * : backend = autorid
>>>     idmap config * : range = 1000000-1199999
>>>
>> Using only these two lines AD users and groups could become Linux users and
>> groups but their UID/GID will be randomly generated, which is certainly not
>> what you want (at least in future that's what you would regret)
>>
>>
>>> Nothing is returned for getent "SAMDOM\user"
>>>
>>> log.winbindd shows:
>>>
>>> [2017/08/07 15:44:08.377559,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>>    getpwnam SAMDOM\user
>>> [2017/08/07 15:45:12.561500,  5] ../source3/winbindd/winbindd.c:1139(remove_timed_out_clients)
>>>    Client request timed out, shutting down sock 26, pid 639
>>>
>>> (libnss_winbind is installed and nsswitch.conf modified as per wiki)
>>>
>>> If however I use
>>>
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 3000-7999
>>>
>>>     idmap config SAMDOM : backend = rid
>>>     idmap config SAMDOM : range = 1000000-1199999
>>>
>> Using these 4 lines is the right thing to do: idmap-rid will generate
>> UID/GID using the LDAP object's RID + 1000000 (according to what you wrote) and
>> as UID/GID are now based on the RID, which is stable, your UID/GID will be
>> stable too (not randomly generated)
>>
>>
>>> Then getent "SAMDOM\user" works but the uid is taken from the * range, not
>>> SAMDOM.
>>>
>>> What am I doing wrong?
>>>
>>>
>>>
>>>
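As an added example (not from this thread and not Samba's own code), the script below does in Python what the reply above explains in words: it parses the `idmap config` lines of an smb.conf fragment, checks that the `*` and SAMDOM ranges are disjoint (the "ranges may not overlap" comment), and reproduces the idmap_rid rule ID = RID - base_rid + low end of the range, so you can predict the uid `getent` should return for a given SID before touching winbind. The smb.conf fragments and the SID are constructed for the example; `base_rid` is idmap_rid's documented option and defaults to 0.

```python
import re

# Constructed smb.conf fragment mirroring the idmap settings recommended in the thread.
GOOD_CONF = """
[global]
    workgroup = SAMDOM
    ## map ids outside of domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 1200-1999
    ## map ids from the domain, the ranges may not overlap!
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 100000-999999
    ;idmap config SAMDOM : unix_nss_info = yes
"""

# Constructed misconfiguration: the default (*) range swallows the domain range.
BAD_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000-1200000
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 1000000-1199999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Collect every active 'idmap config DOMAIN : key = value' line into
    {domain: {key: value}}; lines starting with ';' or '#' are comments."""
    cfg = {}
    for line in conf.splitlines():
        if line.lstrip().startswith((";", "#")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"], {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(text):
    """'LOW-HIGH' -> (low, high), rejecting inverted ranges."""
    low, high = (int(part) for part in text.split("-"))
    if low > high:
        raise ValueError(f"inverted idmap range: {text}")
    return low, high


def overlapping_ranges(cfg):
    """Return the domain pairs whose ranges intersect. Every idmap range
    must be disjoint, otherwise one Unix ID could belong to two backends."""
    ranges = {dom: parse_range(opts["range"])
              for dom, opts in cfg.items() if "range" in opts}
    doms = sorted(ranges)
    clashes = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def rid_to_unix_id(cfg, domain, sid):
    """Reproduce the idmap_rid rule ID = RID - base_rid + LOW (base_rid
    defaults to 0). Returns None when the result falls outside the range,
    which is the case where winbind will not map the object at all."""
    opts = cfg[domain]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    low, high = parse_range(opts["range"])
    rid = int(sid.rsplit("-", 1)[1])          # last SID component is the RID
    base_rid = int(opts.get("base_rid", 0))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(GOOD_CONF)
    print("overlaps:", overlapping_ranges(cfg))                        # []
    # Constructed SID: the domain part is made up, RID 1104 is a typical first user.
    print(rid_to_unix_id(cfg, "SAMDOM", "S-1-5-21-111-222-333-1104"))  # 101104
    print("bad conf overlaps:", overlapping_ranges(parse_idmap(BAD_CONF)))
```

Run it against a copy of your real smb.conf (read the file into `parse_idmap`) and compare the predicted id with `wbinfo -S` / `getent passwd`: if `getent` returns an id from the `*` range instead, the lookup went through the tdb allocator rather than idmap_rid, which is the symptom described at the top of this thread.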

Re: member server idmap config (auto)rid

Samba - General mailing list

On 09/08/2017 12:19 PM, mathias dufresne via samba wrote:
> Now regarding smb.conf:
>
> First I expect your workgroup is not correct. For me, workgroup is first
> part(s) of full domain name. So I would try with AD.GIBB rather than on
> GIBB.
>
>
Yes it is unusual but it is correct. The tree is AD.GIBB.CO.ZA but the
short name is GIBB. It is a working Windows AD system. The Windows guys
set it up like that (I know some but I'm not a Windows guy)


Re: member server idmap config (auto)rid

Samba - General mailing list

On 08/08/2017 05:03 PM, L.P.H. van Belle via samba wrote:
> If you use the debian package 4.5.8 I can suggest you upgrade to 4.6.5 from buster or use my 4.6.6

Will do, I assume I can find the location of your debs elsewhere in this
list.
> But I can't tell much yet about clustering setups.
> Except this page:
> https://wiki.samba.org/index.php/Clustered_Samba
> And
> https://wiki.samba.org/index.php/CTDB_and_Clustered_Samba
>
>
That is a different kind of cluster. Mine is pacemaker/drbd which I have
used with great success with samba3 and imap servers. Following a
suggestion from another poster I will shut down the clustering, get this
to work, and then think about clustering again.


Re: member server idmap config (auto)rid

Samba - General mailing list
On 08/08/2017 17:03, L.P.H. van Belle via samba wrote:
> If you use the debian package 4.5.8 I can suggest you upgrade to 4.6.5 from buster or use my 4.6.6
>

Instant success and it's fast. I also found a fubarred windows DC.
Thanks.:-D



Re: member server idmap config (auto)rid

Samba - General mailing list
Hai Neil,

Great, thanks for the feedback..
But what was your solution? Which version are you running now?
That helps others.


Greetz,

Louis

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Neil
> Price via samba
> Sent: Thursday 10 August 2017 14:48
> To: [hidden email]
> Subject: Re: [Samba] member server idmap config (auto)rid
>
> On 08/08/2017 17:03, L.P.H. van Belle via samba wrote:
> > If you use the debian package 4.5.8 I can suggest you upgrade to
> > 4.6.5 from buster or use my 4.6.6
> >
>
> Instant success and it's fast. I also found a fubarred windows DC.
> Thanks.:-D
>
>
>



Re: member server idmap config (auto)rid

Samba - General mailing list
Your 4.6.5.

Still getting some inconsistent results. Think it's yet another Windows
DC causing it because password server = (known good DC) seems to fix it.
Still testing.


On 10/08/2017 14:53, L.P.H. van Belle via samba wrote:

> Hai Neil,
>
> Great, thanks for the feedback..
> But what was your solution? Which version are you running now?
> That helps others.
>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:[hidden email]] On behalf of Neil
>> Price via samba
>> Sent: Thursday 10 August 2017 14:48
>> To: [hidden email]
>> Subject: Re: [Samba] member server idmap config (auto)rid
>>
>> On 08/08/2017 17:03, L.P.H. van Belle via samba wrote:
>>> If you use the debian package 4.5.8 I can suggest you upgrade to
>>> 4.6.5 from buster or use my 4.6.6
>>>
>> Instant success and it's fast. I also found a fubarred windows DC.
>> Thanks.:-D
>>
>>



Re: member server idmap config (auto)rid

Samba - General mailing list
2017-08-10 17:02 GMT+02:00 Neil Price via samba <[hidden email]>:

> Your 4.6.5.
>
> Still getting some inconsistent results. Think it's yet another Windows DC
> causing it because password server = (known good DC) seems to fix it. Still
> testing.


Inconsistent results could come from previous tests if you don't flush the
idmap cache using:
net flush cache


>
>
>
> On 10/08/2017 14:53, L.P.H. van Belle via samba wrote:
>
>> Hai Neil,
>>
>> Great, thanks for the feedback..
>> But what was your solution? Which version are you running now?
>> That helps others.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:[hidden email]] On behalf of Neil
>>> Price via samba
>>> Sent: Thursday 10 August 2017 14:48
>>> To: [hidden email]
>>> Subject: Re: [Samba] member server idmap config (auto)rid
>>>
>>> On 08/08/2017 17:03, L.P.H. van Belle via samba wrote:
>>>
>>>> If you use the debian package 4.5.8 I can suggest you upgrade to
>>>> 4.6.5 from buster or use my 4.6.6
>>>>
>>>> Instant success and it's fast. I also found a fubarred windows DC.
>>> Thanks.:-D
>>>
>>>
>>> --
>>>
>>>
>
>