
[Samba] Samba 4 problems


Brett Wynkoop

Dec 18, 2014, 12:40:03 PM
Greeting-

It has been years since I last set up a Samba server. The last one I
did was a 2.x version!

For the last two weeks I have been fighting with 2 issues with a samba
4 server I have set up for testing.

. Encrypted transport seems to not work for me

. Unix user smith and Samba user smith seem to have different UID
numbers when files are created.


At the moment the second issue is the most vexing, but if I do not
solve the first issue as well the project I am testing this for will
need to be implemented using some other technology.

Here is my current smb4.conf file:

# Global parameters
[global]
workgroup = EXAMPLE
kerberos method = secrets and keytab
local master = yes
netbios name = HOSTNAME
log level = 4

dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsa rpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, winreg , srvsvc

realm = EXAMPLE.COM
os level = 20
username map = /var/db/samba4/private/users.map
client max protocol = SMB3
# server min protocol = SMB3
hide dot files = no
winbind trusted domains only = yes

server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, nt p_signd, kcc, smb

winbind use default domain = yes
dns forwarder = 192.168.1.1
domain logons = yes
smb encrypt = yes
security = user
encrypt passwords = yes
preferred master = yes
#
# I have tried with and without the line below
#
#idmap_ldb:use rfc2307 = yes
wins support = true
server role = active directory domain controller



[netlogon]
path = /var/db/samba4/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/db/samba4/sysvol
read only = No

[archive]
writeable = yes
browseable = yes
valid users = smith
write list = smith,@wheel
path = /archive
comment = /archive
revalidate = yes
# vfs objects = zfsacl
# nfs4:mode = special
# nfs4:chown = yes
# zfsacl:acesort = dontcare

The user was first created as a Unix user with a UID of 50 (historical
reasons for the low uid). Then the user was added to samba using
smbpasswd.

It should be noted that all the kerberos bits seem to be working as
doing a kinit then running smbclient -k //server/share yields a
connection, but of course with the UID different from the UID of the
same user at the unix shell level.

Also unless I am using the kerberized smbclient it seems that all
traffic is passed unencrypted according to my TCPDUMP tests. Tested
clients at the moment are Mac OSX 10.6 and various *BSD GNU/Linux boxes
with smbclient forced to V3. I probably will not move on to testing
with a windows client if I can not solve the UID mismatch issue.

Any ideas? I have been searching the net for some time with no joy.

Thanks.

-Brett

--

wyn...@wynn.com http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed. - George Washington

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Jeremy Allison

Dec 18, 2014, 1:00:04 PM
Remove 'smb' from this line. In fact, remove this line
completely. Where did you find docs telling you to add
this to the smb.conf ?

Rowland Penny

Dec 18, 2014, 1:00:04 PM
Hi, After sorting out your smb.conf, it would seem that you are running
samba4 as an AD DC and then trying to add parts to it that are either
the defaults or are not required. I would suggest that you reinstate the
original smb.conf (you did keep a copy, didn't you ?), delete most of,
if not all, the Unix users you have added, then add them again, but this
time to your AD. Unlike samba 2, when running samba 4 in AD mode, you
cannot have Unix users that are also AD users, you store everything in AD.

I would suggest that you have a read here:
https://wiki.samba.org/index.php/Main_Page

I know that you are testing here, but it would seem that samba 4.2 will
support OSX clients better, this version seems to be delayed due to
problems, but I am sure that the wait will be worth it.

Rowland

Jeremy Allison

Dec 18, 2014, 1:20:03 PM
On Thu, Dec 18, 2014 at 01:09:17PM -0500, Brett Wynkoop wrote:
> On Thu, 18 Dec 2014 09:49:28 -0800
> Jeremy Allison <j...@samba.org> wrote:
>
> winbind trusted domains only = yes
> > >
> > > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > > winbind, nt p_signd, kcc, smb
> >
> > Remove 'smb' from this line. In fact, remove this line
> > completely. Where did you find docs telling you to add
> > this to the smb.conf ?
>
> I am not sure where that came from. The install was from FreeBSD ports
> and much to my surprise it did not install a sample smb4.conf file, so
> I went casting about the internet and came up with what I posted here,
> but I do not remember where I found this.
>
> Removing the line above produced a totally non-working samba install:
>
> ivory:~ wynkoop$ smbclient -L sambahost
> Error connecting to X.X.X.X (Connection refused)
> Connection to sambahost failed (Error NT_STATUS_CONNECTION_REFUSED)
> ivory:~ wynkoop$

If you want a working AD-DC, follow the documentation
here:

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Brett Wynkoop

Dec 18, 2014, 1:20:04 PM
On Thu, 18 Dec 2014 09:49:28 -0800
Jeremy Allison <j...@samba.org> wrote:

winbind trusted domains only = yes
> >
> > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbind, nt p_signd, kcc, smb
>
> Remove 'smb' from this line. In fact, remove this line
> completely. Where did you find docs telling you to add
> this to the smb.conf ?

I am not sure where that came from. The install was from FreeBSD ports
and much to my surprise it did not install a sample smb4.conf file, so
I went casting about the internet and came up with what I posted here,
but I do not remember where I found this.

Removing the line above produced a totally non-working samba install:

ivory:~ wynkoop$ smbclient -L sambahost
Error connecting to X.X.X.X (Connection refused)
Connection to sambahost failed (Error NT_STATUS_CONNECTION_REFUSED)
ivory:~ wynkoop$

-Brett



Brett Wynkoop

Dec 18, 2014, 1:30:03 PM
On Thu, 18 Dec 2014 17:57:55 +0000
Rowland Penny <rowlan...@googlemail.com> wrote:

> Hi, After sorting out your smb.conf, it would seem that you are
> running samba4 as an AD DC and then trying to add parts to it that
> are either the defaults or are not required. I would suggest that you
> reinstate the original smb.conf (you did keep a copy, didn't you ?),
> delete most of, if not all, the Unix users you have added, then add
> them again, but this time to your AD. Unlike samba 2, when running
> samba 4 in AD mode, you cannot have Unix users that are also AD
> users, you store everything in AD.
>

The FreeBSD Ports system for reasons unknown to me does not install ANY
smb4.conf file and provides no example. The one I have came from
someplace on the internet in the last couple of weeks. A pointer to a
good minimal smb4.conf file would be appreciated.

I have existing Unix users with many GB of files that I need to keep
the UID the same for because of interactions with other systems and
mounts via NFS. Is there any way to force user smith to have uid=50
for example, or am I stuck with the auto-assigned UIDs that end up in
AD?

> I would suggest that you have a read here:
> https://wiki.samba.org/index.php/Main_Page

I have poked about the wiki a bit, but could not sort this without
resorting to the list, but I will again RTFM. Always good advice.
Thanks.

>
> I know that you are testing here, but it would seem that samba 4.2
> will support OSX clients better, this version seems to be delayed due
> to problems, but I am sure that the wait will be worth it.
>
> Rowland


That sounds good, but I will probably be deploying with 4.1.13 unless
4.2 makes it out before my testing is over. I have an immediate need
that just cropped up because all of the sudden I have to bring some
MS-Windows boxes into the mix here. For years the site has been
running using just NFS.

Thanks!

-Brett




Rowland Penny

Dec 18, 2014, 1:30:03 PM
On 18/12/14 18:09, Brett Wynkoop wrote:
> On Thu, 18 Dec 2014 09:49:28 -0800
> Jeremy Allison <j...@samba.org> wrote:
>
> winbind trusted domains only = yes
>>> server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbind, nt p_signd, kcc, smb
>> Remove 'smb' from this line. In fact, remove this line
>> completely. Where did you find docs telling you to add
>> this to the smb.conf ?
> I am not sure where that came from. The install was from FreeBSD ports
> and much to my surprise it did not install a sample smb4.conf file, so
> I went casting about the internet and came up with what I posted here,
> but I do not remember where I found this.
>
> Removing the line above produced a totally non-working samba install:
>
> ivory:~ wynkoop$ smbclient -L sambahost
> Error connecting to X.X.X.X (Connection refused)
> Connection to sambahost failed (Error NT_STATUS_CONNECTION_REFUSED)
> ivory:~ wynkoop$
>
> -Brett
>
>
AH, light is dawning, with samba 4 you don't get a smb.conf until you
provision an active directory domain, you can however run samba4 in
classic mode somewhat similar to samba2 or 3, only some of the
parameters will have changed. See the wiki, all of the info is in there.

Rowland

Rowland Penny

Dec 18, 2014, 2:00:03 PM
On 18/12/14 18:27, Brett Wynkoop wrote:
> On Thu, 18 Dec 2014 17:57:55 +0000
> Rowland Penny <rowlan...@googlemail.com> wrote:
>
>> Hi, After sorting out your smb.conf, it would seem that you are
>> running samba4 as an AD DC and then trying to add parts to it that
>> are either the defaults or are not required. I would suggest that you
>> reinstate the original smb.conf (you did keep a copy, didn't you ?),
>> delete most of, if not all, the Unix users you have added, then add
>> them again, but this time to your AD. Unlike samba 2, when running
>> samba 4 in AD mode, you cannot have Unix users that are also AD
>> users, you store everything in AD.
>>
> The FreeBSD Ports system for reasons unknown to me does not install ANY
> smb4.conf file and provides no example. The one I have came from
> someplace on the internet in the last couple of weeks. A pointer to a
> good minimal smb4.conf file would be appreciated.

I cannot speak about freeBSD as I do not use it, but as I said samba4
can be run in two modes, it can be run just like samba 3 in classic
mode. In this mode, you need to supply the smb.conf and samba will run
as a PDC/BDC, member server or client, you will need to start the smbd &
nmbd daemons and optionally the winbindd daemon.

You can also run samba4 as an Active Directory Domain Controller, in
this mode, the smb.conf file will be created for you when you provision
the domain with samba-tool.

If you do run samba4 as an AD DC, you can use the id numbers you require
by creating the users in AD and giving them a 'uidNumber' containing the
id number.

As I said, read the wiki and then decide which way you want to go,
'classic' or 'AD DC'

Once you have done this, come back with your new questions :-)

Rowland
>
> I have existing Unix users with many GB of files that I need to keep
> the UID the same for because of interactions with other systems and
> mounts via NFS. Is there any way to force user smith to have uid=50
> for example, or am I stuck with the auto-assigned UIDs that end up in
> AD?
>
>> I would suggest that you have a read here:
>> https://wiki.samba.org/index.php/Main_Page
> I have poked about the wiki a bit, but could not sort this without
> resorting to the list, but I will again RTFM. Always good advice.
> Thanks.
>
>> I know that you are testing here, but it would seem that samba 4.2
>> will support OSX clients better, this version seems to be delayed due
>> to problems, but I am sure that the wait will be worth it.
>>
>> Rowland
>
> That sounds good, but I will probably be deploying with 4.1.13 unless
> 4.2 makes it out before my testing is over. I have an immediate need
> that just cropped up because all of the sudden I have to bring some
> MS-Windows boxes into the mix here. For years the site has been
> running using just NFS.
>
> Thanks!
>
> -Brett
>
>
>


Brett Wynkoop

Dec 18, 2014, 4:00:03 PM
Rowland-

Thanks so much for the info. I expect some of my confusion was the
lack of initial smb4.conf.

I will look at all you have told me to examine and come back with new
questions, or a report that all is well in the land of Samba.

-Brett



Brett Wynkoop

Dec 19, 2014, 2:40:03 AM
Greeting-

OK, I went back and re-read the page on the AD DC HowTo, and now I
remember that it was the first way I tried to set up the server two
weeks ago. When I tried to start the server it failed to start, which is
why I went searching out an smb4.conf online.

I can go through the setup from the start again, but I am still at a
loss as to how to match the UID numbers in the Samba AD to the
historical UID numbers that all the existing unix users have. The
situation is that historically everything here was Unix of some sort,
but we are adding a small flock of windows boxes, which is why I am
looking at trying to bring Samba 4 on line.

If someone can point me to a clear simple explanation on how to force
particular UIDs in Samba I would appreciate that. I will tackle the
lack of encryption once I get the UID situation solved.

Here is a partial output of pdbedit -Lv for my account:


Unix username: wynkoop
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3503051414-2097048719-4239445089-1105
Primary Group SID: S-1-5-21-3503051414-2097048719-4239445089-513
Full Name:
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 0
Kickoff time: never
Password last set: Mon, 15 Dec 2014 15:17:39 EST
Password can change: Mon, 15 Dec 2014 15:17:39 EST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

I am not sure what Rowland meant when he said give them a UIDnumber
containing the numbers I need. I do not see any field marked as UID
above. Do I need to extend the database with the addition of another
field?

Thanks so much everyone. It has been years since I needed to use
samba, so I am climbing the learning curve on this new version.

-Brett


Tim

Dec 19, 2014, 3:20:03 AM
I think Rowland meant to use rfc2307 attributes in your domain. Therefore it is needed to provision your domain with --use-rfc2307 parameter. When you have done this the schema doesn't need to be extended.

When you are using ADUC in Windows, are you seeing a Unix tab in preferences of a user or group?
If not you need to install the "Server for NIS Tools" extension for ADUC.
Then you can set Unix attribs in ADUC.

Regards
Tim

Brett Wynkoop

Dec 19, 2014, 4:10:03 AM
On Fri, 19 Dec 2014 09:17:25 +0100
Tim <rint...@gmx.net> wrote:

> I think Rowland meant to use rfc2307 attributes in your domain.
> Therefore it is needed to provision your domain with --use-rfc2307
> parameter. When you have done this the schema doesn't need to be
> extended.

Hmmm, well, I used rfc2307 on one of my previous attempts, but still saw no
way to set the UID to what I wanted them to be. They were something
like 5 or 6 digit numbers.

So is there a way to force a particular UID, meaning can I create
account smith with UID 553 in a Samba DC?

My plan is after I figure this out to script the process and
feed /etc/passwd into the AD.

At the moment I do not have an MS-Windows box here yet, so I can not
check what is shown in an MS-Windows control panel.

This task is in preparation for the arrival of a small flock of
ms-windows boxes that are coming in for a special project, but they
need to be integrated with the existing network of FreeBSD, Solaris,
GNU/Linux and Mac OSX boxes, all of which are using NIS and NFS. Since
they can all authenticate against LDAP and Kerberos (AKA AD) my plan is
to just move over to AD on a samba box, but if a user is on a
Windows box I need him to have the same UID on created files as if he
was on a Unix box.

Did I miss something with smbpasswd or pdbedit where I can set specific
UID just like I can by editing /etc/passwd?


Here is something interesting.....

root@prd2:/home/wynkoop # pdbedit -L | grep wynkoop
wynkoop:34:
root@prd2:/home/wynkoop #

root@prd2:/home/wynkoop # id wynkoop
uid=34(wynkoop) gid=34(wynkoop) groups=34(wynkoop),0(wheel),80(www)
root@prd2:/home/wynkoop #


root@prd2:/home/wynkoop # pdbedit -Lv wynkoop

(config output snipped)

ldb_wrap open of idmap.ldb
Home server: prd2
Home server: prd2
Unix username: wynkoop
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3503051414-2097048719-4239445089-1105
Primary Group SID: S-1-5-21-3503051414-2097048719-4239445089-513
Full Name:
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 0
Kickoff time: never
Password last set: Mon, 15 Dec 2014 15:17:39 EST
Password can change: Mon, 15 Dec 2014 15:17:39 EST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Nowhere in the verbose output do I see 34, and then we have this:

root@prd2:/archive/test # ls -l
total 1
-rw-r--r-- 1 3000014 wheel 236 Dec 19 03:50 hosts
root@prd2:/archive/test #


Hosts was transferred into that directory using smbclient from another
box and as you can see the owner is a user that does not exist on the
system. How the heck did it come up with a UID of 3000014?

So I think I am getting more confused as things go along. I have a
mind to deinstall everything, remove all the database files and try
again from scratch, but that still leaves the burning question how do I
do something like this:

root@prd2:/archive/test # adduser
Username: bew
Full name: B^C
root@prd2:/archive/test # adduser
Username: example
Full name: Ex Ample
Uid (Leave empty for default): 554
Login group [example]:
Login group is example. Invite example into other groups? []:


with Samba. I suppose I could drop back to samba 2 or 3, or run in
legacy mode, but that is not what I would consider optimal.

Thanks!

Rowland Penny

Dec 19, 2014, 4:50:03 AM
OK, when you create a windows user, they get a SID-RID, the SID
identifies the domain and the RID is the user's unique ID number, the
same goes for groups.

An example of a SID-RID would be:
S-1-5-21-3623811015-3361044348-30300820-1013
The SID being: S-1-5-21-3623811015-3361044348-30300820
and the RID: 1013

From the example, you can see that this is no good for Unix, so you
need to map these numbers to something that Unix understands, or use
something else. This is where the RFC2307 attributes come in, amongst
which are 'uidNumber' & 'gidNumber', this is where you can set the
user's or group's Unix ID. You can set these numbers to whatever you
need, but having said that, I am struggling to understand why you need
to map/use numbers like '50'. These low numbers on Unix are usually used
for programs that run on Unix (apache, bind, etc) that do not really
need to be in AD.

If you feel that you want to take this discussion off-list, then contact
me direct.

Rowland

steve

Dec 19, 2014, 9:10:06 AM
On 19/12/14 10:06, Brett Wynkoop wrote:

>
> So is there a way to force a particular UID, meaning can I create
> account smith with UID 553 in a Samba DC?

Yes. Simply add:
uidNumber: 553
to the user's entry. That gets it into the database. You can use sssd or
winbind to get it out.
HTH

Davor Vusir

Dec 21, 2014, 1:30:03 PM
http://www.citi.umich.edu/projects/nfsv4/windows/readme.html?

Best regards
Davor Vusir

-- Sent from my phone! --


----- Original message -----
From: "Brett Wynkoop" <wynkoo...@wynn.com>
Sent: 2014-12-19 10:06
To: "sa...@lists.samba.org" <sa...@lists.samba.org>
Cc: "Tim" <rint...@gmx.net>
Subject: Re: [Samba] Samba 4 problems

Brett Wynkoop

Dec 21, 2014, 3:10:03 PM
On Fri, 19 Dec 2014 11:35:58 +0100
steve <st...@steve-ss.com> wrote:

> On 19/12/14 10:06, Brett Wynkoop wrote:
>
> >
> > So is there a way to force a particular UID, meaning can I create
> > account smith with UID 553 in a Samba DC?
>
> Yes. Simply add:
> uidNumber: 553
> to the user's entry. That gets it into the database. You can use sssd
> or winbind to get it out.
> HTH
>
>

Steve,

Thanks for the above, but I found nothing in the pdbedit man page that
I recognize as a way to "Simply add". A pointer would be appreciated.

-Brett


Rowland Penny

Dec 21, 2014, 5:00:03 PM
On 21/12/14 20:05, Brett Wynkoop wrote:
> On Fri, 19 Dec 2014 11:35:58 +0100
> steve <st...@steve-ss.com> wrote:
>
>> On 19/12/14 10:06, Brett Wynkoop wrote:
>>
>>> So is there a way to force a particular UID, meaning can I create
>>> account smith with UID 553 in a Samba DC?
>> Yes. Simply add:
>> uidNumber: 553
>> to the user's entry. That gets it into the database. You can use sssd
>> or winbind to get it out.
>> HTH
>>
>>
> Steve,
>
> Thanks for the above, but I found nothing in the pdbedit man page that
> I recognize as a way to "Simply add". A pointer would be appreciated.
>
> -Brett
>

Hi, it's not quite as easy as that, you need to use ldbmodify (or
similar) to add the ID number.

First create an ldif i.e. /tmp/user.ldif

dn: CN=John Doe,CN=Users,DC=example,DC=com
changetype: modify
add: uidNumber
uidNumber: IDNUMBER

Replace 'John Doe' with your user's name
Replace 'CN=Users' with where your users are stored in AD, if they are
not stored in the default container
Replace 'DC=example,DC=com' with your rootdse
Replace 'IDNUMBER' with whatever number (it must be a number) you want
to give the user.

Now add the info to the user's AD object:

ldbmodify --url=/var/lib/samba/private/sam.ldb /tmp/user.ldif

The above relies on 'sam.ldb' being at the given path.

Your user on Unix should now have the given ID number.

Only problem, you have to remember what ID numbers you have used.

Rowland
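As an added example (not code from anyone in this thread), the script below turns Rowland's SID/RID explanation and his ldbmodify LDIF template into the /etc/passwd-to-AD step Brett said he planned to script: it parses passwd lines, emits one "changetype: modify" record per user that adds uidNumber and gidNumber, and refuses to reuse an ID number Rowland warned you must keep track of yourself. Assumptions: the user objects sit in CN=Users with a CN equal to the login name, DC=example,DC=com stands in for your rootdse, and the passwd lines are constructed sample data.

```python
"""Generate LDIF that sets RFC2307 uidNumber/gidNumber on Samba AD users from /etc/passwd.

Added example, not from the thread. Follows Rowland's ldbmodify template; the
container and base DN below are assumptions to be replaced for a real domain.
"""
from typing import Dict, List, Tuple

BASE_DN = "CN=Users,DC=example,DC=com"   # assumed; replace with your container and rootdse

# Constructed sample /etc/passwd lines (FreeBSD style), not taken from the thread.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
smith:*:50:50:J Smith:/home/smith:/bin/sh
example:*:554:554:Ex Ample:/home/example:/bin/sh
dupe:*:554:554:Duplicate ID:/home/dupe:/bin/sh
"""


def split_sid(sid_rid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-1013' into (domain SID, RID) as Rowland describes."""
    domain, rid = sid_rid.rsplit("-", 1)
    return domain, int(rid)


def parse_passwd(text: str, min_uid: int = 1) -> List[Tuple[str, int, int]]:
    """Return (login, uid, gid) per passwd line; skip uids below min_uid (system accounts)."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed passwd line: %r" % line)
        login, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid >= min_uid:
            users.append((login, uid, gid))
    return users


def uidnumber_ldif(login: str, uid: int, gid: int, base_dn: str = BASE_DN) -> str:
    """One modify record in the shape Rowland gave, extended with gidNumber ('-' separates mods)."""
    return (
        "dn: CN=%s,%s\n"
        "changetype: modify\n"
        "add: uidNumber\n"
        "uidNumber: %d\n"
        "-\n"
        "add: gidNumber\n"
        "gidNumber: %d\n"
    ) % (login, base_dn, uid, gid)


def build_ldif(passwd_text: str) -> Tuple[str, List[str]]:
    """Emit LDIF for every user; report logins whose uid collides with one already handed out."""
    used: Dict[int, str] = {}
    records, collisions = [], []
    for login, uid, gid in parse_passwd(passwd_text):
        if uid in used:
            collisions.append("%s shares uid %d with %s" % (login, uid, used[uid]))
            continue
        used[uid] = login
        records.append(uidnumber_ldif(login, uid, gid))
    return "\n".join(records), collisions


if __name__ == "__main__":
    ldif, problems = build_ldif(SAMPLE_PASSWD)
    print(ldif)   # save and apply with: ldbmodify --url=/var/lib/samba/private/sam.ldb file.ldif
    for p in problems:
        print("SKIPPED:", p)
```

On a DC the uidNumber is only honoured with idmap_ldb:use rfc2307 = yes in smb.conf (the line Brett had commented out); without it winbind allocates from idmap.ldb's 3000000 range, which is where the 3000014 owner on his test file came from.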