
[Samba] IDMAP + GETENT


Edson Tadeu Almeida da Silveira via samba

Sep 22, 2016, 7:10:03 PM
Hi guys!

I'm looking for a way to solve the problem between my Samba 4.4.4 DC and my
Samba 4.3 file server.

The user and group IDs are not the same on both servers, and I can't find
a solution for this.

Can anyone help me?

This is the environment:

DC: Samba 4.4.4
------------------------
smb.conf:

[global]
interfaces = lo eth0
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = SERVER
server role = active directory domain controller
dns forwarder = 10.x.x.x
allow dns updates = nonsecure
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes


root@server:/usr/local/src/samba-4.4.6# wbinfo --name-to-sid edsontadeu
S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)

root@server:/usr/local/src/samba-4.4.6# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
3000019


FILE SERVER: Samba 4.3.6

------------------------
smb.conf

[global]
workgroup = DOMAIN
netbios name = FS1
realm = DOMAIN.LOCAL
security = domain
server services = smb winbindd
encrypt passwords = true
wins server = 10.x.x.x
idmap config * : backend = tdb
idmap config * : range = 70001-80000
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
domain master = no
local master = no
preferred master = no
os level = 0
log level = 2 vfs:7 auth:2 passdb:2


root@fs1:~# wbinfo --name-to-sid edsontadeu
S-1-5-21-1058002876-845724780-2777320708-1106 SID_USER (1)

root@fs1:~# wbinfo --sid-to-uid S-1-5-21-1058002876-845724780-2777320708-1106
70001

root@fs1:~# id edsontadeu
id: edsontadeu: no such user

root@fs1:~# getent passwd edsontadeu
(NO RESULTS)

root@fs1:~# wbinfo -i edsontadeu
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user edsontadeu


wbinfo -u and wbinfo -g work well. They give me all my AD users.

Thanks all!!


--

-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------

Rowland Penny via samba

Sep 23, 2016, 3:30:03 AM

OK, can I suggest you change the DC smb.conf to this:

[global]
netbios name = SERVER
realm = DOMAIN.LOCAL
workgroup = DOMAIN

server role = active directory domain controller
dns forwarder = 10.x.x.x
allow dns updates = nonsecure

winbind enum users = yes
winbind enum groups = yes

All the other lines you added will not do anything on a DC.

You should also change the domain member smb.conf to this:

[global]
workgroup = DOMAIN
security = domain # wrong
realm = DOMAIN.LOCAL
netbios name = FS1

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind normalize names = Yes

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-999999

domain master = no
local master = no
preferred master = no

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

log level = 2 vfs:7 auth:2 passdb:2

You will then need to give Domain Users a gidNumber attribute inside
the range '10000-999999'
You will then need to give each user a uidNumber attribute inside the
range '10000-999999'

If you follow the above, you should then get the same ID numbers on the
DC and the domain member, provided nsswitch & links are set up on the
DC.

Rowland
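Added example, not code from the thread or from the Samba project: a small checker for the idmap side of a domain member's smb.conf. It parses the `idmap config` lines (both the `DOMAIN:range` and `DOMAIN : range` spellings used in this thread), verifies that the `*` and `DOMAIN` ranges do not overlap, and states which range a number returned by `wbinfo --sid-to-uid` falls into: with the ad backend, an ID can only have come from a uidNumber/gidNumber attribute if it sits inside the DOMAIN range, so the file server's 70001 (first number of the tdb range) is a tdb allocation, not an AD attribute. The embedded config is the file server's from the thread; the check is only meaningful for a domain member, since Rowland notes the idmap lines do nothing on a DC.

```python
"""Added example (not from the thread or from Samba): check the idmap
configuration of a Samba domain member and say which range a uid reported by
`wbinfo --sid-to-uid` belongs to.

Assumptions: the smb.conf text below is the file server's config from the
thread, embedded as a string; only the rules stated in the thread are
checked (ranges must not overlap, and with the ad backend an ID must come
from a uidNumber/gidNumber inside the DOMAIN range). Not meaningful for a DC,
where the idmap lines are ignored.
"""
import re

# Matches both spellings used in the thread:
#   idmap config DOMAIN:range = 3000000-4000000
#   idmap config DOMAIN : range = 3000000-4000000
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the domain member's idmap lines as posted in the thread.
MEMBER_SMB_CONF = """
[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 3000000-4000000
   winbind nss info = rfc2307
"""


def parse_idmap(smb_conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    domains = {}
    for line in smb_conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        dom = m["dom"] if m["dom"] == "*" else m["dom"].upper()
        domains.setdefault(dom, {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(text):
    """'low-high' -> (low, high), rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError("inverted idmap range: %s" % text)
    return lo, hi


def check_ranges(domains):
    """Return a list of problems; an empty list means the ranges are usable."""
    problems, seen = [], []
    for dom, params in domains.items():
        if "range" not in params:
            problems.append("%s: no range configured" % dom)
            continue
        lo, hi = parse_range(params["range"])
        for other, (olo, ohi) in seen:
            if lo <= ohi and olo <= hi:
                problems.append("%s range %d-%d overlaps %s range %d-%d"
                                % (dom, lo, hi, other, olo, ohi))
        seen.append((dom, (lo, hi)))
    return problems


def locate_uid(uid, domains):
    """Name the idmap domain whose range contains uid, or None."""
    for dom, params in domains.items():
        if "range" in params:
            lo, hi = parse_range(params["range"])
            if lo <= uid <= hi:
                return dom
    return None


def explain_uid(uid, domains, ad_domain="DOMAIN"):
    """Explain where an ID from `wbinfo --sid-to-uid` on a domain member came from."""
    dom = locate_uid(uid, domains)
    if dom == ad_domain and domains[dom].get("backend", "").lower() == "ad":
        return ("%d is inside the %s ad range: it was read from a uidNumber/"
                "gidNumber attribute in AD" % (uid, dom))
    if dom == "*":
        return ("%d is inside the default '*' (%s) range: it was allocated "
                "locally, not read from AD, which matches a user with no "
                "uidNumber attribute" % (uid, domains["*"].get("backend", "?")))
    return "%d lies outside every configured idmap range" % uid


if __name__ == "__main__":
    cfg = parse_idmap(MEMBER_SMB_CONF)
    for p in check_ranges(cfg) or ["idmap ranges do not overlap"]:
        print(p)
    print(explain_uid(70001, cfg))    # the file server's answer in the thread
    print(explain_uid(3000019, cfg))  # the DC's answer, judged against the member config
```

Run it against the file server's config and the 70001 case is reported as a local tdb allocation; swap in Rowland's suggested ranges (2000-9999 and 10000-999999) and `check_ranges` stays empty, which is the property you want before assigning any uidNumber values.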

Rowland Penny via samba

Sep 23, 2016, 7:40:02 AM
On Fri, 23 Sep 2016 08:06:56 -0300
Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> I'm using ADUC, but Unix Attributes is not enabled to insert a GID.
> Should I recompile my Samba with the rfc option?

If you are using ADUC on Windows 10, there is no Unix Attributes tab;
if you are using any other version of Windows, you need to install
IDMU, see here:

https://wiki.samba.org/index.php/Installing_RSAT

This does depend on you adding the option '--use-rfc2307' to the
provision command, but if you didn't, you can add it later, see here:

https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

>
> So, let me see if i understood.
>
> For each existent or new user and group, should i insert a unique
> UID/GID manually?

If you need to have the same IDs everywhere you need to do the
following:

For a windows user to be a Unix user as well, you need to add
a uidNumber attribute.
You also need to give 'Domain Users' a gidNumber attribute, if you do
not do this and use winbind, you will not get any Unix users.

These 'uidNumber' and 'gidNumber' attributes are NOT created
automatically; it needs to be a manual action.

Rowland Penny via samba

Sep 23, 2016, 9:30:03 AM
On Fri, 23 Sep 2016 09:50:38 -0300

Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> I don't know why, but ldbmodify is not working for me :-)
>
> ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif-CHANGED --option="dsdb:schema update allowed"=true
>
> Invalid option --option=dsdb:schema update allowed=true: unknown
> option
>

Strange, it should work. Is 'sam.ldb' in /usr/local/samba/private? Or,
to put it another way, did you compile Samba yourself?

There is another way of doing this (once you are sure you are running
ldbmodify against the correct path to sam.ldb): add 'dsdb:schema update
allowed = true' to the DC's smb.conf, restart samba and then run the
command without the '--option'.

If this works, remove the line you added to smb.conf and restart samba
again.

Rowland Penny via samba

Sep 23, 2016, 10:00:04 AM
On Fri, 23 Sep 2016 10:38:18 -0300

Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> Yes, I compiled my DC myself.
>
> I did what you said and then:
>
> # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif-cbmerj
> WARNING: Module [samba_dsdb] not found - do you need to set
> LDB_MODULES_PATH? Unable to load modules
> for /usr/local/samba/private/sam.ldb: (null) Failed to connect
> to /usr/local/samba/private/sam.ldb - (null)
>

It looks like your Python path isn't setup correctly, I would
investigate how to do this for your OS.

Rowland Penny via samba

Sep 23, 2016, 10:50:02 AM
On Fri, 23 Sep 2016 11:10:51 -0300

Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> I think my Ubuntu version doesn't have support for the necessary
> libraries:
>
> ldb: unable to dlopen /usr/local/samba/lib/ldb/acl.so :
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2: version `TALLOC_2.1.0' not
> found (required by /usr/local/samba/lib/libsamba-hostconfig.so.0)
> ldb: unable to dlopen /usr/local/samba/lib/ldb/aclread.so :
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2: version `TALLOC_2.1.0' not
> found (required by /usr/local/samba/lib/libsamba-hostconfig.so.0)
> ldb: unable to dlopen /usr/local/samba/lib/ldb/anr.so :
> /usr/lib/x86_64-linux-gnu/libldb.so.1: version `LDB_1.1.19' not found
> (required by /usr/local/samba/lib/private/libldbsamba-samba4.so)
>
> I'm running with
>
> python-talloc 2.0.7
> python-ldb 1.1.4
>

I think that explains it: you are using the OS package libs, not the
ones you compiled with Samba. I do not have those packages installed (I
use Devuan) and it works for me.
Try removing those packages, and you will probably want to ensure
that /usr/local/samba/bin and /usr/local/samba/sbin are at the front of
your env PATH variable.

Rowland Penny via samba

Sep 24, 2016, 3:40:03 AM
On Fri, 23 Sep 2016 19:54:36 -0300

Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> Hi Rowland.
>
> I did the ldif import and it seems OK now.
>
> I set only the gid on my groups, because there are only a few of them.
>
> But when I insert these lines on my member server:
>
> # idmap config CBMERJ : backend = ad
> # idmap config CBMERJ : schema_mode = rfc2307
> # idmap config CBMERJ : range = 3000000-4000000
>
> I can't access the shares through my Windows clients.
>
> Will this only work if I set a uid for all my users, or is there
> something else?

The only groups that need a gidNumber are 'Domain Users' and any other
group that you want/need to be visible to Unix.
You MUST also give a uidNumber to any users that you want to be visible
to Unix (Note: you do not have to use the 3000000 numbers)

This is where a lot of people go wrong or misunderstand the winbind ad
backend.
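Added example, not code from the thread or from the Samba project, for the manual step Rowland describes in this and the earlier reply: generating the LDIF that gives 'Domain Users' (and any other group you want visible to Unix) a gidNumber and each user a uidNumber inside the member server's `idmap config DOMAIN : range`. The directory objects are a constructed sample with made-up DNs; the range 10000-999999 is the one suggested in the thread; sharing one number pool between uids and gids is a design choice of this example, not a Samba rule. An object whose existing number lies outside the range is reported rather than rewritten, since the ad backend will not map it and changing an ID that files already carry changes their owner on disk.

```python
"""Added example (not from the thread or from Samba): produce the LDIF that
gives 'Domain Users' and other groups a gidNumber, and each user a uidNumber,
inside the domain member's 'idmap config DOMAIN : range'.

Assumptions: the directory objects below are a constructed sample with
made-up DNs; the range 10000-999999 is the one suggested in the thread;
a single number pool is shared by uids and gids (a design choice here);
an existing uidNumber/gidNumber outside the range is reported, never
rewritten. Apply the output with ldbmodify on the DC or with ldapmodify.
"""

AD_RANGE = (10000, 999999)

DOMAIN_USERS = "Domain Users"


def sample_objects():
    """Constructed directory objects: the minimum the generator needs."""
    base = "CN=Users,DC=domain,DC=local"
    return [
        {"dn": "CN=%s,%s" % (DOMAIN_USERS, base), "kind": "group", "name": DOMAIN_USERS},
        {"dn": "CN=fileadmins,%s" % base, "kind": "group", "name": "fileadmins",
         "gidNumber": 10005},
        {"dn": "CN=edsontadeu,%s" % base, "kind": "user", "name": "edsontadeu"},
        {"dn": "CN=maria,%s" % base, "kind": "user", "name": "maria"},
        {"dn": "CN=svc-backup,%s" % base, "kind": "user", "name": "svc-backup",
         "uidNumber": 3000019},   # outside the range: reported, not changed
    ]


def _attr_for(obj):
    return "gidNumber" if obj["kind"] == "group" else "uidNumber"


def _next_free(used, lo, hi):
    """Lowest unused number in [lo, hi]; records it as used."""
    n = lo
    while n in used:
        n += 1
    if n > hi:
        raise RuntimeError("idmap range %d-%d is exhausted" % (lo, hi))
    used.add(n)
    return n


def assign_ids(objects, rng=AD_RANGE):
    """Return (assignments, problems).

    assignments: [(dn, attribute, number)] for objects that lack the attribute.
    problems:    strings for numbers that already exist but fall outside rng.
    """
    lo, hi = rng
    used, problems = set(), []
    for obj in objects:
        attr = _attr_for(obj)
        if attr in obj:
            n = int(obj[attr])
            used.add(n)
            if not lo <= n <= hi:
                problems.append("%s: %s=%d is outside %d-%d; the ad backend will not map it"
                                % (obj["name"], attr, n, lo, hi))
    # Domain Users first: without its gidNumber winbind shows no Unix users at all.
    ordered = sorted(objects, key=lambda o: (o["name"] != DOMAIN_USERS, o["name"]))
    assignments = []
    for obj in ordered:
        attr = _attr_for(obj)
        if attr not in obj:
            assignments.append((obj["dn"], attr, _next_free(used, lo, hi)))
    return assignments, problems


def to_ldif(assignments):
    """Render assignments as LDIF modify/replace records (replace is idempotent)."""
    records = []
    for dn, attr, number in assignments:
        records.append("dn: %s\nchangetype: modify\nreplace: %s\n%s: %d\n-\n"
                       % (dn, attr, attr, number))
    return "\n".join(records)


if __name__ == "__main__":
    assignments, problems = assign_ids(sample_objects())
    for p in problems:
        print("# " + p)
    print(to_ldif(assignments))
```

After importing the LDIF, the check that matters is the one from the original post: `getent passwd <user>` and `id <user>` on the member server must now return the uidNumber you assigned, and `wbinfo --sid-to-uid` must return a number inside the DOMAIN range rather than the first number of the `*` range.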
