
[Samba] Consistent UID/GID mappings?


Alexandre Beauclair

Apr 7, 2014, 3:50:02 PM
Greetings everyone,

I am currently in the process of trying to set up Samba4 as an Active Directory DC. My environment contains about 50% of Windows workstations, and 50% of CentOS servers/Ubuntu workstations.
Everything set up quite nicely, with Windows workstations and Linux machines being able to log on with a domain user.
The problem I have is I can't seem to be able to get consistent UIDs and GIDs across all platforms. We would need those for we use NFS shares along with samba shares on the Samba machine.

At first, I noticed UIDs were being mapped locally, and this wouldn't do. So I read online I could use the RID backend with winbind to generate their mappings in a consistent fashion. It worked great on my Linux members (running Samba3). UIDs were the same, and everything was good. Then I noticed it didn't work on the Samba DC, using the same configuration. From what I could understand, it seems like RID mapping isn't supported in Samba4?

I've seen tricks such as these: http://www.blackhole-networks.com/Cheatsheets/Samba4Map/, but even so when I then tried to create a file on an NFS share (on the Samba4 DC), and then mount said share on a Samba3 member, it would show the owner and group as being "nobody", even though "getent passwd" showed the user having the same UID.

I've also noticed on my DC, "getent passwd" displays users as DOM\testuser, whereas on my members it simply shows them as "testuser". Could this have something to do with my problem?

I've seen sample configurations using the "idmap config DOM : backend = ad" configuration, but did not have any kind of success with it. Apart from smb.conf in that kind of a setup, is there something else to configure?

Is there a new recommended way to set up mappings in Samba4? In the end all I need are UIDs to match so I can set up user home directories with NFS, and when Windows users create files under a Samba share they retain the appropriate username/group ID under Linux as well, so that everything is tied up nicely.

Thanks a lot for any help you can provide!

Regards,
Alexandre Beauclair
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld

Apr 7, 2014, 4:00:01 PM
Hello Alexandre,

Am 07.04.2014 21:43, schrieb Alexandre Beauclair:
> The problem I have is I can't seem to be able to get
> consistent UIDs and GIDs across all platforms.

You have to fill the stuff in the unix attributes tab in ADUC.

If it isn't there, you haven't provisioned your domain with
--use-rfc2307. You enable the NIS extension later (not tried):
https://serverfault.com/questions/558090/enable-nis-extensions-rfc2307-on-samba-4-ad-after-installation




> I've seen sample configurations using the
> "idmap config DOM : backend = ad" configuration, but
> did not have any kind of success with it

If you have filled the attributes in AD (UID, home, etc.) have a look here:
https://wiki.samba.org/index.php/Samba/Domain_Member#Setting_up_a_basic_smb.conf

As an alternative you can set up sssd instead of Winbind and retrieve the
account data from AD:
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd



Regards,
Marc

Alexandre Beauclair

Apr 8, 2014, 12:00:02 PM
Thanks for the help Marc.
With your guidance I was able to make winbind retrieve the user's UID in a consistent manner across machines.
I was able to fill the info in ADUC, and retrieve it with the ad backend. However, whenever I "getent" or "id" the user, it shows me the correct UID, but doesn't show the additional groups it is a member of. It stays as Domain Users, even though I created the group under ADUC, gave it UNIX attributes, and filled the field for the user for Primary GID.

Also, I tried creating a file in an NFS share, then mounting it on another system (which is able to retrieve the user info), and ownerships appear as nobody for both the user and group. Is this normal behavior?

Thanks!

Alexandre Beauclair

steve

Apr 8, 2014, 12:20:02 PM
On Mon, 2014-04-07 at 21:52 +0200, Marc Muehlfeld wrote:
> Hello Alexandre,
>
> Am 07.04.2014 21:43, schrieb Alexandre Beauclair:
> > The problem I have is I can't seem to be able to get
> > consistent UIDs and GIDs across all platforms.
>
> You have to fill the stuff in the unix attributes tab in ADUC.
>
> If it isn't there, you haven't provisioned your domain with
> --use-rfc2307.

You do not need to provision with:
--use-rfc2307
to use rfc2307 with a Samba4 DC.

Simply manage your users and using samba-tool.
HTH
Steve

Jonathan Buzzard

Apr 8, 2014, 12:20:02 PM
On Tue, 2014-04-08 at 11:59 -0400, Alexandre Beauclair wrote:
> Thanks for the help Marc. With your guidance I was able to make winbind
> retrieve the user's UID in a consistent manner across machines. I was
> able to fill the info in ADUC, and retrieve it with the ad backend.
> However, whenever I "getent" or "id" the user, it shows me the correct
> UID, but doesn't show the additional groups it is a member of. It stays
> as Domain Users, even though I created the group under ADUC, gave it
> UNIX attributes, and filled the field for the user for Primary GID.
>

Because winbind for some reason I could never figure uses the
primarygroupid rather than the GID number for the user's primary group.

Best practice IMHO is to keep the two synchronized. That is the GID
number of the user should match the GID number of the user's
primarygroupid.


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

steve

Apr 8, 2014, 12:40:01 PM
On Tue, 2014-04-08 at 17:11 +0100, Jonathan Buzzard wrote:
> On Tue, 2014-04-08 at 11:59 -0400, Alexandre Beauclair wrote:
> > Thanks for the help Marc. With your guidance I was able to make winbind
> > retrieve the user's UID in a consistent manner across machines. I was
> > able to fill the info in ADUC, and retrieve it with the ad backend.
> > However, whenever I "getent" or "id" the user, it shows me the correct
> > UID, but doesn't show the additional groups it is a member of. It stays
> > as Domain Users, even though I created the group under ADUC, gave it
> > UNIX attributes, and filled the field for the user for Primary GID.
> >
>
> Because winbind for some reason I could never figure uses the
> primarygroupid rather than the GID number for the user's primary group.
>
> Best practice IMHO is to keep the two synchronized. That is the GID
> number of the user should match the GID number of the user's
> primarygroupid.

The OP does not have a problem with primaryGroupID. He has a problem
with displaying additional group membership.

Marc Muehlfeld

Apr 8, 2014, 1:00:02 PM
Am 08.04.2014 18:09, schrieb steve:
> You do not need to provision with:
> --use-rfc2307
> to use rfc2307 with a Samba4 DC.

No. But not everyone wants to administrate the server on cmd line. And
to have the Unix Tab in ADUC, it's necessary.


Regards,
Marc

Alexandre Beauclair

Apr 8, 2014, 2:10:01 PM
I can go in ADUC, or on the command line (both work) to add a user to the group.
Let's say I have a group called testgroup. I can add a user to it using samba-tool, or use ADUC and add testuser to the group under the Members tab of the group object. However, still in ADUC, if I go to the UNIX Attribute tab of the testgroup object and add a member there, it doesn't work. At least there's a way that works for me to add a member to a group, but I'm wondering why it's not being picked up.

Also, the problem I mentioned earlier was regarding the PrimaryGID of the user, which is apparently not read. I can set it to testgroup under UNIX Attributes of the ADUC, but when I "getent passwd" on my member machine, the GID is still at 513 (Domain Users).

I noticed that on my member machine, when I "getent passwd" it actually shows the values I set in the UNIX Attributes tab for UID, Login Shell and Home Directory, but not PrimaryGID.
On my Samba4 server machine, it only gets the UID, and nothing else. Login Shell remains at /bin/false except if I set a template shell in smb.conf, and the Home Directory value is /home/DOM/testuser. If I set a template homedir in smb.conf, it will take that value, but doesn't register the %U value to replace the username.

So all in all, as far as UID goes, I'm good to go. My problem is now with PrimaryGID not being picked up on either machine, and Login Shell/Home Directory not registering with the Samba4 Server when I query with getent.

Sorry if it seems a bit confusing, I'm trying to make sense of it all. As usual I appreciate all your support!

Alexandre Beauclair

----- Original Message -----
From: "Marc Muehlfeld" <sa...@marc-muehlfeld.de>
To: "steve" <st...@steve-ss.com>, sa...@lists.samba.org
Sent: Tuesday, April 8, 2014 12:53:32 PM
Subject: Re: [Samba] Consistent UID/GID mappings?

steve

Apr 8, 2014, 2:50:01 PM
On Tue, 2014-04-08 at 14:03 -0400, Alexandre Beauclair wrote:
> I can go in ADUC, or on the command line (both work) to add a user to the group.
> Let's say I have a group called testgroup. I can add a user to it using samba-tool, or use ADUC and add testuser to the group under the Members tab of the group object. However, still in ADUC, if I go to the UNIX Attribute tab of the testgroup object and add a member there, it doesn't work. At least there's a way that works for me to add a member to a group, but I'm wondering why it's not being picked up.
>
> Also, the problem I mentioned earlier was regarding the PrimaryGID of the user, which is apparently not read. I can set it to testgroup under UNIX Attributes of the ADUC, but when I "getent passwd" on my member machine, the GID is still at 513 (Domain Users).
>
Hi
Set the primary group under the Member of tab, not the Unix tab.

Alexandre Beauclair

Apr 8, 2014, 3:00:04 PM
Thanks a lot!
It worked perfectly to set the Primary GID.
That's one down and I feel I'm finally getting somewhere. Now for the Home Directory attribute, we need them to point to /home/users/DOMAIN/username. The member machine has no trouble reading it from the UNIX attributes, but it doesn't seem to be able to from the Samba4 Server. It keeps pointing to /home/DOMAIN/username, which I believe is the default for Samba4. Is there some place else I have to configure it? Looking at my previous problems, I'm beginning to think I'm just not looking at the right place to configure these...

Alexandre Beauclair

----- Original Message -----
From: "steve" <st...@steve-ss.com>
To: "Alexandre Beauclair" <beauc...@lexum.com>
Cc: "Marc Muehlfeld" <sa...@marc-muehlfeld.de>, sa...@lists.samba.org
Sent: Tuesday, April 8, 2014 2:39:24 PM
Subject: Re: [Samba] Consistent UID/GID mappings?

Rowland Penny

Apr 8, 2014, 3:10:02 PM
On 08/04/14 19:57, Alexandre Beauclair wrote:
> Thanks a lot!
> It worked perfectly to set the Primary GID.
> That's one down and I feel I'm finally getting somewhere. Now for the Home Directory attribute, we need them to point to /home/users/DOMAIN/username. The member machine has no trouble reading it from the UNIX attributes, but it doesn't seem to be able to from the Samba4 Server. It keeps pointing to /home/DOMAIN/username, which I believe is the default for Samba4. Is there some place else I have to configure it? Looking at my previous problems, I'm beginning to think I'm just not looking at the right place to configure these...
>
> Alexandre Beauclair
Hi, I take it this is on the samba4 server? if so, you could try using
sssd (damn I am not supposed to recommend this, the devs don't like it ;-) )

Rowland

Jeremy Allison

Apr 8, 2014, 3:20:02 PM
On Tue, Apr 08, 2014 at 08:07:20PM +0100, Rowland Penny wrote:
> On 08/04/14 19:57, Alexandre Beauclair wrote:
> >Thanks a lot!
> >It worked perfectly to set the Primary GID.
> >That's one down and I feel I'm finally getting somewhere. Now for the Home Directory attribute, we need them to point to /home/users/DOMAIN/username. The member machine has no trouble reading it from the UNIX attributes, but it doesn't seem to be able to from the Samba4 Server. It keeps pointing to /home/DOMAIN/username, which I believe is the default for Samba4. Is there some place else I have to configure it? Looking at my previous problems, I'm beginning to think I'm just not looking at the right place to configure these...
> >
> >Alexandre Beauclair
> Hi, I take it this is on the samba4 server? if so, you could try
> using sssd (damn I am not supposed to recommend this, the devs don't
> like it ;-) )

Argggh. Please stop (not the recommending of sssd, but the
'the devs don't like it' bullshit :-).

ON THE RECORD !!!! I am fine with sssd, I think it's great.
Simo (who is a core Samba Team member) and the other sssd
devs do great with their product. It's a modern clean design
with great technology. It just doesn't happen to be supported
on this list.

What I object to is the promotion of 'use sssd, winbindd
is shit' comments on the samba-technical and samba lists.
It's just not the place !

If you want to wave flags for one solution or another
just don't do it on the lists for either of the solutions
(I'm sure the sssd lists wouldn't appreciate comments like
'sssd is shit, use winbindd' either :-).

Now is that so hard ?

:-).

Jeremy.

Rowland Penny

Apr 8, 2014, 3:50:01 PM
Jeremy, I thought before I posted, and I was being sarcastic in the way
I posted. I wouldn't have posted except for the fact that in this
instance, sssd actually works in the way that the OP wants, whereas the
builtin winbind doesn't.

I do not recommend sssd on the list any more except in this case,
because the last time I did, YOU told me not to!

I have found out why I could never get the winbind ad backend to work
for me, you have to jump through a series of hoops, users have to have a
uidnumber & gidNumber, groups have to have a gidNumber and NONE of these
must be below the lower range you set in smb.conf. It was the latter that
got me, I stupidly gave Domain Users the gidnumber of '100', this I
based on samba4 giving the group the same xidNumber in idmap.ldb.

Having said all this, I will not mention sssd here again.

Rowland
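
The two constraints raised in this thread (Jonathan Buzzard's advice to keep a user's gidNumber equal to the gidNumber of the group named by primaryGroupID, and the point in the post above that every uidNumber/gidNumber must fall inside the range set in smb.conf) can be checked before deployment. The following is an added example, not part of the original thread; the smb.conf fragment, DNs, SIDs and most ID values are constructed sample data (test15's 23192/50001 are taken from the getent output quoted later in the thread), and it checks the upper bound of the range as well as the lower one.

```python
import re
# Constructed member smb.conf fragment; DOM is the thread's placeholder domain.
SMB_CONF = """
    idmap config * : range = 3000-7999
    idmap config DOM : backend = ad
    idmap config DOM : range = 10000-99999
"""

# Constructed LDIF-style export (string SIDs); DNs, SIDs and names are made up.
LDIF = """
dn: CN=Domain Users,CN=Users,DC=dom,DC=example
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1-2-3-513
gidNumber: 100

dn: CN=testgroup,CN=Users,DC=dom,DC=example
objectClass: group
sAMAccountName: testgroup
objectSid: S-1-5-21-1-2-3-1105
gidNumber: 50001

dn: CN=testuser,CN=Users,DC=dom,DC=example
objectClass: user
sAMAccountName: testuser
primaryGroupID: 513
uidNumber: 23193
gidNumber: 50001

dn: CN=test15,CN=Users,DC=dom,DC=example
objectClass: user
sAMAccountName: test15
primaryGroupID: 1105
uidNumber: 23192
gidNumber: 50001

dn: CN=newuser,CN=Users,DC=dom,DC=example
objectClass: user
sAMAccountName: newuser
"""

def idmap_range(conf, domain):
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.M | re.I)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    # One dict per record; assumes one value per attribute, as in the sample data.
    return [dict(re.findall(r"^(\w+): (.*)$", block, re.M))
            for block in re.split(r"\n\s*\n", text.strip())]

def audit(conf, ldif, domain):
    """List (account, problem) pairs that would break consistent ID mapping."""
    low, high = idmap_range(conf, domain)
    entries = parse_ldif(ldif)
    groups = [e for e in entries if e.get("objectClass") == "group"]
    users = [e for e in entries if e.get("objectClass") == "user"]
    # Map each group's RID (last SID component) to its gidNumber.
    gid_by_rid = {g["objectSid"].rsplit("-", 1)[1]: g.get("gidNumber") for g in groups}
    findings = []
    def check(name, attr, entry):
        val = entry.get(attr)
        if val is None:
            findings.append((name, f"missing {attr}"))
        elif not low <= int(val) <= high:
            findings.append((name, f"{attr} {val} outside {low}-{high}"))
        return val
    for g in groups:
        check(g["sAMAccountName"], "gidNumber", g)
    for u in users:
        name = u["sAMAccountName"]
        check(name, "uidNumber", u)
        gid = check(name, "gidNumber", u)
        primary = gid_by_rid.get(u.get("primaryGroupID"))
        if gid and primary and gid != primary:
            findings.append((name, f"gidNumber {gid} != primary group gidNumber {primary}"))
    return findings
```

Calling `audit(SMB_CONF, LDIF, "DOM")` on the sample flags Domain Users (gidNumber 100 below the range), testuser (gidNumber out of step with its primary group) and newuser (no Unix attributes), while test15 passes.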

Jeremy Allison

Apr 8, 2014, 4:00:03 PM
On Tue, Apr 08, 2014 at 08:48:53PM +0100, Rowland Penny wrote:

> Jeremy, I thought before I posted, and I was being sarcastic in the
> way I posted. I wouldn't have posted except for the fact that in
> this instance, sssd actually works in the way that the OP wants,
> whereas the builtin winbind doesn't.

Sure, and it's entirely appropriate to say so, I have no
issues with that ! Remember the builtin winbindd in s4
is different to the member winbindd daemon. One of the
things Andrew is trying to do is unify the two so the
more flexible and complete 'member' winbindd can be
used in the AD-DC case and we can deprecate the builtin
winbindd, in the same way smbd replaced the ntvfs
backend for file serving. Having said that we're not
there yet.

> I do not recommend sssd on the list any more except in this case,
> because the last time I did, YOU told me not to!

I don't remember what I said (getting old :-), but I
hope I didn't tell you not to mention sssd.

> I have found out why I could never get the winbind ad backend to
> work for me, you have to jump through a series of hoops, users have
> to have a uidnumber & gidNumber, groups have to have a gidNumber and
> NONE of these must be below the lower range you set in smb.conf. It
> was the latter that got me, I stupidly gave Domain Users the
> gidnumber of '100', this I based on samba4 giving the group the same
> xidNumber in idmap.ldb.
>
> Having said all this, I will not mention sssd here again.

Rowland, that's exactly what I *didn't* want you to think.

I'm fine with you mentioning and even recommending sssd
on this list when it helps the user and solves the problem.

Positive contributions are *always* welcome. Just think
carefully before making any *negative* comments.

Hope that's clear !

Cheers,

Jeremy.

Rowland Penny

Apr 8, 2014, 4:10:02 PM
On 08/04/14 20:54, Jeremy Allison wrote:
> On Tue, Apr 08, 2014 at 08:48:53PM +0100, Rowland Penny wrote:
>
>> Jeremy, I thought before I posted, and I was being sarcastic in the
>> way I posted. I wouldn't have posted except for the fact that in
>> this instance, sssd actually works in the way that the OP wants,
>> whereas the builtin winbind doesn't.
> Sure, and it's entirely appropriate to say so, I have no
> issues with that ! Remember the builtin winbindd in s4
> is different to the member winbindd daemon. One of the
> things Andrew is trying to do is unify the two so the
> more flexible and complete 'member' winbindd can be
> used in the AD-DC case and we can deprecate the builtin
> winbindd, in the same way smbd replaced the ntvfs
> backend for file serving. Having said that we're not
> there yet.

In which case, could he use what is probably the best part of the
builtin winbind, the fact that NO range has to be given in smb.conf.

>> I do not recommend sssd on the list any more except in this case,
>> because the last time I did, YOU told me not to!
> I don't remember what I said (getting old :-), but I
> hope I didn't tell you not to mention sssd.
Er, yes you did (and you are younger than me! )
>
>> I have found out why I could never get the winbind ad backend to
>> work for me, you have to jump through a series of hoops, users have
>> to have a uidnumber & gidNumber, groups have to have a gidNumber and
>> NONE of these must be below the lower range you set in smb.conf. It
>> was the latter that got me, I stupidly gave Domain Users the
>> gidnumber of '100', this I based on samba4 giving the group the same
>> xidNumber in idmap.ldb.
>>
>> Having said all this, I will not mention sssd here again.
> Rowland, that's exactly what I *didn't* want you to think.
>
> I'm fine with you mentioning and even recommending sssd
> on this list when it helps the user and solves the problem.

OK

>
> Positive contributions are *always* welcome. Just think
> carefully before making any *negative* comments.
The problem is the usual one of the reader not being with the writer,
you sure lose a lot with the loss of body language.

> Hope that's clear !
Yep.

Rowland

Jeremy Allison

Apr 8, 2014, 4:20:02 PM
On Tue, Apr 08, 2014 at 09:07:11PM +0100, Rowland Penny wrote:
> On 08/04/14 20:54, Jeremy Allison wrote:
> >On Tue, Apr 08, 2014 at 08:48:53PM +0100, Rowland Penny wrote:
> >
> >>Jeremy, I thought before I posted, and I was being sarcastic in the
> >>way I posted. I wouldn't have posted except for the fact that in
> >>this instance, sssd actually works in the way that the OP wants,
> >>whereas the builtin winbind doesn't.
> >Sure, and it's entirely appropriate to say so, I have no
> >issues with that ! Remember the builtin winbindd in s4
> >is different to the member winbindd daemon. One of the
> >things Andrew is trying to do is unify the two so the
> >more flexible and complete 'member' winbindd can be
> >used in the AD-DC case and we can deprecate the builtin
> >winbindd, in the same way smbd replaced the ntvfs
> >backend for file serving. Having said that we're not
> >there yet.
>
> In which case, could he use what is probably the best part of the
> builtin winbind, the fact that NO range has to be given in smb.conf.

Maybe. Andrew is doing the work so I'm
sure he can comment here.

> >I don't remember what I said (getting old :-), but I
> >hope I didn't tell you not to mention sssd.
> Er, yes you did (and you are younger than me! )

Sorry then. I probably have a worse diet, that's
the problem :-).

> The problem is the usual one of the reader not being with the
> writer, you sure lose a lot with the loss of body language.

tl;dr - email sucks :-).

Nico Kadel-Garcia

Apr 8, 2014, 11:20:01 PM
On Tue, Apr 8, 2014 at 12:09 PM, steve <st...@steve-ss.com> wrote:
> On Mon, 2014-04-07 at 21:52 +0200, Marc Muehlfeld wrote:
>> Hello Alexandre,
>>
>> Am 07.04.2014 21:43, schrieb Alexandre Beauclair:
>> > The problem I have is I can't seem to be able to get
>> > consistent UIDs and GIDs across all platforms.
>>
>> You have to fill the stuff in the unix attributes tab in ADUC.
>>
>> If it isn't there, you haven't provisioned your domain with
>> --use-rfc2307.
>
> You do not need to provision with:
> --use-rfc2307
> to use rfc2307 with a Samba4 DC.
>
> Simply manage your users and using samba-tool.
> HTH
> Steve

This is like saying "just pay your taxes and the IRS won't bother
you". Getting from the variety of inconsistent uid/gid environments
common to most previously unmanaged NFS managed to a consistent
uid/gid deployment across a wide variety of environments which were
previously managed in disparate AD or Samba environments is often
quite painful.

steve

Apr 9, 2014, 5:00:02 AM
On Tue, 2014-04-08 at 14:57 -0400, Alexandre Beauclair wrote:
> Thanks a lot!
> It worked perfectly to set the Primary GID.
> That's one down and I feel I'm finally getting somewhere. Now for the Home Directory attribute, we need them to point to /home/users/DOMAIN/username. The member machine has no trouble reading it from the UNIX attributes, but it doesn't seem to be able to from the Samba4 Server. It keeps pointing to /home/DOMAIN/username, which I believe is the default for Samba4. Is there some place else I have to configure it? Looking at my previous problems, I'm beginning to think I'm just not looking at the right place to configure these...

On the DC, winbind can't fetch anything other than uidNumber and
gidNumber. Use nslcd or sssd instead. In fact, use them on all your
Linux boxes.
HTH
Steve

Alexandre Beauclair

Apr 9, 2014, 2:40:02 PM
Following all your recommendations, I switched over to SSSD.
After a bit of fiddling, I got it working, and everything works like a charm!

Thanks to all of you for the support!

Alexandre Beauclair

----- Original Message -----
From: "steve" <st...@steve-ss.com>
To: "Alexandre Beauclair" <beauc...@lexum.com>
Cc: "Marc Muehlfeld" <sa...@marc-muehlfeld.de>, sa...@lists.samba.org
Sent: Wednesday, April 9, 2014 4:49:22 AM
Subject: Re: [Samba] Consistent UID/GID mappings?

Alexandre Beauclair

Apr 22, 2014, 12:10:03 PM
Hello once again!

So I got everything to work on the Linux side of things using SSSD.
Now on to Windows. It seems it doesn't get the correct UID/GID when creating files in a Samba Share.
For example, on Linux I can see the following info for user test11:

[root@samba-master ~]# getent passwd test15
test15:*:23192:50001:test15:/home/users/domain/test15:/bin/bash

However, if I go in a share on my Windows client and create a file, this is what I get:

[root@samba-master share]# ls -l
-rwxrwxrwx+ 1 3000044 3000040 0 Apr 22 11:59 file.txt

Is there a way for Windows to use the Unix attributes?

Rowland Penny

Apr 22, 2014, 12:10:03 PM
I take it you are referring to a users home directory, if so, have a
read here:

https://wiki.samba.org/index.php/Setting_up_a_home_share

Rowland

Alexandre Beauclair

Apr 22, 2014, 1:40:02 PM
Hi Rowland,

Actually I meant for any share.
Let's say a Windows user (test15) goes to the \\samba-master\documents\ samba share, then creates a file in it on Windows, on the Unix side of things, it shows the owner and group as a different user than the one that's connected to Windows (it shows the owner as 3000044 rather than test15). I believe Windows gets the user ID and associates it with its SID right? But what I need is for both Windows and Linux to see the same attributes, so that the user test15 has the same UID whether he logs in on Windows or Linux. Is there a way to make this work, so that on Windows it sees the test15 user and associates it with its correct UID (which has been set in ADUC as 23192)?
The only thing I'm trying to get working right now is to make sure a user has the same UID everywhere it goes, be it on Linux or Windows.

Rowland Penny

Apr 22, 2014, 2:40:02 PM
On 22/04/14 18:37, Alexandre Beauclair wrote:
> Hi Rowland,
>
> Actually I meant for any share.
> Let's say a Windows user (test15) goes to the \\samba-master\documents\ samba share, then creates a file in it on Windows, on the Unix side of things, it shows the owner and group as a different user than the one that's connected to Windows (it shows the owner as 3000044 rather than test15). I believe Windows gets the user ID and associates it with its SID right? But what I need is for both Windows and Linux to see the same attributes, so that the user test15 has the same UID whether he logs in on Windows or Linux. Is there a way to make this work, so that on Windows it sees the test15 user and associates it with its correct UID (which has been set in ADUC as 23192)?
> The only thing I'm trying to get working right now is to make sure a user has the same UID everywhere it goes, be it on Linux or Windows.
>
> Alexandre Beauclair

OK, first things first, have you followed the procedure laid out here:
https://wiki.samba.org/index.php/Setting_up_a_home_share

When you connect to the samba share on the member server from a windows
client as user test15, any files and/or directories that the user
creates should be owned by test15 and their main linux group.

If samba is showing the user as 3000044, then linux does not know who
they are, does user test15 have a gidNumber ? a windows user needs both
to work correctly with samba & linux.

Linux knows nothing about SIDs & RIDs, it only knows about uid & gid
numbers, when it comes to AD, it gets these from the user's uidNumber &
gidNumber attributes, you need both and something to pull them from AD.

Rowland

Alexandre Beauclair

Apr 22, 2014, 3:20:02 PM
Yes, I have followed the procedure to create my share.

What it appeared to be was that upon logging on Windows, it did not pull the UID and GID numbers from the Unix Attributes tab of ADUC, and so used a generated number (3000044).
In ADUC, I had both a UID and GID number for my user.
Then I remembered seeing this work back when I was trying to get consistent UIDs across Linux machines, and was playing around with different idmap configs before finally switching over to SSSD. So I tried putting this back in smb.conf on the Samba4 server: idmap_ldb:use rfc2307 = yes.
I restarted Samba, then logged back in with test15, and it seems to be working! When I create a file, it now shows the owner as being test15 on Linux.
I probably should have left that there when I switched over from idmap config attempts to SSSD, but I was unaware of its importance. That was a newbie move on my part!

I'm learning something every day!

Thanks for the continued support Rowland :)