[Samba] UID/GID mapping consistency across at least two Linux machines

bakytn
Apr 9, 2012, 1:00:03 PM
I have two SAMBA machines.

They both successfully joined the same Active Directory (actually SAMBA 4).

I have copied the user files from *server 1* to *server 2*.

/owner id/ and /group id/s are preserved.

On server 1, when I do: *id user1*
I get *2001*

But on server 2
the same user has a different id.

This is also true for groups, i.e. different id's.

*smb.conf*s are identical.

--
View this message in context: http://samba.2283325.n4.nabble.com/UID-GID-mapping-consistency-across-at-least-two-Linux-machines-tp4543255p4543255.html
Sent from the Samba - General mailing list archive at Nabble.com.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

bakytn
Apr 9, 2012, 1:20:01 PM
I found this: http://lists.samba.org/archive/samba/2004-January/078411.html

How to implement "a" scenario?

but how about a simpler way, like maybe running rsync to copy the necessary
files from server 1 to server 2.

I could do this, but I don't know which files to replicate.

Gaiseric Vandal
Apr 9, 2012, 3:10:01 PM
On 04/09/12 13:11, bakytn wrote:
> I found this: http://lists.samba.org/archive/samba/2004-January/078411.html
>
> How to implement "a" scenario?
>
> but how about a simpler way, like maybe running rsync to copy the necessary
> files from server 1 to server 2.
>
> I could do this, but I don't know which files to replicate.
Are you using winbind for idmapping? The files you want may be
/var/samba/locks (check "testparm -v" for the locks and cache
directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump
will show you what is in them.

bakytn
Apr 9, 2012, 4:20:02 PM
Here is the global section of my smb.conf:

I am not sure if I am using Winbind (I guess yes).

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no

server string = SAMBA
security = ADS
encrypt passwords = yes
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000

idmap uid = 3000-20000
idmap gid = 3000-20000
template shell = /bin/bash

winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes

template homedir = "/data/files/%U"

syslog = 0

panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam

obey pam restrictions = yes

unix password sync = yes

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

pam password change = yes

map to guest = bad user

usershare allow guests = yes

Robert Freeman-Day
Apr 9, 2012, 9:20:02 PM
I have some notes on what I have done with my machines. I hope it may
help you out. Just read it all over and the template files closely
before just jumping on into it.

https://uisapp2.iu.edu/confluence-prd/display/~rmday/Linux+Integration+with+Active+Directory

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36

steve
Apr 10, 2012, 12:40:02 PM
On 09/04/12 21:00, Gaiseric Vandal wrote:
> On 04/09/12 13:11, bakytn wrote:
>> I found this: http://lists.samba.org/archive/samba/2004-January/078411.html
>>
>> How to implement "a" scenario?
> Are you using winbind for idmapping? The files you want may be
> /var/samba/locks (check "testparm -v" for the locks and cache
> directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump
> will show you what is in them.
Hi

I've never understood why we have to use winbind when using Linux
clients. It seems a complicated way to go about uid/gid mapping.

All we do is add posixAccount, uidNumber and gidNumber plus any other
2307 stuff you may need to the user record in LDAP. Maybe the problem
before has been with the poor performance of nss-ldap. But with the new
nss-ldapd nslcd, the user and group mapping is perfect and very fast.
It's just as good as reading from a local file, even on a busy lan.

HTH
Cheers,
Steve

Gaiseric Vandal
Apr 10, 2012, 12:50:02 PM
On 04/10/12 12:29, steve wrote:
> On 09/04/12 21:00, Gaiseric Vandal wrote:
>> On 04/09/12 13:11, bakytn wrote:
>>> I found this:
>>> http://lists.samba.org/archive/samba/2004-January/078411.html
>>>
>>> How to implement "a" scenario?
>> Are you using winbind for idmapping? The files you want may be
>> /var/samba/locks (check "testparm -v" for the locks and cache
>> directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump
>> will show you what is in them.
> Hi
>
> I've never understood why we have to use winbind when using Linux
> clients. It seems a complicated way to go about uid/gid mapping.
>
> All we do is add posixAccount, uidNumber and gidNumber plus any other
> 2307 stuff you may need to the user record in LDAP. Maybe the problem
> before has been with the poor performance of nss-ldap. But with the
> new nss-ldapd nslcd, the user and group mapping is perfect and very
> fast. It's just as good as reading from a local file even on a busy lan.
>
> HTH
> Cheers,
> Steve
>
Winbind mapping should not be necessary on domain controllers, except if
you have domain trusts. I have ldap backend so my LDAP users have both
unix and samba attributes. Samba member servers are a little
trickier, when setting permissions from a Windows client. The server
does need some sort of idmap to connect the samba account to the local
unix account. I had to use ldap backend for idmap to make sure the
idmapping was consistent on samba member server. In theory the
idmap_nss backend should do this, but I don't think it was available in
samba 3.0.x. I haven't had much luck with it in samba 3.4 or 3.5.
I found it easier just to make sure that my primary file servers were
also DC's.

steve
Apr 10, 2012, 1:20:02 PM
On 10/04/12 18:45, Gaiseric Vandal wrote:
>
>
> On 04/10/12 12:29, steve wrote:
>> On 09/04/12 21:00, Gaiseric Vandal wrote:
>>> On 04/09/12 13:11, bakytn wrote:
>>
> Winbind mapping should not be necessary on domain controllers, except if
> you have domain trusts. I have ldap backend so my LDAP users have both
> unix and samba attributes.
That's what we have too.
> Samba member servers are a little
> trickier, when settings permissions from a Windows client. The server
> does need some sort of idmap to connect the samba account to the local
> unix account.
But you wouldn't need local accounts for network users would you? Or at
least we don't. They can use either a windows client or a Linux client.
None of them are attached to any box locally. All the windows and linux
data is stored centrally in LDAP. The windows clients pull the sid and
whatever else they need and the Linux clients use nss-ldapd to
automagically pull the 2307 stuff that they need. Having said that, this
is quite a simple setup of a heterogeneous lan under 3.6. If the post is
about 2 or more linux machines then that ought to do it I think.
Cheers,
Steve

bakytn
Apr 10, 2012, 2:30:02 PM
Would you recommend that I use IDMAP_RID with Winbind?

I don't have domain trusts (which are required to be "off" when using rid).

It's a small domain with about 300 users at the very maximum.

Also, if I just add

idmap backend = idmap_rid:DOMAIN=2000-100000000

what would change? Would it mess up my current UID/GIDs?

Daniel Müller
Apr 11, 2012, 3:20:02 AM
I also only use ldap the same way without any winbind.

-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On behalf of steve
Sent: Tuesday, 10 April 2012 18:30
To: sa...@lists.samba.org
Subject: Re: [Samba] UID/GID mapping consistency across at least two Linux machines

steve
Apr 11, 2012, 5:10:02 AM
On 11/04/12 09:09, Daniel Müller wrote:
> I also only use ldap the same way without any winbind.
Hi
Thanks. I was beginning to wonder if we were the only ones. It seems
such an easy alternative to using winbind. The uid/gid is _exactly_
wysiwyg. Always. I think this is the sort of consistency the op was
looking for. The sid-rid idmap winbind stuff seems horrendously complicated.

Ludek Finstrle
Apr 11, 2012, 6:10:03 AM
Hi,

Wed, Apr 11, 2012 at 11:02:09AM +0200, steve wrote:
> On 11/04/12 09:09, Daniel Müller wrote:
> >I also only use ldap the same way without any winbind.
> Thanks. I was beginning to wonder if we were the only ones. It seems
> such an easy alternative to using winbind. The uid/gid is _exactly_

I don't use winbind and also I don't use posixAccount on Samba4 Frenky.

> wysiwyg. Always. I think this is the sort of consistency the op was
> looking for. The sid-rid idmap winbind stuff seems horrendously
> complicated.

It's just easy from my point of view. But I don't want to have winbind
running and I don't see a very nice way to manage posixAccount either. The man
who creates user accounts isn't very keen on IT ...

So I use nslcd to map uid/gid with the last part of the SID plus some constant, and
I created a very small patch to the samba ads backend with the same behaviour.
I don't need DOMAIN trusts, so it's enough for my small environment.

Luf

John Drescher
Apr 11, 2012, 9:10:02 AM
> I also only use ldap the same way without any winbind.
>

For years I used to do that however my domain member servers (not PDCs
/ BDCs) would not enumerate the users correctly for the windows
security tab without using winbind. Does this work for you?

John

Chris Smith
Apr 11, 2012, 10:00:02 AM
On Tue, Apr 10, 2012 at 2:27 PM, bakytn <bak...@gmail.com> wrote:
> Would you recommend me to use IDMAP_RID with Winbind?

I use it successfully.

> idmap backend = idmap_rid:DOMAIN=2000-100000000

Depending upon your Samba version the syntax may be a bit different.

idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000-999999

> What would change? Would it mess my current UID/GID's???

Probably, but that's an easy one-time fix using "find" with "xargs" to
update the old uid, gid to the new one.

Chris

steve
Apr 11, 2012, 3:40:01 PM
On 11/04/12 15:00, John Drescher wrote:
>> I also only use ldap the same way without any winbind.
>>
>
> For years I used to do that however my domain member servers (not PDCs
> / BDCs) would not enumerate the users correctly for the windows
> security tab without using winbind. Does this work for you?
>
> John

Yes. Even in s3 (we are using 3.6 setup under openSUSE)

In Samba4 there was a bug in the schema mapping for rfc2307. Now it's fixed.

Why not store the user uid/gid in the directory alongside their sid
stuff? The m$ schema has it bolted in.

Cheers,
Steve

bakytn
Apr 11, 2012, 4:00:03 PM
Something strange is happening. It's not working at all. Just the same ID's
as before.

I tried the old config and the newer one.

idmap backend = rid:DOMAIN=4000-20000
idmap uid = 4000-20000
idmap gid = 4000-20000

(changed from 2000 to 4000)

Also tried to use:
idmap alloc backend = rid

I removed all the caches and tdb files in /var/lib/samba and in
/var/cache/samba

restarted daemons many times Oo

uid/gids are the same.

My version is SAMBA 3.5.11

Any idea?

Chris Smith
Apr 11, 2012, 4:30:02 PM
On Wed, Apr 11, 2012 at 3:50 PM, bakytn <bak...@gmail.com> wrote:
> I tried the old config and newer.
>
>   idmap backend = rid:DOMAIN=4000-20000
>   idmap uid = 4000-20000
>   idmap gid = 4000-20000

Doesn't look right; see man smb.conf for the correct syntax. For your
version I think it should be more like:

idmap backend = tdb
idmap uid = 300000-400000
idmap gid = 300000-400000


idmap config DOMAIN:backend = rid

idmap config DOMAIN:range = 2000-299999

from man smb.conf:
winbind uses this parameter to find the backend that is authoritative
for a unix ID to SID mapping, so it must be set for each individually
configured domain, and it must be disjoint from the ranges set via
idmap uid and idmap gid.

> My version is SAMBA 3.5.11

If you check the release notes you'll find that 3.5.12 fixed a winbind
race issue in 3.5.11. Also there's a security exploit and it's a good
idea to update to 3.5.14, or 3.6.4. I'm still a bit leery of the 3.6
series for production and hopefully 3.6.5 will be released soon fixing
some outstanding issues.

Chris
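The two idmap layouts Chris gives above (the `idmap config DOMAIN : backend = rid` lines and the 3.5.x form with a tdb default plus a disjoint per-domain range) can be checked mechanically. This is an added example, not code from the thread or from Samba: it parses a constructed smb.conf fragment, flags domain ranges that overlap the `idmap uid`/`idmap gid` ranges (the rule quoted from man smb.conf), and computes the rid backend's mapping, `id = low end of range + RID` per idmap_rid(8) with the default base_rid of 0, which is why two servers sharing the config get the same uid without any tdb state. The SID and range values are made up.

```python
import re

# Constructed smb.conf fragment in the layout suggested for Samba 3.5.x.
SMB_CONF = """
idmap backend = tdb
idmap uid = 300000-400000
idmap gid = 300000-400000
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 2000-299999
"""

# Matches 'idmap uid = a-b', 'idmap gid = a-b' and 'idmap config X : range = a-b'.
RANGE_RE = re.compile(
    r"^\s*idmap\s+(uid|gid|config\s+(\S+?)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf):
    """Return {name: (low, high)}; name is 'uid', 'gid' or the domain name."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            name = m.group(2) or m.group(1).lower()
            ranges[name] = (int(m.group(3)), int(m.group(4)))
    return ranges

def _overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def conflicts(ranges):
    """Pairs violating man smb.conf: a domain range overlapping 'uid'/'gid'
    or another domain's range (uid and gid themselves may coincide)."""
    domains = [n for n in ranges if n not in ("uid", "gid")]
    bad = []
    for i, d in enumerate(domains):
        for other in ["uid", "gid"] + domains[i + 1:]:
            if other in ranges and _overlap(ranges[d], ranges[other]):
                bad.append((d, other))
    return bad

def rid_to_id(sid, ranges, domain="DOMAIN"):
    """idmap_rid rule with base_rid 0: id = low + RID.
    Returns None when the RID does not fit inside the domain's range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = ranges[domain]
    uid = low + rid
    return uid if uid <= high else None

if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    print("range conflicts:", conflicts(r))
    # Identical config on server 1 and server 2 yields the same id: 2000 + 1104.
    print(rid_to_id("S-1-5-21-1-2-3-1104", r))
```

Run against the earlier failing config from this thread (`idmap uid = 4000-20000` with a domain range of 4000-20000), `conflicts()` reports the overlap that the man page forbids.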

bakytn
Apr 11, 2012, 4:40:02 PM
I have also cleared the /var/run/samba folder and it's now working properly.

you helped a lot! Thank you!

steve
Apr 12, 2012, 12:30:01 AM
On 11/04/12 22:35, bakytn wrote:
> I have also cleared the /var/run/samba folder and it's now working properly.
>
> you helped a lot! Thank you!
>

Hi
Just remembered a gotcha with the rfc2307 stuff. Hope you don't mind me
including it here for completeness and to save head scratching.

If the user is a member of more than one group, then the memberUid
attribute must be specified in the group dn.

I think that this is one of the pieces missing from the samba3Upgrade
script.

Here is a LDAP example which complies with the schema from Samba4:

dn: CN=teachers,CN=Users,DC=hh3,DC=site
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1119
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2
memberUid: lynn2

HTH,
Steve
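Steve's gotcha (every member of a posixGroup also needs a memberUid, or nss-ldapd will not see the secondary group membership) is easy to audit from an LDIF dump. The following is an added example, not from the thread or from Samba: it parses a constructed LDIF modelled on the teachers entry above, with a second group added and one memberUid deliberately left out, and lists the member DNs that lack a matching memberUid. It assumes, as Steve's entry does, that the member's CN equals its uid.

```python
# Constructed LDIF: lynn2 is in two groups but only one carries her memberUid.
LDIF = """\
dn: CN=teachers,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1119
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2

dn: CN=students,CN=Users,DC=hh3,DC=site
objectClass: posixGroup
objectClass: group
gidNumber: 1120
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: lynn2
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line separated entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def rdn_cn(dn):
    """'CN=steve2,CN=Users,...' -> 'steve2' (first RDN value)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def missing_member_uids(entries):
    """Map group dn -> sorted member CNs that have no matching memberUid."""
    report = {}
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        cns = {rdn_cn(m) for m in e.get("member", [])}
        gap = sorted(cns - set(e.get("memberUid", [])))
        if gap:
            report[e["dn"][0]] = gap
    return report

if __name__ == "__main__":
    print(missing_member_uids(parse_ldif(LDIF)))
```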

bakytn
Apr 12, 2012, 2:50:01 AM
Thanks! But how is this related to my problem? Are there any pitfalls when
some user is a member of many groups? Does their uid depend on their group
membership?