
[Samba] ldbedit: no matching records - cannot edit (newly-created user)


Jim Seymour

Sep 10, 2015, 10:10:04 AM
Hi,

This doc (and another like it)

http://www.blackhole-networks.com/Cheatsheets/Samba4Map/

Says

samba-tool user add <username>
wbinfo --name-to-sid <username>
ldbedit -e <editor> -H <path-to-idmap.ldb> objectsid=<SID>

To create a user and get the UID in Samba to match the *nix UID.

Yet, when I do that (the ldbedit), I get back: "no matching records -
cannot edit"

Or is there a better way?

N.B.: This is the second time creating a test user for
experimentation. The first time I did it: At some point the "missing"
record suddenly appeared. I deleted the user in order to start all
over again, and the above issue reoccurs.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Sep 10, 2015, 11:30:04 AM
On 10/09/15 15:05, Jim Seymour wrote:
> Hi,
>
> This doc (and another like it)
>
> http://www.blackhole-networks.com/Cheatsheets/Samba4Map/
>
> Says
>
> samba-tool user add <username>
> wbinfo --name-to-sid <username>
> ldbedit -e <editor> -H <path-to-idmap.ldb> objectsid=<SID>
>
> To create a user and get the UID in Samba to match the *nix UID.
>
> Yet, when I do that (the ldbedit), I get back: "no matching records -
> cannot edit"
>
> Or is there a better way?
>
> N.B.: This is the second time creating a test user for
> experimentation. The first time I did it: At some point the "missing"
> record suddenly appeared. I deleted the user in order to start all
> over again, and the above issue reoccurs.
>
> Regards,
> Jim

Hmm, works for me:

root@dc01:~# wbinfo --name-to-sid rowland
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106 SID_USER (1)
root@dc01:~# ldbedit -e nano -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106

# editing 1 records
# record 1
dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
type: ID_TYPE_BOTH
xidNumber: 3000021
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106

If you only require the contents of the xidNumber attribute, you could
try this:

ldbsearch -H /var/lib/samba/private/idmap.ldb \
  '(&(objectclass=sidMap)(objectSid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106))' \
  | grep 'xidNumber' | awk '{print $NF}'

Which when I run it, returns:

3000021

What I cannot understand is why you cannot find the user? I take it
you are running the commands on the DC.

Rowland

Jim Seymour

Sep 10, 2015, 12:20:03 PM
On Thu, 10 Sep 2015 16:20:35 +0100
Rowland Penny <rowlandpe...@gmail.com> wrote:

> On 10/09/15 15:05, Jim Seymour wrote:
> > Hi,
> >
> > This doc (and another like it)
> >
> > http://www.blackhole-networks.com/Cheatsheets/Samba4Map/

Btw: The other doc was at

https://wiki.samba.org/index.php/Adding_users_with_samba_tool

> >
[snip]
>
> Hmm, works for me:
>
> root@dc01:~# wbinfo --name-to-sid rowland
> S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106 SID_USER (1)
> root@dc01:~# ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
> objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
>
> # editing 1 records
> # record 1
> dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
> cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106
> type: ID_TYPE_BOTH
> xidNumber: 3000021
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106

$ samba-tool user add jeffrey
New Password:
Retype Password:
User 'jeffrey' created successfully
$ wbinfo --name-to-sid jeffrey
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1108 SID_USER (1)
$ ldbedit -e vi -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1108
no matching records - cannot edit
$

>
> If you only require the contents of the xidNumber attribute, you
> could try this:
>
> ldbsearch -H /var/lib/samba/private/idmap.ldb
> '(&(objectclass=sidMap)(objectSid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106))'
> | grep 'xidNumber' | awk '{print $NF}'
>
> Which when I run it, returns:
>
> 3000021

The object is not to acquire it, but to change it.

>
> What I cannot understand is, why you cannot find the user ? I take it
> you are running the commands on the DC.

Yes, I am.

Regards,
Jim

Rowland Penny

Sep 10, 2015, 12:30:04 PM
How have you installed samba4? Was it from packages, or did you compile
it yourself?

If it was the latter, idmap.ldb will be in /usr/local/samba/private (this
is from memory, it has been some time since I last compiled samba myself).

If it is from packages, how did you provision samba4?

Rowland

>
>> If you only require the contents of the xidNumber attribute, you
>> could try this:
>>
>> ldbsearch -H /var/lib/samba/private/idmap.ldb
>> '(&(objectclass=sidMap)(objectSid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1106))'
>> | grep 'xidNumber' | awk '{print $NF}'
>>
>> Which when I run it, returns:
>>
>> 3000021
> The object is not to acquire it, but to change it.
>
>> What I cannot understand is, why you cannot find the user ? I take it
>> you are running the commands on the DC.
> Yes, I am.
>
> Regards,
> Jim


Jim Seymour

Sep 10, 2015, 1:20:04 PM
On Thu, 10 Sep 2015 17:24:59 +0100
Rowland Penny <rowlandpe...@gmail.com> wrote:

> On 10/09/15 17:08, Jim Seymour wrote:
[snip]
>
> How have you installed samba4, was it from packages, or did you
> compile it yourself?

Packages. Ubuntu 14.04 LTS

>
> If it was the later, idmap.ldb will be in /usr/local/samba/private
> (this is from memory, it has been sometime since I last compiled
> samba myself)

$ locate idmap.ldb
/var/lib/samba/private/idmap.ldb

>
> If it is from packages, how did you provision samba4
[snip]

Using a variation on Louis' script: 4-jessie-samba-DC.sh

As I said, originally: This is the second time creating a test user for
experimentation. The first time I did it: At some point the "missing"
record suddenly appeared. I deleted the user in order to start all
over again, and the above issue reoccurs.

(In case anybody remembers my earlier "fragile" comment, well...)

Regards,
Jim

Jim Seymour

Sep 10, 2015, 1:40:04 PM
Following-up to myself...

Started over with a new user...

$ samba-tool user add someuser
New Password:
Retype Password:
User 'someuser' created successfully
$ wbinfo --name-to-sid someuser
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110 SID_USER (1)
$ ldbedit -e vi -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
no matching records - cannot edit

Login on my laptop as a domain user (e.g.: SOMEDOM\someuser), then...

$ ldbedit -e vi -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
# editing 1 records
# record 1
dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110
type: ID_TYPE_BOTH
xidNumber: 3000024
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1110

Can somebody 'splain this?

Thanks,

Rowland Penny

Sep 10, 2015, 2:00:03 PM
Yes, after I engaged my brain: idmap.ldb contains the mappings of Domain
users & groups to Unix users & groups, and they only get into idmap.ldb
after samba (on the DC) first pulls the user's info from AD. It only does
this when the user or group first contacts the AD DC, i.e. the user logs in.

DOH, how did I forget that!

I think you are going to have to rethink this. The user's (or group's) RID
will always be unique in the domain, so you could use this to create a
uidNumber or gidNumber and add this to the user (or group) object.

Rowland
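One way to act on the suggestion above (derive a stable uidNumber from the RID, which is unique within the domain), as an added example that is not part of the original thread or of Samba's own tooling: extract the RID from a SID as returned by wbinfo --name-to-sid, add a fixed base offset, and emit the LDIF that would set uidNumber on the user object. The base offset, the DN, and the idea of applying the LDIF with ldbmodify are assumptions; the thread itself only shows ldbedit and ldbsearch against idmap.ldb.

```shell
#!/bin/sh
# Added example (not from the thread): map a user's SID to a Unix uidNumber
# using the RID, since the RID is unique within the domain.
# UID_BASE is an assumed offset that keeps generated IDs clear of the range
# local useradd hands out; pick one that suits your site.
UID_BASE=${UID_BASE:-10000}

# rid_from_sid SID: print the RID (the last dash-separated component).
# Returns 1 for anything that does not look like a domain SID with a numeric RID.
rid_from_sid() {
    sid=$1
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain SID: $sid" >&2; return 1 ;;
    esac
    rid=${sid##*-}
    case "$rid" in
        ''|*[!0-9]*) echo "non-numeric RID in $sid" >&2; return 1 ;;
    esac
    echo "$rid"
}

# uid_from_sid SID: uidNumber = UID_BASE + RID.
uid_from_sid() {
    rid=$(rid_from_sid "$1") || return 1
    echo $((UID_BASE + rid))
}

# ldif_for_uid DN UIDNUMBER: emit an LDIF modify that sets uidNumber on the
# user object. The DN layout is an assumption for illustration.
ldif_for_uid() {
    dn=$1
    uidnum=$2
    printf 'dn: %s\nchangetype: modify\nreplace: uidNumber\nuidNumber: %s\n' "$dn" "$uidnum"
}

# Demo on a constructed SID (real sub-authorities are digits; the thread's
# output above is redacted with x's). Run as: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    sid='S-1-5-21-1111111111-2222222222-3333333333-1108'
    uid_from_sid "$sid"
    ldif_for_uid 'CN=jeffrey,CN=Users,DC=example,DC=com' "$(uid_from_sid "$sid")"
fi
```

Because the RID is unique per domain and the offset is fixed, the same user always gets the same uidNumber on every DC and member, which is what makes this approach safer than letting idmap.ldb allocate xidNumber values on first contact.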

Jim Seymour

Sep 10, 2015, 3:20:04 PM
On Thu, 10 Sep 2015 18:55:08 +0100
Rowland Penny <rowlandpe...@gmail.com> wrote:

[snip]
>
> Yes, after I engaged my brain, idmap.ldb contains the mappings of
> Domain users & groups to Unix users & groups and they only get into
> idmap.ldb after samba (on the DC) first pulls the users info from AD,
> it only does this when the user or group first contacts the AD DC
> i.e. the user logs in.

Ho-ly smokes, what an incredibly clunky thing this Samba4 thing is.
It's as if the developers set out how to create MS-Win domain support
in a way that is as decoupled from, and as hostile to, *nix as they
possibly could.

And the docs... lead one all over hell's half acre... pointlessly, it
turns out, because much of what the docs say to do simply does not work.

(I'm trying to get roaming profiles going while waiting for answers to
this thread. They don't work, either.)

> I think you are going to have to rethink this, the users (or groups)
> RID will always be unique in the domain, so you could use this to
> create a uidNumber or gidNumber and add this to the user (or group)
> object.

Are you suggesting that, for the existing users with hundreds or even
thousands of files on a server with about 1TB of storage, I need to
change all their UIDs and GIDs, and all the user and group ownerships
for all their network storage files and directories, to suit this thing?

A UID number of "3000024" is *way* outside the UID_MAX value for an
out-of-the-box Linux system. (Ubuntu 14.04 LTS is 60000.)

Yeah, you're right: I'm going to have to re-think this. My boss
suggested, in the IT meeting this morning, that this isn't going to be
worth the trouble. I disagreed. Now I'm not so sure. Every step I
take is riddled with incorrect and misleading documentation, and people
telling me "You shouldn't/can't do it that way."

Thanks for your attempt to help, tho. It truly *is* appreciated. I'm
going to walk away from this for the remainder of the day, take care of
a bunch of piddly little annoying admin stuff that's been held in
abeyance while I tackled this project, and decide in the morning. I
rarely give up, but this is looking like throwing good time after bad.

And, yes, to those who might rightfully take offence to my complaining
about the quality of something I'm getting for free: It's all (or
mostly, anyway) volunteers doing it out of the goodness of their
hearts. Believe me: I know. BTDT GTTS to prove it. But still...

Regards,
Jim

Rowland Penny

Sep 10, 2015, 3:40:04 PM
On 10/09/15 20:06, Jim Seymour wrote:
> On Thu, 10 Sep 2015 18:55:08 +0100
> Rowland Penny <rowlandpe...@gmail.com> wrote:
>
> [snip]
>> Yes, after I engaged my brain, idmap.ldb contains the mappings of
>> Domain users & groups to Unix users & groups and they only get into
>> idmap.ldb after samba (on the DC) first pulls the users info from AD,
>> it only does this when the user or group first contacts the AD DC
>> i.e. the user logs in.
> Ho-ly smokes, what an incredibly clunky thing this Samba4 thing is.
> It's as if the developers set out how to create MS-Win domain support
> in a way that is as decoupled from, and as hostile to, *nix as they
> possibly could.

Yes, it works just like a windows AD DC :-)

> And the docs... lead one all over hell's half acre... pointlessly, it
> turns out, because much of what the docs say to do simply does not work.

The 'docs' as you call them are being re-written and aren't so much
wrong as disorganised, but as I say, they are being re-written.

>
> (I'm trying to get roaming profiles going while waiting for answers to
> this thread. They don't work, either.)

Roaming profiles do work and I am sure others will back up this statement.

>
>> I think you are going to have to rethink this, the users (or groups)
>> RID will always be unique in the domain, so you could use this to
>> create a uidNumber or gidNumber and add this to the user (or group)
>> object.
> Are you suggesting that, for the existing users with hundreds or even
> thousands of files on a server with about 1TB of storage, I need to
> change all their UIDs and GIDs, and all the user and group ownerships
> for all their network storage files and directories, to suit this thing?

This 'thing', as you call it, is a clone of a windows AD DC and as such
works just like one.
If you have existing users and groups, you can use their existing
UID/GID numbers in AD; investigate the 'uidNumber' & 'gidNumber'
attributes in AD.

>
> A UID number of "3000024" is *way* outside the UID_MAX value for an
> out-of-the-box Linux system. (Ubuntu 14.04 LTS is 60000.)

Actually it is a 16bit number, so I suppose it will be 65536; it must be,
because 'nobody' is 65534 on debian.


>
> Yeah, you're right: I'm going to have to re-think this. My boss
> suggested, in the IT meeting this morning, that this isn't going to be
> worth the trouble. I disagreed. Now I'm not so sure. Every step I
> take is riddled with incorrect and misleading documentation, and people
> telling me "You shouldn't/can't do it that way."

All I can say is that it works if it is set up correctly. Most of the
time when admins have problems with samba4, it is usually because the
admin is trying to 'bend' it to do something it isn't capable of.

>
> Thanks for your attempt to help, tho. It truly *is* appreciated. I'm
> going to walk away from this for the remainder of the day, take care of
> a bunch of piddly little annoying admin stuff that's been held in
> abeyance while I tackled this project, and decide in the morning. I
> rarely give up, but this is looking like throwing good time after bad.
>
> And, yes, to those who might rightfully take offence to my complaining
> about the quality of something I'm getting for free: It's all (or
> mostly, anyway) volunteers doing it out of the goodness of their
> hearts. Believe me: I know. BTDT GTTS to prove it. But still...

It may help us to help you if you explained just what you need to do.

Rowland
>
> Regards,
> Jim

Sketch

Sep 10, 2015, 4:50:03 PM
On Thu, 10 Sep 2015, Jim Seymour wrote:

> A UID number of "3000024" is *way* outside the UID_MAX value for an
> out-of-the-box Linux system. (Ubuntu 14.04 LTS is 60000.)

I think Rowland already gave you the answer to your uid/gid problems (take
your existing uid/gids and assign them to the users directly in ldap), but
I just wanted to point out that UID_MAX is probably not what you think it
is:

http://linux.die.net/man/5/login.defs

UID_MAX (number), UID_MIN (number)
Range of user IDs used for the creation of regular users by useradd or newusers.

You won't be using useradd or newusers to create users in Samba. In fact,
it's best to keep LDAP user ids assigned to a higher range which will
never conflict with local users, so I would consider this a positive
"limitation", and might even consider lowering UID_MAX if I had
pre-existing domain UIDs inside this range.

Jim Seymour

Sep 11, 2015, 10:40:04 AM
On Thu, 10 Sep 2015 20:30:17 +0100
Rowland Penny <rowlandpe...@gmail.com> wrote:

> On 10/09/15 20:06, Jim Seymour wrote:
> > On Thu, 10 Sep 2015 18:55:08 +0100
[snip]
> > Ho-ly smokes, what an incredibly clunky thing this Samba4 thing is.
> > It's as if the developers set out how to create MS-Win domain
> > support in a way that is as decoupled from, and as hostile to, *nix
> > as they possibly could.
>
> Yes, it works just like a windows AD DC :-)

That's kind of scary, actually, and no mistake. The stuff I've read
about AD, in trying to figure out how to do things... *shudder*...

>
[snip]
>
> >
> > (I'm trying to get roaming profiles going while waiting for answers
> > to this thread. They don't work, either.)
>
> Roaming profiles do work and I am sure others will back up this
> statement.

By "they don't work, either" I meant: Doing everything the docs say to
do has so far not resulted in working roaming profiles.

>
[snip]
> If you have existing users and groups, you can user their existing
> UID/GID numbers in AD, investigate the 'uidNumber' & 'gidNumber'
> attributes in AD.

There certainly are existing users and groups. About 100 users and
dozens of groups. This is a living, breathing production LAN that's
been in existence for over 25 years.

>
> >
> > A UID number of "3000024" is *way* outside the UID_MAX value for an
> > out-of-the-box Linux system. (Ubuntu 14.04 LTS is 60000.)
>
> Actually it is a 16bit number, so I suppose it will 65536, it must be
> because 'nobody' is 65534 on debian.

$ grep UID_MAX /etc/login.defs
UID_MAX 60000

Not certain it's actually a 16-bit value, tho. It's whatever UID_TYPE
is, which, on my Ubuntu boxen, evaluates to a __U32_TYPE, which
evaluates to an unsigned int, which is 32 bits.

>
[snip]
>
> All I can say is that it works if it is set up correctly, most of the
> time when admins have problems with a samba4, it is usually because
> the admin is trying to 'bend' it do something it isn't capable of.

I've got a functional AD DC. The only "bending" I've done, so far, is
I'm running it on what will be the file- and everything-else-server.
But the AD DC *is* in its own sub-domain and appears to be happy.

As for configuring users, clients, roaming profiles: I'm following the
docs *to the letter*.

>
[snip]
>
> It may help us to help you if you explained just what you need to do.

Very well...

We have an existing does-everything-server. It's currently running
Samba3, built and installed from a tarball. I'm building a replacement
server. I had *hoped* to move us to an AD, as opposed to using simply
workgroups.

This machine *will* be the "does everything" server. We will sacrifice
AD before that will change.

So, we have users. Nearly a hundred real users and a few
"pseudo-users" (which aren't germane to this discussion). We have
about 1TB of storage, approximately 70-80% of which is consumed. We
have a bit over 100 desktops.

Currently users log in and can see a variety of network shares--some of
which any particular user can access to one-degree-or-another. Others
they cannot. This is currently controlled by Unix UID and GID, and
sometimes by Unix (POSIX) ACLs.

Each user also sees his or her \\Server\username share, automatically.

We require a high degree of interoperability between MS-Win desktops
and Unix/Linux logins, being as, while most of the end-users are purely
MS-Win point-and-click users, a not insignificant number are Linux/Unix
users. (Some network shares will also be shared-out to some clients via
NFS, tho it's unlikely I'll wade into Linux' disastrous automounter.)
Linux/Unix users also typically occasionally use MS-Win.

What we had *hoped* to end up with is essentially what we have, but
with domain logins for the MS-Win desktops and laptops--rather than
individual machine accounts, and roaming profiles--so that when a user
went to use a different machine, all their settings would be there
automatically. It would be nice to eliminate the need for hand-creating
user accounts on every PC, and, in the few cases where everybody in a
department must be able to use any PC in the department: Having to do
so multiple times.

I am *strongly* desirous of not having to use MS-Win to administer this
server. I don't currently use MS-Win. I don't like MS-Win (and that's
putting it mildly). I don't plan to use MS-Win.

Regards,
Jim

Jim Seymour

Sep 11, 2015, 11:00:04 AM
On Thu, 10 Sep 2015 15:44:01 -0500 (CDT)
Sketch <smb...@rednsx.org> wrote:

[snip]
> ... it's best to keep LDAP user ids assigned to a higher range
> which will never conflict with local users, so I would consider this
> a positive "limitation", and might even consider lowering UID_MAX if
> i had pre-existing domain UIDs inside this range.

TBH: I find this kind of view, similar to others I see posted, here,
kind of astonishing. Perhaps it goes a long way to explaining just
why Samba4 is, essentially, so "Unix-hostile."

I guess few? none? of you are operating in a heterogeneous environment,
where there is a mix of Unix, Linux and MS-Win users. Ours is. And
some of those users use both MS-Win *and* Linux. One or two use Sun
Sparc Solaris, one-or-another flavour Linux (mostly Mint or Ubuntu,
these days) *and* MS-Win.

It may seem odd, to some of you, but when my multi-platform users log on
to MS-Win or *nix: They expect to see their files and directories,
regardless of which platform they're using. They don't expect to see
their "Windows stuff" in one place and their "Unix stuff" in another.

So, yes, the UIDs/GIDs have to be *nix user UIDs and GIDs.

No offense intended, to you, anybody else on this mailing list or the
Samba4 devs: But if we wanted separate MS-Win and *nix environments we
could just go out and buy a MS-Win server and run AD from that. Would
certainly save *me* a lot of trouble.

Regards,
Jim

Rowland Penny

Sep 11, 2015, 11:30:05 AM
If you want to use samba4 in AD mode, well, you need to use it as if it
were a windows AD DC, but you don't have to use samba4 as an AD DC;
samba4 will do everything that samba3 can as well.

If you already have samba3 running as an NT4-style domain, you could try
using the 'classicupgrade' method. This should set up everything for you,
but of course you should try this out first in a test network.
See here for info on the classicupgrade:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

If you have to start again with a new AD domain, you could export your
users & groups info from your old setup, but there is one big thing you
will need to get your head around: out of the box, a brand new AD domain
knows little about Unix, you need to tell it about it. Luckily, samba4
comes with all the required attributes; samba-tool can create a user
just like windows does, and it can also create a user with the required Unix
attributes.

If you are prepared to work with a samba4 AD domain, it can do
everything that you want, without having to pay out for windows CALs.

If you want further info, send me a private email and let's discuss your
problems.

Rowland

Sketch

Sep 11, 2015, 11:40:03 AM
On Fri, 11 Sep 2015, Jim Seymour wrote:

> It may seem odd, to some of you, but when my multi-platform users log on
> to MS-Win or *nix: They expect to see their files and directories,
> regardless of which platform they're using. They don't expect to see
> their "Windows stuff" in one place and their "Unix stuff" in another.
>
> So, yes, the UIDs/GIDs have to be *nix user UIDs and GIDs.

I think you misunderstood my response. Let me restate:

The actual maximum UID on modern Linux systems is 2147483647 (2^31).
UID_MAX does not define the maximum number for UIDs, it defines the
maximum number that adduser will use when creating local users in
/etc/passwd. When you are creating users in Samba or LDAP or any other
non-local directory, you are not using adduser or similar tools, so
UID_MAX is irrelevant.

On my active directory domain member CentOS Linux workstation:

$ uname -o -r
3.10.0-229.7.2.el7.x86_64 GNU/Linux
$ grep ^UID_MAX /etc/login.defs
UID_MAX 60000
$ id -u
3000046

My suggestion for non-overlapping UID ranges is merely a way to try to
avoid human error in the case of potentially creating both local
(/etc/passwd) and non-local (LDAP) users with the same UID. That would
result in the kernel and filesystem treating them as the same user, which
could at best be confusing, and at worst be a security issue.
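The two points Sketch makes above, that UID_MAX only bounds what useradd allocates locally and that a local and a directory account sharing a UID are the same user to the kernel, can both be checked mechanically. The following is an added example, not code from the thread or from Samba: it compares passwd-format views of local and directory accounts and reports UIDs that name a different account in each, and it flags directory UIDs that fall inside the local useradd range. The sample data is constructed; on a real host you would feed /etc/passwd and the directory's view (for example from getent passwd on a domain member).

```shell
#!/bin/sh
# Added example, not from the thread: find UID collisions between local
# (/etc/passwd) and directory-sourced accounts, and flag directory UIDs that
# sit inside the range local useradd hands out.

# uid_collisions LOCAL_FILE DIR_FILE
# Both files are passwd-format (name:pw:uid:gid:gecos:home:shell).
# Prints "uid local_name directory_name" for every UID that names a
# different account in each file. Exit 1 if any collision was found, else 0.
uid_collisions() {
    awk -F: '
        FNR == NR { local[$3] = $1; next }        # first file: local accounts
        ($3 in local) && local[$3] != $1 {         # second file: directory accounts
            printf "%s %s %s\n", $3, local[$3], $1
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1" "$2"
}

# uid_in_local_range UID [MIN] [MAX]
# True if UID lies within the UID_MIN..UID_MAX window from login.defs.
# Defaults mirror the 1000..60000 values Ubuntu 14.04 ships, as quoted in
# the thread; a directory UID inside this window can later be reused by
# useradd for a local account.
uid_in_local_range() {
    uid=$1; min=${2:-1000}; max=${3:-60000}
    [ "$uid" -ge "$min" ] && [ "$uid" -le "$max" ]
}

# sample_collision_check: run uid_collisions on constructed data.
# Local: root, alice (1000), nobody (65534).
# Directory: alice kept her old UID (fine), bob has an idmap-style high ID
# (fine), carol was hand-assigned 65534 and therefore collides with nobody.
sample_collision_check() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' \
        'nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin' > "$tmp/local"
    printf '%s\n' \
        'alice:*:1000:1000::/home/alice:/bin/sh' \
        'bob:*:3000024:3000024::/home/bob:/bin/sh' \
        'carol:*:65534:65534::/home/carol:/bin/sh' > "$tmp/directory"
    if uid_collisions "$tmp/local" "$tmp/directory"; then
        status=0
    else
        status=$?
    fi
    rm -rf "$tmp"
    return "$status"
}

# Demo: sh this-script.sh demo  (prints "65534 nobody carol" and exits 1)
if [ "${1:-}" = "demo" ]; then
    sample_collision_check
fi
```

Run the collision check from a cron job or a pre-deployment script whenever accounts are added to the directory with hand-chosen uidNumber values, since that is exactly the case where a human can pick a number that is already taken locally.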