On Mon, Oct 4, 2010 at 4:53 PM, Haven <[email protected]> wrote:
> It's taken a lot of fairly random experimentation but I've finally got
> configs that work under samba 3.5.5 on both Gentoo and Debian with 2008
> server. The sections in my old config that seemed to be causing the problems
> and their replacements are shown below:

I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap working in
rfc2307 mode. wbinfo -u and -g return users and groups, but wbinfo -i <user>
fails. Another test I tried is:

    net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

which shows that I have 3 users and 2 groups which have rfc2307 attributes.
However, mapping is not working: files owned by the mapped uid/gid do not show
the username or group when listed, and users are unable to authenticate to the
samba server.

I've noticed some errors in the winbindd log:

    [2010/10/12 08:24:53.276576, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
      [ 8296]: request interface version
    [2010/10/12 08:24:53.276748, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
      [ 8296]: request location of privileged pipe
    [2010/10/12 08:24:53.276975, 3] winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
      list_users
    [2010/10/12 08:24:56.764312, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
      [ 8381]: request interface version
    [2010/10/12 08:24:56.764473, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
      [ 8381]: request location of privileged pipe
    [2010/10/12 08:24:56.794828, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
      getpwnam test
    [2010/10/12 08:24:56.927925, 3] libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
      ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
    [2010/10/12 08:24:56.927999, 2] winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
      ad_idmap_cached_connection: Failed to obtain schema details!

>
> Old broken:
>
> idmap backend = ad
> winbind nss info = rfc2307
>
> New working:
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>

Doesn't that change work around the problem by disabling idmap altogether? It
may work, but the mappings will not be consistent if you have multiple samba
servers.

Andy

> No changes were needed to my kerberos setup.
>
> I've included a copy of my current smb.conf that is working for me after
> upgrading from 3.4.8 to 3.5.5:
>
>> [global]
>>
>> workgroup = DOMAIN
>> security = ADS
>> kerberos method = system keytab
>> winbind use default domain = true
>> realm = DOMAIN.NET
>>
>> disable netbios = yes
>> name resolve order = host lmhosts
>> hosts allow = 127.0.0.1 192.168.1.0/24 93.97.246.119
>> hosts deny = 0.0.0.0/0
>>
>> password server = 192.168.1.2, 192.168.1.3, *
>>
>> idmap config DOMAIN : default = yes
>> idmap config DOMAIN : schema_mode = rfc2307
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 10000-20000
>>
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>>
>> winbind offline logon = yes
>> winbind nested groups = yes
>> winbind separator = +
>>
>> template homedir = /home/%U
>> template shell = /bin/bash
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>>
>> local master = no
>> domain master = no
>> preferred master = no
>> dns proxy = no
>>
>> server string = Samba Server Version %v
>>
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192
>> SO_SNDBUF=8192
>>
>> # Fix character set issues:
>> # http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html
>> dos charset = 850
>> unix charset = UTF-8
>
> There is still a slight discrepancy with debian returning more groups for
> users when you type "id <user>" than gentoo, but it appears to be a gentoo
> error i.e. "10005(denied rodc password replication group)". Something to
> look at another day as auth works for now which is the main thing.
>
> Regards
>
> Simon
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
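
Added example (not part of the original messages and not Samba code): a small Python filter for winbindd logs in the header/message format quoted in this thread, which pairs each header with its message and picks out the idmap_ad schema failures reported above. The function names and the marker list are assumptions made for illustration; the sample lines are copied from the log excerpt in the message.

```python
import re

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)$"
)

# Substrings taken from the excerpt in this thread (assumed list, extend as needed).
MARKERS = ("ads_check_posix_schema_mapping: failed",
           "Failed to obtain schema details")

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["msg"] = entry.pop("rest")  # message may share the header line
            entries.append(entry)
        elif entries and raw.strip():
            # Continuation line: the message body printed under the header.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def schema_failures(text):
    """Return entries whose message matches one of the idmap schema markers."""
    return [e for e in parse_entries(text) if any(k in e["msg"] for k in MARKERS)]

# Sample input: lines copied from the winbindd log quoted in the thread.
SAMPLE = """\
[2010/10/12 08:24:56.794828, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam test
[2010/10/12 08:24:56.927925, 3] libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
  ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/10/12 08:24:56.927999, 2] winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
  ad_idmap_cached_connection: Failed to obtain schema details!
"""

if __name__ == "__main__":
    for e in schema_failures(SAMPLE):
        print(e["ts"], e["level"], e["func"], "->", e["msg"])
```
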
