Just an FYI, we are currently on 3.0.28. This server was built when 3.0 was just coming around.

-----Original Message-----
From: Ross S. W. Walker [mailto:[EMAIL PROTECTED]
Sent: Friday, February 15, 2008 12:30 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: [email protected]
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
>
> Trimble, Ronald D wrote:
> >
> > Here you go...
>
> I forgot to ask which version of samba you're now running, but
> assuming it is something around '3.0.25', then here is my
> suggestion config. If it is an earlier version let me know.

I just realized that your config is pre-RID mapping so your
uid/gid base is in a single tdb file that if lost or broken
will seriously mess up your user base!

If that is the case then I suggest this:

idmap domains = default
idmap config default:default = yes
idmap alloc backend = tdb
idmap uid = 16777216 - 33554431
idmap gid = 16777216 - 33554431

Forget this:

idmap config NA:backend = rid
idmap config NA:range = 16777216 - 33554431

But remove these:

winbind uid = 16777216-33554431
winbind gid = 16777216-33554431

Backup your tdb cache directory and smb.conf first though to
be on the safe side.

-Ross

> > [global]
> > workgroup = NA
> > realm = NA.UIS.UNISYS.COM
> > netbios name = ustr-linux-1
> > server string = USTR-LINUX-1 Samba Server
> > encrypt passwords = yes
> > security = ADS
> > password server = 192.xx.xxx.xxx
>
> I believe for an AD domain, if you set the password server
> equal to the local domain name it will round-robin query
> the closest domain controller. Test it out, it will eliminate
> the single point of failure if it works in your environment.
>
> > passdb backend = smbpasswd
>
> I tend to use tdb for my passwd backend, especially if the number
> of users is large, tdb can speed lookups tremendously.
>
> > log level = 2 winbind:10 ads:10 auth:10
> > syslog = 0
> > log file = /var/log/samba/%m.log
> > # debug level = 10
> > max log size = 5000
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> I see no idmap entries here, and don't understand how winbind
> is working at all without them, maybe some old compatibility
> feature...
>
> I suggest, and of course I don't know your full topology, so it
> will most definitely need adjusting:
>
> idmap domains = default NA
> idmap config default:default = yes
> idmap config NA:backend = rid
> idmap config NA:range = 16777216 - 33554431
>
> Is that id range valid? I have never used anything over 999999, it
> seems very oddly arbitrary, but I suppose you have a reason...
>
> Normally I allocate a 100000 id range per domain, so NA would have
> range 100000 - 199999, domain NA2 would have 200000 - 299999 and
> so on, makes it easier to determine the RID if the base of the
> range is on a power of ten and if you have multiple domains.
>
> idmap alloc backend = tdb
> idmap uid = 90000 - 99999
> idmap gid = 90000 - 99999
>
> This section here is for local mappings, BUILTINs and such, I
> set it as the default, but I'm sure other people will have
> their preferences or recommendations.
>
> > winbind use default domain = no
> > winbind enum users = no
> > winbind enum groups = no
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
> > nt acl support = yes
> > map acl inherit = yes
>
> Notice I removed these lines:
> > winbind uid = 16777216-33554431
> > winbind gid = 16777216-33554431
>
> This is old deprecated syntax, the syntax is now 'idmap uid',
> and it applies to id domains not explicitly configured with
> the 'id config' directive.
>
> <snip>
>
> Let me know if that helps.
>
> -Ross
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
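
Added example, not part of the thread or of Samba: a small pre-change check for the idmap settings discussed above, flagging the old `winbind uid`/`winbind gid` names and any overlapping id ranges, plus the RID-to-id arithmetic that makes round range bases easy to read. The sample config is constructed, the function names are hypothetical, and `rid_to_id` assumes idmap_rid's documented formula with `base_rid` 0.

```python
import re

# Constructed smb.conf fragment using the parameter names quoted in the thread.
SAMPLE_CONF = """\
[global]
    winbind uid = 16777216-33554431
    idmap domains = default NA
    idmap config NA:backend = rid
    idmap config NA:range = 100000 - 199999
    idmap uid = 90000 - 99999
    idmap gid = 90000 - 99999
"""
OLD_NAMES = ("winbind uid", "winbind gid")

def parse_global(text):
    """Return {parameter: value} for [global]; names lower-cased, spaces squeezed."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Flag the old 'winbind uid/gid' names and overlapping idmap ranges."""
    params = parse_global(text)
    findings = [f"deprecated: {k}" for k in params if k in OLD_NAMES]
    ranges = []
    for key, value in params.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and (key in ("idmap uid", "idmap gid") or key.endswith(":range")):
            ranges.append((key, int(m.group(1)), int(m.group(2))))
    for i, (a, alo, ahi) in enumerate(ranges):
        for b, blo, bhi in ranges[i + 1:]:
            if {a, b} == {"idmap uid", "idmap gid"}:
                continue  # uid and gid are separate number spaces
            if alo <= bhi and blo <= ahi:
                findings.append(f"overlap: {a} / {b}")
    return findings

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: id = rid - base_rid + low, or None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None
```

Run `lint()` on a copy of smb.conf before restarting winbind; an overlap between a domain range and the alloc range means two different SIDs can end up owning the same uid or gid.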
