Re: [Samba] UID mapping

2011-06-15 Thread Jonathan Buzzard

On Tue, 2011-06-14 at 23:41 +, Peter Shevchenko wrote:

[SNIP]

 I have been working on exactly this problem. I looked into the 
 rfc2307 schema extensions and it looked like a lot of trouble. The Samba 
 HowTo has this to say about it:
 
 "The use of this method is messy. The information provided in the 
 following is for guidance only and is very definitely not complete. This 
 method does work; it is used in a number of large sites and has an 
 acceptable level of performance." See
 samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

That is *not* the method I was suggesting to use. I was suggesting using
the idmap_ad backend and winbind directly. No ldap or similar in sight
excepting that AD is ldap.

This is the configuration that I use in smb.conf

# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 200 - 299 
idmap gid = 200 - 299
idmap config LIFESCI-AD : backend = ad
idmap config LIFESCI-AD : schema_mode = rfc2307
idmap config LIFESCI-AD : readonly = yes
idmap config LIFESCI-AD : range = 500 - 199
idmap cache time = 120
idmap negative cache time = 20
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false

With nsswitch.conf looking like

passwd: files winbind
shadow: files
group:  files winbind


I would say the documentation on how to get this working is not great,
the biggest stumbling block being the need for the non-overlapping range
for the plain tdb backend, which is all required despite the fact it is
never used.

Yes you need to have winbind running at all times for it to work but it
does work.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
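Jonathan's layout above (a tdb default range beside an idmap_ad range) and his point about keeping the two from overlapping are worth checking mechanically before thousands of home directories depend on it. The script below is an added example, not code from the thread or from Samba: it parses the idmap ranges from a constructed smb.conf fragment (the numbers are illustrative, not the poster's), reports overlapping ranges, and reconciles a constructed /etc/passwd against AD uidNumber values, which is the check Martin's migration needs before winbind takes over from /etc/passwd.

```python
"""Added example, not from the thread: check an smb.conf idmap layout of the
kind Jonathan describes (a tdb default range beside an idmap_ad/rfc2307
domain range) for the overlap he warns about, then reconcile local
/etc/passwd UIDs against AD uidNumber values before switching to winbind."""
import re

# Constructed smb.conf fragment; the numeric ranges are illustrative.
SMB_CONF = """
idmap backend = tdb
idmap uid = 20000 - 29999
idmap gid = 20000 - 29999
idmap config LIFESCI-AD : backend = ad
idmap config LIFESCI-AD : schema_mode = rfc2307
idmap config LIFESCI-AD : range = 500 - 19999
"""

# Matches the old "idmap uid = lo - hi" form and "idmap config DOM : range".
RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:uid|config\s+(\S+)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)")


def parse_ranges(conf):
    """Map backend name ('*' for the default/tdb backend) to (lo, hi)."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1) or "*"] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping(ranges):
    """Return pairs of backends whose UID ranges intersect (should be empty)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, hi_a)), (b, (lo_b, _))
            in zip(items, items[1:]) if lo_b <= hi_a]


def reconcile(passwd_lines, ad_uids, ad_range):
    """Users whose local UID is absent from, differs from, or falls outside
    the AD uidNumber data that idmap_ad will hand out."""
    lo, hi = ad_range
    problems = {}
    for line in passwd_lines:
        name, _, uid = line.split(":")[:3]
        uid = int(uid)
        if name not in ad_uids:
            problems[name] = "no uidNumber in AD"
        elif ad_uids[name] != uid:
            problems[name] = f"local {uid} != AD {ad_uids[name]}"
        elif not lo <= uid <= hi:
            problems[name] = f"uid {uid} outside idmap range {lo}-{hi}"
    return problems
```

Feed `reconcile` the real /etc/passwd and a dump of uidNumber per sAMAccountName; every user it reports will get a different UID from winbind than the files on disk expect.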


Re: [Samba] UID mapping

2011-06-15 Thread Robert Freeman-Day

On 06/15/2011 10:29 AM, Jonathan Buzzard wrote:
 

The environment I work in did not fully implement the rfc schema.  I
would use the hash idmap backend:
http://www.samba.org/samba/docs/man/manpages-3/idmap_hash.8.html

-- 

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] UID mapping

2011-06-15 Thread Peter Shevchenko
 
 
----- Original message -----
From: Jonathan Buzzard jonat...@buzzard.me.uk
To: Martin Rootes m.j.roo...@shu.ac.uk
CC: Samba samba@lists.samba.org
Date: Tue, 14 Jun 2011 23:28:49 +0100
-----
 
 

I have been working on exactly this problem. I looked into the rfc2307 schema
extensions and it looked like a lot of trouble. The Samba HowTo has this to
say about it:

"The use of this method is messy. The information provided in the following
is for guidance only and is very definitely not complete. This method does
work; it is used in a number of large sites and has an acceptable level of
performance." See
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

I also noticed that, to quote the HowTo again, "If winbindd is not running,
smbd (which calls winbindd) will fall back to using purely local information
from /etc/passwd and /etc/group and no dynamic mapping will be used. On an
operating system that has been enabled with the NSS, the resolution of user
and group information will be accomplished via NSS." See
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html.
This is the solution that I am now implementing. It looks to be working but
I still have some testing to do. This is the way that another system works
here and we have had no trouble with it. If you have multiple domains then
you have to be very careful doing this. We have one master OpenLDAP server
and we create accounts on all domains from that. We know that John on one
domain is the same person as John on all the others. The Linux Samba servers
are just set up so that NSS gets account info from the master LDAP server but
the smb.conf gets auth info from the AD domain controller. Password changing
on the Windows and Linux machines has been disabled and all password
changes are done through a website. This site then updates the LDAP and AD
passwords.

Peter
-- 
Peter Shevchenko Ph: +61 2 6125 1548
Email: peter.shevche...@anu.edu.au
IT Administrator

ANU College of Engineering and
Computer Science




[Samba] UID mapping

2011-06-14 Thread Martin Rootes

Hi,

I'm trying to convert an old system on Solaris 10 that uses the 
smbpasswd file authentication method to a system that authenticates 
against Active Directory. I've managed to get winbind working but of 
course this just allocates UIDs as it sees fit whereas the smbpasswd 
file method used the UID from the /etc/passwd file. The user codes on 
the Solaris server match the user codes in AD but if I just switch over 
to winbind the UIDs will not match. If there were only a small number of 
users I could simply change the ownership of the users' home directories 
to match the winbind allocated UID but unfortunately there are thousands 
of users and so this would be a mammoth task. I've had a look at various 
bits of documentation but can't get my head around the best strategy. 
Has anyone needed to do something similar and if so how did you go about it?


Also the users' home directories are distributed around multiple 
directories and I would prefer to continue to use the home directory 
information from /etc/passwd as opposed to using template homedir 
(although I assume that I could leave the directories in place and just 
set up links to them). I've also had a look at the PADL nss_ldap 
stuff but can't get it to compile; it seems to be looking for SASL. 
Would the SASL version on the Sun Freeware site work?


Martin.



Re: [Samba] UID mapping

2011-06-14 Thread Jonathan Buzzard

Martin Rootes wrote:


Would filling out the rfc2307 information in the AD not be the way 
forward? Then winbind would not be allocating UIDs but using what was 
set in the AD, which you could match with your current settings. In 
addition you could have your home directories wherever you want on a per 
user basis depending on what you have set in the AD.


If you are going to be using AD then it is best not to fight it, and any 
AD server after 2003 R2 has the rfc2307 schema extensions activated; you 
just need to populate the fields. Though I appreciate that sometimes 
this can be easier said than done if you don't have control over the AD 
servers.



JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


Re: [Samba] UID mapping

2011-06-14 Thread Peter Shevchenko
On Tue, 14 Jun 2011 23:28:49 +0100, Jonathan Buzzard wrote:


I have been working on exactly this problem. I looked into the 
rfc2307 schema extensions and it looked like a lot of trouble. The Samba 
HowTo has this to say about it:

"The use of this method is messy. The information provided in the 
following is for guidance only and is very definitely not complete. This 
method does work; it is used in a number of large sites and has an 
acceptable level of performance." See
samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

I also noticed that, to quote the HowTo again, "If winbindd is not running,
smbd (which calls winbindd) will fall back to using purely local 
information from /etc/passwd and /etc/group and no dynamic mapping will 
be used. On an operating system that has been enabled with the NSS, the 
resolution of user and group information will be accomplished via NSS." 
See www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html.

This is the solution that I am now implementing. It looks to be working 
but I still have some testing to do. This is the way that another system 
works here and we have had no trouble with it. If you have multiple 
domains then you have to be very careful doing this. We have one master 
OpenLDAP server and we create accounts on all domains from that. We know 
that John on one domain is the same person as John on all the others. The 
Linux Samba servers are just set up so that NSS gets account info from the 
master LDAP server but the smb.conf gets auth info from the AD domain 
controller. Password changing on the Windows and Linux machines has been 
disabled and all password changes are done through a website. This site 
then updates the LDAP and AD passwords.

Peter
-- 
Peter Shevchenko
Email: peter.shevche...@rsise.anu.edu.au
IT Administrator

ANU College of Engineering and
Computer Science






[Samba] uid mapping

2007-05-13 Thread Urs Golla

Hi

It's me again ;-)

I have set idmap uid = 1-4. But my ADS users now have UIDs
starting from 5000.
And the new files from these users have MYDOMAIN:MYDOMAIN as owner. I
think this should be MYDOMAINUSERNAME:MYDOMAINGROUP.

Any ideas? I think it's almost done...


[Samba] UID mapping for Organizational Unit

2005-10-27 Thread Beasley Wendell L IT741
I am running Samba 3.0.10-1.4E on Red Hat using winbind to allow
Windows users to authenticate to NFS shares. The problem I am having is
with the UID mappings of Active Directory users. When I run the command
getent passwd, not only am I getting users, I am also getting computer
objects. This is using up all of the allocated idmap UIDs. I can increase
the number, but I am looking at entries that I don't need to see. Is
there a way to only see certain OUs from Active Directory?

Thanks
Wendell