Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2013-03-16 Thread Brian Schonecker
Did you ever get a resolution to your issue with UIDs not matching?

I have the same problem and I cannot for the life of me get my UIDs to
come from Active Directory.

If you did solve it by using the

idmap config DOMAIN : backend = ad

would you be so kind as to share?  I am only able to get

idmap config * :  backend = tdb

to work.  I have never been able to get UIDs for a particular domain to
work.  Only the * seems to 'hit'.


Thanks, Brian
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2011-12-09 Thread Jean-Yves Avenard
Hi


On Friday, 9 December 2011, Jonathan Buzzard jonat...@buzzard.me.uk wrote:


> Your two ranges are overlapping and it just doesn't work if you do that. I have
> no idea why and it is not well documented why it does not work. Also you have
> to have the plain idmap backend config line set up as a tdb backend. Something
> like this is what you need.
>
>   idmap backend = tdb
>   idmap uid = 200-299
>   idmap gid = 200-299
>   idmap config ALLORATECH : backend = ad
>   idmap config ALLORATECH : schema_mode = rfc2307
>   idmap config ALLORATECH : readonly = yes
>   idmap config ALLORATECH : range = 1000-199
>
> Seems to come up fairly regularly this one and I can tell you it took me ages
> to work out a working configuration. This has been really stable for me
> however other than some random winbind deaths which I papered over with
> monit. Though a more recent 3.5.x version of Samba might fix that as there
> seems to have been a lot of bug fixes for it.
>
> Note this is for 3.5.x and it has all been changed again in 3.6.x so god only
> knows how you configure it for that.


Thanks for your answer.

If you do it that way, will it use the uidNumber LDAP entry as uid for
the domain user?

Also, what is the read only config for?

Thanks


Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2011-12-08 Thread Jonathan Buzzard

Jean-Yves Avenard wrote:

> Hi
>
>
> On 7 December 2011 22:06, Jean-Yves Avenard jyaven...@gmail.com wrote:
>
> > Is there a way to make it so the uid/SID are matched in such a way that a
> > username keeps the same uid as before.
> > For example, editing on the domain controller the ldap entries that
> > contain the uid/SID map or something like that (just thinking out loud
> > here)
>
>
> Amending this troubleshooting.
>
> Unix extension has been added to the active directory, and the
> uidNumber for each user has been added in order to match the previous
> uid as discovered by winbind.
>
> smb.conf was amended as follows:
> winbind use default domain = Yes
> winbind enum users = No
> winbind enum groups = No
> winbind nested groups = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> winbind nss info = rfc2307
> allow trusted domains = No
>
> idmap uid = 1000-199
> idmap gid = 1000-199
> idmap backend = ad
> idmap config ALLORATECH : backend = ad
> idmap config ALLORATECH : range = 1000-99
> idmap config ALLORATECH : schema_mode = rfc2307
>
> Looking at the winbind_ad module, it seems to me that should the nss
> info and schema mode be set to rfc2307; it should use the uidNumber
> entry for determining the uid of the user.
>
> However, winbind still assigns the RID + 1 for the user's uid...
>
> Is there a way to tell winbind precisely which uid to use? What am I missing?



Your two ranges are overlapping and it just doesn't work if you do that. I
have no idea why and it is not well documented why it does not work.
Also you have to have the plain idmap backend config line set up as a tdb
backend. Something like this is what you need.


   idmap backend = tdb
   idmap uid = 200-299
   idmap gid = 200-299
   idmap config ALLORATECH : backend = ad
   idmap config ALLORATECH : schema_mode = rfc2307
   idmap config ALLORATECH : readonly = yes
   idmap config ALLORATECH : range = 1000-199

Seems to come up fairly regularly this one and I can tell you it took me 
ages to work out a working configuration. This has been really stable 
for me however other than some random winbind deaths which I papered 
over with monit. Though a more recent 3.5.x version of Samba might fix 
that as there seems to have been a lot of bug fixes for it.


Note this is for 3.5.x and it has all been changed again in 3.6.x so god 
only knows how you configure it for that.



JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
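
Jonathan's reply above says that overlapping idmap ranges do not work. The following Python script is an added example (not part of any message in this thread, and not Samba code) that parses the `idmap uid`, `idmap gid` and `idmap config DOMAIN : range` lines of an smb.conf fragment and reports any per-domain range that overlaps the default range or another domain, plus any range whose lower bound is above its upper bound. The domain name EXAMPLE and all numeric ranges are constructed for illustration.

```python
import re

# Constructed smb.conf fragment (not from the thread). EXAMPLE is a
# hypothetical domain and the numeric ranges are illustrative only.
OVERLAPPING = """
[global]
    idmap backend = tdb
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-14999
"""
# Same fragment with the default allocation range moved out of the way.
DISJOINT = OVERLAPPING.replace("= 10000-19999", "= 2000-2999")

RANGE_LINE = re.compile(
    r"^\s*idmap\s+(?:(uid|gid)|config\s+(\S+)\s*:\s*range)"
    r"\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)

def parse_ranges(conf):
    """Return (label, low, high) for each idmap range line; comments are skipped."""
    found = []
    for line in conf.splitlines():
        m = RANGE_LINE.match(line)  # lines starting with '#' or ';' never match
        if m:
            kind, domain, low, high = m.groups()
            label = f"default {kind.lower()}" if kind else f"domain {domain}"
            found.append((label, int(low), int(high)))
    return found

def check_ranges(conf):
    """Return a list of problems; an empty list means no conflict was found."""
    ranges = parse_ranges(conf)
    problems = [f"{label}: {lo}-{hi} has its lower bound above its upper bound"
                for label, lo, hi in ranges if lo > hi]
    usable = [r for r in ranges if r[1] <= r[2]]
    for i, (a, a_lo, a_hi) in enumerate(usable):
        for b, b_lo, b_hi in usable[i + 1:]:
            # Default uid and gid ranges are separate ID spaces and may coincide;
            # a per-domain range covers both, so it must clear each of them.
            if a.startswith("default") and b.startswith("default"):
                continue
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"{a} ({a_lo}-{a_hi}) overlaps {b} ({b_lo}-{b_hi})")
    return problems

if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING), ("disjoint", DISJOINT)):
        print(name, check_ranges(conf) or "no conflicts")
```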


[Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2011-12-07 Thread Jean-Yves Avenard
Hi there.

Our IT moved all the user accounts to a new domain controller.
It wasn't much of a migration, more so a complete setup on a new
machine, new OS, new domain; it just happens that the usernames and
group names remained the same.

I have been asked to look after the migration of the existing unix
servers (linux and freebsd running samba 3.4).
All the unix machines use winbind for authentication purposes.

Previously the mapping between uid and sids were mapped as follows:
idmap backend = idmap_rid:MEL=1-1
idmap uid = 1-1
idmap gid = 1-1

That was simple and easy.

Problem is, on the new domain controller, while the usernames are the
same, the SIDs are not.

So should I move the unix machines to the new domain, all ownerships
and permissions will be screwed up.

The new winbind setup is supposed to use the following config for idmap backend:
  idmap backend = ad
  ldap idmap suffix = dc=alloratech,dc=local
  ldap admin dn = cn=access,ou=Alloratech,dc=alloratech,dc=local
  ldap suffix = dc=alloratech,dc=local

Which actually gives similar uid/gid in relation to the SID as the
previous setup (1 + last digits of SID)

Now, going through all the files and folders found on those servers
(they are used as file server) to fix the ownership and permission is
going to take forever.

Is there a way to make it so the uid/SID are matched in such a way that a
username keeps the same uid as before.
For example, editing on the domain controller the ldap entries that
contain the uid/SID map or something like that (just thinking out loud
here)

Any help and/or advice will be greatly appreciated

Thank you in advance
Jean-Yves


Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2011-12-07 Thread Jean-Yves Avenard
Hi


On 7 December 2011 22:06, Jean-Yves Avenard jyaven...@gmail.com wrote:
> Is there a way to make so the uid/SID are matched in such a way that a
> username keeps the same uid as before.
> For example, editing on the domain controller the ldap entries that
> contain the uid/SID map or something like that (just thinking out loud
> here)

Amending this troubleshooting.

Unix extension has been added to the active directory, and the
uidNumber for each user has been added in order to match the previous
uid as discovered by winbind.

smb.conf was amended as follows:
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind nss info = rfc2307
allow trusted domains = No

idmap uid = 1000-199
idmap gid = 1000-199
idmap backend = ad
idmap config ALLORATECH : backend = ad
idmap config ALLORATECH : range = 1000-99
idmap config ALLORATECH : schema_mode = rfc2307

Looking at the winbind_ad module, it seems to me that should the nss
info and schema mode be set to rfc2307; it should use the uidNumber
entry for determining the uid of the user.

However, winbind still assigns the RID + 1 for the user's uid...

Is there a way to tell winbind precisely which uid to use? What am I missing?

Thanks
JY