Re: [Samba] RE Samba (winbind) troubles
hijacked the winbind threat.. but.. Really, if you want my opinion (and you probably don't): people need to stop thinking "NT server" if they connect to a samba4 AD server and start thinking "AD server"; they are totally different. Novell NDS is much better than MS's (NDS-copied) AD, but that's not the issue.

Also a big point is, not thinking in AD, it's making better manuals/howtos based on real-world examples. I'm working with Novell/Windows for over 20 years now, Linux about 15, and really, the manuals and howtos aren't easy to read, sorry.. that is for me, since I'm Dutch. There are too many scenarios, and combined with the wiki, it's a mess in my head... Some simplified howtos would be nice, like for example:

( choose )
- Single server setup, with samba4 AD, choose internal DNS or BIND, etc..
- 2 samba4 DC servers, using BIND, etc. etc.
- 1 samba4 server, added to a Windows AD.
- 1 Windows server, added to a samba4 AD.
- 2 samba4 DC servers and 1 remote samba DC server.

These 5 are the start of all other scenarios.

( some extras )
- samba4 setup with DRBD or GLUSTER ( since it's default in most distros )

( management )
- GUI - Windows tools
- CLI - some needed commands as example, etc..

Put the pros/cons in a matrix: what works, what not. And I'd prefer something like this with, for example, the SerNet packages. This way it is always the same, no compiling needed, so fewer questions here, and bugs are found faster. Looks like a win-win for me. And if a setup is made, for example, with Ubuntu, it is usable for all Debian-based installs; same for CentOS/Red Hat. I'm using this strategy for all my servers I install and manage. Bugs are found and fixed very fast with upstream packages. I don't compile on any production server, as should everyone else.

Any suggestions, samba team? Please do so, let's make the best software even better. My now-running setup is done by howto ( made my own at the time ), and is running since 2004, with 0 errors, ok, some failing hardware, but samba never let me down.

I still use the manual to install new servers in my environment now. I've been testing samba4 since alpha 8, and for now, I'm still not running it. Why? Setting up samba4 is too complex in my situation. Yes, documentation is good, but for me it's too much. But if it's too much for me, how about other people,... what would you like to see to simplify the samba4 install? A simple thing like installing samba4 and adding it as DC to a Windows domain: really try it with only the wiki info. Such a simple thing like this is explained in a very complex way in the wiki. But ok, this is my point of view. I do like samba, but wiki/howtos are lots to improve.

I promise to the samba community, when I start my install, I'll document it and make a nice howto of it. A howto everyone can read and understand. ( will be Debian/Ubuntu based, with SerNet packages ) Still, samba team/SerNet team, thanks for providing this software, let's make it better with all of us. There are lots of very good people here on the mailing list which have the knowledge to make such howtos.

ow... and sorry for my bad English.. ;-) I don't write much in English these days.

Best regards,

Louis

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] RE Samba (winbind) troubles
On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> hijacked the winbind threat.. but..

Don't feel threatened. There _are_ alternatives.

> I do like samba, but wiki/howtos are lots to improve.

To be fair, it's not just Samba. It's most open source stuff. There are too many hobbyists and armchair users. As Joe Public, what we should be doing is not criticising the devs for their poor documentation. We should be writing it ourselves at our own level. Let the devs enjoy their C and let's thank them for the code. It's not down to them to document it for end users. I doubt that Microsoft would allow their coders anywhere near the end user documentation department.

Anyway, hopefully complex DCs and Windows domains will soon be a thing of the past. You don't need winbind for Cloud. You won't need sysadmins either. Just someone who can read the quickstart guide.

Just my €0.02
Re: [Samba] RE Samba (winbind) troubles
> From: steve
>
> On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> > I do like samba, but wiki/howtos are lots to improve.
>
> To be fair, it's not just Samba. It's most open source stuff. There are too many hobbyists and armchair users. As Joe Public, what we should be doing is not criticising the devs for their poor documentation. We should be writing it ourselves at our own level. Let the devs enjoy their C and let's thank them for the code. It's not down to them to document it for end users.

It's a little hard to write documentation when all you've got is a million questions and no answers. The only people who actually have the answers are the developers. I wish developers would routinely budget, oh, 10% of their time to writing docs. I spend at least twice that much on documenting my own software, because I find it helps me write better organized code if I first have to explain what it's going to do, or how to use it. Write the manual first, then implement it, modifying the manual as you discover logical flaws during the process of writing and debugging.

> I doubt that Microsoft would allow their coders anywhere near the end user documentation department.

I don't know what they do at Microsoft, but there must be some organized way of getting the software writers to convey the information to the people who actually write the documentation. In my opinion (as someone who's been spending a big chunk of his life reading documentation lately), the MSDN content ranges from marginal to excellent, while Linux-land documentation ranges from practically non-existent (e.g., ALSA) to very good (the kernel man pages). So far, I think Samba's docs get about a C-, but that's because I know next to nothing about networking; they may look much better to someone who already knows all about SMB from the Windows world.

-- 
Ciao,               Paul D. DeRocco
Paul                mailto:pdero...@ix.netcom.com
Re: [Samba] RE Samba (winbind) troubles
On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
> > From: steve
> >
> > On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> > > I do like samba, but wiki/howtos are lots to improve.
> >
> > To be fair, it's not just Samba. It's most open source stuff. There are too many hobbyists and armchair users. As Joe Public, what we should be doing is not criticising the devs for their poor documentation. We should be writing it ourselves at our own level. Let the devs enjoy their C and let's thank them for the code. It's not down to them to document it for end users.
>
> It's a little hard to write documentation when all you've got is a million questions and no answers. The only people who actually have the answers are the developers.

Hi
That's not the case. They are too far removed from being an end user, let alone a beginner. You're just about to solve an issue that you have raised in this thread. As soon as you have it solved, then document it in your own words: your own notes in case you get the issue again. It's a small step from there to tidy it up a bit and blog or wiki it. You have the opportunity of using the non-jargon, non-technical language end users hate. Other end users will hit the blog like it's going out of fashion. There's a demand for this level of documentation.

Salu2
Steve
Re: [Samba] RE Samba (winbind) troubles
Look, you're still not getting the point, steve. Yes, you made some good howtos, I've read them. But because there are so many options, so many roads to Rome... it's hard to decide what to use. Yes, developers need to be developers, but if the developers don't document, who can then make the documentation? So yes, the devs need to do some documentation. And what there is, is good, that's not the point. My point is, there are lots of people installing samba4, in different ways. It would be nice if there were some guidelines on how to set up such a thing. And yes, even Microsoft or Novell have such guidelines. But that's not the point. I'm asking here if the people who really understand samba4, and this can be dev or community people, can make some simple howtos. As I already said, I'm going to make one, like the one before.

For example, look at my old setup: http://lists.samba.org/archive/samba/2005-December/114817.html
It's still usable, ok, the layout is a bit messed up, but it still works. ( don't be too hard on it, it was my first howto. ) And, as stated in 2005... quote:

  I try to give a complete solution for this how-to, this is because lots of people were asking the same things on the samba list and lots of people make the same mistakes. and all these same questions are taking precious time of the dev's.

Samba4 can be much much better in use when there are better howtos. Which don't need compiling, to make it more accessible for others, and most important, no compiling software on production servers, it's not safe and not needed! Keep things as standard as they can be, your life gets so much easier if you do. For example, my backups are just /etc, /home/MYDATA and my LDAP export. If I have a crash, happened 1 time, I just reinstall my server, put back my configs, and reset rights if needed; I'm always up and running within 1-2 hours. ( with about 40-60GB data ) Even if my building burns out. ( ok, tape restore takes 1,5 hours, so total restore time 3-4 hours ) I can replicate every installation very easily because of no compiling, and keep it as standard as I can. Debian is a star at keeping the install files original, and using include.d dirs for extra settings. This is power in upgrading and reinstalls. That's my point.

So let's help one another; I'm looking for SerNet based howtos, please e-mail them to me if you have one. I'll try to make a new big howto for samba.

Louis

-----Original message-----
From: st...@steve-ss.com [mailto:samba-boun...@lists.samba.org] On behalf of steve
Sent: Wednesday 24 July 2013 11:08
To: samba@lists.samba.org
Subject: Re: [Samba] RE Samba (winbind) troubles

> On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
> > > From: steve
> > >
> > > On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> > > > I do like samba, but wiki/howtos are lots to improve.
> > >
> > > To be fair, it's not just Samba. It's most open source stuff. There are too many hobbyists and armchair users. As Joe Public, what we should be doing is not criticising the devs for their poor documentation. We should be writing it ourselves at our own level. Let the devs enjoy their C and let's thank them for the code. It's not down to them to document it for end users.
> >
> > It's a little hard to write documentation when all you've got is a million questions and no answers. The only people who actually have the answers are the developers.
>
> Hi
> That's not the case. They are too far removed from being an end user, let alone a beginner. You're just about to solve an issue that you have raised in this thread. As soon as you have it solved, then document it in your own words: your own notes in case you get the issue again. It's a small step from there to tidy it up a bit and blog or wiki it. You have the opportunity of using the non-jargon, non-technical language end users hate. Other end users will hit the blog like it's going out of fashion. There's a demand for this level of documentation.
>
> Salu2
> Steve
Re: [Samba] Winbind troubles
On Wed, 2013-07-24 at 00:49 +0200, steve wrote:
[SNIP]
> For the record, sssd pulls all its info from AD.

I never said otherwise.

> A user does not need a gidNumber, it is drawn from the primaryGroupID. For Linux clients it is vital that whatever the primaryGroupID is contains the gidNumber attribute. sssd does the rest.

Hum, according to Rowland it uses the gidNumber in the user's DN, though his posted proof was flawed and it could have been coming from the gidNumber of the user's primary group just as winbind does. I have browsed the source code for sssd but it is not immediately obvious where it is getting the info from. So which one does it really use?

I see that the classicupgrade retains the user gidNumber, so maybe we should keep it in the DN of not only the primaryGroup but also in the DN for new users too. For compatibility? Like I said, best practice is probably to keep them the same. The thing with RFC2307 is that it is for storing Unix attributes in LDAP and we are talking about storing Unix attributes in AD, which is not quite the same thing. Ideally the gidNumber field in the user's entry should be a derived field, similar to the memberOf fields.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On 24 July 2013 11:59, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> Hum, according to Rowland it uses the gidNumber in the user's DN, though his posted proof was flawed and it could have been coming from the gidNumber of the user's primary group just as winbind does. I have browsed the source code for sssd but it is not immediately obvious where it is getting the info from. So which one does it really use?
>
> I see that the classicupgrade retains the user gidNumber, so maybe we should keep it in the DN of not only the primaryGroup but also in the DN for new users too. For compatibility? Like I said, best practice is probably to keep them the same. The thing with RFC2307 is that it is for storing Unix attributes in LDAP and we are talking about storing Unix attributes in AD, which is not quite the same thing. Ideally the gidNumber field in the user's entry should be a derived field, similar to the memberOf fields.

Look you prat, I agreed with you that it is best practise to keep the user's gidNumber and primaryGroupID the same. I also said that it probably does not matter where the gidNumber comes from as long as it is the right one. The storage of Unix attributes in AD is what Windows does, so it must be done the way that Windows does it. I also said that we were never going to agree on this, this was a hint, PLEASE SHUT UP!

Rowland
Re: [Samba] Winbind troubles
On Wed, 2013-07-24 at 11:59 +0100, Jonathan Buzzard wrote:
> On Wed, 2013-07-24 at 00:49 +0200, steve wrote:
> [SNIP]
> > For the record, sssd pulls all its info from AD.
>
> I never said otherwise.
>
> > A user does not need a gidNumber, it is drawn from the primaryGroupID. For Linux clients it is vital that whatever the primaryGroupID is contains the gidNumber attribute. sssd does the rest.
>
> Hum, according to Rowland it uses the gidNumber in the user's DN,

He was correct. I was wrong in assuming that you needed no gidNumber in the user DN. It is indeed the gidNumber that is used for rfc2307, exactly as OpenLDAP. I apologise for misleading the list before I tested it live.

Cheers,
Steve
Re: [Samba] Winbind troubles
On Wed, 2013-07-24 at 14:09 +0200, steve wrote:
[SNIP]
> > Hum, according to Rowland it uses the gidNumber in the user's DN,
>
> He was correct. I was wrong in assuming that you needed no gidNumber in the user DN. It is indeed the gidNumber that is used for rfc2307, exactly as OpenLDAP.

Thank you for the clarification. I do feel that the winbind approach is the better of the two when interacting with an Active Directory controller as opposed to an LDAP server.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
Hai,

I'm having exactly the same problem with winbind as Matthew Daubenspeck, also on Ubuntu 12.04 with SerNet packages. ( used sernet-samba-winbind 4.0.7 ) I removed the complete config atm but am at the point of reinstalling now. I'll wait with that until you put your howto on. I can't lose the rfc2307 :-( and I can't lose control over uidNumber, gidNumber, home directories and login shells. And I'm adding a second DC later on, but what's the difference between RID and AD exactly? Or just these 4 things?

I'll go try the sssd as suggested below on Ubuntu 12.04.

Best regards,

Louis

-----Original message-----
From: rowlandpe...@googlemail.com [mailto:samba-boun...@lists.samba.org] On behalf of Rowland Penny
Sent: Monday 22 July 2013 23:45
To: steve
CC: samba@lists.samba.org
Subject: Re: [Samba] Winbind troubles

> If you want my opinion, this is just another example of why not to use winbind. If you can wait until tomorrow, I will send you a howto on sssd on Ubuntu 12.04
>
> Rowland
>
> On Jul 22, 2013 10:36 PM, steve st...@steve-ss.com wrote:
> > On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> > > On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> > > > OK, that seems like it should work. I had the winbind ad backend working, but found it difficult to set up so jumped ship to sssd. The idmap setup I used was:
> > > >
> > > >   idmap config *:backend = tdb
> > > >   idmap config *:range = 1100-2000
> > > >   idmap config DOMAIN:backend = ad
> > > >   idmap config DOMAIN:schema_mode = rfc2307
> > > >   idmap config DOMAIN:range = 1-310
> > > >
> > > > As you can see the number ranges are the opposite way round to what you have, i.e. config *:range is lower than DOMAIN:range
> > > >
> > > > You could also try (as a test) changing backend = ad to backend = rid; this will ignore the rfc2307 bit but will test the connection to the AD server.
> > > >
> > > > Rowland
> > >
> > > Changing the above ranges made no difference. However, changing backend = rid gets me:
> > >
> > >   root@srv2:~# getent passwd administrator
> > >   administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
> >
> > Amazing;)
> >
> > > That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?
> >
> > You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 09:40 +0200, L.P.H. van Belle wrote:
> Hai,
>
> I'm having exactly the same problem with winbind as Matthew Daubenspeck, also on Ubuntu 12.04 with SerNet packages. ( used sernet-samba-winbind 4.0.7 ) I removed the complete config atm but am at the point of reinstalling now. I'll wait with that until you put your howto on. I can't lose the rfc2307 :-( and I can't lose control over uidNumber, gidNumber, home directories and login shells. And I'm adding a second DC later on, but what's the difference between RID and AD exactly? Or just these 4 things?

With AD you get exactly what _you_ put into the directory. There are no algorithms or separate databases used to confuse an already complicated issue. You put rfc2307 in AD and you get it back out when you need it, e.g. when a user logs in.

> I'll go try the sssd as suggested below on Ubuntu 12.04.

+1 sssd just works: there is plain English documentation available and you get rfc2307 out of the box. The same day;)

otoh, if you must stick with winbind, there are reports of success here. Just one more thought: to bugzilla it.

¡Suerte!
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 10:15 +0200, steve wrote:
[SNIP]
> +1 sssd just works: there is plain English documentation available and you get rfc2307 out of the box. The same day;)
>
> otoh, if you must stick with winbind, there are reports of success here. Just one more thought: to bugzilla it.

Winbind just works if you configure it properly. There is also plain English documentation available for winbind as well. The problem is that Matthew either did not read it or did not follow it. From man idmap_ad:

  The writeable default config is also needed in order to be able to create group mappings. This catch-all default idmap configuration should have a range that is disjoint from any explicitly configured domain with idmap backend ad.

This is where Matthew went wrong; it's right there in the man page (unlike three years ago). There is also a large smattering of posts from myself on this list over the last two years on how important it is not to have overlapping ranges for the local allocatable range. If you do, it simply does not work.

It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.

Just thought about nscd too. On some distros it's default. . .

Cheers,
Steve
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> > It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.
>
> Just thought about nscd too. On some distros it's default. . .

Good point, never run winbind and nscd at the same time on the same box. It's a recipe for trouble.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On 23 July 2013 10:05, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> This is where Matthew went wrong; it's right there in the man page (unlike three years ago). There is also a large smattering of posts from myself on this list over the last two years on how important it is not to have overlapping ranges for the local allocatable range. If you do, it simply does not work.

OK, I see where you are coming from, but until testparm starts saying 'this will not work because', people will keep on having problems with winbind. Also, why do you need to set up the ranges anyway? The user and group ranges are already set by the admin in uidNumber and gidNumber, so again, why do they need setting in smb.conf? IMHO the setting should be 'idmap config:backend = ad' and that should make winbind pull all the rfc2307 items for a user or group.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:
[SNIP]
> OK, I see where you are coming from, but until testparm starts saying 'this will not work because', people will keep on having problems with winbind. Also, why do you need to set up the ranges anyway?

testparm does not guarantee a working configuration; it guarantees that you don't have any invalid configuration lines from a syntactic point of view.

I fully appreciate that it can seem confusing. I know three years ago when I first set it up I ended up reading large chunks of this mailing list's archive to find a single post that told me what I was doing wrong. At the time the idmap_ad manual page did not hold the necessary information. However, today in mid 2013, the manual page is accurate and there are a *lot* more posts in the mailing list on how to set it up.

> The user and group ranges are already set by the admin in uidNumber and gidNumber, so again, why do they need setting in smb.conf? IMHO the setting should be 'idmap config:backend = ad' and that should make winbind pull all the rfc2307 items for a user or group.

The issue is that winbind needs somewhere to allocate UID's and GID's for the BUILTIN backend. As such it does not know in advance what a suitable block for this is. Only you, the administrator, can say "this range here is not allocated in the AD". Also, winbind can handle multiple domains, so it needs to know which domain to use to look up a given UID or GID in.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On 23 July 2013 11:40, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:
> [SNIP]
> > OK, I see where you are coming from, but until testparm starts saying 'this will not work because', people will keep on having problems with winbind. Also, why do you need to set up the ranges anyway?
>
> testparm does not guarantee a working configuration; it guarantees that you don't have any invalid configuration lines from a syntactic point of view.

I thought that testparm did exactly that: it tested all the parameters in smb.conf, so if the ranges overlap, it should report the error.

> I fully appreciate that it can seem confusing. I know three years ago when I first set it up I ended up reading large chunks of this mailing list's archive to find a single post that told me what I was doing wrong. At the time the idmap_ad manual page did not hold the necessary information.

Darned right it is confusing.

> However, today in mid 2013, the manual page is accurate and there are a *lot* more posts in the mailing list on how to set it up.

Yet people still get it wrong.

> > The user and group ranges are already set by the admin in uidNumber and gidNumber, so again, why do they need setting in smb.conf? IMHO the setting should be 'idmap config:backend = ad' and that should make winbind pull all the rfc2307 items for a user or group.
>
> The issue is that winbind needs somewhere to allocate UID's and GID's for the BUILTIN backend. As such it does not know in advance what a suitable block for this is. Only you, the administrator, can say "this range here is not allocated in the AD".

Why are the BUILTIN uid's and gid's not set in stone? And noted somewhere, and users told 'do not use this range'?

> Also, winbind can handle multiple domains, so it needs to know which domain to use to look up a given UID or GID in.

sssd can do this very easily, so your point is?

Rowland

> JAB.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:
[SNIP]
> I thought that testparm did exactly that: it tested all the parameters in smb.conf, so if the ranges overlap, it should report the error.

You thought wrong then. It tests to see if they are valid, so 1000-akjf is invalid and will throw an error; 1000-2000 is valid and will not throw an error even if it overlaps with some other range.

> Darned right it is confusing.

It was confusing because the documentation at the time was not complete. That is no longer the case.

> Yet people still get it wrong.

There is no accounting for what some people do. I have just checked, and a Google search for "winbind ad rfc2307 setup" gives a top hit that explains the ranges must be orthogonal.

> Why are the BUILTIN uid's and gid's not set in stone? And noted somewhere, and users told 'do not use this range'?

Because your set-in-stone range might already be allocated in the AD. Not all Samba servers are green field deployments. Some/many have to integrate into already existing environments, and hence admins need the flexibility to adapt to the environment they find themselves in.

> > Also, winbind can handle multiple domains, so it needs to know which domain to use to look up a given UID or GID in.
>
> sssd can do this very easily, so your point is?

That is the one thing that sssd cannot do. At least according to the documents I have read, multiple domains with cross-domain trusts equals use winbind. Either way there is no way for either sssd or winbind to know which of the potential multiple domains it should look that up in. You could, I guess, take a sledgehammer approach and look it up in all the domains, but I can think of lots of reasons why that would not be a good idea.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
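The check that testparm does not do, as JAB explains above and as the man idmap_ad text quoted earlier requires: an added Python example (not Samba code, and not from anyone in this thread) that reads the idmap config range lines out of an smb.conf, rejects syntactically bad ranges the way testparm would, and then reports any catch-all/domain ranges that overlap. The domain name EXAMPLE, the two sample configs and their numbers are constructed for the example.

```python
"""Report overlapping 'idmap config <domain>:range' settings in an smb.conf.

Added example for the thread above; it is not Samba code. It only parses the
range lines and checks that each configured range is disjoint from the others,
which is the requirement from man idmap_ad that testparm does not enforce.
"""
import re
from typing import Dict, List, Tuple

# Matches e.g. "idmap config *:range = 11000-20000" or "idmap config EXAMPLE : range = 1-2"
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+?)\s*:\s*range\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf: str) -> Tuple[Dict[str, Tuple[int, int]], List[str]]:
    """Return ({domain: (low, high)}, [syntax errors]) for the range lines in smb_conf."""
    ranges: Dict[str, Tuple[int, int]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(smb_conf.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop smb.conf comments
        m = RANGE_RE.match(line)
        if not m:
            continue
        domain, value = m.group("domain"), m.group("value")
        parts = value.split("-")
        # testparm would already reject a range such as 1000-akjf
        if len(parts) != 2 or not all(p.strip().isdigit() for p in parts):
            errors.append(f"line {lineno}: invalid range '{value}' for '{domain}'")
            continue
        low, high = int(parts[0]), int(parts[1])
        if low >= high:
            errors.append(f"line {lineno}: empty range '{value}' for '{domain}'")
            continue
        ranges[domain] = (low, high)
    return ranges, errors


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return (a, b) pairs of idmap domains whose inclusive ranges intersect."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


def check_idmap_config(smb_conf: str) -> List[str]:
    """All findings for one smb.conf text: syntax errors first, then overlaps."""
    ranges, findings = parse_idmap_ranges(smb_conf)
    if "*" not in ranges:
        findings.append("no 'idmap config *:range' line; the catch-all default range is required for BUILTIN/local mappings")
    for a, b in overlapping_ranges(ranges):
        findings.append(f"ranges for '{a}' and '{b}' overlap; they must be disjoint")
    return findings


# Constructed sample: the catch-all range overlaps the domain range. testparm
# accepts this, winbind lookups then fail, as the thread describes.
BAD_SMB_CONF = """
[global]
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 10000-20000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-3000000
"""

# Constructed sample: same config with the catch-all range moved above the domain range.
GOOD_SMB_CONF = """
[global]
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 3000001-3010000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-3000000
"""

if __name__ == "__main__":
    for name, conf in (("bad", BAD_SMB_CONF), ("good", GOOD_SMB_CONF)):
        print(name, check_idmap_config(conf) or "ok")
```

Run it against a real smb.conf with `check_idmap_config(open("/etc/samba/smb.conf").read())` before joining the domain; an empty list means every configured range is well-formed and disjoint, which is the precondition the thread keeps coming back to.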
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> > It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.
>
> Just thought about nscd too. On some distros it's default. . .

Another thought. The primary Windows group of the account has to have Unix attributes. For reasons I cannot fathom, the gidNumber attribute of the account is not used by winbind and instead the primaryGroupID is used. If this group does not have a GID set then the lookup fails! I guess best practice is to keep the GID of the primaryGroupID and the gidNumber of the user the same, but I don't understand why it is the way it is.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
OK, the documentation is better but people still get it wrong, probably because it is more complex than it needs to be. I personally find it easier to set sssd up, but that is just me.

Why use a word like orthogonal? Just who knows what orthogonal means? I have only been speaking English for 56 years and have never used that word in a sentence. Just say what you mean and do not hide behind gobbledygook.

From what I can see the BUILTIN uids come from Windows (and are called SIDs) and there they are set in stone.

From the sssd-1.9.0 announcement:
- Add a new PAC responder for dealing with cross-realm Kerberos trusts

Your turn ;-)

Rowland

On 23 July 2013 13:48, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:
> [SNIP]
>> I thought that testparm did exactly that, it tested all the parameters in smb.conf, so if the ranges overlap, it should report the error.
>
> You thought wrong then. It tests to see if they are valid, so 1000-akjf is invalid and will throw an error; 1000-2000 is valid and will not throw an error even if it overlaps with some other range.
>
>> Darned right it is confusing.
>
> It was confusing because the documentation at the time was not complete. That is no longer the case.
>
>> Yet people still get it wrong.
>
> There is no accounting for what some people do. I have just checked and a Google search for "winbind ad rfc2307 setup" gives a top hit that explains the ranges must be orthogonal.
>
>> Why are the BUILTIN uid's/gid's not set in stone, and noted somewhere, and users told 'do not use this range'?
>
> Because your set-in-stone range might already be allocated in the AD. Not all Samba servers are green field deployments. Some/many have to integrate into already existing environments and hence admins need the flexibility to adapt to the environment they find themselves in.
>
> Also winbind can handle multiple domains so it needs to know which domain to use to look up a given UID or GID in.
>
>> sssd can do this very easily, so your point is?
>
> That is the one thing that sssd cannot do. At least according to the documents I have read, multiple domains with cross domain trusts equals use winbind.
>
> Either way there is no way for either sssd or winbind to know which of the potential multiple domains it should look that up in. You could I guess take a sledgehammer approach and look it up in all the domains, but I can think of lots of reasons why that would not be a good idea.
>
> JAB.
>
> --
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
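The point made above, that testparm only checks that each idmap range is syntactically valid and will not tell you when two ranges overlap, is easy to check yourself. The following is an added example written for this thread, not code from Samba or from any poster: it parses the "idmap config <name>:range" lines out of an smb.conf and reports every pair of ranges that intersect, optionally also against a reserved range for local system accounts. The domain name EXAMPLE, the range values and the 0-999 local range are constructed for the example (the local figure is the Debian one quoted later in the thread).

```python
import re

# Matches "idmap config <name>:range = <low>-<high>"; whitespace around ':' and '=' is tolerated.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf_text):
    """Return {idmap domain name: (low, high)} for every range line in smb.conf text."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if not m:
            continue
        name = m["dom"].strip()
        lo, hi = int(m["lo"]), int(m["hi"])
        if lo > hi:
            raise ValueError(f"idmap range for {name!r} is inverted: {lo}-{hi}")
        ranges[name] = (lo, hi)
    return ranges


def find_overlaps(ranges, reserved=None):
    """Return sorted (name_a, name_b) pairs whose ID ranges intersect.

    `reserved` is an optional {name: (low, high)} of ranges that must also stay
    clear of every idmap range, such as the UIDs a distribution gives to local
    accounts. The idmap ranges are also checked against each other.
    """
    combined = dict(ranges)
    combined.update(reserved or {})
    names = sorted(combined)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = combined[a]
            b_lo, b_hi = combined[b]
            # Two closed intervals intersect iff each starts before the other ends.
            if a_lo <= b_hi and b_lo <= a_hi:
                found.append((a, b))
    return found


# Constructed sample configs (EXAMPLE is a placeholder domain name, not one from the thread).
OVERLAPPING_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-4000
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 3500-5000
"""

CLEAN_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-3999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-19999
"""

# Constructed: local accounts on a Debian-style system, per the 0-999 figure quoted in the thread.
LOCAL_ACCOUNTS = {"local users": (0, 999)}

if __name__ == "__main__":
    for label, conf in (("overlapping", OVERLAPPING_CONF), ("clean", CLEAN_CONF)):
        clashes = find_overlaps(parse_idmap_ranges(conf), LOCAL_ACCOUNTS)
        print(label, "->", clashes or "no overlapping ranges")
```

Run it against your own smb.conf text before joining a member server; an overlap between the "*" range (where winbind allocates UIDs/GIDs for BUILTIN and other foreign SIDs) and the domain's rfc2307 range means an allocated ID can collide with one stored in AD, which is exactly the conflict the thread describes.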
Re: [Samba] Winbind troubles
Could this be yet another reason to use sssd instead of winbind? sssd does use the account gidNumber:

testuser
primaryGroupID: 513
uidNumber: 3001106
gidNumber: 20513

getent passwd testuser
testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash

Rowland

On 23 July 2013 13:54, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
>> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
>>> It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.
>>
>> Just thought about nscd too. On some distros it's default. . .
>
> Another thought. The primary Windows group of the account has to have unix attributes. For reasons I cannot fathom the gidNumber attribute of the account is not used by winbind and instead the primaryGroupID is used. If this group does not have a GID set then the lookup fails!
>
> I guess best practice is to keep the GID of the primaryGroupID and the gidNumber of the user the same but I don't understand why it is the way it is.
>
> JAB.
>
> --
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 14:20 +0100, Rowland Penny wrote:
> OK, the documentation is better but people still get it wrong, probably because it is more complex than it needs to be. I personally find it easier to set sssd up, but that is just me.
>
> Why use a word like orthogonal? Just who knows what orthogonal means? I have only been speaking English for 56 years and have never used that word in a sentence. Just say what you mean and do not hide behind gobbledygook.

Orthogonal is a single word, is precise and describes what is required exactly. It has been in my vocabulary for approaching 30 years. "Non-overlapping range" is three words and more characters as well. I was not aware that Newspeak was now a requirement for posting on this list.

> From what I can see the BUILTIN uids come from Windows (and are called SIDs) and there they are set in stone.

The SIDs are set in stone; they have no UIDs set in stone. Winbind, to work, allocates a UID to them in its allocatable (usually local) database. There must be no conflicts between these allocated UIDs and the UIDs in the domain, hence the requirement that the ranges given to winbind be orthogonal.

> From the sssd-1.9.0 announcement:
> - Add a new PAC responder for dealing with cross-realm Kerberos trusts

Well that's relatively new (aka less than a year old). I guess not that many enterprise distributions will carry it (though RHEL 6.4 does).

What gets me is people claiming that half a dozen lines of configuration in smb.conf is more complicated than 30+ lines of configuration in an entirely separate configuration file in addition to several lines in smb.conf. It might be more performant, it might have fewer bugs etc. but it is absolutely not simpler to configure.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> Could this be yet another reason to use sssd instead of winbind? sssd does use the account gidNumber:
>
> testuser
> primaryGroupID: 513
> uidNumber: 3001106
> gidNumber: 20513
>
> getent passwd testuser
> testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash

Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.

As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.

I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.

Sometimes my mind boggles at just how much people don't understand AD and Samba in the Linux/Unix world.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On 23 July 2013 14:53, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> Orthogonal is a single word, is precise and describes what is required exactly. It has been in my vocabulary for approaching 30 years. "Non-overlapping range" is three words and more characters as well. I was not aware that Newspeak was now a requirement for posting on this list.

OK, so it is in your vocabulary, but it is not in mine, nor I believe the vast number of the English speaking world. You think that you know what it means, but have a look here:

http://www.merriam-webster.com/dictionary/orthogonal

Your definition is not mentioned.

>> From what I can see the BUILTIN uids come from Windows (and are called SIDs) and there they are set in stone.
>
> The SIDs are set in stone; they have no UIDs set in stone. Winbind, to work, allocates a UID to them in its allocatable (usually local) database. There must be no conflicts between these allocated UIDs and the UIDs in the domain, hence the requirement that the ranges given to winbind be orthogonal.

Well perhaps they should be now. The problem that I see is that RHEL etc. uses 0-500 for local users and Debian uses 0-999, so perhaps reserve 1100-1200 for the BUILTIN users.

>> From the sssd-1.9.0 announcement:
>> - Add a new PAC responder for dealing with cross-realm Kerberos trusts
>
> Well that's relatively new (aka less than a year old). I guess not that many enterprise distributions will carry it (though RHEL 6.4 does).

ER, isn't RHEL THE enterprise distro?

> What gets me is people claiming that half a dozen lines of configuration in smb.conf is more complicated than 30+ lines of configuration in an entirely separate configuration file in addition to several lines in smb.conf. It might be more performant, it might have fewer bugs etc. but it is absolutely not simpler to configure.

For me it is a lot easier to configure, I don't have to worry about orthogonal numbers for instance (drat, now you have got me at it) ;-0

Rowland
Re: [Samba] Winbind troubles
On 23 July 2013 15:04, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.

As I said, sssd uses the user's gidNumber not the primaryGroupID. I may be wrong, but I believe that the primaryGroupID is a Windows thing and as such should be ignored by winbind if it is instructed to use rfc2307 attributes, but that is just my opinion.

> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.
>
> I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.

So sorry, this is the gidNumber attribute from dn: CN=Domain Users,CN=Users,DC=example,DC=com

gidNumber: 20513

As you can see, it is the same gidNumber that the user has.

If you want my opinion and you probably don't, people need to stop thinking NT server if they connect to a samba4 AD server and start thinking AD server, they are totally different.

Rowland
Re: [Samba] Winbind troubles
Hello Jonathan, you wrote on 23.07.13:

>> Why use a word like orthogonal?
>
> Orthogonal is a single word, is precise and describes what is required exactly.

Sorry - that depends. I know this word as a synonym of rectangular, and I mostly know it in a geometrical environment. 90 degrees = pi/2 = 100 gon. These degrees are not to be mistaken for degrees Fahrenheit or degrees Celsius.

Best regards!
Helmut
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 14:53 +0100, Jonathan Buzzard wrote:
> What gets me is people claiming that half a dozen lines of configuration in smb.conf is more complicated than 30+ lines of configuration in an entirely separate configuration file in addition to several lines in smb.conf. It might be more performant, it might have fewer bugs etc. but it is absolutely not simpler to configure.

The main difference is that even though sssd may involve copying and pasting a configuration file to /etc somewhere and changing the domain name therein, once you've done it, you just start it and forget it. Unfortunately most mortals here cannot do that with winbind. That's why we always try and help users with winbind.

Don't let's forget the OP in all this: the winbind documentation seems to be written by devs for devs. There is nothing written in simple terms to help us nor the OP.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
> On 23 July 2013 15:04, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
>> Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.
>
> As I said, sssd uses the user's gidNumber not the primaryGroupID. I may be wrong, but I believe that the primaryGroupID is a Windows thing and as such should be ignored by winbind if it is instructed to use rfc2307 attributes, but that is just my opinion.

You don't seem to have taken on board that primaryGroupID is a numerical identifier for an actual group. Now why Microsoft didn't use the group's SID I have not the faintest idea.

The number returned by primaryGroupID is only used by winbind to identify the primary group of the user. It then looks up the gidNumber for that group and returns that.

Would it be a good idea for the user to have a different primary group in Windows land from Unix land? I tend to think that keeping them the same is a good idea and hence the way winbind does it has considerable merit. In particular you can use the Windows tools to change the primary group of the user and get expected results on both Windows and Unix. Basically adding a gidNumber to each user is a redundant feature of RFC2307.

>> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.
>>
>> I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.
>
> So sorry, this is the gidNumber attribute from dn: CN=Domain Users,CN=Users,DC=example,DC=com
>
> gidNumber: 20513
>
> As you can see, it is the same gidNumber that the user has.

But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice), without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user or took the primaryGroupID and then looked up the gidNumber of that group.

As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated. It might well be that what you claim is true; it is just that your example does not demonstrate it to be conclusively the case.

> If you want my opinion and you probably don't, people need to stop thinking NT server if they connect to a samba4 AD server and start thinking AD server, they are totally different.

Absolutely. I think much of the Samba4 related stuff on this mailing list would not be here if the users bothered to read a dummies guide to AD at a minimum. If you don't have a good understanding of how AD works then trying to setup a Samba4 AD domain controller is probably a bad idea.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
>> Could this be yet another reason to use sssd instead of winbind? sssd does use the account gidNumber:
>>
>> testuser
>> primaryGroupID: 513
>> uidNumber: 3001106
>> gidNumber: 20513
>>
>> getent passwd testuser
>> testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
>
> Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.

I'd put good money on this working as both group and primary group:

getent group Domain\ Users
Domain Users:*:20513:

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

There are problems in setting primaryGroupID to groups other than Domain Users using S4, but as I understand it, the primary group will determine the default group of the file ownership when a user creates a file. He could be in many groups but files created by default will be of the group of the primary group.

> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.
>
> I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.
>
> Sometimes my mind boggles at just how much people don't understand AD and Samba in the Linux/Unix world.
>
> JAB.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 16:44 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
>> If you want my opinion and you probably don't, people need to stop thinking NT server if they connect to a samba4 AD server and start thinking AD server, they are totally different.
>
> Absolutely. I think much of the Samba4 related stuff on this mailing list would not be here if the users bothered to read a dummies guide to AD at a minimum. If you don't have a good understanding of how AD works then trying to setup a Samba4 AD domain controller is probably a bad idea.

To me AD is LDAP. If I'd never set up openLDAP in a Linux only environment a few years back, I'd be totally and utterly knackered with S4 AD.
Re: [Samba] Winbind troubles
On 23 July 2013 16:44, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> You don't seem to have taken on board that primaryGroupID is a numerical identifier for an actual group. Now why Microsoft didn't use the group's SID I have not the faintest idea.

I suppose that you have noticed that the primaryGroupID is the RID from the group's SID, and yes, I had taken it on board.

> The number returned by primaryGroupID is only used by winbind to identify the primary group of the user. It then looks up the gidNumber for that group and returns that.
>
> Would it be a good idea for the user to have a different primary group in Windows land from Unix land? I tend to think that keeping them the same is a good idea and hence the way winbind does it has considerable merit. In particular you can use the Windows tools to change the primary group of the user and get expected results on both Windows and Unix.

I would agree with you here, the user's primary group needs to be the same in Windows and Linux.

> Basically adding a gidNumber to each user is a redundant feature of RFC2307.

Redundant it may be, but it is the way that Windows wants it to be done.

>>> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.
>>>
>>> I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.
>>
>> So sorry, this is the gidNumber attribute from dn: CN=Domain Users,CN=Users,DC=example,DC=com
>>
>> gidNumber: 20513
>>
>> As you can see, it is the same gidNumber that the user has.
>
> But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice), without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user or took the primaryGroupID and then looked up the gidNumber of that group.
>
> As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated.

Does it matter, as long as the right answer is returned? But for your information, sssd pulls ALL the information from the user's RFC2307 information, in fact it pulls more information than winbind.

Rowland
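The two lookup strategies argued over in this exchange (winbind resolving the user's primaryGroupID, which is the RID of the group's SID, to the group and returning that group's gidNumber; sssd, per Rowland, returning the user's own gidNumber) can be put side by side in a few lines. The following is an added example written for this thread, not code from Samba, sssd or any poster, and it models the behaviour only as the posters describe it. The domain SID is taken from the ldbsearch output quoted earlier; the users "drifted" and "broken", the groups with RIDs 1105 and 1106, and all their attribute values are constructed to show the two failure modes discussed: a primary group with no gidNumber, and a user whose gidNumber no longer matches the primary group.

```python
# Domain SID as it appears in the ldbsearch output quoted earlier in the thread.
DOMAIN_SID = "S-1-5-21-451355595-2219208293-2714859210"

# Constructed directory snapshot: groups keyed by objectSid. The 513 entry mirrors
# the quoted "Domain Users" record; the 1105 and 1106 groups are made up.
GROUPS = {
    DOMAIN_SID + "-513": {"cn": "Domain Users", "gidNumber": 20513},
    DOMAIN_SID + "-1105": {"cn": "sambausers", "gidNumber": 21105},
    DOMAIN_SID + "-1106": {"cn": "no-posix-attrs"},  # no gidNumber set at all
}

# Constructed user entries. "testuser" mirrors the one quoted in the thread.
USERS = {
    "testuser": {"primaryGroupID": 513, "uidNumber": 3001106, "gidNumber": 20513},
    # Windows primary group was changed to sambausers but gidNumber was never updated.
    "drifted": {"primaryGroupID": 1105, "uidNumber": 3001107, "gidNumber": 20513},
    # Primary group exists in AD but carries no RFC2307 attributes.
    "broken": {"primaryGroupID": 1106, "uidNumber": 3001108, "gidNumber": 20513},
}


def primary_group_sid(domain_sid, primary_group_id):
    """primaryGroupID is a RID; the group's SID is the domain SID with that RID appended."""
    return f"{domain_sid}-{primary_group_id}"


def gid_via_primary_group(user, groups, domain_sid):
    """The winbind approach as described in the thread: resolve the primary group
    and return its gidNumber. Returns None when the group is missing or has no
    gidNumber, which is the 'lookup fails' case mentioned earlier."""
    group = groups.get(primary_group_sid(domain_sid, user["primaryGroupID"]))
    if group is None:
        return None
    return group.get("gidNumber")


def gid_via_user_attribute(user):
    """The sssd approach as Rowland describes it: take the user's own gidNumber."""
    return user.get("gidNumber")


def audit(users, groups, domain_sid):
    """Return {username: description} for every user whose two answers would differ
    or could not be resolved at all. An empty dict means both strategies agree."""
    problems = {}
    for name, user in users.items():
        by_group = gid_via_primary_group(user, groups, domain_sid)
        by_user = gid_via_user_attribute(user)
        if by_group is None:
            problems[name] = "primary group has no gidNumber (primary-group lookup fails)"
        elif by_user is None:
            problems[name] = "user has no gidNumber (user-attribute lookup fails)"
        elif by_group != by_user:
            problems[name] = f"user gidNumber {by_user} != primary group gidNumber {by_group}"
    return problems


if __name__ == "__main__":
    for name, why in audit(USERS, GROUPS, DOMAIN_SID).items():
        print(f"{name}: {why}")
```

Running the audit over a real export of your users and groups is the practical takeaway from the thread: whichever daemon you run, keeping each user's gidNumber equal to the gidNumber of the group named by primaryGroupID means both strategies return the same GID, so file ownership does not silently change if you switch between winbind and sssd or change a user's Windows primary group.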
Re: [Samba] Winbind troubles
On 23/07/13 17:10, Rowland Penny wrote:
[SNIP]
>> But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice), without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user or took the primaryGroupID and then looked up the gidNumber of that group.
>>
>> As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated.
>
> Does it matter, as long as the right answer is returned?

Only in that you gave an example that claimed to show that sssd used the gidNumber from the user's entry. The point I was making is that it did not actually show that. What it showed was sssd returning a GID that matched the gidNumber from the user's entry, which while close is not what you claimed.

> But for your information, sssd pulls ALL the information from the user's RFC2307 information, in fact it pulls more information than winbind.

Well then that sucks and I prefer the winbind method, because as far as I am aware changing the Windows primary group (at least under 2003R2 and 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's gidNumber. As such it is inevitable that mistakes will be made, things will get out of sync and stuff will break in odd, not apparent ways.

Reasons why winbind is better than sssd if you ask me :-)

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 23:21 +0100, Jonathan Buzzard wrote:
> On 23/07/13 17:10, Rowland Penny wrote:
> [SNIP]
>>> But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice), without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user or took the primaryGroupID and then looked up the gidNumber of that group.
>>>
>>> As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated.
>>
>> Does it matter, as long as the right answer is returned?
>
> Only in that you gave an example that claimed to show that sssd used the gidNumber from the user's entry. The point I was making is that it did not actually show that. What it showed was sssd returning a GID that matched the gidNumber from the user's entry, which while close is not what you claimed.
>
>> But for your information, sssd pulls ALL the information from the user's RFC2307 information, in fact it pulls more information than winbind.
>
> Well then that sucks and I prefer the winbind method, because as far as I am aware changing the Windows primary group (at least under 2003R2 and 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's gidNumber. As such it is inevitable that mistakes will be made, things will get out of sync and stuff will break in odd, not apparent ways.
>
> Reasons why winbind is better than sssd if you ask me :-)

Well, I don't think we're here to decide what is better and I don't think we're helping the OP at all, rather serving to confuse :(

For the record, sssd pulls all its info from AD. A user does not need a gidNumber, it is drawn from the primaryGroupID. For Linux clients it is vital that whatever the primaryGroupID is contains the gidNumber attribute. sssd does the rest.

I see that the classicupgrade retains the user gidNumber, so maybe we should keep it in the DN of not only the primaryGroup but also in the DN for new users too. For compatibility?
Re: [Samba] Winbind troubles
Have you tried 'getent passwd username'?

Rowland

On 22 July 2013 19:56, Matthew Daubenspeck m...@oddprocess.org wrote:
> I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have installed the SerNet packages. SRV1 has the AD setup and SRV2 is a member server. I've followed the wiki for both servers to the letter, and winbind still refuses to grab info on the member server.
>
> I rolled the provision with --use-rfc2307, added a bunch of users with samba-tool. I then manually created a group and made sure it had a valid gid. I then did the same with the 3 users, made sure their primary group was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001, and 10002. The single group has a GID of 1 and all 3 users are a member.
>
> I joined the domain fine, everything appears correct in DNS, and the SRV2 member server shows up in ADUC under Computers. Both smb.conf files match exactly (except for the domain names) the config file examples in the wiki articles.
>
> wbinfo -u and wbinfo -g both work and pull the proper users/groups. However, when I run getent passwd all I get is local users. I checked and re-checked libnss_winbind.so with ldconfig -v, and that is there as well.
>
> What the heck could I be missing? I've followed everything to the letter.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> Have you tried 'getent passwd username'?
>
> Rowland

root@srv2:~# getent passwd Administrator
root@srv2:~# getent passwd user1
root@srv2:~# getent passwd user2
root@srv2:~# getent passwd user3

No results. They are all there though:

root@srv2:~# wbinfo -u
administrator
krbtgt
guest
user1
user2
user3

Verified the uidNumber was set as well on the DC:

# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
uidNumber: 1
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
gidNumber: 1
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
uidNumber: 10001
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
gidNumber: 1

etc.
Re: [Samba] Winbind troubles
/etc/nsswitch.conf setup correctly?

On 22 July 2013 20:52, Matthew Daubenspeck m...@oddprocess.org wrote:
> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
>> Have you tried 'getent passwd username'?
>>
>> Rowland
>
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3
>
> No results. They are all there though:
>
> root@srv2:~# wbinfo -u
> administrator
> krbtgt
> guest
> user1
> user2
> user3
>
> Verified the uidNumber was set as well on the DC:
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
> uidNumber: 1
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
> gidNumber: 1
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
> uidNumber: 10001
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
> gidNumber: 1
>
> etc.
Re: [Samba] Winbind troubles
On Mon, 2013-07-22 at 15:52 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
>> Have you tried 'getent passwd username'?
>>
>> Rowland
>
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3

Can you post smb.conf on SRV2?
Steve
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> Can you post smb.conf on SRV2?
> Steve

Certainly:

[global]
workgroup = NWLTECH
security = ADS
realm = NWLTECH.ORG
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 500-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 08:59:47PM +0100, Rowland Penny wrote:
> /etc/nsswitch.conf setup correctly?

passwd: compat winbind
group: compat winbind
shadow: compat
(snipped)
Re: [Samba] Winbind troubles
OK, that seems like it should work. I had the winbind ad backend working, but found it difficult to set up so jumped ship to sssd. The idmap setup I used was:

idmap config *:backend = tdb
idmap config *:range = 1100-2000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1-310

As you can see the number ranges are the opposite way round to what you have, i.e. config *:range is lower than DOMAIN:range.

You could also try (as a test) changing backend = ad to backend = rid; this will ignore the rfc2307 bit but will test the connection to the AD server.

Rowland

On 22 July 2013 21:46, Matthew Daubenspeck m...@oddprocess.org wrote:
> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
>> Can you post smb.conf on SRV2?
>> Steve
>
> Certainly:
>
> [global]
> workgroup = NWLTECH
> security = ADS
> realm = NWLTECH.ORG
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config NWLTECH:backend = ad
> idmap config NWLTECH:schema_mode = rfc2307
> idmap config NWLTECH:range = 500-4
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
Re: [Samba] Winbind troubles
On Mon, 2013-07-22 at 16:46 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
>> Can you post smb.conf on SRV2?
>> Steve
>
> Certainly:
>
> [global]
> workgroup = NWLTECH
> security = ADS
> realm = NWLTECH.ORG
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config NWLTECH:backend = ad
> idmap config NWLTECH:schema_mode = rfc2307
> idmap config NWLTECH:range = 500-4
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes

Similar to what I had when I used winbind, except the * range was lower than the range we wanted. Try something like 3000-3500 and 3501-4 perhaps?
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> OK, that seems like it should work. I had the winbind ad backend working, but found it difficult to set up so jumped ship to sssd. The idmap setup I used was:
>
> idmap config *:backend = tdb
> idmap config *:range = 1100-2000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1-310
>
> As you can see the number ranges are the opposite way round to what you have, i.e. config *:range is lower than DOMAIN:range.
>
> You could also try (as a test) changing backend = ad to backend = rid; this will ignore the rfc2307 bit but will test the connection to the AD server.
>
> Rowland

Changing the above ranges made no difference. However, changing backend = rid gets me:

root@srv2:~# getent passwd administrator
administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
root@srv2:~# id user1
uid=1(user1) gid=1013(domain users) groups=1013(domain users),70002(BUILTIN\users)
root@srv2:~# id user2
uid=10001(user2) gid=1013(domain users) groups=1013(domain users),70002(BUILTIN\users)

That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?
Re: [Samba] Winbind troubles
On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> > OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to set up so jumped ship to sssd.
> > The idmap setup I used was:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 1100-2000
> > idmap config DOMAIN:backend = ad
> > idmap config DOMAIN:schema_mode = rfc2307
> > idmap config DOMAIN:range = 1-310
> >
> > As you can see the number ranges are the opposite way round to what you have, i.e. config *:range is lower than DOMAIN:range.
> > You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connection to the AD server.
> > Rowland
>
> Changing the above ranges made no difference. However, changing backend = rid gets me:
>
> root@srv2:~# getent passwd administrator
> administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

Amazing;)

> That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?

You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 11:19:26PM +0200, steve wrote:
> Similar to what I had when I used winbind, except the * range was lower than the range we wanted. Try something like 3000-3500 and 3501-4 perhaps?

Like this?

idmap config *:backend = tdb
idmap config *:range = 3000-3500
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 3501-4

That makes no difference. Still no results.
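Added example (editor's note, not code from the thread or from Samba): a small checker for the idmap block of an smb.conf, covering what the exchange above keeps tripping over. It parses both spellings of the parameter seen in the thread, verifies that every range is well-formed, that the `*` default range and the domain range do not overlap, and shows the idmap_ad rule that a uidNumber/gidNumber stored in AD is only honoured when it falls inside the configured range (the range acts as a filter; an account whose uidNumber lies outside it simply does not appear in getent). The smb.conf text, the domain name EXAMPLE and all numbers are constructed for the example and are not the truncated values quoted in the thread.

```python
"""Sanity-check the 'idmap config' lines of an smb.conf before restarting winbind.
Added example; the sample configuration and its numbers are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches both 'idmap config *:range = ...' and 'idmap config * : range = ...'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None
    schema_mode: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def parse_idmap(conf: str) -> Dict[str, IdmapDomain]:
    """Collect idmap config parameters per domain ('*' is the default domain)."""
    domains: Dict[str, IdmapDomain] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        name, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        dom = domains.setdefault(name, IdmapDomain(name))
        if key == "backend":
            dom.backend = value.lower()
        elif key == "schema_mode":
            dom.schema_mode = value.lower()
        elif key == "range":
            parts = re.split(r"\s*-\s*", value)
            try:
                dom.low, dom.high = int(parts[0]), int(parts[1])
            except (ValueError, IndexError):
                dom.errors.append(f"{name}: unparsable range '{value}'")
    return domains


def check_idmap(domains: Dict[str, IdmapDomain]) -> List[str]:
    """Return a list of problems; an empty list means the block looks sane."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain: BUILTIN and "
                        "trusted-domain SIDs would have nowhere to go")
    ranged: List[IdmapDomain] = []
    for dom in domains.values():
        problems.extend(dom.errors)
        if dom.backend is None:
            problems.append(f"{dom.name}: backend not set")
        if dom.low is None or dom.high is None:
            if not dom.errors:
                problems.append(f"{dom.name}: range not set")
            continue
        if dom.low >= dom.high:
            problems.append(f"{dom.name}: range low {dom.low} >= high {dom.high}")
        if dom.low < 1000:
            problems.append(f"{dom.name}: range starts below 1000 and may collide "
                            "with local system accounts in /etc/passwd")
        if dom.backend == "ad" and dom.schema_mode not in (None, "rfc2307", "sfu"):
            problems.append(f"{dom.name}: unknown schema_mode '{dom.schema_mode}'")
        ranged.append(dom)
    # Ranges must be disjoint: an overlap lets two SIDs claim the same unix id.
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                problems.append(f"{a.name} range {a.low}-{a.high} overlaps "
                                f"{b.name} range {b.low}-{b.high}")
    return problems


def ad_id_accepted(dom: IdmapDomain, unix_id: int) -> bool:
    """idmap_ad only returns uidNumber/gidNumber values inside its range; an id
    outside it is dropped, so 'getent passwd user' returns nothing although the
    AD object carries a uidNumber."""
    if dom.backend != "ad" or dom.low is None or dom.high is None:
        return False
    return dom.low <= unix_id <= dom.high


# Constructed smb.conf fragment: a member server taking rfc2307 ids from AD.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.ORG
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999
"""

if __name__ == "__main__":
    doms = parse_idmap(SAMPLE_SMB_CONF)
    for p in check_idmap(doms) or ["idmap config looks sane"]:
        print(p)
    # A user whose uidNumber is 500 in AD is invisible with this range.
    print("uidNumber 500 accepted:", ad_id_accepted(doms["EXAMPLE"], 500))
```

Run it against a copy of the real smb.conf (`python3 check_idmap.py < /etc/samba/smb.conf` after swapping SAMPLE_SMB_CONF for `sys.stdin.read()`), then compare the uidNumber of the account that getent cannot see with the domain range: if it falls outside, the fix is the range, not the backend.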
Re: [Samba] Winbind troubles
If you want my opinion, this is just another example of why not to use winbind. If you can wait until tomorrow, I will send you a howto on sssd on Ubuntu 12.04

Rowland

On Jul 22, 2013 10:36 PM, steve st...@steve-ss.com wrote:
> On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> > On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> > > OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to set up so jumped ship to sssd.
> > > The idmap setup I used was:
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 1100-2000
> > > idmap config DOMAIN:backend = ad
> > > idmap config DOMAIN:schema_mode = rfc2307
> > > idmap config DOMAIN:range = 1-310
> > >
> > > As you can see the number ranges are the opposite way round to what you have, i.e. config *:range is lower than DOMAIN:range.
> > > You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connection to the AD server.
> > > Rowland
> >
> > Changing the above ranges made no difference. However, changing backend = rid gets me:
> >
> > root@srv2:~# getent passwd administrator
> > administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
>
> Amazing;)
>
> > That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?
>
> You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 11:36:26PM +0200, steve wrote:
> Amazing;)

Amazing all right. I have a headache :)

> You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.

So if I plan on using this for Windows clients ONLY, uidNumber, gidNumber, homedirs and shells shouldn't really be a problem to me. Key word being shouldn't? Not being able to add a backup DC WOULD be a problem, however.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 10:45:28PM +0100, Rowland Penny wrote:
> If you want my opinion, this is just another example of why not to use winbind. If you can wait until tomorrow, I will send you a howto on sssd on Ubuntu 12.04

Something like this? http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html

That's about the most verbose thing Google seems to come up with. I'll wait as long as it takes, this is all just initial testing...
Re: [Samba] Winbind does not update groups
On Wed, May 29, 2013 at 04:17:33PM +, Michael Schmitz wrote:
> I set up winbind as an authentication method on my Ubuntu server and the only issue I have is when I change a user's group in Active Directory it doesn't update after a relogin. It shows up with a wbinfo -G but when I use the groups command or try to operate as a member. The only groups I am in are the ones that I was in when I first logged into the server. Does anyone know why this is and if there is a work around. I am on samba 3.6 on Ubuntu 12.04.2

Are you running nscd?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Winbind does not update groups
It is not even installed. So no, I'm still lost

--Mike

-----Original Message-----
From: Volker Lendecke [mailto:volker.lende...@sernet.de]
Sent: Wednesday, May 29, 2013 2:42 PM
To: Michael Schmitz
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind does not update groups

On Wed, May 29, 2013 at 04:17:33PM +, Michael Schmitz wrote:
> I set up winbind as an authentication method on my Ubuntu server and the only issue I have is when I change a user's group in Active Directory it doesn't update after a relogin. It shows up with a wbinfo -G but when I use the groups command or try to operate as a member. The only groups I am in are the ones that I was in when I first logged into the server. Does anyone know why this is and if there is a work around. I am on samba 3.6 on Ubuntu 12.04.2

Are you running nscd?

Volker
Re: [Samba] winbind authentication returning failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
[2013/05/13 07:08:58.730027, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2367]: request location of privileged pipe
[2013/05/13 07:08:58.730252, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam nathan_adm
[2013/05/13 07:09:04.052509, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 2370]: request interface version
[2013/05/13 07:09:04.052806, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2370]: request location of privileged pipe
[2013/05/13 07:09:04.054553, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam nathan_adm
[2013/05/13 07:09:42.241190, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 2374]: request interface version
[2013/05/13 07:09:42.241383, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2374]: request location of privileged pipe
[2013/05/13 07:09:42.241504, 3] winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam nathan_adm
Re: [Samba] winbind authentication returning failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
I'm not sure why this keeps getting scrubbed :(

Smb.conf: http://pastebin.com/8hbKm1cm
Krb5.conf: http://pastebin.com/kJvPFR05
Commands output: http://pastebin.com/XfVMNUeD

From: Nathan Frankish
Sent: Monday, 13 May 2013 7:12 AM
To: samba@lists.samba.org
Subject: winbind authentication returning failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Hi Samba Team,

I'm at a bit of a loss. I've been setting up samba with winbind authentication in our domain under Red Hat 6 and I've run into quite a few issues. My 3.3.8 boxes (Red Hat 5) work fine in the domain, but I can't get the 3.6.9 boxes (Red Hat 6.4) to work.

I have an independent test Active Directory domain that is at the same functional level (2008R2 Native) as the production domain, with which my configuration works fine (once I change it to use the other domain name of course), so I don't think it's a configuration issue, but I'm stumped as to why it's not working. I've checked that the domain controller policies are the same on both environments, which they are.

I can successfully join the domain with net ads join. I can kinit fine, and it gets a token, but getent passwd nathan_adm fails to return anything either. I've straced getent and I can see it shooting off to winbind, but it doesn't seem to get anything back.

I've stripped the domain out of my configuration files, but it's QLDMOTORWAYS.COM.AU. My UAT domain is UAT.DOM.

Any thoughts or help or ideas would be great.

Nathan Frankish | Senior Systems Engineer
Queensland Motorways Pty Limited
Re: [Samba] Winbind and User Private Groups
Jacob Seeley wrote:
> Hello,
>
> My question revolves around 'User Private Groups'. I noticed my AD users' UIDs do not have matching GIDs. I came across the following:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2596644
>
> This seems to indicate I cannot implement UPG because Windows will not allow users and groups of the same name. From an administrative point of view, how do I handle this? Should I be concerned about this? How will a non-UPG setup be different for us Linux users who are accustomed to having private groups? Essentially, I'm trying to avoid any unforeseen pitfalls as a result of not having UPGs.

Well one pitfall I can think of is on the linux side, i.e. on Windows you can put both users and groups in 'groups', and I think samba supports such nesting (needs enabling). But then let's say you use idmap_rid: how would you specify group nesting as separate from the user?

FWIW, I allocate the group ids with users, but I alter the group names for the ones I care to have working with any reliability. I try to set up my groups to mirror the wingroups, though I ran into some problems with domain groups =512... But a snippet from my passwd file:

rsvd_Domain Users_g:x:513:513:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Guests_g:x:514:514:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Computers_g:x:515:515:Group-Reserved:/var/lib/nobody:/bin/bash
rsvd_Domain Controllers_g:x:516:516:Group-Reserved:/var/lib/nobody:/bin/bash

I do have the numbers reserved in both files so they line up. I'm not happy with several limitations in the standard samba setup, like artificially limiting rids to 512 (which means I'd have to move groups/users as I'm using 'idmap_nss'). But would something similar work for you, suffixes or prefixes?

But I also don't like that samba doesn't list back its well-known groups, as those are often only well-known if you have a windows server.
Dumping out my non-domain, well known groups (and a few domain groups at the end for comparison). The number in the middle is the unix GID... Note: most of those are not used anywhere and I put them in as reference, and I noted a few inconsistencies... oh well... Need 128 bit user numbers!... ;-)

(net groups list -- massaged;

S-1-0 :10100 - Null Authority
S-1-1 :10101 - World Authority
S-1-2 :10102 - Local Authority
S-1-3 :10103 - Creator Authority
S-1-4 :10104 - Non-unique Authority
S-1-5 :10105 - NT Authority
S-1-0-0 :11000 - Nobody
S-1-1-0 :11100 - Everyone
S-1-3-0 :11300 - Creator Owner
S-1-3-1 :11301 - Creator Group
S-1-3-2 :11302 - Creator Owner Server
S-1-5-1 :11501 - Dialup
S-1-5-2 :11502 - Network
S-1-5-3 :11503 - Batch
S-1-5-4 :11504 - Interactive
S-1-5-6 :11506 - Service
S-1-5-7 :11507 - Anonymous
S-1-5-8 :11508 - Proxy
S-1-5-9 :11509 - Enterprise Domain Controllers
S-1-5-10 :11510 - Principal Self
S-1-5-11 :11511 - Authenticated Users
S-1-5-12 :11512 - Restricted Code
S-1-5-13 :11513 - TSUsersGroup
S-1-5-19 :11519 - Local Service
S-1-5-20 :11520 - Network Service
S-1-16-4096 : 11604096 - Low Mandatory Level
S-1-16-8192 : 11608192 - Medium Mandatory Level
S-1-16-8448 : 11608448 - Medium Plus Mandatory Level
S-1-16-12288 : 11612288 - High Mandatory Level
S-1-16-16384 : 11616384 - System Mandatory Level
S-1-5-32-516 : 516 - Domain Controllers
S-1-5-32-544 : 544 - Administrators
S-1-5-32-545 : 545 - Users
S-1-5-32-546 : 546 - Guests
S-1-5-32-547 : 547 - Power Users
S-1-5-32-548 : 548 - Account Operators
S-1-5-32-549 : 549 - Server Operators
S-1-5-32-550 : 550 - Print Operators
S-1-5-32-551 : 551 - Backup Operators
S-1-5-32-552 : 552 - Replicators
S-1-5-21-1-2-3-512 : 512 - Domain Admins
S-1-5-21-1-2-3-513 : 513 - Domain Users
S-1-5-21-1-2-3-514 : 514 - Domain Guests
S-1-5-21-1-2-3-515 : 515 - Domain
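Added example (editor's note, not code from the thread or from Samba): a SID parser that tells well-known, BUILTIN, mandatory-label and domain SIDs apart, as in the listing above, and reproduces the idmap_rid arithmetic that the earlier "Winbind troubles" thread tested (unix id = RID - base_rid + low id, with SIDs of other domains and BUILTIN SIDs falling through to the `idmap config *` backend, which is why BUILTIN\users ended up in the `*` tdb range there). The domain SID S-1-5-21-1-2-3 is the same placeholder the post uses; the id range, the constructed listing and the function names are assumptions.

```python
"""Classify Windows SIDs and apply the idmap_rid mapping rule.
Added example; the sample domain SID, range and listing are constructed."""
import re
from typing import List, Optional, Tuple

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")
# Lines shaped like the post's massaged 'net groups list' output: "SID : gid - name".
LISTING_RE = re.compile(r"^\s*(S-[\d-]+)\s*:\s*(\d+)\s*-\s*(.+?)\s*$")


def parse_sid(sid: str) -> Tuple[int, Tuple[int, ...]]:
    """Split 'S-1-<authority>-<sub>-<sub>...' into authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    return int(m.group(1)), subs


def classify_sid(sid: str) -> str:
    authority, subs = parse_sid(sid)
    if authority == 16:
        return "mandatory-label"          # S-1-16-*: integrity levels, never accounts
    if authority == 5 and subs[:1] == (32,):
        return "builtin"                  # S-1-5-32-*: BUILTIN\Administrators etc.
    if authority == 5 and subs[:1] == (21,) and len(subs) == 4:
        return "domain"                   # the domain SID itself
    if authority == 5 and subs[:1] == (21,) and len(subs) == 5:
        return "domain-account"           # domain SID + RID: a user or group
    return "well-known"                   # S-1-1-0 Everyone, S-1-5-11, ...


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID) for a domain account SID."""
    if classify_sid(sid) != "domain-account":
        raise ValueError(f"{sid} is not a domain account SID")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_to_unix_id(sid: str, domain_sid: str, low: int, high: int,
                   base_rid: int = 0) -> Optional[int]:
    """idmap_rid rule: id = RID - base_rid + low. Returns None for SIDs of other
    domains, BUILTIN or well-known SIDs (those go to the 'idmap config *'
    backend) and for results outside [low, high]."""
    try:
        domain, rid = split_domain_rid(sid)
    except ValueError:
        return None
    if domain != domain_sid:
        return None
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def classify_listing(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'SID : gid - name' lines into (sid, class, name)."""
    out = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            out.append((m.group(1), classify_sid(m.group(1)), m.group(3)))
    return out


# Constructed listing in the same shape as the post's output.
SAMPLE_LISTING = """\
S-1-1-0 :11100 - Everyone
S-1-5-32-544 : 544 - Administrators
S-1-16-12288 : 11612288 - High Mandatory Level
S-1-5-21-1-2-3-512 : 512 - Domain Admins
"""

if __name__ == "__main__":
    for sid, kind, name in classify_listing(SAMPLE_LISTING):
        unix_id = rid_to_unix_id(sid, "S-1-5-21-1-2-3", 10000, 19999)
        print(f"{sid:24} {kind:15} {name:20} rid-mapped id: {unix_id}")
```

With the range 10000-19999 and base_rid 0, Domain Admins (RID 512) lands on 10512 and the domain Administrator (RID 500) on 10500; every entry that is not a domain account comes back as None, meaning winbind would allocate it from the `*` backend instead.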
Re: [Samba] Winbind strip domain from username?
On 15/04/13 22:12, Luc Lalonde wrote:
> Hello Folks,
>
> This directive works with Samba3 but does not seem to work with Samba-4.0.5:
>
> winbind use default domain = Yes
>
> I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
>
> [root@roquefort ~]# getent passwd | grep GIGL
> GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
>
> How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
>
> What am I missing?
>
> Thank You!

Hi, I doubt that getent showing your domain is the problem. I am trying to get something similar to work but with libpam-script, and I can get the user's home directory to mount, but then my problems start.

One problem I think you have is that you have added the line 'template homedir = /home/%U'. If you have, then I am sorry but you will have to remove this; I am fairly sure that you are stuck with the default 'template homedir = /home/%D/%U' (unless anybody knows differently). With the template homedir line as 'template homedir = /home/%U', everybody's homedir is set to literally that, '/home/%U'.

I am also fairly sure that you are trying to mount the home directory from the samba 4 server, correct?

Rowland
Re: [Samba] Winbind strip domain from username?
Hello Geza,

Here's my 'smb.conf':

[global]
workgroup = FOO
realm = foo.example.com
netbios name = ROQUEFORT
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes
template homedir = /usagers/%U
winbind use default domain = yes
map untrusted to domain = no

[netlogon]
path = /usr/local/samba/var/locks/sysvol/foo.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Thanks for your help!

Cheers!

On 2013-04-16, at 12:09 AM, Gémes Géza g...@kzsdabas.hu wrote:
> On 2013-04-15 23:12, Luc Lalonde wrote:
> > Hello Folks,
> >
> > This directive works with Samba3 but does not seem to work with Samba-4.0.5:
> >
> > winbind use default domain = Yes
> >
> > I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
> >
> > [root@roquefort ~]# getent passwd | grep GIGL
> > GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> > GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> > GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> > GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> > GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> > GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
> >
> > How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
> >
> > What am I missing?
> >
> > Thank You!
>
> Please attach your smb.conf.
>
> Regards
>
> Geza Gemes
Re: [Samba] Winbind strip domain from username?
> Hello Folks,
>
> This directive works with Samba3 but does not seem to work with Samba-4.0.5:
>
> winbind use default domain = Yes
>
> I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
>
> [root@roquefort ~]# getent passwd | grep GIGL
> GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
>
> How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
>
> What am I missing?
>
> Thank You!
>
> --
> Luc Lalonde, analyste - Département de génie informatique: École polytechnique de Montréal
> (514) 340-4711 x5049 luc.lalo...@polymtl.ca

I had something similar, but I can not look what it was from where I am now, but I think I did change the %U to %u in my home share.

regards
Johan
Re: [Samba] winbind use default domain = Yes (not working in 4.0.5)
This must be something that changed recently -- version 4.0.3 works with winbind use default domain = yes (i.e. getent passwd does *not* return DOMAIN\username, but just username).

----- Original Message -----
From: Luc Lalonde luc.lalo...@polymtl.ca
To: Johan Hendriks jo...@double-l.nl
Cc: samba@lists.samba.org
Sent: Tuesday, April 16, 2013 8:54:06 AM
Subject: [Samba] winbind use default domain = Yes (not working in 4.0.5)

> Hello folks,
>
> Well it seems that I'm not the only one having this problem:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9780
>
> I am able to bypass the problem with PAM_MOUNT by using '%(DOMAIN_USER)' instead of '%(USER)'.
>
> Bye.
>
> ----- Original Message -----
> From: Johan Hendriks jo...@double-l.nl
> To: Luc Lalonde luc.lalo...@polymtl.ca
> Cc: samba@lists.samba.org
> Sent: Tuesday, April 16, 2013 8:27:30 AM GMT -05:00 US/Canada Eastern
> Subject: RE: [Samba] Winbind strip domain from username?
>
> > > Hello Folks,
> > >
> > > This directive works with Samba3 but does not seem to work with Samba-4.0.5:
> > >
> > > winbind use default domain = Yes
> > >
> > > I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
> > >
> > > [root@roquefort ~]# getent passwd | grep GIGL
> > > GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> > > GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> > > GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> > > GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> > > GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> > > GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
> > >
> > > How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
> > >
> > > What am I missing?
> > >
> > > Thank You!
> > >
> > > --
> > > Luc Lalonde, analyste - Département de génie informatique: École polytechnique de Montréal
> > > (514) 340-4711 x5049 luc.lalo...@polymtl.ca
> >
> > I had something similar, but I can not look what it was from where I am now, but I think I did change the %U to %u in my home share.
> >
> > regards
> > Johan
>
> --
> Luc Lalonde, analyste - Département de génie informatique: École polytechnique de Montréal
> (514) 340-4711 x5049 luc.lalo...@polymtl.ca
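Added example (editor's note, not code from the thread or from Samba): the rules the posts above are arguing about, written down so that getent output can be checked against them. With `winbind use default domain = yes` winbind drops the `DOMAIN\` prefix only for the server's own domain; accounts from trusted domains keep it, so they cannot be mistaken for local accounts. `template homedir` substitutes `%D` and `%U`; a passwd entry that still shows a literal `%U`, as above, means the substitution did not happen. The audit function also flags a domain account mapped to uid 0, which in the listing above is the case for GIGL\Administrator: whatever the reason, that account is root on the host and deserves a deliberate decision. The domain names, separator, template and the three constructed getent lines are assumptions.

```python
"""Winbind name qualification and 'template homedir' expansion, plus a small
audit of getent passwd lines. Added example; sample data is constructed."""
from typing import List, Tuple


def split_winbind_name(name: str, own_domain: str, separator: str = "\\") -> Tuple[str, str]:
    """'DOMAIN\\user' -> ('DOMAIN', 'user'). A bare 'user' is taken to belong to
    the server's own domain, which is what 'winbind use default domain = yes'
    means for lookups."""
    domain, sep, user = name.partition(separator)
    if not sep:
        return own_domain.upper(), name
    return domain.upper(), user


def display_name(domain: str, user: str, own_domain: str,
                 use_default_domain: bool, separator: str = "\\") -> str:
    """Name as getent/id print it: the prefix is dropped only for the server's
    own domain and only when 'winbind use default domain = yes'; accounts from
    trusted domains always keep DOMAIN<sep>user."""
    if use_default_domain and domain.upper() == own_domain.upper():
        return user
    return f"{domain.upper()}{separator}{user}"


def expand_template(template: str, domain: str, user: str) -> str:
    """Expand %D (domain) and %U (user) the way 'template homedir' expects."""
    return template.replace("%D", domain).replace("%U", user)


def unexpanded_tokens(path: str) -> bool:
    """True if a passwd entry still carries a literal %U/%D, i.e. the template
    was never substituted (the symptom in the getent output above)."""
    return "%U" in path or "%D" in path


def audit_getent(lines: List[str], own_domain: str,
                 separator: str = "\\") -> List[Tuple[str, str]]:
    """Walk getent passwd lines and return (name, reason) pairs worth a look."""
    findings = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        domain, user = split_winbind_name(name, own_domain, separator)
        if uid == 0:
            findings.append((name, f"{domain}\\{user} is mapped to uid 0: "
                                   "this domain account is root on this host"))
        if unexpanded_tokens(home):
            findings.append((name, f"home directory '{home}' still contains "
                                   "an unexpanded template token"))
    return findings


# Constructed getent passwd lines in the shape of the output quoted above.
SAMPLE_GETENT = [
    "GIGL\\Administrator:*:0:100::/usagers/%U:/bin/bash",
    "GIGL\\llalonde:*:310:100::/usagers/%U:/bin/bash",
    "llalonde:*:310:100::/home/GIGL/llalonde:/bin/bash",
]

if __name__ == "__main__":
    for name, reason in audit_getent(SAMPLE_GETENT, "GIGL"):
        print(f"{name}: {reason}")
    print(expand_template("/home/%D/%U", "GIGL", "llalonde"))
```

Feed it `getent passwd | grep '\\\\'` from the member server or DC (`audit_getent(sys.stdin.read().splitlines(), "GIGL")`); two findings on the same entry, uid 0 and an unexpanded home, are the two separate problems the thread conflates.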
Re: [Samba] winbind problem
I also have this problem, using a very recent version from git.
(see also: http://www.mail-archive.com/samba@lists.samba.org/msg124657.html )

Periodically, winbind seems to simply crash, and getent passwd and other ops (e.g. htop) stall.

I'd also be happy to provide any debugging information needed.

On Tue, Apr 16, 2013 at 11:29 AM, sa...@nisx.de wrote:
> Hi,
>
> I have a problem with winbind, could anyone help me?
>
> Version:
> root@leela:~# samba -V
> Version 4.0.5
> root@leela:~# uname -a
> Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
>
> - First everything went fine:
> root@leela:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> [...]
> FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
> FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash
>
> - For example I change a file's owner to root:
> root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat
>
> - Everything is still fine:
> root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
> total 3224
> drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf 4096 Apr 6 13:39 Anwendungsdaten
> [...]
> -rw-rw 1 root FUTURAMA+gf 3145728 Apr 8 06:54 ntuser.dat
> [...]
>
> - Now changing owner to 300 (Builtin/Administrator):
> root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat
>
> - It needs many seconds to work.
> root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
> total 3224
> drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf 4096 Apr 6 13:39 Anwendungsdaten
> [...]
> -rw-rw 1 300 FUTURAMA+gf 3145728 Apr 8 06:54 ntuser.dat
> [...]
>
> - And if I look again, all users are shown as numbers, not names:
> root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
> total 3224
> drwxrws--- 33 1008 1016 4096 Apr 6 13:39 Anwendungsdaten
> [...]
> -rw-rw 1 300 1016 3145728 Apr 8 06:54 ntuser.dat
> [...]
> root@leela:~#
>
> - And now all samba users are gone. winbind -u is empty too.
> root@leela:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> [...]
>
> - In the logfile I found this:
> [2013/04/16 15:44:09, 0] ../lib/util/fault.c:72(fault_report)
>   ===
> [2013/04/16 15:44:09, 0] ../lib/util/fault.c:73(fault_report)
>   INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
>   Please read the Trouble-Shooting section of the Samba HOWTO
> [2013/04/16 15:44:09, 0] ../lib/util/fault.c:75(fault_report)
>   ===
> [2013/04/16 15:44:09, 0] ../lib/util/fault.c:144(smb_panic_default)
>   PANIC: internal error
>
> - After restarting samba
> root@leela:~# stop samba4
> root@leela:~# start samba4
>
> - All users are back now...
> root@leela:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> [...]
> FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
> FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash
>
> Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same problem.
>
> Regards
> Thomas Nolte
>
> --
> Nolte Infosysteme, Im Sikfeld 8, 38304 Wolfenbuettel
> Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198
> Computers, Networks, Communication www.nisx.de
Re: [Samba] winbind problem
Hi again,

I think I have a workaround: add a local user with ID 300 so that winbind never sees queries for that ID:

useradd -d /tmp -M -s /bin/false -u 300 -g 100 -o -l samba4-workaround

(Ubuntu 12.04)

I've tested it a few times and it seems to work.

Kind regards
Thomas Nolte

--
Nolte Infosysteme, Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198
Computers, Networks, Communication www.nisx.de

From: seme...@syndetics.net [mailto:seme...@syndetics.net] on behalf of Nick Semenkovich
Sent: Tuesday, 16 April 2013 19:48
To: tn
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbind problem

> I also have this problem, using a very recent version from git.
> (see also: http://www.mail-archive.com/samba@lists.samba.org/msg124657.html )
>
> Periodically, winbind seems to simply crash, and getent passwd and other ops (e.g. htop) stall.
>
> I'd also be happy to provide any debugging information needed.
>
> On Tue, Apr 16, 2013 at 11:29 AM, sa...@nisx.de wrote:
> > Hi,
> >
> > I have a problem with winbind, could anyone help me?
> >
> > Version:
> > root@leela:~# samba -V
> > Version 4.0.5
> > root@leela:~# uname -a
> > Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
> >
> > - First everything went fine:
> > root@leela:~# getent passwd
> > root:x:0:0:root:/root:/bin/bash
> > [...]
> > FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
> > FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash
> >
> > - For example I change a file's owner to root:
> > root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat
> >
> > - Everything is still fine:
> > root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
> > total 3224
> > drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf 4096 Apr 6 13:39 Anwendungsdaten
> > [...]
> > -rw-rw 1 root FUTURAMA+gf 3145728 Apr 8 06:54 ntuser.dat
> > [...]
> >
> > - Now changing owner to 300 (Builtin/Administrator):
> > root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat
> >
> > - It needs many seconds to work.
> > root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
> > total 3224
> > drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf 4096 Apr 6 13:39 Anwendungsdaten
> > [...]
> > -rw-rw 1 300 FUTURAMA+gf 3145728 Apr 8 06:54 ntuser.dat
> > [...]
> >
> > - And if I look again, all users are shown as numbers, not names:
> > root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
> > total 3224
> > drwxrws--- 33 1008 1016 4096 Apr 6 13:39 Anwendungsdaten
> > [...]
> > -rw-rw 1 300 1016 3145728 Apr 8 06:54 ntuser.dat
> > [...]
> > root@leela:~#
> >
> > - And now all samba users are gone. winbind -u is empty too.
> > root@leela:~# getent passwd
> > root:x:0:0:root:/root:/bin/bash
> > [...]
> >
> > - In the logfile I found this:
> > [2013/04/16 15:44:09, 0] ../lib/util/fault.c:72(fault_report)
> >   ===
> > [2013/04/16 15:44:09, 0] ../lib/util/fault.c:73(fault_report)
> >   INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
> >   Please read the Trouble-Shooting section of the Samba HOWTO
> > [2013/04/16 15:44:09, 0] ../lib/util/fault.c:75(fault_report)
> >   ===
> > [2013/04/16 15:44:09, 0] ../lib/util/fault.c:144(smb_panic_default)
> >   PANIC: internal error
> >
> > - After restarting samba
> > root@leela:~# stop samba4
> > root@leela:~# start samba4
> >
> > - All users are back now...
> > root@leela:~# getent passwd
> > root:x:0:0:root:/root:/bin/bash
> > [...]
> > FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
> > FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash
> >
> > Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same problem.
> >
> > Regards
> > Thomas Nolte
> >
> > --
> > Nolte Infosysteme, Im Sikfeld 8, 38304 Wolfenbuettel
> > Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198
> > Computers, Networks, Communication www.nisx.de
Re: [Samba] Winbind strip domain from username?
On 2013-04-16 12:33, Luc Lalonde wrote:
> Hello Geza,
>
> Here's my 'smb.conf':
>
> [global]
> workgroup = FOO
> realm = foo.example.com
> netbios name = ROQUEFORT
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap config * : range = 16777216-33554431
> template shell = /bin/bash
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> obey pam restrictions = yes
> template homedir = /usagers/%U
> winbind use default domain = yes
> map untrusted to domain = no
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/foo.example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> Thanks for your help!
>
> Cheers!
>
> On 2013-04-16, at 12:09 AM, Gémes Géza g...@kzsdabas.hu wrote:
> > On 2013-04-15 23:12, Luc Lalonde wrote:
> > > Hello Folks,
> > >
> > > This directive works with Samba3 but does not seem to work with Samba-4.0.5:
> > >
> > > winbind use default domain = Yes
> > >
> > > I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
> > >
> > > [root@roquefort ~]# getent passwd | grep GIGL
> > > GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> > > GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> > > GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> > > GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> > > GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> > > GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
> > >
> > > How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
> > >
> > > What am I missing?
> > >
> > > Thank You!
> >
> > Please attach your smb.conf.
> >
> > Regards
> >
> > Geza Gemes

So it is your AD DC then (server role = active directory domain controller). Unfortunately in that role samba uses the winbind bundled into the samba binary, which has many deficiencies compared to the standalone winbind binary (but which cannot be run on a DC).

Regards

Geza Gemes
Re: [Samba] Winbind strip domain from username?
On 2013-04-15 23:12, Luc Lalonde wrote:
> Hello Folks,
>
> This directive works with Samba3 but does not seem to work with Samba-4.0.5:
>
> winbind use default domain = Yes
>
> I want to get a username that does not contain the domain (GIGL). Instead here's what I get:
>
> [root@roquefort ~]# getent passwd | grep GIGL
> GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
> GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
> GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
> GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
> GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
> GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
>
> How do I remove the 'GIGL\' from the username? This is causing me problems mounting the user's home directory at logon with 'PAM_MOUNT'
>
> What am I missing?
>
> Thank You!

Please attach your smb.conf.

Regards

Geza Gemes
Re: [Samba] Winbind using 100% CPU
On Wed, Apr 10, 2013 at 06:46:48PM -0400, Dylan Klomparens wrote:
> I am trying to figure out why winbind is using 100% CPU on my file server. I am using Samba version 4.0.4. Everything is fine for a few minutes when I start winbind, however after a while it begins using 100% CPU. I haven't been able to narrow down what triggers this CPU usage spike, but I did attach the GNU debugger to find out what's going on in the process. The backtrace revealed this information:
>
> #0 0x0041cf30 in _talloc_free@plt ()
> #1 0x00452320 in winbindd_reinit_after_fork ()
> #2 0x004524e6 in fork_domain_child ()
> #3 0x00453585 in wb_child_request_trigger ()
> #4 0x00381d2048e2 in tevent_common_loop_immediate () from /lib64/libtevent.so.0
> #5 0x7fbed6b98e17 in run_events_poll () from /lib64/libsmbconf.so.0
> #6 0x7fbed6b9922e in s3_event_loop_once () from /lib64/libsmbconf.so.0
> #7 0x00381d204060 in _tevent_loop_once () from /lib64/libtevent.so.0
> #8 0x0042049a in main ()
>
> Apparently it's stuck in winbindd_reinit_after_fork (and more specifically the _talloc_free function). This code resides in $SOURCE_HOME\source3\winbindd\winbindd_dual.c.
>
> Perhaps I have configured Samba incorrectly? Here are the parameters I am using that have to do with winbind:
>
> idmap config * : backend = nss
> idmap config * : range = 1000 - 30
>
> What are some reasons that winbind is using 100% CPU and how can I resolve this?
>
> (Also, would this be an appropriate question to post to the Samba developers' list? If so, I will repost it there.)

Yes - please post to samba-technical, I'll follow up there.

Jeremy.
Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC
Did you ever get a resolution to your issue with UIDs not matching? I have the same problem and I cannot for the life of me get my UIDs to come from Active Directory. If you did solve it using idmap config DOMAIN : backend = ad, would you be so kind as to share? I am only able to get idmap config * : backend = tdb to work. I have never been able to get UIDs for a particular domain to work. Only the * seems to 'hit'.
Thanks,
Brian
Re: [Samba] winbind against samba4 AD DC
On Thursday, February 21, 2013 04:03:53 PM Ali Bendriss wrote:
Hello,
Could you please give me some precision about the current state of the winbind support on a member server. I have tried to list what I understand about it. (I suppose that the libnss_winbind symlinks are correct in /lib and/or /lib64.)
* samba4
join as member
join: samba-tool domain join dnsdomain MEMBER
smb.conf should contain:
idmap_ldb:use rfc2307 = yes
The AD DC doesn't need to be provisioned with the option --use-rfc2307; then the member should be able to read uidNumber/gidNumber from the directory.
* smbd + winbindd
samba4: compile with --with-shared-modules=...,idmap_ad
samba3: compile with --with-shared-modules=...,idmap_ad,--with-ads
join: net ads join
smb.conf should contain (from the wiki):
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config SHORTDOMAINNAME:backend = ad
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:range = 500-4
But the AD has to be provisioned with --use-rfc2307. You then should add the objectclass posixAccount in the AD samdb for each user and posixGroup for the group.
Is it mandatory to have provisioned the AD with --use-rfc2307? Mac OS X clients seem to be OK without; they can read uid/gid Number, but not Linux clients using smbd/winbindd. If yes, what is the best way to add rfc2307 support to an already provisioned AD? Will applying ypServ30.ldif be good enough?

I reply to myself after some more testing using winbindd against a Samba AD DC. It looks like there is no need to provision the AD with --use-rfc2307. The wiki page https://wiki.samba.org/index.php/Samba4/Domain_Member#Make_domain_users.2Fgroups_available_locally_through_winbind is correct, but it should emphasize that the primary group of the users must have the gid set. And then everything works out of the box, without the need to add the objectClass posixAccount and posixGroup as well.
Thanks
Ali
Re: [Samba] winbind - samba4
Hello Clodonil,
I just got to this point in my testing. Be sure you link the files to /lib64 if you are running a 64 bit version of CentOS. I was having the same problem and realized the files needed to go in /lib64.
Re: [Samba] winbind - samba4
Hello Thomas,
That was it. I made a link in /lib64 and that resolved it.
Clodonil

2012/12/13 Thomas Simmons twsn...@gmail.com
I just got to this point in my testing. Be sure you link the files to /lib64 if you are running a 64 bit version of CentOS. I was having the same problem and realized the files needed to go in /lib64.
Re: [Samba] Winbind losing Trust with the AD domain
Peace,
To answer my own question/post, I seem to have found the culprit. It looks like it is indeed something very simple, and I could even blame it on the AD (more or less)... :o)
The userAccountControl attribute is a structure that contains flags pertaining to the user account (see http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm).
As the AD guys on request set the attribute to 33554432, it was actually set to 33554432+512, making the account a normal user (UF_NORMAL_ACCOUNT) with the UF_NO_AUTH_DATA_REQUIRED flag set. And that explains the loss of trust.
Solution: The join used to set it to 69632 (4096 (UF_WORKSTATION_TRUST_ACCOUNT) + 65536 (UF_DONT_EXPIRE_PASSWD)). So knowing all this, the value needs to be set to 33624064: the original join value + the 33554432 (UF_NO_AUTH_DATA_REQUIRED). Simple.
Pascal Kolijn
UC IT - EC(L)
http://www.vu.nl/e-maildisclaimer
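Added example, not part of Pascal's post: the flag arithmetic above in code, plus a check that a machine account still carries the account-type bit a join sets. The UF_* values are the documented userAccountControl bit constants; the function names (decode_uac, encode_uac, set_flag, check_member_account) are hypothetical.

```python
# Added example, not from the thread: decode/compose userAccountControl values
# and check that a member-server machine account still looks like one.
# The UF_* bit values are Microsoft's documented constants; the function
# names are hypothetical.

UF_FLAGS = {
    "UF_SCRIPT": 0x00000001,
    "UF_ACCOUNTDISABLE": 0x00000002,
    "UF_HOMEDIR_REQUIRED": 0x00000008,
    "UF_LOCKOUT": 0x00000010,
    "UF_PASSWD_NOTREQD": 0x00000020,
    "UF_PASSWD_CANT_CHANGE": 0x00000040,
    "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x00000080,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "UF_NORMAL_ACCOUNT": 0x00000200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "UF_SERVER_TRUST_ACCOUNT": 0x00002000,
    "UF_DONT_EXPIRE_PASSWD": 0x00010000,
    "UF_MNS_LOGON_ACCOUNT": 0x00020000,
    "UF_SMARTCARD_REQUIRED": 0x00040000,
    "UF_TRUSTED_FOR_DELEGATION": 0x00080000,
    "UF_NOT_DELEGATED": 0x00100000,
    "UF_USE_DES_KEY_ONLY": 0x00200000,
    "UF_DONT_REQUIRE_PREAUTH": 0x00400000,
    "UF_PASSWORD_EXPIRED": 0x00800000,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x01000000,
    "UF_NO_AUTH_DATA_REQUIRED": 0x02000000,
    "UF_PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

# The account-type bits: an object carries exactly one of these.
ACCOUNT_TYPE_MASK = (
    UF_FLAGS["UF_TEMP_DUPLICATE_ACCOUNT"]
    | UF_FLAGS["UF_NORMAL_ACCOUNT"]
    | UF_FLAGS["UF_INTERDOMAIN_TRUST_ACCOUNT"]
    | UF_FLAGS["UF_WORKSTATION_TRUST_ACCOUNT"]
    | UF_FLAGS["UF_SERVER_TRUST_ACCOUNT"]
)


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, sorted."""
    return sorted(name for name, bit in UF_FLAGS.items() if value & bit)


def encode_uac(*names):
    """Compose a userAccountControl value from flag names."""
    value = 0
    for name in names:
        value |= UF_FLAGS[name]
    return value


def set_flag(value, name):
    """Add one flag while keeping every other bit: what a request to
    'set it to 33554432' should turn into, instead of overwriting the value."""
    return value | UF_FLAGS[name]


def check_member_account(value):
    """Why a machine account with this value would no longer be trusted as
    a domain member (an empty list means it looks fine)."""
    problems = []
    account_type = value & ACCOUNT_TYPE_MASK
    if account_type != UF_FLAGS["UF_WORKSTATION_TRUST_ACCOUNT"]:
        problems.append("account type is %s, not UF_WORKSTATION_TRUST_ACCOUNT"
                        % (", ".join(decode_uac(account_type)) or "none"))
    if value & UF_FLAGS["UF_ACCOUNTDISABLE"]:
        problems.append("account is disabled")
    return problems


if __name__ == "__main__":
    joined = encode_uac("UF_WORKSTATION_TRUST_ACCOUNT", "UF_DONT_EXPIRE_PASSWD")
    print(joined, decode_uac(joined))                   # 69632, the value the join sets
    broken = 33554432 + 512                             # what the AD admins ended up with
    print(broken, decode_uac(broken), check_member_account(broken))
    fixed = set_flag(joined, "UF_NO_AUTH_DATA_REQUIRED")
    print(fixed, decode_uac(fixed), check_member_account(fixed))   # 33624064, no problems
```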
Re: [Samba] winbind - samba4
Hi Andrew,
The pipe is in /usr/local/samba/var/run/winbindd. Winbind is working because wbinfo returns successfully. I think that it is something between CentOS and winbind's libs.
Clodonil
Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org
Classification: ( ) Confidential (X) Internal
The information contained in this message and its attachments is of exclusive interest to those to whom it was addressed and may be confidential; its retention, distribution, disclosure, reproduction or use is therefore prohibited under penalty of law. If you have received this message in error, please inform its author and delete it from your inbox, records or control system.

2012/12/4 Andrew Bartlett abart...@samba.org
On Mon, 2012-12-03 at 22:11 +0200, Hleb Valoshka wrote:
On 12/3/12, Clodonil Trigo clodo...@nisled.org wrote:
I am using centos 6.3 and did the migration from samba3 to Samba4. But getent passwd does not return users. I made the link:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
I had a similar problem but with the Debian package, so I'm not sure that I'll help you (the debian samba4 package is a rather interesting thing), but in my case the problem was that libnss_winbind expects the socket to be in /tmp/.winbind/ (or .winbindd? Check with strings.) while the winbind component stores it in /var/run/samba4/winbind/ (I don't know the correct path for your case). Try to make a bind mount of the socket directory or set the correct path in smb.conf.
If the package is expecting a different path, then it is almost certainly also expecting a different version of the winbind pipe protocol, so this would not help.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] winbind - samba4
On 12/5/12, Clodonil Trigo clodo...@nisled.org wrote:
The pipe is in /usr/local/samba/var/run/winbindd. Winbind is working because wbinfo returns successfully. I think that it is something between CentOS and winbind's libs.
Yep, I wasn't correct: in Debian one can have the opposite issue -- working nss but not wbinfo. Sorry :(
Re: [Samba] winbind - samba4
Hello,
I solved the problem; solution: from
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
to:
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
Success with getent. Thank you, migration completed successfully.
Clodonil
Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org

2012/12/5 Hleb Valoshka 375...@gmail.com
On 12/5/12, Clodonil Trigo clodo...@nisled.org wrote:
The pipe is in /usr/local/samba/var/run/winbindd. Winbind is working because wbinfo returns successfully. I think that it is something between CentOS and winbind's libs.
Yep, I wasn't correct: in Debian one can have the opposite issue -- working nss but not wbinfo. Sorry :(
Re: [Samba] winbind - samba4
Hi Hleb,
I did not think of the winbind process; I believe it is internal to samba. I did several tests before migrating from samba3 to Samba4 and had success in all cases. But when doing it for real, winbind gave the problem. What line did you change in smb.conf?
Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org

2012/12/3 Hleb Valoshka 375...@gmail.com
On 12/3/12, Clodonil Trigo clodo...@nisled.org wrote:
I am using centos 6.3 and did the migration from samba3 to Samba4. But getent passwd does not return users. I made the link:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
I had a similar problem but with the Debian package, so I'm not sure that I'll help you (the debian samba4 package is a rather interesting thing), but in my case the problem was that libnss_winbind expects the socket to be in /tmp/.winbind/ (or .winbindd? Check with strings.) while the winbind component stores it in /var/run/samba4/winbind/ (I don't know the correct path for your case). Try to make a bind mount of the socket directory or set the correct path in smb.conf.
Re: [Samba] winbind - samba4
I used this howto. Several tests were made prior to migration, and in every case it worked. How do I debug this?
Clodonil

2012/12/3 Rowland Penny rpe...@f2s.com
Hi, I take it that you have followed the upgrade howto at: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
If you haven't, go there and see if you have missed a step.
Re: [Samba] winbind - samba4
On 04/12/12 11:52, Clodonil Trigo wrote:
I used this howto. Several tests were made prior to migration, and in every case it worked. How do I debug this?
Clodonil
2012/12/3 Rowland Penny rpe...@f2s.com
Hi, I take it that you have followed the upgrade howto at: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
If you haven't, go there and see if you have missed a step.

This is strange, wbinfo -u shows all your users in samba 4, but getent returns nothing, getent should at least return your unix users, i.e. root etc. I take it that after the classicupgrade you have turned samba3 off, so could this be Selinux?
Rowland
--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [Samba] winbind - samba4
Yes, Samba4 is running. It adds users normally. All other features of Samba4 are OK. Only winbind is not. Does winbind have a pid or socket?
Clodonil
Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org

2012/12/4 Rowland Penny rpe...@f2s.com
On 04/12/12 13:13, Clodonil Trigo wrote:
Hello Rowland,
Yes, the command getent returns the users from /etc/passwd, but does not return those of Samba4. Look at selinux:
[root@lost samba]# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
I do not know what it can be.
Clodonil
2012/12/4 Rowland Penny rpe...@f2s.com
This is strange, wbinfo -u shows all your users in samba 4, but getent returns nothing, getent should at least return your unix users, i.e. root etc. I take it that after the classicupgrade you have turned samba3 off, so could this be Selinux?
OK, are you sure that Samba4 is running? what does 'ps ax | grep samba' return? and does 'ps ax | grep winbind' return anything?
Rowland
Re: [Samba] winbind - samba4
On 04/12/12 14:17, Clodonil Trigo wrote:
Yes, Samba4 is running. It adds users normally. All other features of Samba4 are OK. Only winbind is not. Does winbind have a pid or socket?
Clodonil
Prof. Msc. Clodonil H. Trigo
www.nisled.org
E-mail: clodo...@nisled.org
2012/12/4 Rowland Penny rpe...@f2s.com
On 04/12/12 13:13, Clodonil Trigo wrote:
Hello Rowland,
Yes, the command getent returns the users from /etc/passwd, but does not return those of Samba4. Look at selinux:
[root@lost samba]# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
I do not know what it can be.
Clodonil
2012/12/4 Rowland Penny rpe...@f2s.com
This is strange, wbinfo -u shows all your users in samba 4, but getent returns nothing, getent should at least return your unix users, i.e. root etc. I take it that after the classicupgrade you have turned samba3 off, so could this be Selinux?
OK, are you sure that Samba4 is running? what does 'ps ax | grep samba' return? and does 'ps ax | grep winbind' return anything?
Rowland

Please post the output of 'ps ax | grep samba' and 'ps ax | grep winbind'. Winbindd is a pipe and should be in /usr/local/samba/var/run/winbindd. Also could you please post your /usr/local/samba/etc/smb.conf
Rowland
Re: [Samba] winbind - samba4
Hi,
Commands:
[root@lost var]# ps ax | grep samba
23756 ?  S  0:00 /usr/local/samba/sbin/samba
23757 ?  S  0:38 /usr/local/samba/sbin/samba
23758 ?  S  0:03 /usr/local/samba/sbin/samba
23761 ?  S  0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
23803 ?  S  0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
23818 ?  S  1:04 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
23826 ?  S  0:36 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
[root@lost var]# ps ax | grep winbind
30147 pts/2  S+  0:00 grep winbind

/usr/local/samba/etc/smb.conf
[global]
workgroup = KEEPERS.BRASIL
realm = KEEPERSBRASIL.COM
netbios name = LOST
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307=Yes
[usuarios]
path = /V01/Dados/usuarios
read only = No
create mask = 2777
directory mask = 2777
[netlogon]
path = /usr/local/samba4-migracao/var/locks/sysvol/keepersbrasil.com/scripts
read only = No
[sysvol]
path = /usr/local/samba4-migracao/var/locks/sysvol
read only = No
Clodonil

2012/12/4 Rowland Penny rpe...@f2s.com
'ps ax | grep samba
Re: [Samba] winbind - samba4
On 04/12/12 14:44, Clodonil Trigo wrote:
Hi,
Commands:
[root@lost var]# ps ax | grep samba
23756 ?  S  0:00 /usr/local/samba/sbin/samba
23757 ?  S  0:38 /usr/local/samba/sbin/samba
23758 ?  S  0:03 /usr/local/samba/sbin/samba
23761 ?  S  0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
23803 ?  S  0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
23818 ?  S  1:04 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
23826 ?  S  0:36 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
[root@lost var]# ps ax | grep winbind
30147 pts/2  S+  0:00 grep winbind
/usr/local/samba/etc/smb.conf
[global]
workgroup = KEEPERS.BRASIL
realm = KEEPERSBRASIL.COM
netbios name = LOST
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307=Yes
[usuarios]
path = /V01/Dados/usuarios
read only = No
create mask = 2777
directory mask = 2777
[netlogon]
path = /usr/local/samba4-migracao/var/locks/sysvol/keepersbrasil.com/scripts
read only = No
[sysvol]
path = /usr/local/samba4-migracao/var/locks/sysvol
read only = No
Clodonil
2012/12/4 Rowland Penny rpe...@f2s.com
'ps ax | grep samba

Well, I am lost now, you only have the samba smbd daemons running. The users must be there as wbinfo -u shows them. Selinux is Disabled (I take it that the server has been restarted since selinux was disabled). Is there anything in any of the logs?
/var/log/messages
/usr/local/samba/var/log.samba
Have you tried joining another unix pc to the domain and running getent from there?
Rowland
Re: [Samba] winbind - samba4
On 12/4/12, Clodonil Trigo clodo...@nisled.org wrote:
I did not think of the winbind process; I believe it is internal to samba.
There is no separate winbindd process in samba4. There are several *.so providing this service.
I did several tests before migrating from samba3 to Samba4 and had success in all cases. But when doing it for real, winbind gave the problem.
But have you tried?
What line did you change in smb.conf?
I'm still using bind mount :) But the option you need is winbindd socket directory.
Re: [Samba] winbind - samba4
On Mon, 2012-12-03 at 22:11 +0200, Hleb Valoshka wrote:
On 12/3/12, Clodonil Trigo clodo...@nisled.org wrote:
I am using centos 6.3 and did the migration from samba3 to Samba4. But getent passwd does not return users. I made the link:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
I had a similar problem but with the Debian package, so I'm not sure that I'll help you (the debian samba4 package is a rather interesting thing), but in my case the problem was that libnss_winbind expects the socket to be in /tmp/.winbind/ (or .winbindd? Check with strings.) while the winbind component stores it in /var/run/samba4/winbind/ (I don't know the correct path for your case). Try to make a bind mount of the socket directory or set the correct path in smb.conf.
If the package is expecting a different path, then it is almost certainly also expecting a different version of the winbind pipe protocol, so this would not help.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] winbind - samba4
On 03/12/12 12:07, Clodonil Trigo wrote:
Hi, I am using centos 6.3 and did the migration from samba3 to Samba4. But getent passwd does not return users. I made the link:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
And changed /etc/nsswitch:
passwd: files winbind
shadow: files
group: files winbind
When I run the command /usr/local/samba/bin/wbinfo -u it returns correctly. Can anyone help me.

Hi, have you tried restarting Samba4?
Rowland
Re: [Samba] winbind - samba4
On 03/12/12 17:01, Clodonil Trigo wrote:
On 03/12/12 12:07, Clodonil Trigo wrote:
Hi, I am using centos 6.3 and did the migration from samba3 to Samba4. But getent passwd does not return users. I made the link:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
And changed /etc/nsswitch:
passwd: files winbind
shadow: files
group: files winbind
When I run the command /usr/local/samba/bin/wbinfo -u it returns correctly. Can anyone help me.
Hi, have you tried restarting Samba4?
Rowland
I did restart, but it did not work. Samba4 is working normally. Only getent is not.
Clodonil

Hi, I take it that you have followed the upgrade howto at: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
If you haven't, go there and see if you have missed a step.
Rowland
Re: [Samba] winbind - samba4
On 12/3/12, Clodonil Trigo clodo...@nisled.org wrote:
I am using centos 6.3 and did the migration from samba3 to Samba4. But getent passwd does not return users. I made the link:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
I had a similar problem but with the Debian package, so I'm not sure that I'll help you (the debian samba4 package is a rather interesting thing), but in my case the problem was that libnss_winbind expects the socket to be in /tmp/.winbind/ (or .winbindd? Check with strings.) while the winbind component stores it in /var/run/samba4/winbind/ (I don't know the correct path for your case). Try to make a bind mount of the socket directory or set the correct path in smb.conf.
Re: [Samba] Winbind issue using samba 3.6.3
Getting closer! Thank You! I am able to see the users, but cannot see the groups. 10513 should be the Domain Users group. getent passwd works but getent group only shows the local groups. When I su into a domain user I get this error:
groups: cannot find name for group ID 10513

----- Original Message -----
From: Heather Choi hceute...@gmail.com
To: Steve Snedeker st...@imninjas.com
Cc: samba@lists.samba.org
Sent: Friday, September 28, 2012 11:12:11 PM
Subject: Re: [Samba] Winbind issue using samba 3.6.3
Looks like you have a potentially conflicting idmap block here:
idmap backend = rid:DOMAN=1-2
and here:
idmap uid = 1-2
idmap gid = 1-2
This is more contemporary with Samba 3.6:
idmap config * : backend = tdb
idmap config * : range = 20001-3
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1-2
idmap config DOMAIN : base_rid = 0
[me@LINUX ~](14)$ wbinfo --user-info=testuser
testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
[me@LINUX ~](15)$ getent passwd testuser
testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
(My low-end range starts lower than 1, btw). Also, you sure you want to keep your idmap range within just 1? Seems quite low to me.
On 09/24/2012 04:31 PM, Steve Snedeker wrote:
We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4. We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3. I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully.
The only issue here was due to dependency issues: downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded which resulted in the removal of ubuntu-desktop.
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
--
/etc/samba/smb.conf
[global]
security = ads
realm = DOMAIN.COM
password server = pdc.domain.com bdc.domain.com
workgroup = DOMAIN
idmap backend = rid:DOMAN=1-2
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template homedir = /vhome/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
I've seen other posts out there with similar problems, but haven't seen a solution that works for me.
Re: [Samba] Winbind issue using samba 3.6.3
On 01/10/12 21:47, Steve Snedeker wrote:
Getting closer! Thank You! I am able to see the users, but cannot see the groups. 10513 should be the Domain Users group. getent passwd works but getent group only shows the local groups. When I su into a domain user I get this error:
groups: cannot find name for group ID 10513
----- Original Message -----
From: Heather Choi hceute...@gmail.com
To: Steve Snedeker st...@imninjas.com
Cc: samba@lists.samba.org
Sent: Friday, September 28, 2012 11:12:11 PM
Subject: Re: [Samba] Winbind issue using samba 3.6.3
Looks like you have a potentially conflicting idmap block here:
idmap backend = rid:DOMAN=1-2
and here:
idmap uid = 1-2
idmap gid = 1-2
This is more contemporary with Samba 3.6:
idmap config * : backend = tdb
idmap config * : range = 20001-3
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1-2
idmap config DOMAIN : base_rid = 0
[me@LINUX ~](14)$ wbinfo --user-info=testuser
testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
[me@LINUX ~](15)$ getent passwd testuser
testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
(My low-end range starts lower than 1, btw). Also, you sure you want to keep your idmap range within just 1? Seems quite low to me.
On 09/24/2012 04:31 PM, Steve Snedeker wrote:
We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4. We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3. I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully.
The only issue here was due to dependency issues: downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded which resulted in the removal of ubuntu-desktop.
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
--
/etc/samba/smb.conf
[global]
security = ads
realm = DOMAIN.COM
password server = pdc.domain.com bdc.domain.com
workgroup = DOMAIN
idmap backend = rid:DOMAN=1-2
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template homedir = /vhome/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
I've seen other posts out there with similar problems, but haven't seen a solution that works for me.

Hi, samba 3.6.3 on Ubuntu 12.04 using winbind does not show domain groups using 'getent group', but 'getent group domain group' will, provided that the domain group has the posix objectclass 'posixGroup' and a gidNumber. If all is correct, it will work; try creating a file and chown domainuser:domaingroup it.
Rowland
Re: [Samba] Winbind issue using samba 3.6.3
Looks like you have a potentially conflicting idmap block here:

    idmap backend = rid:DOMAN=1-2

and here:

    idmap uid = 1-2
    idmap gid = 1-2

This is more contemporary with Samba 3.6:

    idmap config * : backend = tdb
    idmap config * : range = 20001-3
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 1-2
    idmap config DOMAIN : base_rid = 0

    [me@LINUX ~](14)$ wbinfo --user-info=testuser
    testuser:*:13102:1513:Test User:/home/testuser:/bin/bash
    [me@LINUX ~](15)$ getent passwd testuser
    testuser:*:13102:1513:Test User:/home/testuser:/bin/bash

(My low-end range starts lower than 1, btw). Also, you sure you want to keep your idmap range within just 1? Seems quite low to me.

On 09/24/2012 04:31 PM, Steve Snedeker wrote:
> We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4. We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3. I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully.
>
> The only issue here was due to dependency issues: downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded, which resulted in the removal of ubuntu-desktop.
>
> /etc/nsswitch.conf
>
>     # /etc/nsswitch.conf
>     #
>     # Example configuration of GNU Name Service Switch functionality.
>     # If you have the `glibc-doc-reference' and `info' packages installed, try:
>     # `info libc "Name Service Switch"' for information about this file.
>
>     passwd:         files winbind
>     group:          files winbind
>     shadow:         files winbind
>
>     hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
>     networks:       files
>
>     protocols:      db files
>     services:       db files
>     ethers:         db files
>     rpc:            db files
>
>     netgroup:       nis
>
> --
> /etc/samba/smb.conf
>
>     [global]
>     security = ads
>     realm = DOMAIN.COM
>     password server = pdc.domain.com bdc.domain.com
>     workgroup = DOMAIN
>     idmap backend = rid:DOMAN=1-2
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     template homedir = /vhome/%U
>     template shell = /bin/bash
>     client use spnego = yes
>     client ntlmv2 auth = yes
>     encrypt passwords = yes
>     winbind use default domain = yes
>     restrict anonymous = 2
>
> I've seen other posts out there with similar problems, but haven't seen a solution that works for me.
Re: [Samba] Winbind issue using samba 3.6.3
On 24/09/12 22:31, Steve Snedeker wrote:
> We have a cross platform environment with a Windows 2008 server running Active Directory and many of our workstations are running ubuntu 10.10 using winbind for user authentication. The version of samba running on these boxes is 3.5.4. We are looking to upgrade to Ubuntu 12.04 which runs samba 3.6.3. I am able to connect to the DC, and am able to see the users running the wbinfo -u command, but when I run the getent passwd command I do not see the domain users. I was able to successfully downgrade to samba 3.5.4 and after connecting to the DC I ran the command getent passwd and was able to see the domain users, and su to that particular user successfully.
>
> The only issue here was due to dependency issues: downgrading to samba 3.5.4 resulted in libwbclient0 being downgraded, which resulted in the removal of ubuntu-desktop.
>
> /etc/nsswitch.conf
>
>     # /etc/nsswitch.conf
>     #
>     # Example configuration of GNU Name Service Switch functionality.
>     # If you have the `glibc-doc-reference' and `info' packages installed, try:
>     # `info libc "Name Service Switch"' for information about this file.
>
>     passwd:         files winbind
>     group:          files winbind
>     shadow:         files winbind
>
>     hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
>     networks:       files
>
>     protocols:      db files
>     services:       db files
>     ethers:         db files
>     rpc:            db files
>
>     netgroup:       nis
>
> --
> /etc/samba/smb.conf
>
>     [global]
>     security = ads
>     realm = DOMAIN.COM
>     password server = pdc.domain.com bdc.domain.com
>     workgroup = DOMAIN
>     idmap backend = rid:DOMAN=1-2
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     template homedir = /vhome/%U
>     template shell = /bin/bash
>     client use spnego = yes
>     client ntlmv2 auth = yes
>     encrypt passwords = yes
>     winbind use default domain = yes
>     restrict anonymous = 2
>
> I've seen other posts out there with similar problems, but haven't seen a solution that works for me.

Hi,
I use samba 3.6.3 to connect to a samba4 AD server, but my smb.conf looks nothing like yours. The idmap lines have changed to:

    idmap config HOME:schema_mode = rfc2307
    idmap config HOME:range = 2-310
    idmap config HOME:backend = ad
    idmap config *:range = 1100-2000
    idmap config *:backend = tdb

You also should not use the password server line anymore, but you also seem to have a spelling mistake:

    idmap backend = rid:DOMAN=1-2

The final thing is, if there is no unix info on the windows server, winbind cannot pull it; you need the unix extension on the server.

Rowland
Re: [Samba] winbind: uid range is ignored
On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
> steve wrote:
>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>> On 07/08/12 15:10, steve wrote:
>>>> On 04/08/12 22:06, NdK wrote:
>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>
>>>>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>>
>>>> Hi Diego
>>>> We have home directories like:
>>>>     home2/staff
>>>>     home2/students/7a
>>>>     home2/students/7b
>>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>>
>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>
>> Hi
>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
>
> Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like
>
>     winbind nss info = rfc2307
>     winbind expand groups = 2
>     winbind nested groups = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>
> Note you can get nested groups this way, something I don't think nss-ldapd provides. It does work, I have it in production for over 1500 users right now with some 900 active SMB sessions.

Hi Jonathan
Is that with Samba3 or 4?

I just tried it with Samba4 with unixHomeDirectory in AD. I removed template homedir =, created the user directory and gave it the correct permissions, but logging in, winbind tries to create the directory:

    su steve2
    Creating directory ''.
    Unable to create and initialize directory ''.
    su: Permission denied

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
Hey Steve,

I knew the error "Can't initialize directory" with the auto-create method of pam+winbind for home directories as well, but I think my setup is a little bit different from yours...

My setup looks like this:
- 50 linux servers
- 5 AD secondary DCs (Active Directory w2k8 R2)
- 1 Master-DC (Active Directory w2k8 R2)

The Linux servers were set up with RHEL 5 (nearly half of them). Approx. 15 servers were set up with Oracle Linux 6.2 (nearly the same as RHEL). Do you use the same Linux version for your clients (e.g. servers)? If so, just try to put the same pam lines (/etc/pam.d/system-auth) into the password-auth file (/etc/pam.d/password-auth).

These are my files:

-- /etc/pam.d/system-auth --

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so likeauth nullok
    auth        sufficient    pam_krb5.so use_first_pass
    auth        sufficient    pam_smb_auth.so use_first_pass nolocal
    auth        sufficient    pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid 500 quiet
    account     sufficient    pam_krb5.so
    account     sufficient    pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_krb5.so
    session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

-- /etc/pam.d/password-auth --

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so likeauth nullok
    auth        sufficient    pam_krb5.so use_first_pass
    auth        sufficient    pam_smb_auth.so use_first_pass nolocal
    auth        sufficient    pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_succeed_if.so uid 500 quiet
    account     sufficient    pam_krb5.so
    account     sufficient    pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_krb5.so use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_krb5.so
    session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

And my smb.conf looks like this:

    # GLOBAL PARAMETERS
    [global]
    workgroup = MY-WORKGROUP
    realm = MY-DOMAIN.LCL
    password server = *
    preferred master = no
    server string = YOUR File-Server
    security = ads
    encrypt passwords = yes
    local master = no
    log level = 1
    log file = /var/log/samba/%m
    max log size = 50
    #printcap name = cups
    #printcap = cups
    printcap = /dev/null
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = \\
    winbind refresh tickets = yes
    winbind offline logon = true
    winbind trusted domains only = no
    #winbind trusted domains only = yes
    map untrusted to domain = Yes
    allow trusted domains = yes
    obey pam restrictions = no
    idmap backend = tdb
    idmap uid = 1-60
    idmap gid = 1-60
    #idmap config EOS : tdb
    #idmap config EOS : 1-10
    #idmap config DFD : tdb
    #idmap config DFD : 11-20
    #idmap config * : backend = tdb
    #idmap config * : range = 1-60
    passdb backend = tdbsam
    ;template primary group = domain users
    #template shell = /bin/false
    template shell = /bin/bash
    winbind nss info = rfc2307
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    [homes]
    comment = Heimatverzeichnisse
    valid users = %S
    path = /home/DOMAIN/
    read only = yes
    browseable = no
    # hide unreadable directories
    hide unreadable = yes
    # hide unwritable files and folders
    hide unwriteable files = yes
    create mask = 0700
    directory mask = 0700

When you log in to one of my linux boxes with a user called schlegels, the home directory will be created like this: /home/DOMAIN/schlegels

Oddjobd is not working for me...

I don't know exactly if my setup is the same as yours, because I'm not able to read the whole conversation (too many things to do).

Cheers and good luck,
Steven

2012/8/8 steve <st...@steve-ss.com>:
> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>> steve wrote:
>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>> On 07/08/12 15:10, steve wrote:
>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>> Il
Re: [Samba] winbind: uid range is ignored
On 08/08/12 08:49, steve wrote:
> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>> steve wrote:
>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>> On 07/08/12 15:10, steve wrote:
>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>
>>>>>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>>>
>>>>> Hi Diego
>>>>> We have home directories like:
>>>>>     home2/staff
>>>>>     home2/students/7a
>>>>>     home2/students/7b
>>>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>>>
>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>
>>> Hi
>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>
>> Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like
>>
>>     winbind nss info = rfc2307
>>     winbind expand groups = 2
>>     winbind nested groups = yes
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>> Note you can get nested groups this way, something I don't think nss-ldapd provides. It does work, I have it in production for over 1500 users right now with some 900 active SMB sessions.
>
> Hi Jonathan
> Is that with Samba3 or 4?

Do you think it is likely that I would have a production file server system in place with over 900 active SMB connections using an Alpha release piece of software? I don't even use 3.6 yet because it is showing too many issues in testing.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] winbind: uid range is ignored
On 08/08/12 10:40, Jonathan Buzzard wrote:
> On 08/08/12 08:49, steve wrote:
>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>> steve wrote:
>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>> On 07/08/12 15:10, steve wrote:
>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>>
>>>>>>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>>>>
>>>>>> Hi Diego
>>>>>> We have home directories like:
>>>>>>     home2/staff
>>>>>>     home2/students/7a
>>>>>>     home2/students/7b
>>>>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>>>>
>>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>
>>>> Hi
>>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>>
>>> Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like
>>>
>>>     winbind nss info = rfc2307
>>>     winbind expand groups = 2
>>>     winbind nested groups = yes
>>>     winbind enum users = yes
>>>     winbind enum groups = yes

Thanks Jonathan
I got it working. It needed a schema_mode line:

    idmap config MYDOMAIN:schema_mode = rfc2307

I can now finally remove wide links = Yes :-)

nss-winbind seems slow. You can see the results of getent passwd appearing one at a time. With nss-ldapd, the second time you do a getent, it's instantaneous. Is there perhaps a cache I'm missing for winbind? (I have nscd turned off)

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 08/08/12 16:41, steve wrote:
> On 08/08/12 10:40, Jonathan Buzzard wrote:
>> On 08/08/12 08:49, steve wrote:
>>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>>> steve wrote:
>>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>>> On 07/08/12 15:10, steve wrote:
>>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>>>
>>>>>>>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>>>>>
>>>>>>> Hi Diego
>>>>>>> We have home directories like:
>>>>>>>     home2/staff
>>>>>>>     home2/students/7a
>>>>>>>     home2/students/7b
>>>>>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>>>>>
>>>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>>
>>>>> Hi
>>>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>>>
>>>> Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like
>>>>
>>>>     winbind nss info = rfc2307
>>>>     winbind expand groups = 2
>>>>     winbind nested groups = yes
>>>>     winbind enum users = yes
>>>>     winbind enum groups = yes
>
> Thanks Jonathan
> I got it working. It needed a schema_mode line:
>
>     idmap config MYDOMAIN:schema_mode = rfc2307
>
> I can now finally remove wide links = Yes :-)
>
> nss-winbind seems slow. You can see the results of getent passwd appearing one at a time. With nss-ldapd, the second time you do a getent, it's instantaneous. Is there perhaps a cache I'm missing for winbind? (I have nscd turned off)

Noting that nscd and winbind don't work properly together, the settings I use are

    idmap cache time = 604800
    idmap negative cache time = 20
    winbind cache time = 600

Performance seems good to me, especially once cached.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] winbind: uid range is ignored
On Wed, Aug 08, 2012 at 09:40:02AM +0100, Jonathan Buzzard wrote:
> Do you think it is likely that I would have a production file server system in place with over 900 active SMB connections using an Alpha release piece of software? I don't even use 3.6 yet because it is showing too many issues in testing.

Don't forget to log bugs against 3.6.x if you are seeing problems in test! That's the only way we'll get to know about them and fix them.

Cheers,
Jeremy.
Re: [Samba] winbind: uid range is ignored
On 08/08/2012 05:57 PM, Jonathan Buzzard wrote:
> On 08/08/12 16:41, steve wrote:
>> On 08/08/12 10:40, Jonathan Buzzard wrote:
>>> On 08/08/12 08:49, steve wrote:
>>>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>>>> steve wrote:
>>>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>>>> On 07/08/12 15:10, steve wrote:
>>>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>>>> On 04/08/2012 21:13, steve wrote:
>>
>> nss-winbind seems slow. You can see the results of getent passwd appearing one at a time. With nss-ldapd, the second time you do a getent, it's instantaneous. Is there perhaps a cache I'm missing for winbind? (I have nscd turned off)
>
> Noting that nscd and winbind don't work properly together, the settings I use are
>
>     idmap cache time = 604800
>     idmap negative cache time = 20
>     winbind cache time = 600
>
> Performance seems good to me, especially once cached.

Much better. After e.g. 4 or 5 getent's it speeds up considerably. Presumably getent populates the cache?

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 04/08/12 22:06, NdK wrote:
> On 04/08/2012 21:13, steve wrote:
>
> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...

Hi Diego
We have home directories like:

    home2/staff
    home2/students/7a
    home2/students/7b

Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
1. use nss-ldapd and store the true unixHomeDirectory in AD
2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 07/08/12 15:10, steve wrote:
> On 04/08/12 22:06, NdK wrote:
>> On 04/08/2012 21:13, steve wrote:
>>
>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>
> Hi Diego
> We have home directories like:
>     home2/staff
>     home2/students/7a
>     home2/students/7b
> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
> 1. use nss-ldapd and store the true unixHomeDirectory in AD
> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.

3. Use winbind to store the true unixHomeDirectory in AD.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] winbind: uid range is ignored
On 07/08/12 16:15, Jonathan Buzzard wrote:
> On 07/08/12 15:10, steve wrote:
>> On 04/08/12 22:06, NdK wrote:
>>> On 04/08/2012 21:13, steve wrote:
>>>
>>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>
>> Hi Diego
>> We have home directories like:
>>     home2/staff
>>     home2/students/7a
>>     home2/students/7b
>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>
> 3. Use winbind to store the true unixHomeDirectory in AD.

Hi
If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
steve wrote:
> On 07/08/12 16:15, Jonathan Buzzard wrote:
>> On 07/08/12 15:10, steve wrote:
>>> On 04/08/12 22:06, NdK wrote:
>>>> On 04/08/2012 21:13, steve wrote:
>>>>
>>>> Uh? wide links seems a bad idea to me... At least from a security perspective. Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>
>>> Hi Diego
>>> We have home directories like:
>>>     home2/staff
>>>     home2/students/7a
>>>     home2/students/7b
>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>
>> 3. Use winbind to store the true unixHomeDirectory in AD.
>
> Hi
> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it? This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.

Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like

    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind enum users = yes
    winbind enum groups = yes

Note you can get nested groups this way, something I don't think nss-ldapd provides. It does work, I have it in production for over 1500 users right now with some 900 active SMB sessions.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] winbind: uid range is ignored
NdK wrote:
> On 04/08/2012 12:00, steve wrote:
>>> You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is extend AD schema and specify there the UIDs and GIDs.
>>
>> You don't have to extend the schema. You can store all the rfc2307 attributes and objects (posixAccount, posixGroup, uidNumber, gidNumber...) in the m$ schema that ships with S4.
>
> Too bad my AD controllers are M$ W2k3, w/o rfc2307 extension :( That's why I'm stuck with rid.

A supported version of Windows Server 2003 (aka the 2003R2) has the RFC2307 extensions in the schema. The installation of the R2 service pack extends the schema to include RFC2307; your windows admins simply don't get a choice over that bit. They don't get populated by default however, so that is another battle to be had, but it is a lot easier to win than a schema extension.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] winbind: uid range is ignored
On 05/08/2012 12:32, Jonathan Buzzard wrote:
> A supported version of Windows Server 2003 (aka the 2003R2) has the RFC2307 extensions in the schema. The installation of the R2 service pack extends the schema to include RFC2307, your windows admins simply don't get a choice over that bit.

Good to know. They can't use unmaintained servers (Italian law requires updating at least every 6 months...), so they must have it...

> They don't get populated by default however so that is another battle to be had, but it is a lot easier to win than a schema extension.

That's for sure :) But maybe I can win this (after summer holidays).

BYtE,
Diego.
Re: [Samba] winbind: uid range is ignored
On 03/08/2012 16:21, steve wrote:
> That's quite easy in Samba3 but which tdb's must I remove in Samba4? In fact, how would I rejoin the DC to itself?

You shouldn't use DCs for anything else other than DC. No file server. No gateway. *Nothing*. They're a critical piece of your network infrastructure and must be as closed as possible.

The NFS server doesn't care about Samba at all: it receives UIDs and GIDs and stores 'em as given. No mapping happens here.

What makes me think you have a *big* misunderstanding about what winbind mapping does is this sentence from another message:

> If winbind is doing the mapping correctly it should map 327 to 302

No. Winbind maps back and forth between user *names* (and groups) and *UIDs* (and GIDs), not between server UIDs and local GIDs! It doesn't know if a UID is local or from a server.

So, that means that (given no other kind of access to the NFS server is allowed) it's enough that all your *clients* use the same mapping between SIDs and UIDs/GIDs and you're OK. If not, you have a big problem.

You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is extend AD schema and specify there the UIDs and GIDs.

Hope this helps to clarify.

BYtE,
Diego.
Re: [Samba] winbind: uid range is ignored
On 04/08/12 09:39, NdK wrote:
> On 03/08/2012 16:21, steve wrote:
>> That's quite easy in Samba3 but which tdb's must I remove in Samba4? In fact, how would I rejoin the DC to itself?
>
> You shouldn't use DCs for anything else other than DC. No file server. No gateway. *Nothing*. They're a critical piece of your network infrastructure and must be as closed as possible.

Hi Diego. Hi everyone
I'd like to have a separate fileserver running s3fs on another Samba4 installation. Could I do that by installing Samba4 and joining the domain as a member rather than a DC?

> The NFS server doesn't care about Samba at all: it receives UIDs and GIDs and stores 'em as given. No mapping happens here.

Yep. Got that bit

> What makes me think you have a *big* misunderstanding about what winbind mapping does is this sentence from another message:
>
>> If winbind is doing the mapping correctly it should map 327 to 302

Yes, I did misunderstand that. I've now adjusted my brain to match :-)

> No. Winbind maps back and forth between user *names* (and groups) and *UIDs* (and GIDs), not between server UIDs and local GIDs! It doesn't know if a UID is local or from a server.
>
> So, that means that (given no other kind of access to the NFS server is allowed) it's enough that all your *clients* use the same mapping between SIDs and UIDs/GIDs and you're OK. If not, you have a big problem.
>
> You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is extend AD schema and specify there the UIDs and GIDs.

You don't have to extend the schema. You can store all the rfc2307 attributes and objects (posixAccount, posixGroup, uidNumber, gidNumber...) in the m$ schema that ships with S4.

> Hope this helps to clarify.

Yes it does. Thank you.

My aim is to have:

    idmap config : MYDOMAIN : backend = ad

and

    idmap config : MYDOMAIN : range = abc-def

recognised and with the uidNumber and gidNumber attributes being pulled from AD rather than any other mapping. To this end I have a test user object with:

    objectClass: posixAccount
    uidNumber: xyz
    gidNumber: abc

and a test group object:

    objectClass: posixGroup
    gidNumber: abc

I assume that with the ad backend both the user and group will come from AD and not idmap.

Just waiting for the test lan to install and compile a totally new openSUSE 12.1 with Samba4 and a vBox openSUSE client, also fresh install.

How am I doing?

Cheers,
Steve
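Two requirements recur across the thread for the ad backend: every user's primary gidNumber must belong to a group that actually carries the posixGroup objectclass and a gidNumber (Rowland's point about 'getent group' and the "cannot find name for group ID" error), and every uidNumber/gidNumber must sit inside the "idmap config MYDOMAIN : range", because the ad backend treats the range as a filter and silently ignores IDs outside it. The script below is an added example, not code from Samba or from anyone in the thread: it reads a constructed LDIF export of the attributes the ad backend uses and reports both kinds of problem before they show up at login. The DNs, account names and the range are placeholders.

```python
"""Check rfc2307 data in an AD export against an idmap 'ad' backend range.

Added example, not code from Samba or from anyone in the thread. The LDIF,
the DNs and the range below are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Constructed export of the attributes the ad backend reads. 'students' is
# deliberately missing posixGroup and 'alice' has a uidNumber outside the range.
SAMPLE_LDIF = """\
dn: CN=steve2,CN=Users,DC=example,DC=lan
objectClass: user
objectClass: posixAccount
sAMAccountName: steve2
uidNumber: 3000012
gidNumber: 3000000
unixHomeDirectory: /home2/staff/steve2
loginShell: /bin/bash

dn: CN=alice,CN=Users,DC=example,DC=lan
objectClass: user
objectClass: posixAccount
sAMAccountName: alice
uidNumber: 4000001
gidNumber: 3000000

dn: CN=bob,CN=Users,DC=example,DC=lan
objectClass: user
objectClass: posixAccount
sAMAccountName: bob
uidNumber: 3000013
gidNumber: 3000999

dn: CN=staff,CN=Users,DC=example,DC=lan
objectClass: group
objectClass: posixGroup
sAMAccountName: staff
gidNumber: 3000000

dn: CN=students,CN=Users,DC=example,DC=lan
objectClass: group
sAMAccountName: students
gidNumber: 3000999
"""

# Constructed stand-in for: idmap config MYDOMAIN : range = 3000000-3999999
ID_RANGE = (3000000, 3999999)

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, multi-valued
    attributes kept as lists, leading-space continuation lines joined."""
    entries: List[Entry] = []
    cur: Entry = {}
    last = ""
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, ""
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    if cur:
        entries.append(cur)
    return entries


def check_rfc2307(text: str, id_range: Tuple[int, int]) -> List[Tuple[str, str]]:
    """(account, problem) pairs for IDs the ad backend will ignore, missing
    unix attributes, and primary groups that 'getent group' cannot resolve."""
    lo, hi = id_range
    entries = parse_ldif(text)
    posix_gids = {e["gidNumber"][0] for e in entries
                  if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e}
    problems: List[Tuple[str, str]] = []
    for e in entries:
        classes = e.get("objectClass", [])
        name = e.get("sAMAccountName", ["?"])[0]
        if "posixAccount" in classes:
            if "uidNumber" not in e or "gidNumber" not in e:
                problems.append((name, "posixAccount without uidNumber/gidNumber"))
                continue
            if not lo <= int(e["uidNumber"][0]) <= hi:
                problems.append((name, "uidNumber outside idmap range"))
            if e["gidNumber"][0] not in posix_gids:
                problems.append((name, "primary gidNumber has no posixGroup"))
        elif "posixGroup" in classes and "gidNumber" in e:
            if not lo <= int(e["gidNumber"][0]) <= hi:
                problems.append((name, "gidNumber outside idmap range"))
    return problems


if __name__ == "__main__":
    for account, problem in check_rfc2307(SAMPLE_LDIF, ID_RANGE):
        print("%s: %s" % (account, problem))
```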