Re: [Samba] UID/GID mapping consistency across at least two Linux machines
Thanks! But how is this related to my problem? Are there any pitfalls when some user is a member of many groups? Does their uid depend on their group membership?
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
I also only use ldap the same way without any winbind.

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of steve
Sent: Tuesday, 10 April 2012 18:30
To: samba@lists.samba.org
Subject: Re: [Samba] UID/GID mapping consistency across at least two Linux machines

On 09/04/12 21:00, Gaiseric Vandal wrote:
> On 04/09/12 13:11, bakytn wrote:
>> I found this:
>> http://lists.samba.org/archive/samba/2004-January/078411.html
>> How to implement a scenario?
>
> Are you using winbind for idmapping? The files you want may be /var/samba/locks (check testparm -v for the locks and cache directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump will show you what is in them.

Hi
I've never understood why we have to use winbind when using Linux clients. It seems a complicated way to go about uid/gid mapping. All we do is add posixAccount, uidNumber and gidNumber +any of other 2307 stuff you may need to the user record in LDAP. Maybe the problem before has been with the poor performance of nss-ldap. But with the new nss-ldapd nslcd, the user and group mapping is perfect and very fast. It's just as good as reading from a local file even on a busy lan.

HTH
Cheers,
Steve
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 11/04/12 09:09, Daniel Müller wrote:
> I also only use ldap the same way without any winbind.

Hi
Thanks. I was beginning to wonder if we were the only ones. It seems such an easy alternative to using winbind. The uid/gid is _exactly_ wysiwyg. Always. I think this is the sort of consistency the op was looking for. The sid-rid idmap winbind stuff seems horrendously complicated.

Cheers,
Steve
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
Hi,

Wed, Apr 11, 2012 at 11:02:09AM +0200, steve wrote:
> On 11/04/12 09:09, Daniel Müller wrote:
>> I also only use ldap the same way without any winbind.
>
> Thanks. I was beginning to wonder if we were the only ones. It seems such an easy alternative to using winbind. The uid/gid is _exactly_

I don't use winbind and also I don't use posixAccount on Samba4 Frenky.

> wysiwyg. Always. I think this is the sort of consistency the op was looking for. The sid-rid idmap winbind stuff seems horrendously complicated.

It's just easy from my point of view. But I don't want to have winbind running and I don't see a very nice way to manage posixAccount either. The man who creates user accounts isn't very keen in IT ... So I use nslcd to map uid/gid with the last part of the SID + some constant and I created a very small patch to the samba ads backend with the same behaviour. I don't need DOMAIN trusts so it's enough for my small environment.

Luf
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On Tue, Apr 10, 2012 at 2:27 PM, bakytn bak...@gmail.com wrote:
> Would you recommend me to use IDMAP_RID with Winbind?

I use it successfully.

> idmap backend = idmap_rid:DOMAIN=2000-1

Depending upon your Samba version the syntax may be a bit different.

idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000-99

> What would change? Would it mess my current UID/GID's???

Probably, but that's an easy one time fix using find with xargs to update the old uid, gid to the new one.

Chris
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 11/04/12 15:00, John Drescher wrote:
>> I also only use ldap the same way without any winbind.
>
> For years I used to do that however my domain member servers (not PDCs / BDCs) would not enumerate the users correctly for the windows security tab without using winbind. Does this work for you?
>
> John

Yes. Even in s3 (we are using 3.6 setup under openSUSE). In Samba4 there was a bug in the schema mapping for rfc2307. Now it's fixed. Why not store the user uid/gid in the directory alongside their sid stuff? The m$ schema has it bolted in.

Cheers,
Steve
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On Wed, Apr 11, 2012 at 3:50 PM, bakytn bak...@gmail.com wrote:
> I tried the old config and newer.
>
> idmap backend = rid:DOMAIN=4000-2
> idmap uid = 4000-2
> idmap gid = 4000-2

Doesn't look right - man smb.conf - for the correct syntax. For your version I think it should be more like:

idmap backend = tdb
idmap uid = 30-40
idmap gid = 30-40
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 2000-29

from man smb.conf:

winbind uses this parameter to find the backend that is authoritative for a unix ID to SID mapping, so it must be set for each individually configured domain, and it must be disjoint from the ranges set via idmap uid and idmap gid.

> My version is SAMBA 3.5.11

If you check the release notes you'll find that 3.5.12 fixed a winbind race issue in 3.5.11. Also there's a security exploit and it's a good idea to update to 3.5.14, or 3.6.4. I'm still a bit leery of the 3.6 series for production and hopefully 3.6.5 will be released soon fixing some outstanding issues.

Chris
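Added example, not part of the thread or of Samba's code: a Python check that a domain's rid range is disjoint from the default idmap uid/gid ranges, as the man page text quoted above requires, and that two member servers derive the same Unix ID from the same RID. It uses the algorithmic mapping documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID); the two smb.conf fragments, the ranges and the RIDs are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed smb.conf fragment for member server A (sample values, not from the thread).
HOST_A = """
[global]
idmap backend = tdb
idmap uid = 300000-400000
idmap gid = 300000-400000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 20000-299999
"""
# Constructed server B: different low end for the domain, default range overlapping it.
HOST_B = HOST_A.replace("20000-299999", "10000-299999").replace("300000-400000", "250000-400000")

RANGE = re.compile(
    r"^\s*idmap\s+(uid|gid|config\s+(\S+?)\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I | re.M)

def parse_ranges(conf):
    """Return ({'uid': (lo, hi), 'gid': (lo, hi)}, {DOMAIN: (lo, hi)})."""
    defaults, domains = {}, {}
    for key, domain, lo, hi in RANGE.findall(conf):
        if domain:
            domains[domain.upper()] = (int(lo), int(hi))
        else:
            defaults[key.lower()] = (int(lo), int(hi))
    return defaults, domains

def range_conflicts(conf):
    """(domain, 'uid'|'gid') pairs whose ranges overlap, i.e. are not disjoint."""
    defaults, domains = parse_ranges(conf)
    return sorted((dom, kind) for dom, r in domains.items()
                  for kind, d in defaults.items() if r[0] <= d[1] and d[0] <= r[1])

def rid_to_id(conf, domain, rid, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID, or None if out of range."""
    lo, hi = parse_ranges(conf)[1][domain.upper()]
    unix_id = rid - base_rid + lo
    return unix_id if lo <= unix_id <= hi else None

def differing_ids(confs, domain, rids):
    """RIDs that map to different Unix IDs on the given hosts, with the per-host IDs."""
    out = {}
    for rid in rids:
        ids = tuple(rid_to_id(c, domain, rid) for c in confs)
        if len(set(ids)) > 1:
            out[rid] = ids
    return out
```

Because the rid backend computes the ID rather than allocating it, identical range lines on every member server are what keep file ownership consistent between them; any RID reported by `differing_ids` would own files under a different uid or gid on each host.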
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
I have also cleared the /var/run/samba folder and it's now working properly. You helped a lot! Thank you!
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 11/04/12 22:35, bakytn wrote:
> I have also cleared the /var/run/samba folder and it's now working properly. You helped a lot! Thank you!

Hi
Just remembered a gotcha with the rfc2307 stuff. Hope you don't mind me including it here for completeness and to save head scratching.

If the user is a member of more than one group, then the memberUid attribute must be specified in the group dn. I think that this is one of the pieces missing from the samba3Upgrade script.

Here is an LDAP example which complies with the schema from Samba4:

dn: CN=teachers,CN=Users,DC=hh3,DC=site
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1119
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2
memberUid: lynn2

HTH,
Steve
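Added example, not part of the thread: a Python check over an LDIF export that reports posixGroup entries where a user listed under `member` has no matching `memberUid`, the gap described in the message above. The second group (`staff`, gidNumber 1120) is constructed sample data, the function names are hypothetical, and the check assumes the account name equals the CN in the first RDN of the member DN, as it does in the posted entry.

```python
# Constructed LDIF: the thread's group entry plus a second, constructed group
# in which lynn2 is listed as `member` but has no memberUid.
LDIF = """\
dn: CN=teachers,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1119
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2
memberUid: lynn2

dn: CN=staff,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 1120
member: CN=steve2,CN=Users,DC=hh3,DC=site
member: CN=lynn2,CN=Users,DC=hh3,DC=site
memberUid: steve2
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry (plain 'attr: value' lines only)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def leading_cn(dn):
    """Assumption: the account name is the value of the first RDN of the member DN."""
    return dn.split(",", 1)[0].partition("=")[2]

def missing_member_uids(text):
    """Map group DN -> sorted account names present as `member` but absent as memberUid."""
    gaps = {}
    for entry in parse_ldif(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "posixgroup" not in classes:
            continue
        uids = set(entry.get("memberuid", []))
        absent = sorted(leading_cn(m) for m in entry.get("member", [])
                        if leading_cn(m) not in uids)
        if absent:
            gaps[entry["dn"][0]] = absent
    return gaps
```

A group reported here has a Unix membership that differs from its directory membership.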
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 09/04/12 21:00, Gaiseric Vandal wrote:
> On 04/09/12 13:11, bakytn wrote:
>> I found this:
>> http://lists.samba.org/archive/samba/2004-January/078411.html
>> How to implement a scenario?
>
> Are you using winbind for idmapping? The files you want may be /var/samba/locks (check testparm -v for the locks and cache directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump will show you what is in them.

Hi
I've never understood why we have to use winbind when using Linux clients. It seems a complicated way to go about uid/gid mapping. All we do is add posixAccount, uidNumber and gidNumber +any of other 2307 stuff you may need to the user record in LDAP. Maybe the problem before has been with the poor performance of nss-ldap. But with the new nss-ldapd nslcd, the user and group mapping is perfect and very fast. It's just as good as reading from a local file even on a busy lan.

HTH
Cheers,
Steve
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 04/10/12 12:29, steve wrote:
> On 09/04/12 21:00, Gaiseric Vandal wrote:
>> On 04/09/12 13:11, bakytn wrote:
>>> I found this:
>>> http://lists.samba.org/archive/samba/2004-January/078411.html
>>> How to implement a scenario?
>>
>> Are you using winbind for idmapping? The files you want may be /var/samba/locks (check testparm -v for the locks and cache directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump will show you what is in them.
>
> Hi
> I've never understood why we have to use winbind when using Linux clients. It seems a complicated way to go about uid/gid mapping. All we do is add posixAccount, uidNumber and gidNumber +any of other 2307 stuff you may need to the user record in LDAP. Maybe the problem before has been with the poor performance of nss-ldap. But with the new nss-ldapd nslcd, the user and group mapping is perfect and very fast. It's just as good as reading from a local file even on a busy lan.
>
> HTH
> Cheers,
> Steve

Winbind mapping should not be necessary on domain controllers, except if you have domain trusts. I have ldap backend so my LDAP users have both unix and samba attributes.

Samba member servers are a little trickier, when setting permissions from a Windows client. The server does need some sort of idmap to connect the samba account to the local unix account. I had to use ldap backend for idmap to make sure the idmapping was consistent on samba member server. In theory the idmap_nss backend should do this, but I don't think it was available in samba 3.0.x. I haven't had much luck with it in samba 3.4 or 3.5.

I found it easier just to make sure that my primary file servers were also DC's.
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 10/04/12 18:45, Gaiseric Vandal wrote:
> On 04/10/12 12:29, steve wrote:
>> On 09/04/12 21:00, Gaiseric Vandal wrote:
>>> On 04/09/12 13:11, bakytn wrote:
>
> Winbind mapping should not be necessary on domain controllers, except if you have domain trusts. I have ldap backend so my LDAP users have both unix and samba attributes.

That's what we have too.

> Samba member servers are a little trickier, when setting permissions from a Windows client. The server does need some sort of idmap to connect the samba account to the local unix account.

But you wouldn't need local accounts for network users would you? Or at least we don't. They can use either a windows client or a Linux client. None of them are attached to any box locally. All the windows and linux data is stored centrally in LDAP. The windows clients pull the sid and whatever else they need and the Linux clients use nss-ldapd to automagically pull the 2307 stuff that they need.

Having said that, this is quite a simple setup of a heterogeneous lan under 3.6. If the post is about 2 or more linux machines then that ought to do it I think.

Cheers,
Steve
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
Would you recommend me to use IDMAP_RID with Winbind?

I don't have domain trusts (which is required to be off when using rid). It's a small domain with about 300 users at the very maximum.

Also..if I just add

idmap backend = idmap_rid:DOMAIN=2000-1

What would change? Would it mess my current UID/GID's???
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
I found this:
http://lists.samba.org/archive/samba/2004-January/078411.html
How to implement a scenario?

but..how about simpler way...like, may be, running rsync to copy necessary files from server 1 to server 2. I could do this..but I don't know which files to replicate?
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 04/09/12 13:11, bakytn wrote:
> I found this:
> http://lists.samba.org/archive/samba/2004-January/078411.html
> How to implement a scenario?
>
> but..how about simpler way...like, may be, running rsync to copy necessary files from server 1 to server 2. I could do this..but I don't know which files to replicate?

Are you using winbind for idmapping? The files you want may be /var/samba/locks (check testparm -v for the locks and cache directories.) Look at the winbind*tdb and idmap*tdb files. tdbdump will show you what is in them.
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
Here is the global section of my smb.conf:
I am not sure if I am using Winbind (I guess yes).

[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
preferred master = no
server string = SAMBA
security = ADS
encrypt passwords = yes
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
idmap uid = 3000-2
idmap gid = 3000-2
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind use default domain = Yes
winbind nested groups = Yes
template homedir = /data/files/%U
syslog = 0
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
Re: [Samba] UID/GID mapping consistency across at least two Linux machines
On 04/09/2012 04:09 PM, bakytn wrote:
> Here is the global section of my smb.conf:
> I am not sure if I am using Winbind (I guess yes).
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> preferred master = no
> server string = SAMBA
> security = ADS
> encrypt passwords = yes
> log level = 1
> log file = /var/log/samba/log.%m
> max log size = 1000
> idmap uid = 3000-2
> idmap gid = 3000-2
> template shell = /bin/bash
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = +
> winbind use default domain = Yes
> winbind nested groups = Yes
> template homedir = /data/files/%U
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes

I have some notes on what I have done with my machines. I hope it may help you out. Just read it all over and the template files closely before just jumping on into it.

https://uisapp2.iu.edu/confluence-prd/display/~rmday/Linux+Integration+with+Active+Directory

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36