Re: [Samba] winbind nss info = sfu is not so much working

2006-04-28 Thread Jonathan C. Detert
* Jonathan C. Detert [EMAIL PROTECTED] [060427 12:40]:
 one problem ...
 
 * Jonathan C. Detert [EMAIL PROTECTED] [060427 12:11]:
  * Guenther Deschner [EMAIL PROTECTED] [060427 11:56]:
   On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
by using winbind for authentication as well as for the source of nss 
info.

When winbind is configured to use its own local id maps, everything
works fine.

But when i configure winbind to use 'ad' as the source of nss info,
authentication fails, 'getent' commands return no results, and
'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
correctly).
  
  -- snip --
  
And here is how smb.conf looks when winbind is configed to use AD for
nss:
--
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind nested groups = yes
   winbind nss info = sfu
   winbind use default domain = yes

   idmap backend = ad
   
   You still need to have the idmap ranges set so that winbind does not fall
   into the netlogon proxy only mode. Does it work then?
  
  Yes, thanks!  I don't understand that at all.  What is 'netlogon proxy only'
 
 I spoke too soon: _most_ things work now.  The things which didn't work
 before, are now working.  However, one thing is not working:
 
 the inability to map a uid or gid into a name.
 
 For example:
 - 'id -G detertj' works, but 'id -Gn detertj' does not.
 - when i login on the console of the samba box, my shell prompt,
   which would usually say '[EMAIL PROTECTED]', says instead
   'I have no [EMAIL PROTECTED]'.

This problem mysteriously fixed itself.  I had to stop working on this
problem for a while.  By the time I came back to it, about 2 hours
later, the problem was gone.  Everything works as desired now.  My guess
is that there was some sort of timing issue that kept winbind from
knowing how to map names to uids, and that I just hadn't waited long
enough at first.
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


suggestion to change idmap parameter usage [Was : Re: [Samba] winbind nss info = sfu is not so much working]

2006-04-28 Thread Jonathan C. Detert
I wanted to use winbind to get user and group (i.e. nss) info from
a Microsoft Active Directory LDAP Server that supports an RFC2307
compliant LDAP schema.  I was unable to make that work until Guenther
Deschner (see below) explained that I still had to specify idmap gid
and idmap uid ranges.

That need is not intuitively obvious.  I suggest it be removed, or at
least explained in the smb.conf manpage.  The man page
suggests that 'idmap backend' and the idmap uid/gid ranges are
mutually exclusive (except for when idmap backend = idmap_rid).

To illustrate this, consider the first sentence under the description of
the idmap backend parameter:

idmap backend (G)
  The purpose of the idmap backend parameter is to allow idmap to NOT
  use the local idmap tdb file to obtain SID to UID / GID mappings,
  but instead to obtain them from a common LDAP backend.

If we are to use LDAP for the map, then what good is it to specify the
range of numbers that can be used in the map?  Hasn't the range already
been set by whatever process populated LDAP with the uid/gid's?  Or are
we to assume that winbind is the agent that will make the maps within
the LDAP backend?

Obviously the answers are,

'Yes, the range has already been set', and
'No, winbind is not making the maps within the LDAP backend.  Something
else must have assigned the uid/gids within the LDAP backend server.'.

So, what is the reasoning behind requiring the specification of idmap uid
and gid ranges when the backend is MsAD?

Suppose there is a good reason.

Then, what do we do with the problem of
how to specify the idmap uid/gid ranges?  Do we query LDAP to determine
the current range in order to make sure the range we specify includes
all uids/gids already set within LDAP?  That is crazy.  If we don't,
then it must not matter what ranges we specify.  So again, setting the
range seems to have no natural, reasonable purpose.

Lastly, if it really does make sense to set the idmap uid/gid
ranges, then please update the smb.conf manual.  It is very misleading
(at least in the v3.0.22 rendition).  Besides the misleading opening
paragraph (pointed out above), there is another bit that implies setting the
uid/gid ranges is not needed when using idmap backend, _except_ when the
idmap backend is set to 'idmap_rid':

An alternate method of SID to UID / GID mapping can be achieved
using the idmap_rid plug-in. This plug-in uses the account RID to
derive the UID and GID by adding the RID to a base value specified.
This utility requires that the parameter ``allow trusted domains =
No'' must be specified, as it is not compatible with multiple domain
environments. The idmap uid and idmap gid ranges must also be
specified.
  
I suspect that as the code currently stands, it would be more accurate
to remove that last sentence from the paragraph describing the idmap_rid
plugin, and put it as part of the opening paragraph.  I.e. I suspect
that the current code requires you to specify the idmap uid/gid ranges
no matter what your idmap backend is.

In any case, thank you for the wonderful software we have in samba.

Sincerely,

Jon Detert

* Jonathan C. Detert [EMAIL PROTECTED] [060427 12:11]:
 * Guenther Deschner [EMAIL PROTECTED] [060427 11:56]:
  On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
   with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
   by using winbind for authentication as well as for the source of nss info.
   
   When winbind is configured to use its own local id maps, everything
   works fine.
   
   But when i configure winbind to use 'ad' as the source of nss info,
   authentication fails, 'getent' commands return no results, and
   'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
   correctly).
 
 -- snip --
 
   And here is how smb.conf looks when winbind is configed to use AD for
   nss:
   --
  winbind enum groups = yes
  winbind enum users = yes
  winbind separator = +
  winbind nested groups = yes
  winbind nss info = sfu
  winbind use default domain = yes
   
  idmap backend = ad
  
  You still need to have the idmap ranges set so that winbind does not fall
  into the netlogon proxy only mode. Does it work then?
 
 Yes, thanks!  I don't understand that at all.  What is 'netlogon proxy only'
 mode?
 
 If winbind is mapping a sid to the uid/gid recorded in AD via the sfu
 schema attributes, then why would I tell winbind what range it can use for
 the uids and gids that it maps the sids to?
 
 Also, what relationship do my idmap id ranges have to the actual values
 in AD for the msSFU30UidNumber and msSFU30GidNumber attributes?  Do I
 need to ensure that my idmap id ranges match the ranges of values used
 in AD for msSFU30UidNumber and msSFU30GidNumber?
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of 

Re: [Samba] winbind nss info = sfu is not so much working

2006-04-27 Thread Guenther Deschner
On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
 with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
 by using winbind for authentication as well as for the source of nss info.
 
 When winbind is configured to use its own local id maps, everything
 works fine.
 
 But when i configure winbind to use 'ad' as the source of nss info,
 authentication fails, 'getent' commands return no results, and
 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
 correctly).
 
 I am guessing that either there is something wrong or lacking in my config,
 or that some kind of caching is messing me up.
 
 Here is my pertinent smb.conf stuff when winbind is configed to use
 local id maps:
 --
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind nested groups = yes
winbind use default domain = yes
 
idmap gid = 1-55000
idmap uid = 1-55000
 
template homedir = /home/%D/%U
template shell = /bin/bash
 
 And here is how smb.conf looks when winbind is configed to use AD for
 nss:
 --
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind nested groups = yes
winbind nss info = sfu
winbind use default domain = yes
 
idmap backend = ad

You still need to have the idmap ranges set so that winbind does not fall
into the netlogon proxy only mode. Does it work then?

Guenther
-- 
Günther Deschner        GPG-ID: 8EE11688
Novell / SUSE LINUX     [EMAIL PROTECTED]
Samba Team              [EMAIL PROTECTED]



Re: [Samba] winbind nss info = sfu is not so much working

2006-04-27 Thread Jonathan C. Detert
* Jonathan C. Detert [EMAIL PROTECTED] [060427 11:39]:
 with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
 by using winbind for authentication as well as for the source of nss info.
 
 When winbind is configured to use its own local id maps, everything
 works fine.
 
 But when i configure winbind to use 'ad' as the source of nss info,
 authentication fails, 'getent' commands return no results, and
 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
 correctly).

a couple notes to add:

a) the AD box i'm using is running Win2k3 with SFU schema extensions applied.

b) 'wbinfo -n detertj' returns the correct sid, regardless of whether
idmap backend is set to ad or not.

   'wbinfo -S detertjsid' fails to convert the sid to a uid when idmap
   backend is set to ad, but succeeds when idmap backend is NOT set.

c) the 'detertj' account does have the appropriate msad attributes, as
   can be seen here:
   ldapsearch -x -LLL -s sub -H ldap://xx.msoe.edu \
     -D 'cn=ldap,ou=ccsd,ou=people,dc=msoe,dc=edu' -w '' \
     -b 'ou=people,dc=msoe,dc=edu' samaccountname=detertj \
     msSFU30UidNumber msSFU30GidNumber msSFU30HomeDirectory msSFU30LoginShell
   dn: CN=detertj,OU=Administration,OU=People,DC=msoe,DC=edu
   msSFU30UidNumber: 20225
   msSFU30GidNumber: 21795
   msSFU30LoginShell: /bin/bash
   msSFU30HomeDirectory: /home/staff/detertj
 
 I am guessing that either there is something wrong or lacking in my config,
 or that some kind of caching is messing me up.
 
 Here is my pertinent smb.conf stuff when winbind is configed to use
 local id maps:
 --
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind nested groups = yes
winbind use default domain = yes
 
idmap gid = 1-55000
idmap uid = 1-55000
 
template homedir = /home/%D/%U
template shell = /bin/bash
 
 And here is how smb.conf looks when winbind is configed to use AD for
 nss:
 --
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind nested groups = yes
winbind nss info = sfu
winbind use default domain = yes
 
idmap backend = ad
 
 Can you see anything wrong/lacking in my config?  Btw, I have also tried
 setting idmap backend to 'idmap_ad' as the smb.conf man page has it, but
 either way, as 'ad' or as 'idmap_ad', I get the same result. 
 
 As to cache possibly messing me up, I do the following when switching
 from local tdb maps to using ad as the map:
 --
/etc/init.d/winbind stop; /etc/init.d/samba stop
cat /dev/null > /var/cache/samba/winbindd_cache.tdb
mv /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/winbindd_idmap.tdb.orig
/etc/init.d/samba start; /etc/init.d/winbind start
 Is there something else to consider re. caching?
 
 Thanks
 -- 
 Happy Landings,
 
 Jon Detert
 IT Systems Administrator, Milwaukee School of Engineering
 1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.

-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.


Re: [Samba] winbind nss info = sfu is not so much working

2006-04-27 Thread Jonathan C. Detert
* Guenther Deschner [EMAIL PROTECTED] [060427 11:56]:
 On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
  with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
  by using winbind for authentication as well as for the source of nss info.
  
  When winbind is configured to use its own local id maps, everything
  works fine.
  
  But when i configure winbind to use 'ad' as the source of nss info,
  authentication fails, 'getent' commands return no results, and
  'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
  correctly).

-- snip --

  And here is how smb.conf looks when winbind is configed to use AD for
  nss:
  --
 winbind enum groups = yes
 winbind enum users = yes
 winbind separator = +
 winbind nested groups = yes
 winbind nss info = sfu
 winbind use default domain = yes
  
 idmap backend = ad
 
 You still need to have the idmap ranges set so that winbind does not fall
 into the netlogon proxy only mode. Does it work then?

Yes, thanks!  I don't understand that at all.  What is 'netlogon proxy only'
mode?

If winbind is mapping a sid to the uid/gid recorded in AD via the sfu
schema attributes, then why would I tell winbind what range it can use for
the uids and gids that it maps the sids to?

Also, what relationship do my idmap id ranges have to the actual values
in AD for the msSFU30UidNumber and msSFU30GidNumber attributes?  Do I
need to ensure that my idmap id ranges match the ranges of values used
in AD for msSFU30UidNumber and msSFU30GidNumber?

Thanks again!  This is good news.
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
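The check the post above asks about, i.e. whether the idmap uid/gid ranges in smb.conf actually cover the msSFU30UidNumber and msSFU30GidNumber values already stored in AD, as an added example that is not part of this thread or of Samba itself. It parses a constructed smb.conf fragment and a constructed LDIF block shaped like the ldapsearch output quoted earlier in the thread, and assumes the POSIX ids come from exactly those two attributes.

```python
import re  # added example: check AD SFU ids against smb.conf idmap ranges

# Constructed smb.conf fragment using the thread's ranges.
SMB_CONF = """
[global]
   winbind nss info = sfu
   idmap backend = ad
   idmap uid = 1-55000
   idmap gid = 1-55000
"""
# Constructed LDIF (shape of the thread's ldapsearch output); the second
# entry's uid lies outside the configured range.
LDIF = """\
dn: CN=detertj,OU=Administration,OU=People,DC=example,DC=com
msSFU30UidNumber: 20225
msSFU30GidNumber: 21795

dn: CN=svc-backup,OU=Service,OU=People,DC=example,DC=com
msSFU30UidNumber: 60010
msSFU30GidNumber: 21795
"""
RANGE_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
                      re.I | re.M)

def parse_idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} found in smb.conf text."""
    return {k.lower(): (int(lo), int(hi)) for k, lo, hi in RANGE_RE.findall(conf)}

def parse_ldif_ids(ldif):
    """Return [(dn, uid, gid)] for entries carrying both msSFU30 id attributes."""
    out = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "mssfu30uidnumber" in attrs and "mssfu30gidnumber" in attrs:
            out.append((attrs["dn"], int(attrs["mssfu30uidnumber"]),
                        int(attrs["mssfu30gidnumber"])))
    return out

def ids_outside_ranges(conf, ldif):
    """List (dn, kind, value) not covered; raise if a range is missing entirely."""
    ranges = parse_idmap_ranges(conf)
    missing = [k for k in ("uid", "gid") if k not in ranges]
    if missing:
        raise ValueError("smb.conf lacks idmap range(s): " + ", ".join(missing))
    return [(dn, kind, v) for dn, uid, gid in parse_ldif_ids(ldif)
            for kind, v in (("uid", uid), ("gid", gid))
            if not ranges[kind][0] <= v <= ranges[kind][1]]
```

Feeding it real ldapsearch output in place of the constructed LDIF lists every account whose SFU id winbind would not be able to place inside the configured range.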


Re: [Samba] winbind nss info = sfu is not so much working

2006-04-27 Thread Jonathan C. Detert
one problem ...

* Jonathan C. Detert [EMAIL PROTECTED] [060427 12:11]:
 * Guenther Deschner [EMAIL PROTECTED] [060427 11:56]:
  On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
   with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
   by using winbind for authentication as well as for the source of nss info.
   
   When winbind is configured to use its own local id maps, everything
   works fine.
   
   But when i configure winbind to use 'ad' as the source of nss info,
   authentication fails, 'getent' commands return no results, and
   'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
   correctly).
 
 -- snip --
 
   And here is how smb.conf looks when winbind is configed to use AD for
   nss:
   --
  winbind enum groups = yes
  winbind enum users = yes
  winbind separator = +
  winbind nested groups = yes
  winbind nss info = sfu
  winbind use default domain = yes
   
  idmap backend = ad
  
  You still need to have the idmap ranges set so that winbind does not fall
  into the netlogon proxy only mode. Does it work then?
 
 Yes, thanks!  I don't understand that at all.  What is 'netlogon proxy only'

I spoke too soon: _most_ things work now.  The things which didn't work
before, are now working.  However, one thing is not working:

the inability to map a uid or gid into a name.

For example:
- 'id -G detertj' works, but 'id -Gn detertj' does not.
- when i login on the console of the samba box, my shell prompt,
  which would usually say '[EMAIL PROTECTED]', says instead
  'I have no [EMAIL PROTECTED]'.

I can turn a name into a sid, and a sid into a uid, but not a name into
a uid.
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.