Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2011-12-07 Thread Jean-Yves Avenard
Hi


On 7 December 2011 22:06, Jean-Yves Avenard  wrote:
> Is there a way to make it so the uid/SID are matched in such a way that a
> username keeps the same uid as before?
> For example, editing on the domain controller the ldap entries that
> contain the uid/SID map or something like that (just thinking out loud
> here)

Amending this troubleshooting.

The Unix extension has been added to the Active Directory, and the
uidNumber for each user has been added in order to match the previous
uid as discovered by winbind.

smb.conf was amended as follows:
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind nss info = rfc2307
allow trusted domains = No

idmap uid = 1000-199
idmap gid = 1000-199
idmap backend = ad
idmap config ALLORATECH : backend = ad
idmap config ALLORATECH : range = 1000-99
idmap config ALLORATECH : schema_mode = rfc2307

Looking at the winbind_ad module, it seems to me that, should the nss
info and schema mode be set to rfc2307, it should use the uidNumber
entry to determine the uid of the user.

However, winbind still assigns the RID + 1 for the user's uid...

Is there a way to tell winbind precisely which uid to use? What am I missing?

Thanks
JY
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] PDC & file server on same machine?

2011-12-07 Thread John Heim
How much of a resource hog is a PDC? My understanding is that authentication 
is done vs a BDC if available. I configured my new file server as the domain 
PDC because I figured it would already have to run samba. I have two other 
machines configured as BDCs to serve as logon servers.


I'm looking for opinions on whether I'm asking for performance problems by 
making my file server the PDC. Actually, this machine is already serving as 
PDC but it's not in production yet as a file server. So right now, it's just 
the domain PDC. When I log into the domain and "echo %logonserver%", it 
shows that one of the BDCs was the logon server, not the PDC. It doesn't 
look like the PDC has to do anything but handle joining machines to the 
domain.







Re: [Samba] SAMBA4: Changing DC's IP address (Bind 9.8.x) for testing

2011-12-07 Thread Gémes Géza
2011-12-07 15:41 keltezéssel, Adam Tauno Williams írta:
> I upgraded my S3 domain to S4 using the upgrade script.  To do that I
> had to have the S4 test box connected to the production network.  Now I
> want to take it to the test network.  But the Bind 9.8.x instance using
> the DLZ still has the old address... dynamic dns update doesn't work
> because the tool can't find the KDC because DNS returns the wrong IP
> address.
>
> Can I modify the DNS zone using an ldb tool [ldbmodify]? To change the
> IP of the DC (the only address in DNS at this point, everything seems to
> CNAME back to the address).
>
> Under the older Bind config I just changed the one or two lines in the
> text zone file when I moved the VM from production to testing.
>
>
>
samba-tool dns is your friend here.

Geza


[Samba] bind errors for latest samba 4 checkout

2011-12-07 Thread steve

Hi everyone

openSUSE 12.1

After a recent Samba 4 pull I have these errors:

Dec  7 19:53:37 hh3 named[3121]: command channel listening on 127.0.0.1#953
Dec  7 19:53:37 hh3 named[3121]: the working directory is not writable
Dec  7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loading from 
master file /var/lib/named/dyn//managed-keys.bind failed: file not found

Dec  7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loaded serial 0
Dec  7 19:53:37 hh3 named[3093]: Starting name server BIND - Warning: 
/var/run/named/named.pid exists! ..done

Dec  7 19:53:37 hh3 named[3121]: running

Bind was recently updated in openSUSE. Setting /var/lib/named to 
named:named got rid of the first error. Is that OK?


But then:

rm /var/run/named/named.pid
rm: cannot remove `/var/run/named/named.pid': Too many levels of 
symbolic links


rm -r /var/run/named/ and restarting bind gives the same error.

I can't find much about the managed keys. I've asked here before about 
this and on the openSUSE list.


The only change to the /etc/named.conf supplied by the distro is including:
/usr/local/samba/private/named.conf

Apart from this, bind and Kerberos pass all the tests as specified in 
the Samba 4 howto.


If I:
touch /var/lib/named/dyn//managed-keys.bind

and restart named, it's almost clean:

Dec  7 20:23:13 hh3 named[3302]: command channel listening on 127.0.0.1#953
Dec  7 20:23:13 hh3 named[3302]: couldn't add command channel ::1#953: 
address not available
Dec  7 20:23:13 hh3 named[3302]: zone 0.0.127.in-addr.arpa/IN: loaded 
serial 42
Dec  7 20:23:13 hh3 named[3302]: zone 
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: 
loaded serial 42

Dec  7 20:23:13 hh3 named[3302]: zone localhost/IN: loaded serial 42
Dec  7 20:23:13 hh3 named[3302]: managed-keys-zone ./IN: loaded serial 0
Dec  7 20:23:13 hh3 named[3275]: Starting name server BIND - Warning: 
/var/run/named/named.pid exists! ..done

Dec  7 20:23:13 hh3 named[3302]: running

Before I can test and draw conclusions about the latest checkout I must 
know if these errors are significant.


Any ideas anyone?

Thanks
Steve.
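The post asks whether the quoted named lines are significant. Below is an added example (not code from the post or from BIND) of a small triage parser for BIND's syslog output: it splits each line into timestamp, host, program, pid and message, re-joins messages that syslog wrapped onto a continuation line, tags each record as error, warning or info, and lists the file paths mentioned in anything that is not purely informational. The sample text is constructed to mirror the lines in the post; the severity rules are this example's own keyword heuristics, not BIND's logging categories.

```python
"""Triage parser for BIND (named) syslog lines.  Added example; the sample
lines are constructed after the ones quoted in the post, and the severity
rules are keyword heuristics chosen here, not BIND's own categories."""
import re
from collections import Counter

# Matches "Dec  7 19:53:37 hh3 named[3121]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Absolute paths only; the lookbehind skips the "./IN" zone-origin notation.
PATH_RE = re.compile(r"(?<![\w.])/\w[\w./-]*")

# First matching rule wins; anything unmatched is informational.
RULES = [
    ("error", re.compile(r"failed:|fatal|exiting")),
    ("warning", re.compile(r"warning:|not writable|couldn't|\.pid exists", re.I)),
]


def classify(msg):
    for severity, rx in RULES:
        if rx.search(msg):
            return severity
    return "info"


def parse_named_log(text):
    """Return a list of dicts (ts, host, prog, pid, msg, severity).  A line that
    does not start with a syslog prefix is a continuation of the previous
    message (syslog wrapped it), so it is appended to that message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += " " + line
    for r in records:
        r["severity"] = classify(r["msg"])
    return records


def severity_counts(records):
    return dict(Counter(r["severity"] for r in records))


def paths_to_check(records):
    """Sorted file paths named in error/warning records: what to inspect first."""
    paths = set()
    for r in records:
        if r["severity"] != "info":
            paths.update(PATH_RE.findall(r["msg"]))
    return sorted(paths)


def pids(records):
    """Distinct pids logging under the program name; a start-up wrapper and the
    daemon itself show up as two pids, as in the post."""
    return sorted({r["pid"] for r in records})


# Constructed sample, modelled on the post's two start-up logs.
SAMPLE = """\
Dec  7 19:53:37 hh3 named[3121]: command channel listening on 127.0.0.1#953
Dec  7 19:53:37 hh3 named[3121]: couldn't add command channel ::1#953:
address not available
Dec  7 19:53:37 hh3 named[3121]: the working directory is not writable
Dec  7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loading from
master file /var/lib/named/dyn//managed-keys.bind failed: file not found
Dec  7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loaded serial 0
Dec  7 19:53:37 hh3 named[3093]: Starting name server BIND - Warning:
/var/run/named/named.pid exists! ..done
Dec  7 19:53:37 hh3 named[3121]: running
"""

if __name__ == "__main__":
    recs = parse_named_log(SAMPLE)
    for r in recs:
        print(f"{r['severity']:8} pid={r['pid']} {r['msg']}")
    print(severity_counts(recs), paths_to_check(recs), pids(recs))
```

Feed it a real syslog excerpt with `parse_named_log(open("/var/log/messages").read())` and look at `paths_to_check()` first; the continuation handling matters because the interesting part of a wrapped line (the path, the "failed:" reason) is usually on the second physical line.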


Re: [Samba] Samba4 and Bind with DLZ

2011-12-07 Thread Adam Tauno Williams
On Wed, 2011-12-07 at 13:13 -0500, fe...@epepm.cupet.cu wrote:
> Could you, please, give me some clue on how to configure dlz in Bind to
> work with Samba4?
> I installed samba4 from git check out from a week ago, then I provisioned
> it but DNS is not working.

What error do you get when you try to start bind?

What version of bind?



[Samba] Samba4 and Bind with DLZ

2011-12-07 Thread felix

Could you, please, give me some clue on how to configure dlz in Bind to
work with Samba4?

I installed samba4 from git check out from a week ago, then I provisioned
it but DNS is not working.

Best regards,
Felix.



[Samba] wbinfo -r not listing domain local groups

2011-12-07 Thread Fabian Hugelshofer

Hi,

Between Samba 3.4.15 and 3.5.11 there was a change in how 'wbinfo -r' 
gathers the groups of which a given user is a member.


Assume there is a Windows 2003 domain called DOMA. This domain has a 
child domain DOMB. On DOMA there is a security group G-DL-DOMA which has 
domain local scope. On DOMB there is a security group G-U-DOMB which has 
universal scope. Group G-U-DOMB is member of group G-DL-DOMA. Due to the 
domain local scope of G-DL-DOMA, this membership is only known to DOMA. 
Group G-U-DOMB has a user john from DOMB as member.


DOMA G-DL-DOMA
|
DOMB G-U-DOMB
|
DOMB john

A Linux system that is running winbind is joined into DOMA. On this 
system "wbinfo -r DOMB+john" is run to get the Unix GIDs of the groups 
of which the user from DOMB is a member. With Samba 3.4.15 (and 3.3.13) 
the GID of group G-DL-DOMA is shown, with Samba 3.5.11 (and 3.5.12) it 
is missing.


This probably has to do with which DC the Samba host is asking about 
membership of group G-U-DOMB. A DC from DOMB does not know that this 
group is member of G-DL-DOMA because the latter is from another domain 
and has domain local scope. Only a DC in DOMA will know that the group 
from DOMB is member of the domain local group of DOMA.


Does the behaviour of Samba 3.5 have to be considered a bug? Does anyone 
know what caused this change of behaviour? Was this intentional? Are 
there any plans to change the behaviour back to how it was in Samba 3.3 
and 3.4?


Regards,

Fabian


smb.conf from host running 'wbinfo -r':
[global]
  netbios name = PHI
  server string = phi
  workgroup = DOMA
  realm = doma.com
  security = ads
  winbind separator = +
  winbind cache time = 1800
  winbind offline logon = true
  winbind use default domain = yes
  name resolve order = host wins
  encrypt passwords = yes
  template shell = /bin/false
  template homedir = /home/%D/%U
  syslog only = yes
  log file = /dev/null
  idmap uid = 1-99
  idmap gid = 1-99
  idmap cache time = 3600
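The post's explanation (a DOMB DC cannot know that G-U-DOMB sits in DOMA's domain-local group) can be modelled as a membership graph in which each DC only answers for the memberships it stores. The following is an added example, not Samba's code: it builds the forest from the post as constructed data, gives each domain's DC the view it would have (its own groups plus universal groups, whose membership is replicated forest-wide), and expands a user's group set to a fixpoint while asking either only the account domain or the account domain plus the domain the host is joined to. The difference between the two results is exactly the domain-local group that the post says went missing, and therefore the ACL entries a share would fail to honour.

```python
"""Model of transitive group expansion across AD domains.  Added example;
the groups, domains and user are the constructed ones from the post and the
visibility rule is a simplification of how group scopes behave."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    domain: str
    scope: str  # "domain_local", "global" or "universal"


# Constructed forest from the post: DOMA with child domain DOMB.
GROUPS = {
    "DOMA+G-DL-DOMA": Group("DOMA", "domain_local"),
    "DOMB+G-U-DOMB": Group("DOMB", "universal"),
}
# (member, group) edges: john is in the universal group, which is in the domain-local one.
MEMBERSHIPS = [
    ("DOMB+john", "DOMB+G-U-DOMB"),
    ("DOMB+G-U-DOMB", "DOMA+G-DL-DOMA"),
]


def reported_by(dc_domain):
    """Memberships a DC of dc_domain can answer for: every group its own domain
    owns, plus universal groups (replicated forest-wide).  A domain-local group
    belonging to another domain is invisible from here."""
    return {(m, g) for m, g in MEMBERSHIPS
            if GROUPS[g].domain == dc_domain or GROUPS[g].scope == "universal"}


def expand_groups(principal, ask_domains):
    """Transitive closure of membership, asking only the DCs of ask_domains.
    Iterates until no new group turns up, so nesting of any depth is handled."""
    found, frontier = set(), {principal}
    while frontier:
        new = set()
        for dom in ask_domains:
            for member, group in reported_by(dom):
                if member in frontier and group not in found:
                    found.add(group)
                    new.add(group)
        frontier = new
    return found


def wbinfo_r(user, joined_domain, ask_resource_domain=True):
    """Model of 'wbinfo -r user': the account domain is always asked; the domain
    the host is joined to (the resource domain) is asked as well only when
    ask_resource_domain is set, and it is the only place that domain's
    domain-local memberships are recorded."""
    account_domain = user.split("+", 1)[0]
    domains = [account_domain]
    if ask_resource_domain and joined_domain != account_domain:
        domains.append(joined_domain)
    return expand_groups(user, domains)


def groups_missed(user, joined_domain):
    """Groups (and hence ACL entries) lost when the resource domain is not asked."""
    return wbinfo_r(user, joined_domain, True) - wbinfo_r(user, joined_domain, False)


if __name__ == "__main__":
    print("asking DOMB only:", sorted(wbinfo_r("DOMB+john", "DOMA", False)))
    print("asking DOMB and DOMA:", sorted(wbinfo_r("DOMB+john", "DOMA", True)))
    print("missed:", sorted(groups_missed("DOMB+john", "DOMA")))
```

The practical check this suggests is to compare `wbinfo -r` output for a cross-domain user against the groups actually referenced in the share ACLs; a domain-local group of the resource domain that appears in an ACL but not in the user's token is the symptom to look for.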


Re: [Samba] openldap authentication

2011-12-07 Thread Adam Tauno Williams
On Wed, 2011-11-30 at 13:18 -0700, James Devine wrote:
> I have an existing openldap schema which is handling mail, web and ftp
> services right now.  I am trying to get a windows machine talking to the
> same filesystem as apache on linux via samba and read/write using the
> correct uid/gid.  I was trying to shy away from using pam_ldap as there is
> no need to tie the user in ldap directly to the filesystem.  The problem is
> it looks like the samba ldap module requires a specific ldap schema to
> function, whereas currently I map needed functionality to the ldap schema
> as depicted below
> # fxmul...@nsab.us, gwis
> dn: cn=fxmul...@nsab.us,dc=gwis
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> accountid: 65534
> uidNumber: 65534
> gidNumber: 65534
> active: 1
> cn: fxmul...@nsab.us
> loginShell: /usr/sbin/nologin
> sn: nsab.us
> wenable: 1
> wpass: testpass
> whome: /www/nsab.us/nsab.us/fx/fxmulder
> 
> I don't suppose there is a similar way to map attributes with samba?

You need to use the Samba [Samba 3] schema.  The sambaAccount
objectclass is auxiliary; so you can add it to your existing account
objects.  The [nearly obsolete, look at Samba 4] Samba 3 LDAP overlays
on the RFC2307 schema you are currently using.



[Samba] SAMBA4: Changing DC's IP address (Bind 9.8.x) for testing

2011-12-07 Thread Adam Tauno Williams
I upgraded my S3 domain to S4 using the upgrade script.  To do that I
had to have the S4 test box connected to the production network.  Now I
want to take it to the test network.  But the Bind 9.8.x instance using
the DLZ still has the old address... dynamic dns update doesn't work
because the tool can't find the KDC because DNS returns the wrong IP
address.

Can I modify the DNS zone using an ldb tool [ldbmodify]? To change the
IP of the DC (the only address in DNS at this point, everything seems to
CNAME back to the address).

Under the older Bind config I just changed the one or two lines in the
text zone file when I moved the VM from production to testing.





Re: [Samba] Configure samba to not look for domain master browser

2011-12-07 Thread Adam Tauno Williams
On Tue, 2011-12-06 at 17:26 +0200, Timothy Madden wrote:
> On my network there is no domain master browser, and my nmbd is spamming 
> my /var/log/messages file with messages that it could not find one. Can 
> I configure nmbd not to look for the domain master browser?

Do you have a WINS server?  If so set that in the smb.conf file.





[Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2011-12-07 Thread Jean-Yves Avenard
Hi there.

Our IT moved all the user accounts to a new domain controller.
It wasn't much of a migration, more so a complete setup on a new
machine, new OS, new domain; it just happens that the usernames and
group names remained the same.

I have been asked to look after the migration of the existing unix
servers (linux and freebsd running samba 3.4).
All the unix machines use winbind for authentication purposes.

Previously the mapping between uids and SIDs was as follows:
idmap backend = idmap_rid:MEL=1-1
idmap uid = 1-1
idmap gid = 1-1

That was simple and easy.

Problem is, on the new domain controller, while the usernames are the
same, the SIDs are not.

So should I move the unix machines to the new domain, all ownerships
and permissions will be screwed up.

The new winbind setup is supposed to use the following config for idmap backend:
  idmap backend = ad
  ldap idmap suffix = dc=alloratech,dc=local
  ldap admin dn = cn=access,ou=Alloratech,dc=alloratech,dc=local
  ldap suffix = dc=alloratech,dc=local

Which actually gives similar uid/gid in relation to the SID as the
previous setup (1 + last digits of SID)

Now, going through all the files and folders found on those servers
(they are used as file server) to fix the ownership and permission is
going to take forever.

Is there a way to make it so the uid/SID are matched in such a way that a
username keeps the same uid as before?
For example, by editing on the domain controller the ldap entries that
contain the uid/SID map, or something like that (just thinking out loud
here).

Any help and/or advice will be greatly appreciated.

Thank you in advance
Jean-Yves
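Both messages in this thread (the question above and the follow-up that sets uidNumber on the new DC to the old winbind uids) come down to one concern: when the idmap changes, Unix ownership on the file servers must either stay the same or be rewritten consistently. The following is an added example, not code from the thread or from Samba: it reproduces the idmap_rid arithmetic the old setup relied on (id = range low + RID - base_rid), derives an old-uid to new-uid table from the new domain's rfc2307 uidNumber values, refuses tables in which two accounts would collide or a new id reuses another account's old id (a restarted chown run could then not tell remapped files from untouched ones), and produces a dry-run chown plan for a tree. All SIDs, names and numbers are constructed; the 10000-99999 range with base_rid 0 is an assumption, since the ranges quoted in the thread are not legible.

```python
"""Keep file ownership consistent across a winbind idmap change.  Added
example; the idmap range, SIDs, account names and uidNumber values are all
constructed assumptions, not values from the thread."""
import os
from collections import Counter

IDMAP_LOW, IDMAP_HIGH, BASE_RID = 10000, 99999, 0  # assumed old idmap_rid config


def rid_of(sid):
    """RID (last sub-authority) of a textual SID such as S-1-5-21-...-1105."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def idmap_rid(sid, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """The idmap_rid rule: id = low + (RID - base_rid), valid only inside the range."""
    uid = low + rid_of(sid) - base_rid
    if not low <= uid <= high:
        raise ValueError(f"{sid}: id {uid} outside idmap range {low}-{high}")
    return uid


def build_remap(old_sids, new_ids):
    """old_sids: {name: SID in the old domain}; new_ids: {name: uidNumber in the new
    domain}.  Returns (remap {old_id: new_id}, names that have no new id)."""
    remap, missing = {}, []
    for name, sid in old_sids.items():
        if name in new_ids:
            remap[idmap_rid(sid)] = new_ids[name]
        else:
            missing.append(name)
    dup = sorted(i for i, n in Counter(remap.values()).items() if n > 1)
    if dup:
        raise ValueError(f"several accounts map to the same new id: {dup}")
    clash = sorted(o for o, n in remap.items() if n in remap and remap[n] != n)
    if clash:
        raise ValueError(f"new ids reuse other accounts' old ids: {clash}")
    return remap, missing


def scan_tree(root):
    """Yield (path, uid, gid) for root and everything below it, via lstat so
    symlinks are reported as themselves and never followed."""
    st = os.lstat(root)
    yield root, st.st_uid, st.st_gid
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            yield path, st.st_uid, st.st_gid


def plan_chown(entries, uid_map, gid_map):
    """[(path, new_uid, new_gid)] for each entry whose owner or group changes.
    Ids absent from the maps (root, local service accounts) are left alone."""
    plan = []
    for path, uid, gid in entries:
        new_uid, new_gid = uid_map.get(uid, uid), gid_map.get(gid, gid)
        if (new_uid, new_gid) != (uid, gid):
            plan.append((path, new_uid, new_gid))
    return plan


def apply_plan(plan, dry_run=True):
    """Apply with lchown (never following symlinks); returns the number of entries."""
    for path, uid, gid in plan:
        if dry_run:
            print(f"chown {uid}:{gid} {path}")
        else:
            os.lchown(path, uid, gid)
    return len(plan)


# Constructed sample data: three old accounts, two of which exist in the new domain.
OLD_SIDS = {
    "jy": "S-1-5-21-111-222-333-1105",
    "alice": "S-1-5-21-111-222-333-1106",
    "svc": "S-1-5-21-111-222-333-1200",
}
NEW_IDS_FRESH = {"jy": 10500, "alice": 10501}   # new domain handed out new ids
NEW_IDS_KEPT = {"jy": 11105, "alice": 11106}    # uidNumber set to the old winbind uid
SAMPLE_TREE = [                                   # what scan_tree() would yield
    ("/srv/share", 11105, 11105),
    ("/srv/share/report.txt", 11106, 11105),
    ("/srv/share/bin", 0, 0),
]

if __name__ == "__main__":
    remap, missing = build_remap(OLD_SIDS, NEW_IDS_FRESH)
    print("remap:", remap, "no new id for:", missing)
    # The same table is used for gids only to keep the sample short; real groups
    # get their own table from gidNumber.
    apply_plan(plan_chown(SAMPLE_TREE, remap, remap), dry_run=True)
```

With the uidNumber values set equal to the old uids, as the follow-up message does, `build_remap` returns an identity table and `plan_chown` returns nothing to do; accounts listed under `missing` (old SIDs with no account in the new domain) keep their orphaned numeric owner, which is worth reviewing by hand before the old mappings are forgotten.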