[Samba] winbind sometimes only get partial groups

2013-08-05 Thread d tbsky
hi:
I set up a samba4 DC server with a Windows client and 6 Linux
workstations. The Windows client works fine, but the Linux samba clients are strange.
I have one user who belongs to 21 AD groups, but "groups my-user" only
returns some of them. At one workstation it may return all 21 groups,
but others return 18 or 19 groups, and at one specific workstation it
returns only 1 group!!

   I backed up "/var/lib/samba/*.tdb" and issued the command: "service winbind
stop; rm -f /var/lib/samba/*; service winbind start". Then I get all 21
groups with "groups my-user". After that I restored the backup of
"/var/lib/samba/*.tdb", and I only get a few groups as before.

  The strangest part is that if I delete the tdb files at "/var/lib/samba" one
by one, the information returned by "groups my-user" won't change. Only
when I remove all the tdb files at once do I get a different result from
"groups my-user".

  I have good and broken "/var/lib/samba/*.tdb" files in hand if someone
wants to check.
  My server and client environment are below. Thanks a lot for help!!

server environment: Scientific Linux 6.4 64bit with samba 4.0.5, 4.0.7
(I compiled and tested these two versions).
client environment: Scientific Linux 6.4 64bit with samba 3.6.9 (comes
with the linux distribution).

samba4 server configuration:
[global]
workgroup = MY-DOMAIN
realm = AD.MY-DOMAIN.COM
netbios name = DC
server role = active directory domain controller
dns forwarder = 10.11.1.3
idmap_ldb:use rfc2307 = yes
# resolve interface bug
interfaces = 127.0.0.1 10.11.1.2
bind interfaces only = Yes
strict allocate = yes
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
winbind use default domain = yes
# winbind nss info = rfc2307
# DC won't read rfc2307 shell and home
# template homedir = /share/samba/home/%U
template shell = /sbin/nologin
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ad.my-domain.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


samba3 client workstation configuration (all 6 clients are the same):

[global]
   workgroup = MY-DOMAIN
   realm = AD.MY-DOMAIN.COM
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 3001-4000
   idmap config MY-DOMAIN:backend = ad
   idmap config MY-DOMAIN:default = yes
   idmap config MY-DOMAIN:range = 1000-3000
   idmap config MY-DOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = no
   winbind use default domain = yes
   winbind offline logon = yes
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba4 password sync howto?

2013-06-09 Thread d tbsky
hi:
winbind and ldap authentication are both used when the services support
them. But some services have a local password database and need an external
script to sync them.

I think it is not too hard if I don't want a perfect solution. If SSOD
cannot work, can someone give me a hint about which source file I can modify, so
samba can call an external script when the password changes?

thanks a lot for help!!

Regards,
tbskyd


2013/6/10 David Gonzalez - [DGHVOIP] 

> Hey,
>
> I'm no expert on Samba 4 and I might be wrong but can't you use winbind
> for that, can you?
>
> Cheers.
>
> Sent from my iPhone
>


Re: [Samba] samba4 password sync howto?

2013-06-09 Thread d tbsky
hi:
   After searching the mail archive, I found the same question was asked
last month, and indeed samba4 doesn't support "unix password sync"
currently. I am surprised because it seems a very easy function => just
call some external program when the password changes.

   Anyway, I wonder if there are some alternative ways to do this now? I
found someone storing the password in cleartext but that's not a good idea
for me. In theory, can I install another Windows 2008 R2 domain controller
and use Windows SSOD to do the job? And when samba4 finally has the ability
to do the work, I can shut down the Windows domain controller. Is that
workable? Or should I wait for samba 4.1 or even 4.2?





[Samba] samba4 password sync howto?

2013-06-09 Thread d tbsky
hi:
We have some services which store local passwords, and we want to sync
samba4 (4.0.5) passwords to them.

 When we used Windows Server before, we could use SSOD and write our own
program to do that.

 At first I thought it should be easy with settings like below:

 unix password sync = yes
 passwd program = /share/bin/samba_passwd_sync.pl %u
 passwd chat = *new*password* %n\n *changed*
 passwd chat debug = Yes
 log level = 100

But when I try to change the password in Windows ADUC nothing happens. I opened
log.samba and didn't see anything about password sync, and of course the
custom script is not run.

 Do I miss something? Is "unix password sync" supported in samba4? At
least the option is in the man page...

  thanks a lot for help!

Regards,
tbskyd


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-15 Thread d tbsky
2013/4/15 steve 

> Yes. To get the rfc2307 info out from the directory you can use winbind,
> nslcd or sssd on the client. If you want to get all of the rfc2307
> attributes on the DC, your choice is narrowed down to the latter two. As
> Geza posted earlier,  winbind can only manage uidNumber and gidNumber.
>
> I've put our nslcd method here:
> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
> Will post the sssd solution sometime today.
> HTH
> Steve
>

 I remember that the samba team suggests using winbind instead of ldap to
work with a samba server, although I don't know why, or whether it is still true for
a samba 4 DC. So what's the benefit of winbind?
Since RHEL 6 comes with sssd, I think maybe I will use that instead of
winbind. And thanks a lot for your information!!

Regards,
tbskyd


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-15 Thread d tbsky
2013/4/14 Gémes Géza 

>
> Unfortunately the winbind implementation samba as an AD DC uses (the one
> in the samba binary) is not able to read other posix information from AD
> other than the uidNumber and gidNumber.


   I think I can live with that since we use it only for a few people. But
the broken "template homedir" seems a bug to me. Or is it limited by something else
also?


> I have read many times complaints like this, it seems, that some
> distributions/releases bundle a version of samba, that has some bugs, a
> similar setup (just the ranges are different) works for me using ubuntu
> 12.04.
>

   So you mean with samba 4 as DC and samba 3.x as winbind client, you can
get the correct rfc2307 gidNumber (and a working getent group)?

   I don't think the samba 3.x that comes with RHEL has this kind of bug, since they
already have detailed documentation about how to link to Active Directory. And
I also tried the latest binary rpm at the samba web site; the behavior is the
same.

I think the problem is at the server side. I use the Microsoft remote
administration tool (ADUC) under Windows 7 to manage the domain rfc2307
settings; I think maybe that's the problem. Since samba mimics Microsoft AD,
using the Microsoft tool to manage it looks reasonable, even the samba AD DC HOWTO
suggests it. But it seems few people on this email list use that tool?

   And today I found another interesting bug/feature with Windows ADUC. My
short domain name is "DOM", and if I create a group whose name is "dom",
samba4 DC will be angry. "getent group" at the samba4 DC will refuse to return
this entry, and all the entries created after that (with a larger xidNumber)
will also disappear. As long as I rename the group to something else,
"getent group" becomes normal.

Since there are so many strange behaviors, I don't know what's the best
practice to treat a samba 4 DC. But I am glad that at least some people on
the email list do have a working environment. Maybe I can find out what my
problem is one day.

thanks a lot.

Regards,
tbskyd







[Samba] samba4 rfc2307 practice and confuse

2013-04-13 Thread d tbsky
hi:
   I set up a small samba 4.0.5 AD DC server. My clients are Windows 7 and
Linux, and I use Windows 7 with the remote management tools to manage the rfc2307
account settings of the samba4 DC. I hope my users can use the same account to
use Windows and Linux.

  samba4 DC provision command as below:
  samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive

   and smb.conf global section for samba4 DC below:
workgroup = DOM
realm = AD.DOM.COM.TW
netbios name = DC
server role = active directory domain controller
dns forwarder = 10.11.1.254
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind nss info = rfc2307

 Under the samba4 DC, with the "getent passwd" command, the situation is below:
 1. the uid and gid are correct. "getent group" works.
 2. the shell and homedir are not correct. "winbind nss info = rfc2307" is
useless; samba4 always uses the template for "shell" and "homedir". And even
worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
so everyone's homedir is just "/home/%U". However the default "/home/%D/%U"
works if you don't set any "template homedir". So not setting any
"template homedir" is the only way you can get it under the samba4 DC.

Under another Scientific Linux 6.4 workstation (comes with samba 3.6.9; I also
tried 3.6.13), the global section of smb.conf is below:
   workgroup = DOM
   password server = DC.AD.DOM.COM.TW
   realm = AD.DOM.COM.TW
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 2001-3000
   idmap config DOM:backend = ad
   idmap config DOM:default = yes
   idmap config DOM:range = 1000-2000
   idmap config DOM:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

  situation below:
  1. uid, shell, home are correct from rfc2307, but gid is not, and "getent
group" never works.
  2. the gid comes from the domain account's "primary group". So to make my
Linux client work, I need to set a special domain group, set the group's
rfc2307 gidNumber (I set it to number 1000), and change every user's
primary group from "domain users" to the special domain group; then I can
get the correct "getent passwd".

  I searched the samba wiki and email list; there is very little information about
rfc2307 (but many questions and confusion without reply in the email
list), so I post my experience here. And I wonder whether the strange behavior is a
bug or a feature. I wonder what the original design idea was for using rfc2307
under a samba 4 domain?

 thanks for advice.

Regards,
tbskyd


[Samba] samba4 AD DC as file server?

2013-03-11 Thread d tbsky
hi:
   I want to set up a small samba4 server with AD and file server functions.
I know that the samba4 AD DC has no netbios browsing support. Are there other
missing functions, like winbindd or something else?

  And if I install two samba4 instances, one to "/usr/local/samba" (for file
server), one to "/usr/local/samba-ad" (for AD DC), and give them two separate
IPs to bind, will it work better?

   thanks a lot for suggestion!!

Regards,
tbskyd


Re: [Samba] Re: what's good for security=ads ?

2008-09-16 Thread d tbsky
hi:
  thanks a lot for your explanation!!
  I will keep an eye on the Vista issue, although I think we will just
bypass this OS.
  With "security = domain", the "rid" idmap backend seems the best I can get.
  I hope I can migrate to samba 4.0 smoothly in the future.
  Thanks again for your kind help!!

Regards,
tbskyd


[Samba] what's good for security=ads ?

2008-09-16 Thread d tbsky
hi:
   We have a 2003 R2 domain running in 2003 native mode. We
want to set up some samba member file servers. Our clients are Windows
XP.

   I tried samba 3.2 with "security = domain" and "idmap backend = rid".
It seems fine, but I saw there are more advanced options in samba like
"security = ads" and even parameters about "rfc2307" to mix Windows
and samba. They are complex settings and I wonder what benefits they
bring us.

Our situation is: we want to use samba as a file server for Windows
XP, and we have one single 2003 R2 domain. We may want to migrate to
samba 4.0 when it is ready.

Is simple "security = domain" enough, or should we set up
"security = ads" to prepare for the future?

thanks a lot for your help!!