[Samba] Samba Winbind and NTLM

2013-08-28 Thread Dan Bateman
Hi,

I have a setup where two domains exist. One domain is in a DMZ and the other
on an internal network. Both are running Windows 2003 R2. They have an external
NTLM trust set up between them, from DMZ to Internal.

Linux clients in the DMZ are joined to the DMZ AD. I'm trying to get the
Linux clients to authenticate users that exist on the internal AD domain,
but it is failing. When attempting to auth users as INT\username it is
trying to connect to the INT server but can't, as it's in the DMZ. Is there
a way to force clients to negotiate the NTLM trust and avoid attempting to
connect to the INT server, i.e. using the DMZ server to pass through the
authentication? Or set up some sort of NTLM auth?

Windows clients appear to do this without issue.
Thanks,
Dan.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba/winbind UID mismatch.

2013-08-13 Thread Pramod Venugopal
That did not work. But on the bright side, it looks like it is doing that only
for one user and only via smb.

Other services which use the same winbind authentication seem to work fine for
that user, such as ftp and afp. I am going to recreate the user and see if it
resolves the issue.

Thanks for your help.

- Pramod


On Aug 12, 2013, at 4:52 AM, steve st...@steve-ss.com wrote:

 On 12/08/13 13:04, Pramod Venugopal wrote:
 Hello everyone,
 
 I am running Samba 4.0.8 on Arch Linux (installed from the Arch Repo)
 
 I have winbind authentication configured and working. I am able to login via 
 ssh, and at the machine console with my samba credentials. I also have a 
 Windows 8 client and an OS X client which is able to connect to this system 
 via smb.
 
 However, when I create files or directories via smb I seem to have a UID 
 mismatch compared to when I create files/directories via shell or at the 
 console.
 
 When I type id at the shell, it tells me my uid is 318. Files created 
 at the shell or console have this as the owner.
 
 When I copy files via smb the uid is 300.
 
 In idmap.ldb, my xidNumber is 318.
 
 Am I missing something?
 
 Thanks in advance,
 
 - Pramod
 
 
 
 Hi
 A quick fix maybe.
 1. Add the line:
 idmap_ldb:use rfc2307 = Yes
 to smb.conf
 2. add:
 uidNumber: 318
 to the DN of the user
 3. Always work on the DC either by ssh or at the console.
 
 Then the uidNumber will _always_ be 318.
 
 There are many ways to do the same but I don't know Arch so dare not suggest.
 HTH
 Steve
 




Re: [Samba] Samba/winbind UID mismatch.

2013-08-13 Thread Pramod Venugopal
Even stranger. 

This happens only when the user is a member of the domain admins group. When I 
removed the user from Domain Admins, the uid is correct.

On Aug 13, 2013, at 9:06 AM, Pramod Venugopal pra...@dvnull.org wrote:

 That did not work. But on the bright side, it looks like it is doing that 
 only for one user and only via smb. 
 
 Other services which use the same winbind authentication seem to work fine 
 for that user such ftp and afp. I am going to recreate the user and see if it 
 resolves the issue.
 
 Thanks for your help.
 
 - Pramod
 
 
 On Aug 12, 2013, at 4:52 AM, steve st...@steve-ss.com wrote:
 
 On 12/08/13 13:04, Pramod Venugopal wrote:
 Hello everyone,
 
 I am running Samba 4.0.8 on Arch Linux (installed from the Arch Repo)
 
 I have winbind authentication configured and working. I am able to login 
 via ssh, and at the machine console with my samba credentials. I also have 
 a Windows 8 client and an OS X client which is able to connect to this 
 system via smb.
 
 However, when I create files or directories via smb I seem to have a UID 
 mismatch compared to when I create files/directories via shell or at the 
 console.
 
 When I type id at the shell, it tells me my uid is 318. Files created 
 at the shell or console have this as the owner.
 
 When I copy files via smb the uid is 300.
 
 In idmap.ldb, my xidNumber is 318.
 
 Am I missing something?
 
 Thanks in advance,
 
 - Pramod
 
 
 
 Hi
 A quick fix maybe.
 1. Add the line:
 idmap_ldb:use rfc2307 = Yes
 to smb.conf
 2. add:
 uidNumber: 318
 to the DN of the user
 3. Always work on the DC either by ssh or at the console.
 
 Then the uidNumber will _always_ be 318.
 
 There are many ways to do the same but I don't know Arch so dare not suggest.
 HTH
 Steve
 
 




Re: [Samba] Samba/winbind UID mismatch.

2013-08-13 Thread Pramod Venugopal
From a Google search it looks like that is how it was intended.

http://thr3ads.net/samba/2013/03/2189446-Samba4-File-ownership-for-Domain-Admins-members

Thanks for your help.

- Pramod

On Aug 13, 2013, at 9:18 AM, Pramod Venugopal pra...@dvnull.org wrote:

 Even stranger. 
 
 This happens only when the user is a member of the domain admins group. When 
 I removed the user from Domain Admins, the uid is correct.
 
 On Aug 13, 2013, at 9:06 AM, Pramod Venugopal pra...@dvnull.org wrote:
 
 That did not work. But on the bright side, it looks like it is doing that 
 only for one user and only via smb. 
 
 Other services which use the same winbind authentication seem to work fine 
 for that user such ftp and afp. I am going to recreate the user and see if 
 it resolves the issue.
 
 Thanks for your help.
 
 - Pramod
 
 
 On Aug 12, 2013, at 4:52 AM, steve st...@steve-ss.com wrote:
 
 On 12/08/13 13:04, Pramod Venugopal wrote:
 Hello everyone,
 
 I am running Samba 4.0.8 on Arch Linux (installed from the Arch Repo)
 
 I have winbind authentication configured and working. I am able to login 
 via ssh, and at the machine console with my samba credentials. I also have 
 a Windows 8 client and an OS X client which is able to connect to this 
 system via smb.
 
 However, when I create files or directories via smb I seem to have a UID 
 mismatch compared to when I create files/directories via shell or at the 
 console.
 
 When I type id at the shell, it tells me my uid is 318. Files created 
 at the shell or console have this as the owner.
 
 When I copy files via smb the uid is 300.
 
 In idmap.ldb, my xidNumber is 318.
 
 Am I missing something?
 
 Thanks in advance,
 
 - Pramod
 
 
 
 Hi
 A quick fix maybe.
 1. Add the line:
 idmap_ldb:use rfc2307 = Yes
 to smb.conf
 2. add:
 uidNumber: 318
 to the DN of the user
 3. Always work on the DC either by ssh or at the console.
 
 Then the uidNumber will _always_ be 318.
 
 There are many ways to do the same but I don't know Arch so dare not 
 suggest.
 HTH
 Steve
 
 
 




[Samba] Samba/winbind UID mismatch.

2013-08-12 Thread Pramod Venugopal
Hello everyone,

I am running Samba 4.0.8 on Arch Linux (installed from the Arch Repo)

I have winbind authentication configured and working. I am able to login via 
ssh, and at the machine console with my samba credentials. I also have a 
Windows 8 client and an OS X client which is able to connect to this system via 
smb.

However, when I create files or directories via smb I seem to have a UID 
mismatch compared to when I create files/directories via shell or at the console.

When I type id at the shell, it tells me my uid is 318. Files created at 
the shell or console have this as the owner.

When I copy files via smb the uid is 300. 

In idmap.ldb, my xidNumber is 318.

Am I missing something? 

Thanks in advance,

- Pramod




Re: [Samba] Samba/winbind UID mismatch.

2013-08-12 Thread steve

On 12/08/13 13:04, Pramod Venugopal wrote:

Hello everyone,

I am running Samba 4.0.8 on Arch Linux (installed from the Arch Repo)

I have winbind authentication configured and working. I am able to login via 
ssh, and at the machine console with my samba credentials. I also have a 
Windows 8 client and an OS X client which is able to connect to this system via 
smb.

However, when I create files or directories via smb I seem to have a UID 
mismatch compared to when I create files/directories via shell or at the console.

When I type id at the shell, it tells me my uid is 318. Files created at 
the shell or console have this as the owner.

When I copy files via smb the uid is 300.

In idmap.ldb, my xidNumber is 318.

Am I missing something?

Thanks in advance,

- Pramod




Hi
A quick fix maybe.
1. Add the line:
idmap_ldb:use rfc2307 = Yes
to smb.conf
2. add:
uidNumber: 318
to the DN of the user
3. Always work on the DC either by ssh or at the console.

Then the uidNumber will _always_ be 318.

There are many ways to do the same but I don't know Arch so dare not 
suggest.

HTH
Steve



[Samba] winbind sometimes only get partial groups

2013-08-05 Thread d tbsky
hi:
I set up a samba4 DC server with a Windows client and 6 Linux
workstations. The Windows client works fine, but the Linux samba clients are strange.
I have one user, which belongs to 21 AD groups, but groups my-user only
returns some of them. At one workstation it may return all 21 groups,
but others return 18 or 19 groups, and at one specific workstation it only
returns 1 group!!

   I back up /var/lib/samba/*.tdb and issue the command: service winbind
stop; rm -f /var/lib/samba/*; service winbind start. Then I get all 21
groups with groups my-user. After that I restore the backup of
/var/lib/samba/*.tdb, and I only get a few groups as before.

  The strangest part is that if I delete the tdb files at /var/lib/samba one
by one, the returned information of groups my-user won't change. Only
when I remove all the tdb files at once do I get a different result from
groups my-user.

  I have good and broken /var/lib/samba/*.tdb files in hand if someone
wants to check.
  My server and client environment is below. Thanks a lot for the help!!

server environment: Scientific Linux 6.4 64bit with samba 4.0.5, 4.0.7
(I compiled and tested these two versions).
client environment: Scientific Linux 6.4 64bit with samba 3.6.9 (comes
with the Linux distribution).

samba4 server configuration:
[global]
workgroup = MY-DOMAIN
realm = AD.MY-DOMAIN.COM
netbios name = DC
server role = active directory domain controller
dns forwarder = 10.11.1.3
idmap_ldb:use rfc2307 = yes
# resolve interface bug
interfaces = 127.0.0.1 10.11.1.2
bind interfaces only = Yes
strict allocate = yes
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
winbind use default domain = yes
# winbind nss info = rfc2307
# DC won't read rfc2307 shell and home
# template homedir = /share/samba/home/%U
template shell = /sbin/nologin
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ad.my-domain.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


samba3 client workstation configuration. All 6 clients are the same:

[global]
   workgroup = MY-DOMAIN
   realm = AD.MY-DOMAIN.COM
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 3001-4000
   idmap config MY-DOMAIN:backend = ad
   idmap config MY-DOMAIN:default = yes
   idmap config MY-DOMAIN:range = 1000-3000
   idmap config MY-DOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = no
   winbind use default domain = yes
   winbind offline logon = yes


[Samba] Wheezy Samba+Winbind+AD+PAM

2013-07-28 Thread Aaron Gibson

Greetings fellow Samba enthusiasts!

I am having an issue after upgrading to the latest version of wheezy 
from my former squeeze on my testing node.
I am unable to log in anymore as my AD user erin. I can do the following 
commands successfully but not getent passwd erin or logging in to the 
system via the console.
It is currently a fresh install; all I did was copy my krb.conf, 
samba.conf, and pam.d/* directories or files over. I also installed all 
the packages I thought I needed. I have this same setup working on 7 other 
(squeeze) machines and I have no issue with them at all.
I am enclosing a couple of pastebins as well. There is a lot of information 
to look at.
If you have any questions or need more info send me an email and I will 
respond after work tonight.


Thanks so much!
Aaron G.

##INFO 

PASTEBIN:
http://sprunge.us/MXbS

ERROR:
root@testing:~# login erin
Password:

Login incorrect
testing login: ^C
root@testing:~# tail /var/log/auth.log

Jul 11 04:14:44 testing login[4821]: pam_securetty(login:auth): access 
denied: tty '/dev/pts/0' is not secure !
Jul 11 04:14:50 testing login[4821]: pam_unix(login:auth): check pass; 
user unknown
Jul 11 04:14:50 testing login[4821]: pam_unix(login:auth): 
authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= 
rhost=
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): getting 
password (0x0050)
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): 
pam_get_item returned a password
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): user 
'erin' granted access
Jul 11 04:14:53 testing login[4821]: FAILED LOGIN (1) on '/dev/pts/0' 
FOR 'UNKNOWN', User not known to the underlying authentication module

root@testing:~#

root@testing:~# ./samba-check.sh
+ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: e...@thrace.lan

Valid starting     Expires            Service principal
10/07/2013 20:27  11/07/2013 06:26  krbtgt/thrace@thrace.lan
renew until 11/07/2013 20:27
+ net ads info
LDAP server: 192.168.1.219
LDAP server name: bkdc.thrace.lan
Realm: THRACE.LAN
Bind Path: dc=THRACE,dc=LAN
LDAP port: 389
Server time: Thu, 11 Jul 2013 04:14:43 EDT
KDC server: 192.168.1.219
Server time offset: -51
+ wbinfo -u
guest
administrator
krbtgt
teddy
erin
camaron
sarah
matt
ripper
nancy
summer
justin
dummy
pcthrace
nathan
+ wbinfo -g
domain computers
cert publishers
domain users
domain guests
ras and ias servers
domain admins
schema admins
enterprise admins
group policy creator owners
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
read-only domain controllers
domain controllers
dnsadmins
dnsupdateproxy
nagios
http
ssh
lan-login
computers-group
+ getent passwd erin
root@testing:~#



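The auth.log excerpt above contains two separate signals that are easy to conflate: pam_winbind reports that 'erin' was granted access (the password was verified against AD), while login(1) then fails with "User not known to the underlying authentication module", which is the same account-resolution failure that an empty `getent passwd erin` shows. The following is an added example, not code from the post or from the Samba project: a small Python triage script that groups PAM lines per login process and classifies each session. The sample log is constructed from the lines in the post (re-joined onto single lines) plus one made-up successful session; the verdict names and the suggested checks are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log excerpt from the post above with its wrapped
# lines re-joined, plus a second, made-up session (pid 4902) that succeeded.
SAMPLE_AUTH_LOG = """\
Jul 11 04:14:44 testing login[4821]: pam_securetty(login:auth): access denied: tty '/dev/pts/0' is not secure !
Jul 11 04:14:50 testing login[4821]: pam_unix(login:auth): check pass; user unknown
Jul 11 04:14:50 testing login[4821]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): getting password (0x0050)
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): pam_get_item returned a password
Jul 11 04:14:50 testing login[4821]: pam_winbind(login:auth): user 'erin' granted access
Jul 11 04:14:53 testing login[4821]: FAILED LOGIN (1) on '/dev/pts/0' FOR 'UNKNOWN', User not known to the underlying authentication module
Jul 11 04:20:02 testing login[4902]: pam_unix(login:auth): check pass; user unknown
Jul 11 04:20:02 testing login[4902]: pam_winbind(login:auth): user 'teddy' granted access
Jul 11 04:20:02 testing login[4902]: pam_unix(login:session): session opened for user teddy by LOGIN(uid=0)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
GRANTED_RE = re.compile(r"pam_winbind\([^)]*\): user '(?P<user>[^']+)' granted access")
UNKNOWN_ACCOUNT = "User not known to the underlying authentication module"

# Defender-side checks for the mismatch case; the wording is this example's own.
NSS_ADVICE = (
    "pam_winbind accepted the password, but login(1) could not resolve the "
    "account: confirm 'winbind' is on the passwd and group lines of "
    "/etc/nsswitch.conf, that winbindd is running with an idmap range for the "
    "domain, and that 'getent passwd <user>' returns a line."
)


def parse_auth_log(text):
    """Return one dict (ts, host, prog, pid, msg) per line in syslog shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage_logins(text):
    """Group PAM lines by login process and classify each session.

    Verdicts:
      nss_lookup_failed  winbind granted access but the account is unknown to
                         the NSS side (the 'getent passwd' half of the problem)
      ok                 winbind granted access and a session was opened
      granted_no_session access granted, no session line seen (inconclusive)
      auth_failed        no PAM module granted access
    """
    sessions = defaultdict(list)
    for ev in parse_auth_log(text):
        sessions[(ev["host"], ev["prog"], ev["pid"])].append(ev["msg"])

    findings = []
    for (host, prog, pid), msgs in sessions.items():
        granted = [m.group("user") for m in map(GRANTED_RE.search, msgs) if m]
        unknown_account = any(UNKNOWN_ACCOUNT in m for m in msgs)
        session_opened = any("session opened for user" in m for m in msgs)
        # pam_securetty refusing the tty is a separate signal from the NSS
        # problem; it is reported alongside so the reader does not mix them up.
        securetty_denied = any(
            m.startswith("pam_securetty") and "access denied" in m for m in msgs
        )
        if granted and unknown_account:
            verdict, advice = "nss_lookup_failed", NSS_ADVICE
        elif granted and session_opened:
            verdict, advice = "ok", ""
        elif granted:
            verdict, advice = "granted_no_session", ""
        else:
            verdict, advice = "auth_failed", ""
        findings.append({
            "host": host, "prog": prog, "pid": pid,
            "user": granted[0] if granted else None,
            "verdict": verdict,
            "securetty_denied": securetty_denied,
            "advice": advice,
        })
    return sorted(findings, key=lambda f: int(f["pid"]))


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_AUTH_LOG):
        print(f"{f['host']} {f['prog']}[{f['pid']}] user={f['user']} -> {f['verdict']}")
        if f["advice"]:
            print("  " + f["advice"])
```

Run against a real /var/log/auth.log the script does nothing more than group and label; the value is that it keeps "authentication succeeded" (pam_winbind) and "identity could not be resolved" (NSS/winbindd idmap) apart, which is exactly the split between `wbinfo -u` listing erin and `getent passwd erin` printing nothing in the post.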


Re: [Samba] Samba/Winbind GID/IDs not the same using AD RID

2013-07-25 Thread Rowland Penny
Typo?

 idmap config THRACE : backed = rid

should be

 idmap config THRACE : backend = rid

I also suggest that you remove these lines

password server = livia bkdc

Socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

ldap ssl = no


Rowland

On 24 July 2013 23:00, erin gibson bbelt1...@gmail.com wrote:

 Hello everyone,
 I recently upgraded to wheezy debian and the syntax of the smb.conf changed
 when I moved up versions. It took about a week but I think I am almost
 there. I got my systems to join the Win2008 domain and can authenticate and
 login on linux now with my AD users.

 Now I just need to figure out how to change my SID and GID of my users and
 groups. On some systems they are the same and on a few others they are
 different. I am not sure if I am using the right method for my smb.conf or
 not.

 here are my pastebin details.
 http://sprunge.us/BgAW

 http://pastebin.com/YHWSC7DK



 Thanks
 Erin

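Both the "backed" vs "backend" typo Rowland points out here and the six-client idmap configuration posted in the "winbind sometimes only get partial groups" thread above are the kind of smb.conf mistake that winbind accepts silently and that only shows up later as wrong or missing uid/gid mappings. The following is an added example, not code from either post or from the Samba project: a Python checker that parses the `idmap config DOMAIN:option = value` lines of an smb.conf, flags unknown option names with a closest-match hint, requires a `*` default domain and a range per domain, and verifies that the ranges do not overlap. The list of known option names is an assumption of the example (it is partial; backends add their own), the first sample config is the one from the partial-groups post, and the second is constructed to carry the typo from this thread plus an overlapping range.

```python
import re
from difflib import get_close_matches

# Known "idmap config DOMAIN:option" names. This list is an assumption of the
# example and deliberately partial (Samba backends add their own); anything
# not listed is reported as a warning, not an error.
KNOWN_IDMAP_OPTIONS = {
    "backend", "range", "schema_mode", "default", "base_rid",
    "unix_primary_group", "unix_nss_info",
}

# Matches "idmap config <domain> : <option> = <value>", spaces optional.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>[^=]+?)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Collect {DOMAIN: {option: value}} from smb.conf text (comments skipped)."""
    cfg = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["opt"].strip().lower()] = m["val"]
    return cfg


def parse_range(val):
    """'low-high' -> (low, high), or None when malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", val)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def check_idmap(conf):
    """Return a list of 'ERROR: ...'/'WARN: ...' strings; empty means clean."""
    cfg = parse_idmap(conf)
    findings = []
    if "*" not in cfg:
        findings.append("ERROR: no 'idmap config *' block; winbind needs a default domain")
    ranges = {}
    for dom, opts in cfg.items():
        for opt in opts:
            if opt not in KNOWN_IDMAP_OPTIONS:
                hint = get_close_matches(opt, KNOWN_IDMAP_OPTIONS, n=1)
                suffix = f" (did you mean '{hint[0]}'?)" if hint else ""
                findings.append(f"WARN: {dom}: unknown option '{opt}'{suffix}")
        if "backend" not in opts:
            findings.append(f"WARN: {dom}: no backend set; lookups fall through to the '*' backend")
        if "range" not in opts:
            findings.append(f"ERROR: {dom}: no range set")
            continue
        r = parse_range(opts["range"])
        if r is None:
            findings.append(f"ERROR: {dom}: malformed range '{opts['range']}'")
        else:
            ranges[dom] = r
    # Ranges must be disjoint: sort by low end and compare neighbours.
    ordered = sorted(ranges, key=lambda d: ranges[d])
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            findings.append(
                f"ERROR: ranges overlap: {a} {ranges[a][0]}-{ranges[a][1]} "
                f"and {b} {ranges[b][0]}-{ranges[b][1]}"
            )
    return findings


# The six-client configuration posted in the "partial groups" thread above.
CLIENT_CONF = """\
[global]
   workgroup = MY-DOMAIN
   realm = AD.MY-DOMAIN.COM
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 3001-4000
   idmap config MY-DOMAIN:backend = ad
   idmap config MY-DOMAIN:default = yes
   idmap config MY-DOMAIN:range = 1000-3000
   idmap config MY-DOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
"""

# Constructed: the 'backed' typo from this thread plus an overlapping range.
TYPO_CONF = """\
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 4000-6000
   idmap config THRACE : backed = rid
   idmap config THRACE : range = 3000-5000
"""

if __name__ == "__main__":
    for name, conf in (("client", CLIENT_CONF), ("typo", TYPO_CONF)):
        print(f"== {name}")
        for f in check_idmap(conf) or ["clean"]:
            print("  " + f)
```

The checker is purely lexical, so it runs without winbind installed and before `testparm`; a misspelled option is the one class of error `testparm` will not complain about, because `idmap config` values are free-form strings handed to the backend at runtime.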


Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread L . P . H . van Belle
Hijacked the winbind thread.. but.. 


Really,.  


  If you want my opinion and you probably don't, people need to stop
  thinking NT server if they connect to a samba4 AD server and start
  thinking AD server, they are totally different.
  

.  Novell NDS is much better than MS's (NDS-copied) AD,  
but that's not the issue. 

Also, a big point is not thinking in AD; it's making better manuals/howtos based on 
real-world examples.
I've been working with Novell/Windows for over 20 years now. Linux about 15. 
And really, the manuals and howtos aren't easy to read, sorry.. that is for me 
since I'm Dutch. 

There are too many scenarios, and combined with the wiki, it's a mess in my 
head... 

Some simplified howtos would be nice. Like for example. 
( choose ) 
- Single server setup, with samba4 AD, choose internal dns or bind. etc.. 
- 2 Samba4 DC servers, using bind, etc. etc. 
- 1 samba4 server, added to windows AD. 
- 1 windows server, added to samba4 ad. 
- 2 samba4 DC servers and 1 remote samba DC server. 
These 5 are the start of all other scenarios. 
( some extras ) 
- samba4 setup with DRBD or GLUSTER  ( since it's default in most distros )  

( management ) 
GUI - Windows tools
CLI - some needed commands as examples. 
etc .. 

Put the pros/cons in a matrix: what works, what doesn't. 
And I'd prefer something like this with, for example, the SerNet packages. 
This way it's always the same, no compiling needed, so fewer questions here,
and bugs are found faster. Looks like a win-win to me. 
And if a setup is made for example with Ubuntu, it's usable for all Debian-based 
installs. 
Same for CentOS/Red Hat. 

I'm using this strategy for all the servers I install and manage.
Bugs are found and fixed very fast with upstream packages. 

I don't compile on any production server, and neither should anyone else. 

Any suggestions, samba team? Please do so, let's make the best software even 
better. 
My currently running setup was done by howto ( made my own at the time ), and has been 
running since 2004,
with 0 errors; ok, some failing hardware, but samba never let me down. 
I still use the manual to install new servers in my environment now. 

I've been testing samba4 since alpha 8, and for now I'm still not running it. 
Why? Setting up samba4 is too complex in my situation. Yes, the documentation is 
good, but for me it's too much.
But if it's like that for me, how about other people... What would you like to see to 
simplify the samba4 install? 

A simple thing such as installing samba4 and adding it as a DC to a windows domain: 
really, try it with only the wiki info. Such a simple thing like this is 
explained in a very complex way in the wiki.

But ok, this is my point of view. 

I do like samba, but the wiki/howtos have lots to improve. 

I promise the samba community: when I start my install, I'll document it and 
make a nice howto of it. 
A howto everyone can read and understand.  ( will be Debian/Ubuntu based, with 
SerNet packages ) 

Still, samba team/SerNet team, thanks for providing this software, let's make it 
better, all of us. 
There are lots of very good people here on the mailing list who have the knowledge 
to make such howtos. 

Oh... and sorry for my bad English..  ;-) I don't write much in English these 
days. 

Best regards, 

Louis




Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
 hijacked the winbind threat.. but.. 
 

Don't feel threatened. There _are_ alternatives.

 
 I do like samba, but wiki/howtos are lots to improve.

To be fair, it's not just Samba. It's most open source stuff. There are
too many hobbyists and armchair users. As joe public, what we should be
doing is not criticising the devs for their poor documentation. We
should be writing it ourselves at our own level. Let the devs enjoy
their C and let's thank them for the code. It's not down to them to
document it for end users. I doubt that Microsoft would allow their
coders anywhere near the end user documentation department.

Anyway, hopefully complex DCs and windows domains will soon be a thing
of the past. You don't need winbind for Cloud. You won't need sysadmins
either. Just someone who can read the quickstart guide.

Just my €0.02



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread Paul D. DeRocco
 From: steve
 
 On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
  
  I do like samba, but wiki/howtos are lots to improve.
 
 To be fair, it's not just Samba. It's most open source stuff. 
 There are
 too many hobbyists and armchair users. As joe public, what we 
 should be
 doing is not criticising the devs for their poor documentation. We
 should be writing it ourselves at our own level. Let the devs enjoy
 their C and let's thank them for the code. It's not down to them to
 document it for end users. 

It's a little hard to write documentation when all you've got is a million
questions and no answers. The only people who actually have the answers are
the developers. I wish developers would routinely budget, oh, 10% of their
time to writing docs. I spend at least twice that much on documenting my own
software, because I find it helps me write better organized code if I first
have to explain what it's going to do, or how to use it. Write the manual
first, then implement it, modifying the manual as you discover logical flaws
during the process of writing and debugging.

 I doubt that Microsoft would allow their
 coders anywhere near the end user documentation department.

I don't know what they do at Microsoft, but there must be some organized way
of getting the software writers to convey the information to the people who
actually write the documentation. In my opinion (as someone who's been
spending a big chunk of his life reading documentation lately), the MSDN
content ranges from marginal to excellent, while Linux-land documentation
ranges from practically non-existent (e.g., ALSA) to very good (the kernel
man pages). So far, I think Samba's docs get about a C-, but that's because
I know next to nothing about networking; they may look much better to
someone who already knows all about SMB from the Windows world.

-- 

Ciao,   Paul D. DeRocco
Paul    mailto:pdero...@ix.netcom.com



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
  From: steve
  
  On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
   
   I do like samba, but wiki/howtos are lots to improve.
  
  To be fair, it's not just Samba. It's most open source stuff. 
  There are
  too many hobbyists and armchair users. As joe public, what we 
  should be
  doing is not criticising the devs for their poor documentation. We
  should be writing it ourselves at our own level. Let the devs enjoy
  their C and let's thank them for the code. It's not down to them to
  document it for end users. 
 
 It's a little hard to write documentation when all you've got is a million
 questions and no answers. The only people who actually have the answers are
 the developers.

Hi
That's not the case. They are too far removed from being an end user let
alone a beginner.

You're just about to solve an issue that you have raised in this thread.
As soon as you have it solved then document it in your own words: your
own notes in case you get the issue again. It's a small step from there
to tidy it up a bit and blog or wiki it. You have the opportunity of
using the non-jargon, non-technical language end users hate. Other end
users will hit the blog like it's going out of fashion. There's a demand
for this level of documentation.

Salu2
Steve




Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread L . P . H . van Belle
Look, you're still not getting the point, Steve. 
Yes, you made some good howtos, I've read them. 

But because there are so many options, so many roads to Rome... 
It's hard to decide what to use. 
Yes, developers need to be developers, but if the developers don't document,
who can then make the documentation? So yes, the devs need to do some 
documentation.
And what there is, is good, that's not the point. 

My point is, there are lots of people installing samba4, in different ways. 
It would be nice if there were some guidelines on how to set up such a thing. 
And yes, even Microsoft or Novell have such guidelines. But that's not the 
point. 

I'm asking here if the people who really understand samba4, and this can be 
dev or community people,
can make some simple howtos. As I already said, I'm going to make one, like the 
one before. 
For example look at my old setup. 
http://lists.samba.org/archive/samba/2005-December/114817.html 
It's still usable, ok, the layout is a bit messed up, but it still works. 
( don't be too hard on it, it was my first howto. ) 

And, as stated in 2005... 

quote 
I try to give a complete solution for this how-to, 
this is because lots of people were asking the same things on 
the samba list and lots of people make the same mistakes.


And all these same questions are taking precious time from the devs. 

Samba4 can be much, much better in use when there are better howtos.
Which don't need compiling, to make it more accessible for others,
and most important, no compiling software on production servers, it's not safe 
and not needed!
Keep things as standard as they can be; your life gets so much easier if you do.
For example, my backups are just /etc /home/MYDATA and my ldap export.
If I have a crash, happened 1 time, I just reinstall my server, put back my 
configs,
and reset rights if needed; I'm always up and running within 1-2 hours. ( with 
about 40-60GB data ) 
Even if my building burns out. ( ok, tape restore takes 1.5 hours, so total 
restore time 3-4 hours ) 
I can replicate every installation very easily because of no compiling, and keep 
it as standard as I can.
Debian is a star at keeping the install files original, and using include.d dirs 
for extra settings. 
This is power in upgrading and reinstalls. 

That's my point. 

So let's help one another; I'm looking for SerNet-based howtos, please e-mail 
them to me if you have one.
I'll try to make a new big howto for samba. 


Louis





-Original message-
From: st...@steve-ss.com [mailto:samba-boun...@lists.samba.org] 
On behalf of steve
Sent: Wednesday, 24 July 2013 11:08
To: samba@lists.samba.org
Subject: Re: [Samba] RE Samba (winbind) troubles

On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
  From: steve
  
  On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
   
   I do like samba, but wiki/howtos are lots to improve.
  
  To be fair, it's not just Samba. It's most open source stuff. 
  There are
  too many hobbyists and armchair users. As joe public, what we 
  should be
  doing is not criticising the devs for their poor documentation. We
  should be writing it ourselves at our own level. Let the devs enjoy
  their C and let's thank them for the code. It's not down to them to
  document it for end users. 
 
 It's a little hard to write documentation when all you've got is a million
 questions and no answers. The only people who actually have the answers are
 the developers.

Hi
That's not the case. They are too far removed from being an end user let
alone a beginner.

You're just about to solve an issue that you have raised in 
this thread.
As soon as you have it solved then document it in your own words: your
own notes in case you get the issue again. It's a small step from there
to tidy it up a bit and blog or wiki it. You have the opportunity of
using the non jargon, non technical language end users hate. Other end
users will hit the blog like it's going out of fashion. There's a demand
for this level of documentation.

Salu2
Steve







Re: [Samba] Winbind troubles

2013-07-24 Thread Jonathan Buzzard
On Wed, 2013-07-24 at 00:49 +0200, steve wrote:

[SNIP]

 For the record, sssd pulls all its info from AD.

I never said otherwise.

  A user does not need a gidNumber, it is drawn from the
  primaryGroupID. For Linux clients it is vital that whatever the
  primaryGroupID is contains the gidNumber attribute. sssd does the
  rest.

Hum, according to Rowland it uses the gidNumber in the user's DN, though
his posted proof was flawed and it could have been coming from the
gidNumber of the user's primary group just as Winbind does. I have
browsed the source code for sssd but it is not immediately obvious where
it is getting the info from. So which one does it really use?

  I see that the classicupgrade retains the user gidNumber so
  maybe we should keep it in the DN of not only the primaryGroup but
  also in the DN for new users too. For compatibility?  

Like I said, best practice is probably to keep them the same. The thing
with RFC2307 is that it is for storing Unix attributes in LDAP and we
are talking about storing Unix attributes in AD which is not quite the
same thing. Ideally the gidNumber field in the user's entry should be a
derived field similar to the memberOf fields.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-24 Thread Rowland Penny
On 24 July 2013 11:59, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 Hum, according to Rowland it uses the gidNumber in the user's DN, though
 his posted proof was flawed and it could have been coming from the
 gidNumber of the user's primary group just as Winbind does. I have
 browsed the source code for sssd but it is not immediately obvious where
 it is getting the info from. So which one does it really use?

   I see that the classicupgrade retains the user gidNumber so
   maybe we should keep it in the DN of not only the primaryGroup but
   also in the DN for new users too. For compatibility?

 Like I said, best practice is probably to keep them the same. The thing
 with RFC2307 is that it is for storing Unix attributes in LDAP and we
 are talking about storing Unix attributes in AD which is not quite the
 same thing. Ideally the gidNumber field in the user's entry should be a
 derived field similar to the memberOf fields.




Look you prat, I agreed with you that it is best practice to keep the user's
gidNumber & primaryGroupID the same, I also said that it probably does not
matter where the gidNumber comes from as long as it is the right one.

The storage of Unix attributes in AD is what windows does so it must be done
the way that windows does it.

I also said that we were never going to agree on this, this was a hint,
PLEASE SHUT UP!

Rowland


Re: [Samba] Winbind troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 11:59 +0100, Jonathan Buzzard wrote:
 On Wed, 2013-07-24 at 00:49 +0200, steve wrote:
 
 [SNIP]
 
   For the record, sssd pulls all its info from AD.
 
 I never said otherwise.
 
    A user does not need a gidNumber, it is drawn from the
    primaryGroupID. For Linux clients it is vital that whatever the
    primaryGroupID is contains the gidNumber attribute. sssd does the
    rest.
 
 Hum, according to Rowland it uses the gidNumber in the users DN,

He was correct. I was wrong in assuming that you needed no gidNumber in
the user DN. It is indeed the gidNumber that is used for rfc2307,
exactly as openLDAP.

I apologise for misleading the list before I tested it live.
Cheers,
Steve




Re: [Samba] Winbind troubles

2013-07-24 Thread Jonathan Buzzard
On Wed, 2013-07-24 at 14:09 +0200, steve wrote:

[SNIP]

  Hum, according to Rowland it uses the gidNumber in the users DN,
 
 He was correct. I was wrong in assuming that you needed no gidNumber in
 the user DN. It is indeed the gidNumber that is used for rfc2307,
 exactly as openLDAP.

Thank you for the clarification. I do feel that the winbind approach is
the better of the two when interacting with an Active Directory
controller as opposed to an LDAP server.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



[Samba] Samba/Winbind GID/IDs not the same using AD RID

2013-07-24 Thread erin gibson

Hello everyone,
I recently upgraded to wheezy debian and the syntax of the smb.conf
changed when I moved up versions. It took about a week but I think I am
almost there. I got my systems to join the Win2008 domain and can
authenticate and login on linux now with my AD users.


Now I just need to figure out how to change the SID and GID of my users
and groups. On some systems they are the same and on a few others they are
different. I am not sure if I am using the right method for my smb.conf
or not.


here are my pastebin details.
http://sprunge.us/BgAW

http://pastebin.com/YHWSC7DK



Thanks
Erin



Re: [Samba] Winbind troubles

2013-07-23 Thread L . P . H . van Belle
Hi,


I'm having exactly the same problem with winbind as Matthew Daubenspeck,
also on ubuntu 12.04 with sernet packages (used sernet-samba-winbind 4.0.7).

I removed the complete config atm and am at the point of reinstalling now.
I'll wait with that until you put your howto up.
I can't lose the rfc2307 :-(
and I can't lose control over uidNumber, gidNumber, home directories and login
shells.
and I'm adding a second DC later on, but what's the difference between RID and AD
exactly?
or just these 4 things?

I'll go try the sssd as suggested below on ubuntu 12.04. 



Best regards, 

Louis


-----Original message-----
From: rowlandpe...@googlemail.com
[mailto:samba-boun...@lists.samba.org] On behalf of Rowland Penny
Sent: Monday, 22 July 2013 23:45
To: steve
CC: samba@lists.samba.org
Subject: Re: [Samba] Winbind troubles

If you want my opinion, this is just another example of why not to use
winbind, if you can wait until tomorrow , I will send you an 
howto on sssd
on Ubuntu 12.04

Rowland
On Jul 22, 2013 10:36 PM, steve st...@steve-ss.com wrote:

 On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
  On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
  OK, that seems like it should work, I had the winbind ad backend
  working, but found it difficult to setup so jumped ship to sssd
  The idmap setup I used was:
  idmap config *:backend = tdb
  idmap config *:range = 1100-2000
  idmap config DOMAIN:backend = ad
  idmap config DOMAIN:schema_mode = rfc2307
  idmap config DOMAIN:range = 1-310
  As you can see the number ranges are the opposite way round to what
  you have i.e. config*:range is lower than DOMAIN:range
  You could also try (as a test) changing backend = ad to backend = rid,
  this will ignore the rfc2307 bit but will test the connect to the AD
  server.
  Rowland
 
  Changing the above ranges made no difference. However, changing backend
  = rid gets me:
 
  root@srv2:~# getent passwd administrator
  administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

 Amazing;)
 
  That seems to be working perfectly. What would I be losing without
  rfc2307 (please excuse the ignorance)?

 You'd lose control over uidNumber, gidNumber and you wouldn't be able to
 specify your own home directories and login shells. It's also a
 nightmare if you add a second DC.







Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 09:40 +0200, L.P.H. van Belle wrote:
 Hi,
 
 
 I'm having exactly the same problem with winbind as Matthew Daubenspeck,
 also on ubuntu 12.04 with sernet packages (used sernet-samba-winbind 4.0.7).
 
 I removed the complete config atm and am at the point of reinstalling now.
 I'll wait with that until you put your howto up.
 I can't lose the rfc2307 :-(
 and I can't lose control over uidNumber, gidNumber, home directories and login
 shells.
 and I'm adding a second DC later on, but what's the difference between RID and
 AD exactly?
 or just these 4 things?

With AD you get exactly what _you_ put into the directory. There are no
algorithms or separate databases used to confuse an already complicated
issue. You put rfc2307 in AD and you get it back out when you need it,
e.g. when a user logs in.
 
 I'll go try the sssd as suggested below on ubuntu 12.04. 

+1
sssd just works: there is plain English documentation available and you
get rfc2307 out of the box. The same day;)

otoh, if you must stick with winbind there are reports of success here.
Just one more thought to bugzilla it.

Good luck!



Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 10:15 +0200, steve wrote:

[SNIP]

 
 +1
 sssd just works: there is plain English documentation available and you
 get rfc2307 out of the box. The same day;)
 
 otoh, if you must stick with winbind there are reports of success here.
 Just one more thought to bugzilla it.
 

Winbind just works if you configure it properly. There is also plain
English documentation available for winbind as well. The problem is that
Matthew either did not read it or did not follow it. From man idmap_ad:

The writeable default config is also needed in order to be able to
create group mappings. This catch-all default idmap configuration
should have a range that is disjoint from any explicitly configured
domain with idmap backend ad.

This is where Matthew went wrong, it's right there in the man page
(unlike three years ago). There is also a large smattering of posts
from myself on this list over the last two years on how important it is
not to have overlapping ranges for the local allocatable range. If you
do, it simply does not work.

It's probably still not working for him because he needs to clear the
now polluted cache/database that winbind has created from previous
attempts. Using net cache flush might work. Personally I would stop
samba, delete the tdb files and start it again, redo the domain join and
try it.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

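The man idmap_ad requirement quoted above, that the catch-all "*" range be disjoint from every domain range configured with the ad backend, is a semantic constraint, and a syntax-only check of smb.conf will not catch a violation. The following is an added example, not code from the thread or from the Samba project: a small Python checker over two constructed smb.conf fragments (the EXAMPLE domain and all of its ranges are invented) that parses the idmap config range lines and reports any pair of ranges that overlap.

```python
"""Check that smb.conf idmap ranges are pairwise disjoint.

Added example, not Samba code. The two configuration fragments below are
constructed: the EXAMPLE domain and its ranges are invented.
"""
import re
from itertools import combinations

# "idmap config <domain> : range = <lo>-<hi>"; <domain> may be "*".
RANGE_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:=\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)$",
    re.IGNORECASE,
)
BACKEND_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:=\s]+)\s*:\s*backend\s*=\s*(?P<backend>\w+)$",
    re.IGNORECASE,
)

# BROKEN_CONF has the mistake the thread describes: the catch-all "*"
# range overlaps the range of the domain that uses the ad backend.
BROKEN_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-30000
"""

# FIXED_CONF keeps the catch-all range below the domain range, disjoint from it.
FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 1100-2000
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-30000
"""


def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (lo, hi)}} from smb.conf text.

    Domain names are upper-cased for comparison (an assumption of this
    checker, not a statement about Samba's own parsing). Lines that are
    not idmap backend/range settings are ignored.
    """
    domains = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"{m['domain']}: range {lo}-{hi} is reversed")
            domains.setdefault(m["domain"].upper(), {})["range"] = (lo, hi)
            continue
        m = BACKEND_RE.match(line)
        if m:
            domains.setdefault(m["domain"].upper(), {})["backend"] = m["backend"].lower()
    return domains


def find_problems(domains):
    """List human-readable problems; an empty list means the ranges are disjoint."""
    problems = []
    if "range" not in domains.get("*", {}):
        problems.append("no 'idmap config * : range' set for the catch-all backend")
    for name, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{name}: backend configured but no range")
    ranged = [(n, c["range"]) for n, c in domains.items() if "range" in c]
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            problems.append(f"ranges for {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems


def check_conf(conf_text):
    """Parse and check one smb.conf text; returns the list of problems."""
    return find_problems(parse_idmap(conf_text))


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_conf(conf) or ["ok"])
```

Pointing `check_conf` at the text of a real smb.conf before restarting winbind catches the overlap early; once winbind has allocated IDs from an overlapping range, the thread's advice about clearing the polluted tdb files applies on top of fixing the ranges.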


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:

 
 It's probably still not working for him because he needs to clear the
 now polluted cache/database that winbind has created from previous
 attempts. Using net cache flush might work. Personally I would stop
 samba, delete the tdb files and start it again, redo the domain join and
 try it.

Just thought about nscd too. On some distros it's default. . .
Cheers,
Steve




Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
 On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
 
  
  It's probably still not working for him because he needs to clear the
  now polluted cache/database that winbind has created from previous
  attempts. Using net cache flush might work. Personally I would stop
  samba, delete the tdb files and start it again, redo the domain join and
  try it.
 
 Just thought about nscd too. On some distros it's default. . .

Good point, never run winbind and nscd at the same time on the same box.
It's a recipe for trouble.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 10:05, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 This is where Matthew went wrong, it's right there in the man page
 (unlike three years ago). There are also a large smattering of posts
 from myself on this list over the last two years on how important it is
 not to have overlapping ranges for the local allocatable range. If you
 do it simply does not work.



OK, I see where you are coming from, but until testparm starts saying 'this
will not work because' people will keep on having problems with winbind.
Also, why do you need to set up the ranges anyway? The user and group ranges
are already set by the admin in uidNumber & gidNumber, so again why do they
need setting in smb.conf? IMHO the setting should be 'idmap config:backend
= ad' and that should make winbind pull all the rfc2307 items for a user or
group.


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:

[SNIP]

 
 OK, I see where you are coming from, but until testparm starts saying
 'this will not work because' people will keep on having problems with
 winbind, also why do you need to set up the ranges anyway.

testparm does not guarantee a working configuration, it guarantees that
you don't have any invalid configuration lines from a syntactic point of
view.

I fully appreciate that it can seem confusing. I know three years ago
when I first set it up I ended up reading large chunks of this mailing
lists archive to find a single posts that told me what I was doing
wrong. At the time the idmap_ad manual page did not hold the necessary
information.

However today in mid 2013, the manual page is accurate and there are a
*lot* more posts in the mailing list on how to set it up.

  The user and group ranges are already set by the admin in uidNumber &
 gidNumber, so again why do they need setting in smb.conf, IMHO the
 setting should be 'idmap config:backend = ad' and that should make
 winbind pull all the rfc2307 items for a user or group

The issue is that winbind needs somewhere to allocate UIDs and GIDs
for the BUILTIN backend. As such it does not know in advance what a
suitable block for this is. Only you the administrator can say this
range here is not allocated in the AD.

Also winbind can handle multiple domains so it needs to know which
domain to use to lookup a given UID or GID in.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 11:40, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:

 [SNIP]

 
  OK, I see where you are coming from, but until testparm starts saying
  'this will not work because' people will keep on having problems with
  winbind, also why do you need to set up the ranges anyway.

 testparm does not guarantee a working configuration, it guarantees that
 you don't have any invalid configuration lines from a syntactic point of
 view.

 I thought that testparm did exactly that, it tested all the parameters in
smb.conf, so if the ranges overlap, it should report the error.


 I fully appreciate that it can seem confusing. I know three years ago
 when I first set it up I ended up reading large chunks of this mailing
 lists archive to find a single posts that told me what I was doing
 wrong. At the time the idmap_ad manual page did not hold the necessary
 information.

 Darned right it is confusing.


 However today in mid 2013, the manual page is accurate and there are a
 *lot* more posts in the mailing list on how to set it up.

 Yet people still get it wrong.


   The user and group ranges are already set by the admin in uidNumber &
  gidNumber, so again why do they need setting in smb.conf, IMHO the
  setting should be 'idmap config:backend = ad' and that should make
  winbind pull all the rfc2307 items for a user or group

 The issue is that winbind needs somewhere to allocate UIDs and GIDs
 for the BUILTIN backend. As such it does not know in advance what a
 suitable block for this is. Only you the administrator can say this
 range here is not allocated in the AD.

 Why are the BUILTIN uid's & gid's not set in stone? And noted somewhere
and users told 'do not use this range'?


 Also winbind can handle multiple domains so it needs to know which
 domain to use to lookup a given UID or GID in.


 sssd can do this very easily, so your point is?

Rowland


 JAB.

 --
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.




Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:

[SNIP]

 
 I thought that testparm did exactly that, it tested all the parameters
 in smb.conf, so if the ranges overlap, it should report the error.
  

You thought wrong then. It tests to see if they are valid so 1000-akjf
is invalid and will throw an error, 1000-2000 is valid and will not
throw an error even if it overlaps with some other range.

 
 Darned right it is confusing.
  

It was confusing because the documentation at the time was not complete.
That is no longer the case.

 
 Yet people still get it wrong.


There is no accounting for what some people do. I have just checked and
a Google search for winbind ad rfc2307 setup give a top hit that
explains the ranges must be orthogonal.

 
 Why are the BUILTIN uid's & gid's not set in stone? and noted
 somewhere and users told 'do not use this range'


Because your set in stone range might already be allocated in the AD.
Not all Samba servers are green field deployments. Some/many have to
integrate into already existing environments and hence admins need the
flexibility to adapt to the environment they find themselves in.

 
 Also winbind can handle multiple domains so it needs to know
 which
 domain to use to lookup a given UID or GID in.

 
 sssd can do this very easily, so your point is?
 

That is the one thing that sssd cannot do. At least according to the
documents I have read multiple domains with cross domain trusts equals
use winbind.

Either way there is no way for either sssd or winbind to know which of
the potential multiple domains it should look that up in. You could I
guess take a sledgehammer approach and look it up in all the domains,
but I can think of lots of reasons why that would not be a good idea.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
 On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
 
  
  It's probably still not working for him because he needs to clear the
  now polluted cache/database that winbind has created from previous
  attempts. Using net cache flush might work. Personally I would stop
  samba, delete the tdb files and start it again, redo the domain join and
  try it.
 
 Just thought about nscd too. On some distros it's default. . .

Another thought. The primary windows group of the account has to have
unix attributes. For reasons I cannot fathom the gidNumber attribute of
the account is not used by winbind and instead the primaryGroupID is
used. If this group does not have a GID set then the lookup fails!

I guess best practice is to keep the GID of the primaryGroupID and the
gidNumber of the user the same but I don't understand why it is the way
it is.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
OK, the documentation is better but people still get it wrong probably
because it is more complex than it needs to be, I personally find it easier
to set sssd up, but that is just me.

Why use a word like orthogonal? Just who knows what orthogonal means? I
have only been speaking English for 56 years and have never used that word
in a sentence, just say what you mean and do not hide behind gobbledygook.

From what I can see the BUILTIN uids come from windows (and are called
SID's) and there they are set in stone.

from the sssd-1.9.0 announcement

  - Add a new PAC responder for dealing with cross-realm Kerberos trusts

Your turn ;-)

Rowland


On 23 July 2013 13:48, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:

 [SNIP]

 
  I thought that testparm did exactly that, it tested all the parameters
  in smb.conf, so if the ranges overlap, it should report the error.
 

 You thought wrong then. It tests to see if they are valid so 1000-akjf
 is invalid and will throw an error, 1000-2000 is valid and will not
 throw an error even if it overlaps with some other range.

 
  Darned right it is confusing.
 

 It was confusing because the documentation at the time was not complete.
 That is no longer the case.

 
  Yet people still get it wrong.
 

 There is no accounting for what some people do. I have just checked and
 a Google search for winbind ad rfc2307 setup give a top hit that
 explains the ranges must be orthogonal.

 
  Why are the BUILTIN uid's & gid's not set in stone? and noted
  somewhere and users told 'do not use this range'
 

 Because your set in stone range might already be allocated in the AD.
 Not all Samba servers are green field deployments. Some/many have to
 integrate into already existing environments and hence admins need the
 flexibility to adapt to the environment they find themselves in.

 
  Also winbind can handle multiple domains so it needs to know
  which
  domain to use to lookup a given UID or GID in.
 
 
  sssd can do this very easily, so your point is?
 

 That is the one thing that sssd cannot do. At least according to the
 documents I have read multiple domains with cross domain trusts equals
 use winbind.

 Either way there is no way for either sssd or winbind to know which of
 the potential multiple domains it should look that up in. You could I
 guess take a sledgehammer approach and look it up in all the domains,
 but I can think of lots of reasons why that would not be a good idea.


 JAB.

 --
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.




Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
Could this be yet another reason to use sssd instead of winbind?
sssd does use the account gidNumber

testuser

primaryGroupID: 513
uidNumber: 3001106
gidNumber: 20513

getent passwd testuser
testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash

Rowland



On 23 July 2013 13:54, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
  On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
 
  
   It's probably still not working for him because he needs to clear the
   now polluted cache/database that winbind has created from previous
   attempts. Using net cache flush might work. Personally I would stop
   samba, delete the tdb files and start it again, redo the domain join and
   try it.
 
  Just thought about nscd too. On some distros it's default. . .

 Another thought. The primary windows group of the account has to have
 unix attributes. For reasons I cannot fathom the gidNumber attribute of
 the account is not used by winbind and instead the primaryGroupID is
 used. If this group does not have a GID set then the lookup fails!

 I guess best practice is to keep the GID of the primaryGroupID and the
 gidNumber of the user the same but I don't understand why it is the way
 it is.

 JAB.

 --
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.




Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 14:20 +0100, Rowland Penny wrote:
 OK, the documentation is better but people still get it wrong probably
 because it is more complex than it needs to be, I personally find it
 easier to set sssd up, but that is just me. 
 
 Why use a word like orthogonal? Just who knows what orthogonal means?
 I have only been speaking English for 56 years and have never used
 that word in a sentence, just say what you mean and do not hide behind
 gobbledygook.

Orthogonal is a single word, is precise and describes what is required
exactly. It has been in my vocabulary for approaching 30 years. Non-
overlapping range is three words and more characters as well. I was not
aware that Newspeak was now a requirement for posting on this list.

 
 From what I can see the BUILTIN uids come from windows (and are called
 SID's) and there they are set in stone.
 

The SIDs are set in stone, they have no UIDs set in stone. Winbind, to
work, allocates a UID to them in its allocatable (usually local)
database. There must be no conflicts between these allocated UIDs and
the UIDs in the domain, hence the requirement that the ranges given to
winbind be orthogonal.

 from the sssd-1.9.0 announcement
 
   - Add a new PAC responder for dealing with cross-realm Kerberos
 trusts

Well that's relatively new (aka less than a year old). I guess not that
many enterprise distributions will carry it (though RHEL 6.4 does).

What gets me is people claiming that half a dozen lines of configuration
in smb.conf is more complicated than 30+ lines of configuration in an
entirely separate configuration file in addition to several lines in
smb.conf. It might be more performant, it might have fewer bugs etc. but
it is absolutely not simpler to configure.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
 Could this be yet another reason to use sssd instead of winbind?
 
 sssd does use the account gidNumber
 
 testuser
 
 primaryGroupID: 513
 uidNumber: 3001106
 gidNumber: 20513
 
 getent passwd testuser
 testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
 
 

Not what I said. The primaryGroupID is an identifier for a group in AD,
bit like a SID is (I don't get that either). So primaryGroupID 513 might
refer to a group called sambausers, which has its own set of
RFC2307bis attributes which include a gidNumber. Winbind uses the
gidNumber of the primaryGroupID, not the primaryGroupID itself which is
something entirely different.

As such your example does not show what you think it does show because
you have not shown the gidNumber of the group identified by
primaryGroupID 513. I would say even if sssd uses the gidNumber of the
user it would in my opinion be good practice to keep the gidNumber of
the user the same as the gidNumber of the Windows primary group.

Sometimes my mind boggles at just how much people don't understand AD
and Samba in the Linux/Unix world.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

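The point Jonathan makes here, that winbind treats primaryGroupID as the identifier of the user's primary group, resolves that group and only then reads the group's gidNumber, is easy to lose when looking at getent output alone, because the final number looks identical whichever attribute it came from. The following is an added example, not code from Samba, sssd or the thread: a Python audit over a constructed stand-in for the directory (the domain SID and every group other than Domain Users are invented; testuser's attributes are the ones Rowland posted) that resolves the GID both ways, via the primary group's gidNumber and via the user's own gidNumber, and reports users where the two disagree or where the primary group carries no gidNumber, the case in which the winbind-style lookup fails.

```python
"""Resolve a user's primary GID the two ways the thread describes.

Added example, not Samba or sssd code. The directory below is a constructed
stand-in for AD: DOMAIN_SID and the groups other than Domain Users are
invented; testuser's attributes are the ones posted in the thread.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Groups keyed by objectSid. primaryGroupID is a RID within the user's own
# domain, so the primary group's SID is DOMAIN_SID with that RID appended.
GROUPS = {
    f"{DOMAIN_SID}-513": {"cn": "Domain Users", "gidNumber": 20513},
    f"{DOMAIN_SID}-1201": {"cn": "sambausers"},                   # no Unix attributes
    f"{DOMAIN_SID}-1202": {"cn": "unixonly", "gidNumber": 30000},
}

USERS = {
    # testuser: attributes as posted; both lookups agree.
    "testuser": {"primaryGroupID": 513, "uidNumber": 3001106, "gidNumber": 20513},
    # Primary group exists but has no gidNumber: the winbind-style lookup fails.
    "nogidgroup": {"primaryGroupID": 1201, "uidNumber": 3001107, "gidNumber": 20513},
    # User's gidNumber names a different group than primaryGroupID does.
    "mismatch": {"primaryGroupID": 513, "uidNumber": 3001108, "gidNumber": 30000},
}


def primary_group_sid(domain_sid, primary_group_id):
    """SID of the group named by primaryGroupID (a RID in the user's domain)."""
    return f"{domain_sid}-{primary_group_id}"


def gid_via_primary_group(user, groups, domain_sid=DOMAIN_SID):
    """winbind's approach as described in the thread: resolve primaryGroupID
    to a group, then return that group's gidNumber. Returns None when the
    group is missing or has no gidNumber, which is the lookup that fails."""
    group = groups.get(primary_group_sid(domain_sid, user["primaryGroupID"]))
    if group is None:
        return None
    return group.get("gidNumber")


def gid_via_user_attribute(user):
    """The other approach: take gidNumber straight from the user entry."""
    return user.get("gidNumber")


def audit(users, groups, domain_sid=DOMAIN_SID):
    """Report users whose two GID resolutions disagree or cannot both be made."""
    findings = {}
    for name, user in users.items():
        via_group = gid_via_primary_group(user, groups, domain_sid)
        via_user = gid_via_user_attribute(user)
        if via_group is None:
            findings[name] = "primary group has no gidNumber; winbind-style lookup fails"
        elif via_user is None:
            findings[name] = f"user has no gidNumber; primary group gives {via_group}"
        elif via_group != via_user:
            findings[name] = (f"user gidNumber {via_user} differs from primary "
                              f"group gidNumber {via_group}")
    return findings


if __name__ == "__main__":
    for name, why in audit(USERS, GROUPS).items():
        print(f"{name}: {why}")
```

Run against exported user and group entries from a real directory, the "mismatch" finding is precisely the case the "keep them the same" advice in this thread is about, and "nogidgroup" is the case where a user simply does not appear under winbind until the primary group gets a gidNumber.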


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 14:53, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 Orthogonal is a single word, is precise and describes what is required
 exactly. It has been in my vocabulary for approaching 30 years. Non-
 overlapping range is three words and more characters as well. I was not
 aware that Newspeak was now a requirement for posting on this list.


OK, so it is in your vocabulary, but it is not in mine, nor I believe
the vast number of the English speaking world. You think that you know
what it means, but have a look here:
http://www.merriam-webster.com/dictionary/orthogonal
Your definition is not mentioned.


 
  From what I can see the BUILTIN uids come from windows (and are called
  SID's) and there they are set in stone.
 

 The SIDs are set in stone, they have no UIDs set in stone. Winbind, to
 work, allocates a UID to them in its allocatable (usually local)
 database. There must be no conflicts between these allocated UIDs and
 the UIDs in the domain, hence the requirement that the ranges given to
 winbind be orthogonal.


Well perhaps they should be now, the problem that I see is that RHEL etc
uses 0-500 for local users and Debian uses 0-999, so perhaps reserve 1100 -
1200 for the BUILTIN users


  from the sssd-1.9.0 announcement
 
- Add a new PAC responder for dealing with cross-realm Kerberos
  trusts

 Well that's relatively new (aka less than a year old). I guess not that
 many enterprise distributions will carry it (though RHEL 6.4 does).


ER, isn't RHEL THE enterprise distro?


 What gets me is people claiming that half a dozen lines of configuration
 in smb.conf is more complicated than 30+ lines of configuration in an
 entirely separate configuration file in addition to several lines in
 smb.conf. It might be more performant, it might have fewer bugs etc. but
 it is absolutely not simpler to configure.


For me it is a lot easier to configure, I don't have to worry about
orthogonal numbers for instance (drat, now you have got me at it ) ;-0

Rowland


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 15:04, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 Not what I said. The primaryGroupID is an identifier for a group in AD,
 bit like a SID is (I don't get that either). So primaryGroupID 513 might
 refer to a group called sambausers, which has its own set of
 RFC2307bis attributes which include a gidNumber. Winbind uses the
 gidNumber of the primaryGroupID, not the primaryGroupID itself which is
 something entirely different.


As I said sssd uses the user's gidNumber not the primaryGroupID. I may be
wrong but I believe that the primaryGroupID is a windows thing and as such
should be ignored by winbind if it is instructed to use rfc2307 attributes,
but that is just my opinion.



 As such your example does not show what you think it does show because
 you have not shown the gidNumber of the group identified by
 primaryGroupID 513. I would say even if sssd uses the gidNumber of the
 user it would in my opinion be good practice to keep the gidNumber of
 the user the same as the gidNumber of the Windows primary group.


So sorry, this is the gidNumber attribute from
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 20513

As you can see, it is the same gidNumber that the user has.

If you want my opinion and you probably don't, people need to stop thinking
NT server if they connect to a samba4 AD server and start thinking AD
server, they are totally different.

Rowland


Re: [Samba] Winbind troubles

2013-07-23 Thread Helmut Hullen
Hello, Jonathan,

You wrote on 23.07.13:

 Why use a word like orthogonal?

 Orthogonal is a single word, is precise and describes what is
 required exactly.

Sorry - that depends.
I know this word as a synonym of rectangular, and I mostly know it in
a geometrical environment.

90 degrees = pi/2 = 100 gon.

These degrees are not to be confused with degrees Fahrenheit or degrees
Celsius.

Best regards!
Helmut


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 14:53 +0100, Jonathan Buzzard wrote:

 
 What gets me is people claiming that half a dozen lines of configuration
 in smb.conf is more complicated than 30+ lines of configuration in an
 entirely separate configuration file in addition to several lines in
 smb.conf. It might be more performant, it might have fewer bugs etc. but
 it is absolutely not simpler to configure.

The main difference is that even though sssd may involve copying and
pasting a configuration file to /etc somewhere and changing the domain
name therein, once you've done it, you just start it and forget it.
Unfortunately most mortals here cannot do that with winbind. That's why
we always try and help users with winbind. Let's not forget the OP in
all this: the winbind documentation seems to be written by devs for
devs. There is nothing written in simple terms to help us or the OP.



Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
 
 On 23 July 2013 15:04, Jonathan Buzzard jonat...@buzzard.me.uk
 wrote:
 Not what I said. The primaryGroupID is an identifier for a
 group in AD,
 bit like a SID is (I don't get that either). So primaryGroupID
 513 might
 refer to a group called sambausers, which has its own set
 of
 RFC2307bis attributes which include a gidNumber. Winbind uses
 the
 gidNumber of the primaryGroupID, not the primaryGroupID itself
 which is
 something entirely different.
 
 
 
 As I said sssd uses the user's gidNumber not the primaryGroupID, I may
 be wrong but I believe that the primaryGroupID is a windows thing and
 as such should be ignored by winbind if it is instructed to use
 rfc2307 attributes, but that is just my opinion.

You don't seem to have taken on board that primaryGroupID is a numerical
identifier for an actual group. Now why Microsoft didn't use the group's
SID I have not the faintest idea.

The number returned by primaryGroupID is only used by winbind to
identify the primary group of the user. It then looks up the gidNumber
for that group and returns that.

Would it be a good idea for the user to have a different primary group
in Windows land from Unix land? I tend to think that keeping them the
same is a good idea and hence the way winbind does it has considerable
merit. In particular you can use the Windows tools to change the primary
group of the user and get expected results on both Windows and Unix.

Basically adding a gidNumber to each user is a redundant feature of
RFC2307.

 
 
 As such your example does not show what you think it does show
 because
 you have not shown the gidNumber of the group identified by
 primaryGroupID 513. I would say even if sssd uses the
 gidNumber of the
 user it would in my opinion be good practice to keep the
 gidNumber of
 the user the same as the gidNumber of the Windows primary
 group.
 
 So sorry, this is the gidNumber attribute from 
 dn: CN=Domain Users,CN=Users,DC=example,DC=com
 gidNumber: 20513

 
 As you can see, it is the same gidNumber that the user has.
 

But if the group identified by primaryGroupID 513 has gidNumber 20513
(which would be in my opinion best practice) without looking in the
source code of sssd you don't know whether sssd took the gidNumber of
the user or took the primaryGroupID, and then looked up gidNumber of
that group. As your example has not shown the gidNumber of the
group identified by primaryGroupID 513, it has not demonstrated what you
claim it has demonstrated.

It might well be that what you claim is true; it is just that your example
does not demonstrate it to be conclusively the case.

 
 If you want my opinion and you probably don't, people need to stop
 thinking NT server if they connect to a samba4 AD server and start
 thinking AD server, they are totally different.
 

Absolutely. I think much of the Samba4 related stuff on this mailing
list would not be here if the users bothered to read a dummies guide to
AD at a minimum. If you don't have a good understanding of how AD works
then trying to setup a Samba4 AD domain controller is probably a bad
idea.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

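The primaryGroupID-to-gidNumber lookup Jonathan describes, as an added worked example (editor's code written for this page, not Samba's, sssd's or anything posted in the thread). It builds the primary group's SID from the user's own domain SID plus the primaryGroupID RID, the way winbind does, reads the gidNumber off that group object, and compares it with the gidNumber stored on the user, which is the path Rowland attributes to sssd. The directory entries, SIDs, names and numbers are constructed for illustration, loosely modelled on the ldbsearch output quoted later in the thread; none of them are real.

```python
"""Compare the two ways a Unix primary GID can be derived for an AD user.

winbind path (idmap_ad with nss info rfc2307, as described in the thread):
    user's domain SID + primaryGroupID (a RID) -> group object -> group's gidNumber
sssd path (as Rowland describes it):
    the gidNumber attribute stored on the user object itself

All directory data here is constructed for illustration; SIDs, names and
numbers are assumptions, not values from any real domain.
"""

import re

DOMAIN_SID = "S-1-5-21-451355595-2219208293-2714859210"

# objectSid -> group attributes (posixGroup gidNumber where present)
GROUPS = {
    f"{DOMAIN_SID}-513": {"cn": "Domain Users", "gidNumber": 20513},
    f"{DOMAIN_SID}-1101": {"cn": "sambausers", "gidNumber": 20101},
    f"{DOMAIN_SID}-1102": {"cn": "no-posix-group"},  # no gidNumber attribute at all
}

USERS = [
    # consistent: primary group Domain Users (RID 513) and gidNumber 20513 agree
    {"sAMAccountName": "testuser", "objectSid": f"{DOMAIN_SID}-3001106",
     "primaryGroupID": 513, "uidNumber": 3001106, "gidNumber": 20513},
    # drifted: Windows primary group moved to sambausers, gidNumber left alone
    {"sAMAccountName": "alice", "objectSid": f"{DOMAIN_SID}-1200",
     "primaryGroupID": 1101, "uidNumber": 3001107, "gidNumber": 20513},
    # broken for winbind: the primary group carries no gidNumber
    {"sAMAccountName": "bob", "objectSid": f"{DOMAIN_SID}-1201",
     "primaryGroupID": 1102, "uidNumber": 3001108, "gidNumber": 20101},
]

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(object_sid):
    """Return (domain SID, RID) for a domain account SID."""
    m = SID_RE.match(object_sid)
    if not m:
        raise ValueError(f"not a domain SID: {object_sid}")
    return m.group(1), int(m.group(2))


def primary_group_sid(user):
    """primaryGroupID is only a RID; the group lives in the user's own domain."""
    domain_sid, _rid = split_sid(user["objectSid"])
    return f"{domain_sid}-{user['primaryGroupID']}"


def gid_via_primary_group(user, groups):
    """The winbind path: look up the primary group and return its gidNumber, or None."""
    group = groups.get(primary_group_sid(user))
    if group is None:
        return None
    return group.get("gidNumber")


def gid_via_user_attribute(user):
    """The sssd path: the gidNumber stored on the user object, or None."""
    return user.get("gidNumber")


def audit_primary_groups(users, groups):
    """Report, per user, whether both paths agree. Returns {sAMAccountName: status}."""
    report = {}
    for user in users:
        via_group = gid_via_primary_group(user, groups)
        via_user = gid_via_user_attribute(user)
        if via_group is None:
            status = "unmappable by winbind: primary group has no gidNumber"
        elif via_user is None:
            status = "unmappable by sssd: user has no gidNumber"
        elif via_group == via_user:
            status = "ok"
        else:
            status = f"mismatch: primary group gives {via_group}, user gidNumber is {via_user}"
        report[user["sAMAccountName"]] = status
    return report


if __name__ == "__main__":
    for name, status in audit_primary_groups(USERS, GROUPS).items():
        print(f"{name:10s} {status}")
```

Run it against a real export of users and groups to find accounts where a Windows-side primary group change was never mirrored into gidNumber, which is exactly the drift Jonathan warns will "break in odd not apparent ways". Later Samba releases added an idmap_ad option, `idmap config DOMAIN:unix_primary_group = yes`, that switches winbind to the user's own gidNumber; this 2013 thread predates it.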


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
 On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
  Could this be yet another reason to use sssd instead of winbind?
  
  sssd does use the account gidNumber
  
  testuser
  
  primaryGroupID: 513
  uidNumber: 3001106
  gidNumber: 20513
  
  getent passwd testuser
  testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
  
  
 
 Not what I said. The primaryGroupID is an identifier for a group in AD,
 bit like a SID is (I don't get that either). So primaryGroupID 513 might
 refer to a group called sambausers, which has its own set of
 RFC2307bis attributes which include a gidNumber. Winbind uses the
 gidNumber of the primaryGroupID, not the primaryGroupID itself which is
 something entirely different.

I'd put good money on this working as both group and primary group:
getent group Domain\ Users
Domain Users:*:20513:
 ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site


There are problems in setting primaryGroupID to groups other than Domain
Users using S4 but as I understand it, the primary group will determine
the default group of the file ownership when a user creates a file. He
could be in many groups but files created by default will be of group of
the primary group.


 
 As such your example does not show what you think it does show because
 you have not shown the gidNumber of the group identified by
 primaryGroupID 513. I would say even if sssd uses the gidNumber of the
 user it would in my opinion be good practice to keep the gidNumber of
 the user the same as the gidNumber of the Windows primary group.
 
 Sometimes my mind boggles at just how much people don't understand AD
 and Samba in the Linux/Unix world.
 
 JAB.
 
 -- 
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.
 




Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 16:44 +0100, Jonathan Buzzard wrote:
 On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
  
  
  
  If you want my opinion and you probably don't, people need to stop
  thinking NT server if they connect to a samba4 AD server and start
  thinking AD server, they are totally different.
  
 
 Absolutely. I think much of the Samba4 related stuff on this mailing
 list would not be here if the users bothered to read a dummies guide to
 AD at a minimum. If you don't have a good understanding of how AD works
 then trying to setup a Samba4 AD domain controller is probably a bad
 idea.

To me AD is LDAP. If I'd never setup openLDAP in a Linux only
environment a few years back, I'd be totally and utterly knackered with
S4 AD.




Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 16:44, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 You don't seem to have taken on board that primaryGroupID is a numerical
 identifier for an actual group. Now why Microsoft didn't use the group's
 SID I have not the faintest idea.

 I suppose that you have noticed that the primaryGroupID is the RID from
the group's SID and yes I had taken it on board.


 The number returned by primaryGroupID is only used by winbind to
 identify the primary group of the user. It then looks up the gidNumber
 for that group and returns that.

 Would it be a good idea for the user to have a different primary group
 in Windows land from Unix land? I tend to think that keeping them the
 same is a good idea and hence the way winbind does it has considerable
 merit. In particular you can use the Windows tools to change the primary
 group of the user and get expected results on both Windows and Unix.

 I would agree with you here, the user's primary group needs to be the same
in Windows and Linux


 Basically adding a gidNumber to each user is a redundant feature of
 RFC2307.


Redundant it may be, but it is the way that windows wants it to be done.



 
 
  As such your example does not show what you think it does show
  because
  you have not shown the gidNumber of the group identified by
  primaryGroupID 513. I would say even if sssd uses the
  gidNumber of the
  user it would in my opinion be good practice to keep the
  gidNumber of
  the user the same as the gidNumber of the Windows primary
  group.
 
  So sorry, this is the gidNumber attribute from
  dn: CN=Domain Users,CN=Users,DC=example,DC=com
  gidNumber: 20513
 
 
  As you can see, it is the same gidNumber that the user has.
 

 But if the group identified by primaryGroupID 513 has gidNumber 20513
 (which would be in my opinion best practice) without looking in the
 source code of sssd you don't know whether sssd took the gidNumber of
 the user or took the primaryGroupID, and then looked up gidNumber of
 that group. As your example has not shown what the gidNumber of the
 group identified by primaryGroupID 513 it has not demonstrated what you
 claim it has demonstrated.


Does it matter, as long as the right answer is returned?

But for your information, sssd pulls ALL the information from the user's
RFC2307 information, in fact it pulls more information than winbind.

Rowland


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard

On 23/07/13 17:10, Rowland Penny wrote:

[SNIP]



But if the group identified by primaryGroupID 513 has gidNumber 20513
(which would be in my opinion best practice) without looking in the
source code of sssd you don't know whether sssd took the gidNumber of
the user or took the primaryGroupID, and then looked up gidNumber of
that group. As your example has not shown what the gidNumber of the
group identified by primaryGroupID 513 it has not demonstrated what you
claim it has demonstrated.


Does it matter, as long as the right answer is returned?



Only in that you gave an example that claimed to show that sssd used the 
gidNumber from the user's entry. The point I was making is that it did 
not actually show that. What it showed was sssd returning a GID that 
matched the gidNumber from the user's entry, which while close is not what 
you claimed.



But for your information, sssd pulls ALL the information from the users
RFC2307 information, in fact it pulls more information than winbind.



Well then that sucks and I prefer the winbind method, because as far as 
I am aware changing the Windows primary group (at least under 2003R2 and 
2008R2, not tested 2012 or Samba4) of a user has no effect on the user's 
gidNumber. As such it is inevitable that mistakes will be made, things 
will get out of sync and stuff will break in odd not apparent ways.


Reasons why winbind is better than sssd if you ask me :-)


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 23:21 +0100, Jonathan Buzzard wrote:
 On 23/07/13 17:10, Rowland Penny wrote:
 
 [SNIP]
 
 
  But if the group identified by primaryGroupID 513 has gidNumber 20513
  (which would be in my opinion best practice) without looking in the
  source code of sssd you don't know whether sssd took the gidNumber of
  the user or took the primaryGroupID, and then looked up gidNumber of
  that group. As your example has not shown what the gidNumber of the
  group identified by primaryGroupID 513 it has not demonstrated what you
  claim it has demonstrated.
 
 
  Does it matter, as long as the right answer is returned?
 
 
 Only in that you gave an example that claimed to show that sssd used the 
 gidNumber from the users entry. The point I was making is that it did 
 not actually show that. What it showed was sssd returning a GID that 
  matched the gidNumber from the user's entry, which while close is not what 
 you claimed.
 
  But for your information, sssd pulls ALL the information from the users
  RFC2307 information, in fact it pulls more information than winbind.
 
 
 Well then that sucks and I prefer the winbind method, because as far as 
 I am aware changing the Windows primary group (at least under 2003R2 and 
  2008R2, not tested 2012 or Samba4) of a user has no effect on the user's 
 gidNumber. As such it is inevitable that mistakes will be made, things 
 will get out of sync and stuff will break in odd not apparent ways.
 
 Reasons why winbind is better than sssd if you ask me :-)

Well, I don't think we're here to decide what is better and I don't
think we're helping the OP at all, rather serving to confuse:(

For the record, sssd pulls all its info from AD. A user does not need a
gidNumber, it is drawn from the primaryGroupID. For Linux clients it is
vital that whatever the primaryGroupID is contains the gidNumber
attribute. sssd does the rest. I see that the classicupgrade retains the
user gidNumber so maybe we should keep it in the DN of not only the
primaryGroup but also in the DN for new users too. For compatibility?
 



[Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have
installed the SerNet packages. SRV1 has the AD setup and SRV2 is a
member server. I've followed the wiki for both servers to the letter,
and winbind still refuses to grab info on the member server. 

I rolled the provision with --use-rfc2307, added a bunch of users with
samba-tool. I then manually created a group and made sure it had valid
gid. I then did the same with the 3 users, made sure their primary group
was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001,
and 10002. The single group has a GID of 1 and all 3 users are a
member.

I joined the domain fine, everything appears correct in DNS, and the
SRV2 member server shows up in ADUC under Computers. Both smb.conf files
match exactly (except for the domain names) the config file
examples in the wiki articles.

wbinfo -u and wbinfo -g both work and pull the proper users/groups.
However, when I run getent passwd all I get is local users.

I checked and re-checked libnss_winbind.so with ldconfig -v, and that is
there as well. What the heck could I be missing? I've followed
everything to the letter.


Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
Have you tried 'getent passwd username'

Rowland





On 22 July 2013 19:56, Matthew Daubenspeck m...@oddprocess.org wrote:

 I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have
 installed the SerNet packages. SRV1 has the AD setup and SRV2 is a
 member server. I've followed the wiki for both servers to the letter,
 and winbind still refuses to grab info on the member server.

 I rolled the provision with --use-rfc2307, added a bunch of users with
 samba-tool. I then manually created a group and made sure it had valid
 gid. I then did the same with the 3 users, made sure their primary group
 was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001,
 and 10002. The single group has a GID of 1 and all 3 users are a
 member.

 I joined the domain fine, everything appears correct in DNS, and the
 SRV2 member server shows up in ADUC under Computers. Both smb.conf files
 match exactly (except for the domain names) the config file
 examples in the wiki articles.

 wbinfo -u and wbinfo -g both work and pull the proper users/groups.
 However, when I run getent passwd all I get is local users.

 I checked and re-checked libnss_winbind.so with ldconfig -v, and that is
 there as well. What the heck could I be missing? I've followed
 everything to the letter.


Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
Have you tried 'getent passwd username'
Rowland

root@srv2:~# getent passwd Administrator
root@srv2:~# getent passwd user1
root@srv2:~# getent passwd user2
root@srv2:~# getent passwd user3

No results. They are all there though:

root@srv2:~# wbinfo -u
administrator
krbtgt
guest
user1
user2
user3

Verified the uidNumber was set as well on the DC:

# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
uidNumber: 1
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
gidNumber: 1


# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
uidNumber: 10001
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
gidNumber: 1

etc.


Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
/etc/nsswitch.conf setup correctly?


On 22 July 2013 20:52, Matthew Daubenspeck m...@oddprocess.org wrote:

 On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
 Have you tried 'getent passwd username'
 Rowland

 root@srv2:~# getent passwd Administrator
 root@srv2:~# getent passwd user1
 root@srv2:~# getent passwd user2
 root@srv2:~# getent passwd user3

 No results. They are all there though:

 root@srv2:~# wbinfo -u
 administrator
 krbtgt
 guest
 user1
 user2
 user3

 Verified the uidNumber was set as well on the DC:

 # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
 uidNumber: 1
 # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
 gidNumber: 1


 # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
 uidNumber: 10001
 # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
 gidNumber: 1

 etc.



Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 15:52 -0400, Matthew Daubenspeck wrote:
 On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
 Have you tried 'getent passwd username'
 Rowland
 
 root@srv2:~# getent passwd Administrator
 root@srv2:~# getent passwd user1
 root@srv2:~# getent passwd user2
 root@srv2:~# getent passwd user3
 

Can you post smb.conf on SRV2?
Steve




Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
 Can you post smb.conf on SRV2?
 Steve

Certainly:

[global]

   workgroup = NWLTECH
   security = ADS
   realm = NWLTECH.ORG
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config NWLTECH:backend = ad
   idmap config NWLTECH:schema_mode = rfc2307
   idmap config NWLTECH:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 08:59:47PM +0100, Rowland Penny wrote:
/etc/nsswitch.conf setup correctly?

passwd: compat winbind
group:  compat winbind
shadow: compat
snipped


Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
OK, that seems like it should work. I had the winbind ad backend working,
but found it difficult to set up so jumped ship to sssd.

The idmap setup I used was:

idmap config *:backend = tdb
idmap config *:range = 1100-2000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1-310

As you can see the number ranges are the opposite way round to what you
have i.e. config*:range is lower than DOMAIN:range

You could also try (as a test) changing backend = ad to backend = rid; this
will ignore the rfc2307 bit but will test the connection to the AD server.

Rowland


On 22 July 2013 21:46, Matthew Daubenspeck m...@oddprocess.org wrote:

 On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
  Can you post smb.conf on SRV2?
  Steve

 Certainly:

 [global]

workgroup = NWLTECH
security = ADS
realm = NWLTECH.ORG
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 500-4

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes



Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 16:46 -0400, Matthew Daubenspeck wrote:
 On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
  Can you post smb.conf on SRV2?
  Steve
 
 Certainly:
 
 [global]
 
workgroup = NWLTECH
security = ADS
realm = NWLTECH.ORG
encrypt passwords = yes
 
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 500-4
 
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
 

Similar to what I had when I used winbind, except the * range was lower
than the range we wanted. Try something like 3000-3500 and 3501-4
perhaps?



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
OK, that seems like it should work, I had the winbind ad backend
working, but found it difficult to set up so jumped ship to sssd
The idmap setup I used was:
idmap config *:backend = tdb
idmap config *:range = 1100-2000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1-310
As you can see the number ranges are the opposite way round to what you
have i.e. config*:range is lower than DOMAIN:range
You could also try (as a test) changing backend = ad to backend = rid,
this will ignore the rfc2307 bit but will test the connection to the AD
server.
Rowland

Changing the above ranges made no difference. However, changing backend
= rid gets me:

root@srv2:~# getent passwd administrator
administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
root@srv2:~# id user1
uid=1(user1) gid=1013(domain users) groups=1013(domain
users),70002(BUILTIN\users)
root@srv2:~# id user2
uid=10001(user2) gid=1013(domain users) groups=1013(domain
users),70002(BUILTIN\users)

That seems to be working perfectly. What would I be losing without
rfc2307 (please excuse the ignorance)?


Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
 On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
 OK, that seems like it should work, I had the winbind ad backend
 working, but found it difficult to set up so jumped ship to sssd
 The idmap setup I used was:
 idmap config *:backend = tdb
 idmap config *:range = 1100-2000
 idmap config DOMAIN:backend = ad
 idmap config DOMAIN:schema_mode = rfc2307
 idmap config DOMAIN:range = 1-310
 As you can see the number ranges are the opposite way round to what you
 have i.e. config*:range is lower than DOMAIN:range
 You could also try (as a test) changing backend = ad to backend = rid,
 this will ignore the rfc2307 bit but will test the connection to the AD
 server.
 Rowland
 
 Changing the above ranges made no difference. However, changing backend
 = rid gets me:
 
 root@srv2:~# getent passwd administrator
 administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

Amazing;)
 
 That seems to be working perfectly. What would I be losing without
 rfc2307 (please excuse the ignorance)?

You'd lose control over uidNumber, gidNumber and you wouldn't be able to
specify your own home directories and login shells. It's also a
nightmare if you add a second DC.



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 11:19:26PM +0200, steve wrote:
 Similar to what I had when I used winbind, except the * range was lower
 than the range we wanted. Try something like 3000-3500 and 3501-4
 perhaps?

Like this?

   idmap config *:backend = tdb
   idmap config *:range = 3000-3500
   idmap config NWLTECH:backend = ad
   idmap config NWLTECH:schema_mode = rfc2307
   idmap config NWLTECH:range = 3501-4

That makes no difference. Still no results.
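An added check for the failure Matthew is hitting (wbinfo lists the users, getent passwd returns nothing), written for this page rather than taken from Samba or the wiki. With the ad backend winbind only maps accounts whose uidNumber/gidNumber lie inside the domain's `idmap config DOMAIN:range`, and the `*` default range must not overlap it, so the script parses the `idmap config` lines out of smb.conf, checks the ranges against each other, and reports every account whose ID is missing or out of range. The smb.conf fragment, domain name, ranges and ID values are constructed for illustration and are not the ones from the thread.

```python
"""Sanity-check an smb.conf idmap configuration against the RFC2307 IDs in AD.

With 'idmap config DOMAIN:backend = ad', winbind only maps accounts whose
uidNumber/gidNumber fall inside 'idmap config DOMAIN:range'; an account
outside the range, or without the attribute at all, simply does not
resolve, although wbinfo -u still lists its name. The '*' default range
(idmap_tdb, used for BUILTIN and well-known SIDs) must not overlap the
domain range.

The smb.conf fragment and the AD attribute values are constructed for
illustration; the domain, ranges and IDs are assumptions.
"""

import re

SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.ORG

   idmap config *:backend = tdb
   idmap config *:range = 3000-3500
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-20000

   winbind nss info = rfc2307
"""

# name -> uidNumber (or gidNumber for a group) as stored in AD; None = attribute missing
AD_IDS = {
    "user1": 10000,
    "user2": 10001,
    "svc-backup": 500,       # below the domain range: winbind will not map it
    "legacy": 3200,          # inside the '*' range, which belongs to idmap_tdb, not idmap_ad
    "administrator": None,   # no uidNumber at all
}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in smb.conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(text):
    """'low-high' -> (low, high), rejecting an inverted range."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted range {text}")
    return lo, hi


def range_problems(cfg):
    """Missing or mutually overlapping ranges, as a list of findings (empty = fine)."""
    findings, ranges = [], {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return findings


def check_ids(cfg, domain, ids):
    """For each account, say whether idmap_ad will map its ID under this config."""
    lo, hi = parse_range(cfg[domain]["range"])
    result = {}
    for name, number in ids.items():
        if number is None:
            result[name] = "no uidNumber/gidNumber in AD"
        elif not lo <= number <= hi:
            result[name] = f"{number} outside {domain} range {lo}-{hi}"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for finding in range_problems(cfg):
        print("config:", finding)
    for name, verdict in check_ids(cfg, "EXAMPLE", AD_IDS).items():
        print(f"{name:14s} {verdict}")
```

Feed it the real smb.conf and the uidNumber/gidNumber values pulled with ldbsearch from the DC; an account it flags is one winbind skips without any error, which is what a config that "matches the wiki" but carries the wrong range looks like from the outside. Switching to the rid backend, as Matthew did, sidesteps the check entirely because the IDs are then computed from the RID rather than read from AD.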


Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
If you want my opinion, this is just another example of why not to use
winbind. If you can wait until tomorrow, I will send you a howto on sssd
on Ubuntu 12.04

Rowland
On Jul 22, 2013 10:36 PM, steve st...@steve-ss.com wrote:

 On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
  On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
  OK, that seems like it should work, I had the winbind ad backend
  working, but found it difficult to set up so jumped ship to sssd
  The idmap setup I used was:
  idmap config *:backend = tdb
  idmap config *:range = 1100-2000
  idmap config DOMAIN:backend = ad
  idmap config DOMAIN:schema_mode = rfc2307
  idmap config DOMAIN:range = 1-310
  As you can see the number ranges are the opposite way round to what
 you
  have i.e. config*:range is lower than DOMAIN:range
  You could also try (as a test) changing backend = ad to backend =
 rid,
  this will ignore the rfc2307 bit but will test the connection to the AD
  server.
  Rowland
 
  Changing the above ranges made no difference. However, changing backend
  = rid gets me:
 
  root@srv2:~# getent passwd administrator
  administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

 Amazing;)
 
  That seems to be working perfectly. What would I be losing without
  rfc2307 (please excuse the ignorance)?

 You'd lose control over uidNumber, gidNumber and you wouldn't be able to
 specify your own home directories and login shells. It's also a
 nightmare if you add a second DC.



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 11:36:26PM +0200, steve wrote:
 Amazing;)

Amazing all right. I have a headache :)

 You'd lose control over uidNumber, gidNumber and you wouldn't be able to
 specify your own home directories and login shells. It's also a
 nightmare if you add a second DC.

So if I plan on using this for Windows clients ONLY, uidNumber,
gidNumber, homedirs and shells shouldn't really be a problem to me. Key
word being shouldn't?

Not being able to add a backup DC WOULD be a problem, however.


Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 10:45:28PM +0100, Rowland Penny wrote:
 If you want my opinion, this is just another example of why not to use
 winbind, if you can wait until tomorrow , I will send you an howto on sssd
 on Ubuntu 12.04

Something like this?

http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html

That's about the most verbose thing Google seems to come up with.

I'll wait as long as it takes, this is all just initial testing...


[Samba] Winbind in Samba 4 suite and the template homedir parameter

2013-07-19 Thread Davor Vusir
Hi!

The command samba-tool testparm -v returns template homedir = 
/home/%WORKGROUP%/%ACCOUNTNAME%.

Are there other variables that can be used?

It is possible to add one or more uPNSuffixes to Samba 4 AD DC to alter the 
userPrincipalName. Both on the domain level 
(cn=uPNSuffixes,cn=Partitions,...) and on OU-level 
(cn=uPNSuffixes,ou=example.org,dc=...) But is it possible to return the dns 
domain part, %UPNSUFFIXES%, in winbind? And use it for domain separated paths 
to home directories?

For example:
uPNSuffixes = example.org, example.net

[global]
template homedir = /home/%UPNSUFFIXES%/%ACCOUNTNAME%

And winbind returns /home/example.org/username and 
/home/example.net/username respectively.

Regards
Davor


[Samba] Samba + Winbind ID Mapping Issue

2013-06-30 Thread Andrew Brunton
Hi Everyone,

Not sure if this is the correct place to be asking this but here goes:

We currently are using Samba 3.5.x and Winbind to do ID mapping for our
Active Directory environment. We are currently experiencing an issue where
new users/computers/groups created in the domain, occasionally but not
always will take the UID of someone that already exists. It is important to
note that both the new user and old will have the same UID; this results in
neither user being able to access those files.

We are looking at moving the idmap range in the smb config to a range
outside of what has already been assigned; will this affect users already
in our tdb (database)?

Regards

-- 
ANDREW B andrew.brun...@bundaberg.qld.gov.au
Bundaberg Regional Council
PO Box 3130
Bundaberg QLD 4670
Tel: 1300 883 699
Fax: (07) 4150 5410
http://bundaberg.qld.gov.au/
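An added audit for the two things Andrew needs to know before touching the range (which IDs already collide, and what a range move would strand), editor's code rather than anything from Samba or the thread. It parses a listing in the `UID <n> <sid>` / `GID <n> <sid>` / `USER HWM <n>` line format that `net idmap dump` and `net idmap restore` use, reports every UID or GID that more than one SID maps to, lists the mappings that would fall outside a proposed new range, and checks that each high-water mark (treated here as the next ID to be handed out) sits above the highest ID already allocated. The dump, its SIDs and its numbers are constructed for illustration.

```python
"""Audit an idmap_tdb dump for collisions and for what a range move would strand.

The dump text is constructed for illustration, in the line format used by
`net idmap dump` / `net idmap restore`:
    USER HWM <n>            next UID to be allocated (high-water mark)
    GROUP HWM <n>           next GID to be allocated
    UID <n> S-1-5-21-...    one SID -> UID mapping
    GID <n> S-1-5-21-...    one SID -> GID mapping
SIDs and numbers are assumptions, not values from any real tdb.
"""

import re
from collections import defaultdict

DUMP = """\
USER HWM 10006
GROUP HWM 10003
UID 10001 S-1-5-21-111-222-333-1105
UID 10002 S-1-5-21-111-222-333-1106
UID 10002 S-1-5-21-111-222-333-1250
UID 10005 S-1-5-21-111-222-333-1300
GID 10001 S-1-5-21-111-222-333-513
GID 10002 S-1-5-21-111-222-333-1107
"""

LINE_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-5-21(?:-\d+){4})$")
HWM_RE = re.compile(r"^(USER|GROUP)\s+HWM\s+(\d+)$")


def parse_dump(text):
    """Return (mappings, hwm): mappings is a list of (kind, number, sid), hwm a dict."""
    mappings, hwm = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            mappings.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = HWM_RE.match(line)
        if m:
            hwm[m.group(1)] = int(m.group(2))
            continue
        raise ValueError(f"unrecognised dump line: {line!r}")
    return mappings, hwm


def find_collisions(mappings):
    """{(kind, number): [sid, ...]} for every UID or GID that more than one SID maps to.

    UIDs and GIDs are separate namespaces, so UID 10001 and GID 10001 do not collide."""
    by_id = defaultdict(list)
    for kind, number, sid in mappings:
        by_id[(kind, number)].append(sid)
    return {key: sids for key, sids in by_id.items() if len(sids) > 1}


def stranded_by_range(mappings, lo, hi):
    """Existing mappings whose ID would fall outside a proposed new range lo..hi."""
    return [(kind, number, sid) for kind, number, sid in mappings if not lo <= number <= hi]


def hwm_problems(mappings, hwm):
    """A high-water mark at or below an allocated ID means the next allocation can collide."""
    findings = []
    for kind, key in (("UID", "USER"), ("GID", "GROUP")):
        used = [number for k, number, _ in mappings if k == kind]
        if used and key in hwm and hwm[key] <= max(used):
            findings.append(f"{key} HWM {hwm[key]} is not above highest allocated {kind} {max(used)}")
    return findings


if __name__ == "__main__":
    mappings, hwm = parse_dump(DUMP)
    for (kind, number), sids in find_collisions(mappings).items():
        print(f"collision: {kind} {number} <- {', '.join(sids)}")
    for kind, number, sid in stranded_by_range(mappings, 20000, 30000):
        print(f"stranded by move to 20000-30000: {kind} {number} {sid}")
    for finding in hwm_problems(mappings, hwm):
        print("hwm:", finding)
```

Changing the range in smb.conf does not rewrite entries already in the tdb; whether winbind keeps honouring a mapping that now lies outside the configured range depends on the backend's range check, so treat the stranded list as the set of mappings to migrate (for example through an edited `net idmap restore`) rather than assuming they carry over. A collision that already exists in the dump is not fixed by a range move at all; both SIDs keep the same UID until one mapping is removed.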


[Samba] Winbind Authentication on HP-UX 11 works

2013-06-06 Thread jagan madhappan
Hi Expert ,

I need to integrate an HP-UX (B.11.31 U ia64) machine with a Windows AD server
using winbind. Please provide the document for the same.





Regards,
Jagan M


[Samba] winbind authentication AD Kerberos Cross Realm

2013-05-31 Thread sergio . conrad
Hello everybody

I have a technical question about winbind authentication on Windows AD with a 
Kerberos Cross Realm authentication.

The client uses samba-winbind:
samba-common.i686 1:3.5.15-74.fc15.1 @Fedora 15 - i386 - Updates
samba-winbind.i686 1:3.5.15-74.fc15.1 @Fedora 15 - i386 - Updates
samba-winbind-clients.i686 1:3.5.15-74.fc15.1 @Fedora 15 - i386 - Updates


Active directory is a Windows 2008

The authentication works fine.

Now I am trying to set up a trust with a Kerberos domain by adding the attribute 
altSecurityIdentities to the AD users.

Everything is working for Windows 7 .

But I am not sure if Samba-winbind uses the altSecurityIdentities attribute from 
AD, and how to implement this ...

Has somebody implemented this solution?

Thanks in advance 
Serge Conrad




[Samba] Winbind does not update groups

2013-05-29 Thread Michael Schmitz
I set up winbind as an authentication method on my Ubuntu server and the only 
issue I have is that when I change a user's group in Active Directory it doesn't 
update after a relogin. It shows up with a wbinfo -G, but when I use the groups 
command or try to operate as a member, the only groups I am in are the ones 
that I was in when I first logged into the server. Does anyone know why this 
is and if there is a workaround? I am on samba 3.6 on Ubuntu 12.04.2

--Mike


Re: [Samba] Winbind does not update groups

2013-05-29 Thread Volker Lendecke
On Wed, May 29, 2013 at 04:17:33PM +, Michael Schmitz wrote:
 I set up winbind as an authentication method on my Ubuntu
 server and the only issue I have is that when I change a user's
 group in Active Directory it doesn't update after a
 relogin. It shows up with a wbinfo -G, but when I use the
 groups command or try to operate as a member, the only
 groups I am in are the ones that I was in when I first
 logged into the server. Does anyone know why this is
 and if there is a workaround? I am on samba 3.6 on Ubuntu
 12.04.2

Are you running nscd?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


Re: [Samba] Winbind does not update groups

2013-05-29 Thread Michael Schmitz
It is not even installed. So no, I'm still lost.

--Mike 

-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Wednesday, May 29, 2013 2:42 PM
To: Michael Schmitz
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind does not update groups

On Wed, May 29, 2013 at 04:17:33PM +, Michael Schmitz wrote:
 I set up winbind as an authentication method on my Ubuntu server and 
 the only issue I have is that when I change a user's group in Active 
 Directory it doesn't update after a relogin. It shows up with a wbinfo 
 -G, but when I use the groups command or try to operate as a member, 
 the only groups I am in are the ones that I was in when I first logged 
 into the server. Does anyone know why this is and if there is a 
 workaround? I am on samba 3.6 on Ubuntu
 12.04.2

Are you running nscd?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de



[Samba] winbind versus nss/pam_ldap

2013-05-14 Thread Fernando Lozano

Hi there,

Since samba 3.0 I've been using Samba PDC and BDCs backed by OpenLDAP, 
and I configure my member servers (all running Linux) to use nss and pam 
to get user information directly from LDAP. I took this way because I 
had previous experience using LDAP for e-mail and web apps. But it looks 
from the list and samba docs that most people configure winbind on 
member servers, and so they don't need direct access to a LDAP server.


I'm wondering what are the advantages and disadvantages of each method, 
and if I should change my setup to use winbind. Can anyone provide some 
pointers to such a comparison?


For example, using winbind seems to be easier: less configuration files 
to change on linux member servers. On the other side, using LDAP 
provides centralized identity management for servers which do not run 
samba (such as database servers), but setting up a server with winbind 
only (no smbd or nmbd) doesn't seem harder to do than setting up a 
server with nss/pam_ldap.



[]s, Fernando Lozano



[Samba] Winbind failover timeout?

2013-05-13 Thread Pekka L.J. Jalkanen
I've got no answers, but I realised that I had picked up a rather poor
title, so here's a better one, combined with a more concise summary of
my earlier babbling...

Are there any smb.conf settings that control (Samba 3) Winbind's DC
failover timeout when security = ADS? I do realise that there is a
setting called ldap connection timeout, but I assume it is only
related to situations where domain logons have been turned on and
ldapsam is being utilised as a password backend. Is this correct?

In case such settings do not exist, can anyone please explain to me the way
that Winbind actually handles these failover situations internally?

How transparent should the failover process be in practice? Any experiences?

Thanks,

Pekka L.J. Jalkanen

On 10.5.2013 21:14, Pekka L.J. Jalkanen wrote:
 Hello all,
 
 I've a box running Samba 3.5.6 (Debian Squeeze) that retrieves its user
 accounts from AD, using Winbind. The box is receiving incoming mail.
 Idmap backend is AD, with rfc2307 schema mode.
 
 Currently it's only accessing one AD DC, and the MTA on the Samba box is
 stopped whenever the DC is temporarily offline to prevent rejection of
 any incoming mail with user unknown status.
 
 However, I'd like to add another DC to the mix, but I'm concerned that
 mail could get rejected if the active DC suddenly goes offline and
 winbind doesn't switch to another DC promptly enough.
 
 Consider the following scenario:
 
 1. There is an AD account foo. The account hasn't been used for some
 time, and it's thus not in winbind's cache. It's possibly not even in
 Winbind's idmap cache.
 2. There are two AD DCs, A and B.
 3. Samba member server C runs Winbind and is currently using the DC A.
 4. Hardware fails and the DC A suddenly drops offline.
 5. Just few seconds later an e-mail is arriving for foo. The MTA tries
 to check for the user.
 6. As Winbind is not yet aware of the unavailability of the DC A, it
 tries to contact it.
 
 A. Now, in the ideal world this would continue as follows:
 
 7. Winbind can't contact the DC A anymore, so it promptly contacts the DC B.
 8. The DC B confirms the existence of foo.
 9. The MTA delivers mail for foo.
 
 B. However, I'm afraid that in the real world, the following could result:
 
 7. Winbind frantically tries to contact the DC A, but times out and can't
 confirm the existence of foo. It tells the MTA that there's no account.
 8. The MTA replies to the sender with a 550 5.1.1 f...@my.site... User
 unknown error.
 9. After the timeout Winbind finally manages to switch to the DC B, but
 the sender has already got the delivery failure message and now thinks
 that the address f...@my.site is no longer valid.
 
 I tried to look at the documentation, but didn't find any
 recommendations regarding winbind cache settings in situations where
 availability is critical. Is it recommended to just disable all Winbind
 caching entirely? Or do just the opposite and try to cache as much as
 ever possible? What are the practical effects of winbind cache time and
 idmap cache time smb.conf options in this situation? Also, are the
 caches for all accounts replenished every time the cache of any
 account expires, or in per-account basis?
 
 And do the idmap cache times even work in a predictable way with this
 old Samba, where bug 8658 is still unfixed? Or should I just try to upgrade
 as soon as possible?
 
 I built a test box similar to the actual box receiving mail (Winbind
 cache time was the default (300 seconds) and idmap cache time was set to
 86,400 seconds (one day)) and flooded it with messages while at the same
 time switching connections to the DCs back and forth. And sure enough, I
 did get some delivery errors due to Winbind unavailability, if the
 account receiving the mail hadn't been queried after the last winbind
 restart and before the DC went offline. So the likelihood of the
 scenario 'B' feels all too great.
 
 Any recommendations for avoiding it?
 
 Pekka L.J. Jalkanen
 



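One way an MTA-side recipient check can avoid the bounce in scenario B, as an added example that is not code from the thread or from Samba: a not-found answer is treated as permanent only while winbind can still reach a DC, otherwise the MTA answers 451 so the sender retries. It assumes `getent passwd` exits 2 for an unknown user (glibc) and that `wbinfo -t` succeeds only when winbind has a live DC connection; both calls are injectable so the logic can be exercised offline.

```python
"""Soft-fail recipient verification for an MTA that resolves users through
winbind. Added example; not code from the thread or from Samba.

Scenario B above ends in a 550 because a not-found answer from a winbind
whose DC just died is taken as authoritative. Here a not-found answer is
permanent only while winbind can still reach a DC; otherwise the MTA
answers 451 and the sender retries instead of bouncing.
Assumptions: 'getent passwd' exits 2 for an unknown user (glibc) and
'wbinfo -t' succeeds only while winbind has a live DC connection.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

# SMTP reply codes returned for RCPT TO.
ACCEPT = 250    # recipient exists
TEMPFAIL = 451  # transient local error: sender must retry later
REJECT = 550    # recipient permanently unknown


@dataclass
class Verdict:
    code: int
    reason: str


def _exit_code(cmd: list, timeout: float) -> Optional[int]:
    """Run cmd and return its exit status, or None if it timed out or is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None


def lookup_user(name: str, timeout: float = 5.0) -> Optional[int]:
    """getent passwd NAME goes through NSS, hence through winbind for domain
    users. 0 = found, 2 = not found, None = no answer within the timeout."""
    return _exit_code(["getent", "passwd", name], timeout)


def dc_reachable(timeout: float = 5.0) -> bool:
    """wbinfo -t validates the machine trust secret against a DC, so it only
    succeeds while winbind actually has a DC to talk to."""
    return _exit_code(["wbinfo", "-t"], timeout) == 0


def verify_recipient(local_part: str,
                     lookup: Callable[[str], Optional[int]] = lookup_user,
                     dc_ok: Callable[[], bool] = dc_reachable) -> Verdict:
    """Decide the RCPT TO reply for local_part.

    The DC check runs only after a negative lookup, so the common path
    (account found, typically from winbind's cache) costs a single call.
    """
    rc = lookup(local_part)
    if rc == 0:
        return Verdict(ACCEPT, "account found")
    if rc is None:
        # Winbind is hanging on a dead DC (step 7 of scenario B): never bounce on that.
        return Verdict(TEMPFAIL, "directory lookup timed out")
    if rc == 2:
        if dc_ok():
            return Verdict(REJECT, "account does not exist (DC reachable)")
        return Verdict(TEMPFAIL, "account not found but no DC reachable; retry later")
    return Verdict(TEMPFAIL, f"lookup failed with status {rc}")


if __name__ == "__main__":
    # Constructed offline run: fake a negative lookup with a dead DC.
    print(verify_recipient("foo", lookup=lambda n: 2, dc_ok=lambda: False))
```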


[Samba] winbind authentication returning failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

2013-05-12 Thread Nathan Frankish
[2013/05/13 07:08:58.730027,  3] 
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2367]: request location of privileged pipe
[2013/05/13 07:08:58.730252,  3] 
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam nathan_adm
[2013/05/13 07:09:04.052509,  3] 
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 2370]: request interface version
[2013/05/13 07:09:04.052806,  3] 
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2370]: request location of privileged pipe
[2013/05/13 07:09:04.054553,  3] 
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam nathan_adm
[2013/05/13 07:09:42.241190,  3] 
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [ 2374]: request interface version
[2013/05/13 07:09:42.241383,  3] 
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [ 2374]: request location of privileged pipe
[2013/05/13 07:09:42.241504,  3] 
winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam nathan_adm


Re: [Samba] winbind authentication returning failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

2013-05-12 Thread Nathan Frankish
I'm not sure why this keeps getting scrubbed :(
Smb.conf http://pastebin.com/8hbKm1cm
Krb5.conf http://pastebin.com/kJvPFR05
Commands output: http://pastebin.com/XfVMNUeD

From: Nathan Frankish
Sent: Monday, 13 May 2013 7:12 AM
To: samba@lists.samba.orgmailto:samba@lists.samba.org
Subject: winbind authentication returning failed to call wbcGetpwnam: 
WBC_ERR_DOMAIN_NOT_FOUND

Hi Samba Team,

I'm at a bit of a loss. I've been setting up samba with winbind authentication in 
our domain under redhat 6 and I've run into quite a few issues.
My 3.3.8 boxes (redhat 5) work fine in the domain, but I can't get the 3.6.9 
boxes (redhat 6.4) to work.
I have an independent test active directory domain that is at the same 
functional level (2008R2 Native) as the production domain, with which my 
configuration works fine (once I change it to use the other domain name of 
course), so I don't think it's a configuration issue, but I'm stumped as to why 
it's not working.

I've checked that the domain controller policies are the same on both 
environments, which they are.
I can successfully join the domain with net ads join


I can kinit fine, and it gets a token, but getent passwd nathan_adm fails to 
return anything either. I've straced getent and I can see it shooting off to 
winbind, but it doesn't seem to get anything back.

I've stripped the domain out of my configuration files, but it's 
QLDMOTORWAYS.COM.AU. My UAT domain is UAT.DOM.

Any thoughts or help or ideas would be great.



Nathan Frankish  |  Senior Systems Engineer

Queensland Motorways Pty Limited



[Samba] Winbind in 3.6.14 crashes against NT4 DC

2013-05-02 Thread Chris Smith
Filed as bug 9847:

Customer, in the 3.6.x series, has run 3.6.10 through 3.6.13
successfully. After upgrading to 3.6.14 Winbind crashes and their data
is no longer accessible. Reverting to 3.6.13 brings back stability.

[2013/05/01 23:15:16.303789,  0]
winbindd/winbindd.c:212(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2013/05/02 07:23:15.894065,  0] lib/fault.c:47(fault_report)
  ===
[2013/05/02 07:23:15.894202,  0] lib/fault.c:48(fault_report)
  INTERNAL ERROR: Signal 11 in pid 30869 (3.6.14)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2013/05/02 07:23:15.894262,  0] lib/fault.c:50(fault_report)

Sorry, could not troubleshoot this during business hours. Can get
whatever is requested after hours. Thanks.


[Samba] winbind problem

2013-04-29 Thread tn
Hi,

I have a problem with winbind, could anyone help me?

Version:
root@leela:~# samba -V
Version 4.0.5
root@leela:~# uname -a
Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 
x86_64 x86_64 GNU/Linux

- First everything went fine:
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

- For example I change a files owner to root:
root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- Everything is still fine:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 root  FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- Now changing owner to 300 (Builtin/Administrator):
root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- It needs many seconds to work.
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1   300 FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- And if I look again, all users shown as numbers, not names:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 331008 10164096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 300 1016 3145728 Apr  8 06:54 ntuser.dat
[...]
root@leela:~#

- And now all samba users gone. winbind -u is empty too.
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]

- in the logfile I found this:
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error

- After restart samba
root@leela:~# stop samba4
root@leela:~# start samba4

- All users are back now...
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same 
problem.

Regards
  Thomas Nolte
--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Handy 0170-5508198

Computer, Netzwerk, Kommunikation www.nisx.de




[Samba] Winbind and User Private Groups

2013-04-19 Thread Jacob Seeley
Hello,

I'm doing R&D on using Winbind to authenticate Active Directory users (W2K3S 
R2) on RHEL 6 servers. I have a working implementation of this using idmap_rid 
as the backend. I followed 'configuration 1' in the following guide:

http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile

My question revolves around 'User Private Groups'. I noticed my AD users' UIDs 
do not have matching GIDs. I came across the following:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2596644

This seems to indicate I cannot implement UPG because Windows will not allow 
user and groups of the same name.

From an administrative point of view, how do I handle this? Should I be 
concerned about this? How will a non UPG setup be different for us Linux users 
who are accustomed to having private groups? Essentially, I'm trying to avoid 
any unforeseen pitfalls as a result of not having UPGs.

Thank you,

--
Jacob Seeley


Re: [Samba] Winbind and User Private Groups

2013-04-19 Thread Linda W
Jacob Seeley wrote:
 Hello,
 My question revolves around 'User Private Groups'. I noticed my AD users' 
 UIDs do not have matching GIDs. I came across the following:

 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2596644

 This seems to indicate I cannot implement UPG because Windows will not allow 
 user and groups of the same name.

 From an administrative point of view, how do I handle this? Should I be 
 concerned about this? How will a non UPG setup be different for us Linux 
 users who are accustomed to having private groups? Essentially, I'm trying to 
 avoid any unforeseen pitfalls as a result of not having UPGs.
   

Well, one pitfall I can think of is on the linux side. 
i.e. on Windows, you can put both users and groups in 'groups', and I think
samba supports such nesting (needs enabling).  But then let's say you use
the idmap_rid -- how would you specify group-nesting as separate from
the user? 

FWIW, I allocate the group IDs with users, but I alter the group names
for the ones I care to have working with any reliability.

I try to setup my groups to mirror the wingroups, though ran
into some problems with domain groups =512...
But a snippet from my passwd file:
rsvd_Domain Users_g:x:513:513:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Guests_g:x:514:514:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Computers_g:x:515:515:Group-Reserved:/var/lib/nobody:/bin/bash
rsvd_Domain Controllers_g:x:516:516:Group-Reserved:/var/lib/nobody:/bin/bash

---
I do have the numbers reserved in both files so they line up.

I'm not happy with several limitations in the standard samba setup, like
artificially limiting rids to 512 (which means I'd have
to move groups/users as I'm using 'idmap_nss').  But would
something similar work for you -- suffixes or prefixes?

But I also don't like that samba doesn't list back
its well-known groups, as those are often only well-known if
you have a Windows server.

Dumping out my non-domain, well-known groups (and a few
domain groups at the end for comparison).  The number
in the middle is the unix GID... Note -- most of those
are not used anywhere and I put them in as reference,
and I noted a few inconsistencies... oh well...
Need 128 bit user numbers!... ;-)


(net groups list -- massaged;
   S-1-0 :10100 - Null Authority
   S-1-1 :10101 - World Authority
   S-1-2 :10102 - Local Authority
   S-1-3 :10103 - Creator Authority
   S-1-4 :10104 - Non-unique Authority
   S-1-5 :10105 - NT Authority
 S-1-0-0 :11000 - Nobody
 S-1-1-0 :11100 - Everyone
 S-1-3-0 :11300 - Creator Owner
 S-1-3-1 :11301 - Creator Group
 S-1-3-2 :11302 - Creator Owner Server
 S-1-5-1 :11501 - Dialup
 S-1-5-2 :11502 - Network
 S-1-5-3 :11503 - Batch
 S-1-5-4 :11504 - Interactive
 S-1-5-6 :11506 - Service
 S-1-5-7 :11507 - Anonymous
 S-1-5-8 :11508 - Proxy
 S-1-5-9 :11509 - Enterprise Domain Controllers
S-1-5-10 :11510 - Principal Self
S-1-5-11 :11511 - Authenticated Users
S-1-5-12 :11512 - Restricted Code
S-1-5-13 :11513 - TSUsersGroup
S-1-5-19 :11519 - Local Service
S-1-5-20 :11520 - Network Service
 S-1-16-4096 : 11604096 - Low Mandatory Level
 S-1-16-8192 : 11608192 - Medium Mandatory Level
 S-1-16-8448 : 11608448 - Medium Plus Mandatory Level
S-1-16-12288 : 11612288 - High Mandatory Level
S-1-16-16384 : 11616384 - System Mandatory Level
S-1-5-32-516 :  516 - Domain Controllers
S-1-5-32-544 :  544 - Administrators
S-1-5-32-545 :  545 - Users
S-1-5-32-546 :  546 - Guests
S-1-5-32-547 :  547 - Power Users
S-1-5-32-548 :  548 - Account Operators
S-1-5-32-549 :  549 - Server Operators
S-1-5-32-550 :  550 - Print Operators
S-1-5-32-551 :  551 - Backup Operators
S-1-5-32-552 :  552 - Replicators

  S-1-5-21-1-2-3-512 :  512 - Domain Admins
  S-1-5-21-1-2-3-513 :  513 - Domain Users
  S-1-5-21-1-2-3-514 :  514 - Domain Guests
  S-1-5-21-1-2-3-515 :  515 - Domain 
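The two idmap threads above (the duplicate-UID report under "Samba + Winbind ID Mapping Issue" and the idmap_rid discussion here) share one underlying check, so this added example, which is not code from either thread or from Samba, covers both: it parses the `idmap config` lines of an smb.conf, applies idmap_rid's arithmetic (ID = RID + LOW_RANGE_ID with the default base_rid of 0), and reports ranges that overlap each other or the host's local IDs. The smb.conf fragment, domain names and ranges in it are constructed for the example.

```python
"""idmap range checker and idmap_rid calculator for smb.conf.
Added example; not code from the thread or from Samba.

idmap_rid maps a SID to a Unix ID as ID = RID + LOW_RANGE_ID (with the
default base_rid of 0) and refuses SIDs whose result leaves the
configured range. The ranges of the different 'idmap config DOMAIN'
entries must not overlap one another or the locally allocated IDs,
otherwise two different accounts can end up owning the same files.
The smb.conf fragment, domain names and ranges below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment: PARTNER's range deliberately overlaps EXAMPLE's.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-19999
   idmap config PARTNER : backend = rid
   idmap config PARTNER : range = 15000-24999
"""

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$",
    re.MULTILINE | re.IGNORECASE)
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

Range = Tuple[int, int]


def parse_idmap_config(text: str) -> Dict[str, dict]:
    """Collect backend and range per idmap domain ('*' is the default domain)."""
    domains: Dict[str, dict] = {}
    for dom, key, val in _IDMAP_RE.findall(text):
        entry = domains.setdefault(dom.upper(), {})
        if key.lower() == "range":
            low, high = (int(x) for x in val.split("-", 1))
            if low > high:
                raise ValueError(f"{dom}: range {val} is inverted")
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return domains


def find_overlaps(domains: Dict[str, dict],
                  local_ids: Range = (0, 999)) -> List[Tuple[str, str]]:
    """Return every pair of ranges that intersect. local_ids stands for the
    UIDs/GIDs handed out in /etc/passwd and /etc/group on this host."""
    named = [("LOCAL", local_ids)]
    named += [(d, c["range"]) for d, c in domains.items() if "range" in c]
    clashes = []
    for i, (a, (alo, ahi)) in enumerate(named):
        for b, (blo, bhi) in named[i + 1:]:
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                clashes.append((a, b))
    return clashes


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-1-2-3-512' into its domain SID and the RID 512."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_to_unix_id(sid: str, rng: Range) -> Optional[int]:
    """idmap_rid's arithmetic: ID = RID + low; None if it falls outside the range."""
    low, high = rng
    uid = low + split_sid(sid)[1]
    return uid if low <= uid <= high else None


def check(text: str = SAMPLE_SMB_CONF) -> List[str]:
    """Report idmap range problems in an smb.conf text as readable lines."""
    domains = parse_idmap_config(text)
    problems = [f"ranges of {a} and {b} overlap" for a, b in find_overlaps(domains)]
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: idmap backend configured without a range")
    return problems


if __name__ == "__main__":
    for line in check():
        print(line)
    # Same Unix ID from two different SIDs once ranges overlap.
    print(rid_to_unix_id("S-1-5-21-1-2-3-6000", (10000, 19999)),
          rid_to_unix_id("S-1-5-21-9-9-9-1000", (15000, 24999)))
```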

Re: [Samba] Winbind strip domain from username?

2013-04-16 Thread Rowland Penny

On 15/04/13 22:12, Luc Lalonde wrote:

Hello Folks,

This directive works with Samba3 but does not seem to work with Samba-4.0.5:

winbind use default domain = Yes

I want to get a username that does not contain the domain (GIGL).  Instead 
here's what I get:

[root@roquefort ~]# getent passwd | grep GIGL
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash

How do I remove the 'GIGL\' from the username?  This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT'

What am I missing?

Thank You!

Hi, I doubt that getent showing your domain is the problem. I am trying 
to get something similar to work but with libpam-script, and I can get 
the user's home directory to mount, but then my problems start. One 
problem I think you have is that you have added the line 'template 
homedir = /home/%U'; if you have, then I am sorry but you will have to 
remove this, I am fairly sure that you are stuck with the default 
'template homedir = /home/%D/%U' (unless anybody knows differently). 
With the template homedir line as 'template homedir = /home/%U', 
everybody's homedir is set to literally that, '/home/%U'.


I am also fairly sure that you are trying to mount the home directory 
from the samba 4 server, correct?


   Rowland



Re: [Samba] Winbind strip domain from username?

2013-04-16 Thread Luc Lalonde
Hello Geza,

Here's my 'smb.conf':

[global]
workgroup = FOO
realm = foo.example.com
netbios name = ROQUEFORT
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate
idmap config * : range = 16777216-33554431
template shell = /bin/bash
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes
template homedir = /usagers/%U
winbind use default domain = yes
map untrusted to domain = no


[netlogon]
path = /usr/local/samba/var/locks/sysvol/foo.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Thanks for your help!

Cheers!

On 2013-04-16, at 12:09 AM, Gémes Géza g...@kzsdabas.hu wrote:

 2013-04-15 23:12 keltezéssel, Luc Lalonde írta:
 Hello Folks,
 
 This directive works with Samba3 but does not seem to work with Samba-4.0.5:
 
 winbind use default domain = Yes
 
 I want to get a username that does not contain the domain (GIGL).  Instead 
 here's what I get:
 
 [root@roquefort ~]# getent passwd | grep GIGL
 GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
 GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
 GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
 GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
 GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
 GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
 
 How do I remove the 'GIGL\' from the username?  This is causing me problems 
 mounting the user's home directory at logon with 'PAM_MOUNT'
 
 What am I missing?
 
 Thank You!
 
 Please attach your smb.conf.
 
 Regards
 
 Geza Gemes


Re: [Samba] Winbind strip domain from username?

2013-04-16 Thread Johan Hendriks


Hello Folks,

This directive works with Samba3 but does not seem to work with Samba-4.0.5:

winbind use default domain = Yes

I want to get a username that does not contain the domain (GIGL).  Instead 
here's what I get:

[root@roquefort ~]# getent passwd | grep GIGL
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash

How do I remove the 'GIGL\' from the username?  This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT'

What am I missing?

Thank You!

--
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-

I had something similar, but I cannot look at what it was from where I am now, 
but I think I changed the %U to %u in my home share.

regards
Johan



[Samba] winbind use default domain = Yes (not working in 4.0.5)

2013-04-16 Thread Luc Lalonde
Hello folks,

Well it seems that I'm not the only one having this problem:

https://bugzilla.samba.org/show_bug.cgi?id=9780

I am able to bypass the problem with PAM_MOUNT by using '%(DOMAIN_USER)' 
instead of '%(USER)'.

Bye.


- Original Message -
From: Johan Hendriks jo...@double-l.nl
To: Luc Lalonde luc.lalo...@polymtl.ca
Cc: samba@lists.samba.org
Sent: Tuesday, April 16, 2013 8:27:30 AM GMT -05:00 US/Canada Eastern
Subject: RE: [Samba] Winbind strip domain from username?



Hello Folks,

This directive works with Samba3 but does not seem to work with Samba-4.0.5:

winbind use default domain = Yes

I want to get a username that does not contain the domain (GIGL).  Instead 
here's what I get:

[root@roquefort ~]# getent passwd | grep GIGL
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash

How do I remove the 'GIGL\' from the username?  This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT'

What am I missing?

Thank You!

--
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-

I had something similar, but I cannot look at what it was from where I am now, 
but I think I changed the %U to %u in my home share.

regards
Johan

-- 
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-

Re: [Samba] winbind use default domain = Yes (not working in 4.0.5)

2013-04-16 Thread Mike Ray
This must be something that changed recently -- version 4.0.3 works with 
winbind use default domain = yes (i.e. getent passwd does *not* return 
DOMAIN\username, but just username). 

- Original Message -

From: Luc Lalonde luc.lalo...@polymtl.ca 
To: Johan Hendriks jo...@double-l.nl 
Cc: samba@lists.samba.org 
Sent: Tuesday, April 16, 2013 8:54:06 AM 
Subject: [Samba] winbind use default domain = Yes (not working in 4.0.5) 

Hello folks, 

Well it seems that I'm not the only one having this problem: 

https://bugzilla.samba.org/show_bug.cgi?id=9780 

I am able to bypass the problem with PAM_MOUNT by using '%(DOMAIN_USER)' 
instead of '%(USER)'. 

Bye. 


- Original Message - 
From: Johan Hendriks jo...@double-l.nl 
To: Luc Lalonde luc.lalo...@polymtl.ca 
Cc: samba@lists.samba.org 
Sent: Tuesday, April 16, 2013 8:27:30 AM GMT -05:00 US/Canada Eastern 
Subject: RE: [Samba] Winbind strip domain from username? 



Hello Folks, 

This directive works with Samba3 but does not seem to work with Samba-4.0.5: 

winbind use default domain = Yes 

I want to get a username that does not contain the domain (GIGL). Instead 
here's what I get: 

[root@roquefort ~]# getent passwd | grep GIGL 
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash 
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash 
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash 
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash 
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash 
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash 

How do I remove the 'GIGL\' from the username? This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT' 

What am I missing? 

Thank You! 

-- 
Luc Lalonde, analyste 
- 
Département de génie informatique: 
École polytechnique de Montréal 
(514) 340-4711 x5049 
luc.lalo...@polymtl.ca 
- 

I had something similar, but I cannot look at what it was from where I am now, 
but I think I changed the %U to %u in my home share. 

regards 
Johan 

-- 
Luc Lalonde, analyste 
- 
Département de génie informatique: 
École polytechnique de Montréal 
(514) 340-4711 x5049 
luc.lalo...@polymtl.ca 
- 
-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 


[Samba] winbind problem

2013-04-16 Thread samba
Hi,

I have a problem with winbind, could anyone help me?

Version:
root@leela:~# samba -V
Version 4.0.5
root@leela:~# uname -a
Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 
x86_64 x86_64 GNU/Linux

- First everything went fine:
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

- For example, I change a file's owner to root:
root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- Everything is still fine:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 root          FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- Now changing owner to 300 (Builtin/Administrator):
root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- It takes many seconds to work.
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1       300 FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- And if I look again, all users are shown as numbers, not names:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33    1008 1016    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 300 1016 3145728 Apr  8 06:54 ntuser.dat
[...]
root@leela:~#

- And now all samba users are gone. winbind -u is empty too.
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]

- In the log file I found this:
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error

- After restarting samba:
root@leela:~# stop samba4
root@leela:~# start samba4

- All users are back now...
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same 
problem.

Regards
  Thomas Nolte
--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Mobile 0170-5508198

Computers, networks, communication www.nisx.de




Re: [Samba] winbind problem

2013-04-16 Thread Nick Semenkovich
I also have this problem, using a very recent version from git. (see also:
http://www.mail-archive.com/samba@lists.samba.org/msg124657.html )

Periodically, winbind seems to simply crash, and getent passwd & other ops
(e.g. htop) stall.


I'd also be happy to provide any debugging information needed.


On Tue, Apr 16, 2013 at 11:29 AM, sa...@nisx.de wrote:

 Hi,

 I have a problem with winbind, could anyone help me?

 Version:
 root@leela:~# samba -V
 Version 4.0.5
 root@leela:~# uname -a
 Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013
 x86_64 x86_64 x86_64 GNU/Linux

 - First everything went fine:
 root@leela:~# getent passwd
 root:x:0:0:root:/root:/bin/bash
 [...]
 FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
 FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

 - For example, I change a file's owner to root:
 root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat

 - Everything is still fine:
 root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
 insgesamt 3224
 drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
 [...]
 -rw-rw  1 root          FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
 [...]

 - Now changing owner to 300 (Builtin/Administrator):
 root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat

 - It takes many seconds to work.
 root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
 insgesamt 3224
 drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
 [...]
 -rw-rw  1       300 FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
 [...]

 - And if I look again, all users are shown as numbers, not names:
 root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
 insgesamt 3224
 drwxrws--- 33    1008 1016    4096 Apr  6 13:39 Anwendungsdaten
 [...]
 -rw-rw  1 300 1016 3145728 Apr  8 06:54 ntuser.dat
 [...]
 root@leela:~#

 - And now all samba users are gone. winbind -u is empty too.
 root@leela:~# getent passwd
 root:x:0:0:root:/root:/bin/bash
 [...]

 - In the log file I found this:
 [2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
   ===
 [2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
   INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
   Please read the Trouble-Shooting section of the Samba HOWTO
 [2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
   ===
 [2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
   PANIC: internal error

 - After restarting samba:
 root@leela:~# stop samba4
 root@leela:~# start samba4

 - All users are back now...
 root@leela:~# getent passwd
 root:x:0:0:root:/root:/bin/bash
 [...]
 FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
 FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

 Does anyone have an idea? I've tried an older version (4.0.1) of samba too,
 same problem.

 Regards
   Thomas Nolte
 --
 Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
 Tel 05331-946210, Fax 05331-946211, Mobile 0170-5508198

 Computers, networks, communication www.nisx.de




Re: [Samba] winbind problem

2013-04-16 Thread samba
Hi again,

I think I have a workaround:

Add a local user with ID 300 so that winbind never sees queries for that ID:

useradd -d /tmp -M -s /bin/false -u 300 -g 100 -o -l samba4-workaround 
(Ubuntu 12.04)

I've tested it a few times and it seems to work.

Kind regards
  Thomas Nolte

--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Mobile 0170-5508198

Computers, networks, communication www.nisx.de

From: seme...@syndetics.net [mailto:seme...@syndetics.net] on behalf of Nick 
Semenkovich
Sent: Tuesday, 16 April 2013 19:48
To: tn
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbind problem

 
I also have this problem, using a very recent version from git. (see also: 
http://www.mail-archive.com/samba@lists.samba.org/msg124657.html )

Periodically, winbind seems to simply crash, and getent passwd & other ops 
(e.g. htop) stall.

I'd also be happy to provide any debugging information needed. 

On Tue, Apr 16, 2013 at 11:29 AM, sa...@nisx.de wrote:

Hi,

I have a problem with winbind, could anyone help me?

Version:
root@leela:~# samba -V
Version 4.0.5
root@leela:~# uname -a
Linux leela 3.2.0-40-generic #64-Ubuntu SMP Mon Mar 25 21:22:10 UTC 2013 x86_64 
x86_64 x86_64 GNU/Linux

- First everything went fine:
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

- For example, I change a file's owner to root:
root@leela:~# chown 0 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- Everything is still fine:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 root          FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- Now changing owner to 300 (Builtin/Administrator):
root@leela:~# chown 300 /opt/samba/var/shares/profiles/svtn/ntuser.dat

- It takes many seconds to work.
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33 FUTURAMA+svtn FUTURAMA+gf    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1       300 FUTURAMA+gf 3145728 Apr  8 06:54 ntuser.dat
[...]

- And if I look again, all users are shown as numbers, not names:
root@leela:~# ll /opt/samba/var/shares/profiles/svtn/
insgesamt 3224
drwxrws--- 33    1008 1016    4096 Apr  6 13:39 Anwendungsdaten
[...]
-rw-rw  1 300 1016 3145728 Apr  8 06:54 ntuser.dat
[...]
root@leela:~#

- And now all samba users are gone. winbind -u is empty too.
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]

- In the log file I found this:
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error

- After restarting samba:
root@leela:~# stop samba4
root@leela:~# start samba4

- All users are back now...
root@leela:~# getent passwd
root:x:0:0:root:/root:/bin/bash
[...]
FUTURAMA+Administrator:*:0:513::/home/FUTURAMA/Administrator:/bin/bash
FUTURAMA+svtn:*:1008:513:Thomas Nolte as SV:/home/FUTURAMA/svtn:/bin/bash

Does anyone have an idea? I've tried an older version (4.0.1) of samba too, same 
problem.

Regards
  Thomas Nolte
--
Nolte Infosysteme,  Im Sikfeld 8, 38304 Wolfenbuettel
Tel 05331-946210, Fax 05331-946211, Mobile 0170-5508198

Computers, networks, communication www.nisx.de



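Thomas's log excerpt shows the signature to look for when domain users silently disappear from getent: a fault_report header line carrying the timestamp, followed by "INTERNAL ERROR: Signal 11 in pid ... (version)". Below is an added example, not code from the thread or from Samba, that pulls those panics out of a log and checks whether a given uid (300 in the useradd workaround) is answered from the local passwd file before NSS ever asks winbind. The log lines and passwd entries it runs over are constructed to match the shape quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: extract winbind/samba
# panics from a log and check whether a uid is served by "files" before winbind.
# Samba prints the timestamp on a header line and the "INTERNAL ERROR: Signal N
# in pid P (version)" text on the line after it, so the parser remembers the
# last header it saw.

# panic_events < samba-log: prints "date time signal pid version" per panic.
panic_events() {
    awk '
        # header line: [2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            ts = substr($1, 2) " " substr($2, 1, length($2) - 1)
        }
        /INTERNAL ERROR: Signal [0-9]+ in pid [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "pid") pid = $(i + 1)
            ver = $NF; gsub(/[()]/, "", ver)
            print ts, $4, pid, ver
        }'
}

# panic_count < samba-log: number of panics seen.
panic_count() {
    panic_events | awk 'END { print NR }'
}

# uid_served_locally UID < passwd-file: exit 0 when a local passwd entry claims
# UID, i.e. NSS answers it from "files" and winbind is never consulted. This is
# what the useradd workaround above relies on for uid 300.
uid_served_locally() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }'
}

# Constructed sample log in the shape of the excerpt quoted above (not real data);
# the last two lines are noise the parser must ignore.
SAMPLE_LOG='[2013/04/16 15:44:09,  0] ../lib/util/fault.c:72(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 26194 (4.0.5)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:75(fault_report)
  ===
[2013/04/16 15:44:09,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error
[2013/04/16 15:45:00,  3] constructed/noise.c:1(noise)
  a non-panic line the parser must ignore'

# Constructed passwd lines, with and without the workaround account.
PASSWD_WITH_WORKAROUND='root:x:0:0:root:/root:/bin/bash
samba4-workaround:x:300:100::/tmp:/bin/false'
PASSWD_PLAIN='root:x:0:0:root:/root:/bin/bash'

# On a real host:  panic_events < /var/log/samba/log.winbindd
printf '%s\n' "$SAMPLE_LOG" | panic_events
```

The uid check mirrors the order in /etc/nsswitch.conf ("passwd: files winbind"): anything found in files never reaches winbind, which is exactly why the workaround account makes the uid-300 lookup stop triggering the crash.
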
[Samba] Samba + Winbind ADS on Win2012 AD with Native 2003 domain forest level

2013-04-16 Thread Andrej Pintar

Hello,

I am trying to connect samba to our NEW DCs running win2012 AD. Now I 
can join samba using net join and winbind lists users and groups, but 
USER AUTH fails when using smbclient and wbinfo -a. The error that I get is 
ACCESS DENIED. Now I'm guessing that something must be blocked on the 
Windows servers that does not allow Winbind to authenticate. I tried 
Samba 3.0.33, 3.6.6 (3x package), samba 4.0.0. All samba servers give the 
same error. Kerberos is working. nsswitch is configured. I also added 
PAM auth. GPO policy? Winbind is the main problem currently. RPC server 
on win2012 (port 139) security. NTLM is allowed on LocalPolicy. SMB 
signing is enabled and working, as I saw in the samba logs. Tried to google 
and reconfigure smb.conf many times. No success in 2 weeks yet. I am not 
giving up. I really want to know why it's not working.


I have not tried samba with SSSD yet because I am a little afraid to 
upgrade the AD schema. It should be painless, right? These are prod servers.


Linux: CentOS 5.2 (will upgrade to 5.9) - tried a VBOX 5.9 - same error; 
version does not matter.

Windows: 2x 2012 DC with AD 2003 native domain
Windows SBS: still connected to these DCs. Disabled SBCore so the server 
will not shut down by itself
because of EULA and SBS limits. This server is going to retire once I set up 
samba to work with the new DCs.

AD schema was migrated with exchange attributes so it works with postfix.

SMBclient's error: SPNEGO auth fails.
Winbind: ACCESS_DENIED (0x0022) - something like that

Hope anyone knows some Windows server trick to make winbind work. I do 
think it's a security feature that needs to be disabled.

Any thoughts?

--
Andrej Pintar

email : api...@gmail.com
   and...@skrad.com
   api...@api984.net
web: http://www.api984.net
contact cell: 00385 98 790 639
home server: http://anetlocal.poweredbyclear.com
ICQ: 191748772
Skype: api9841
Twitter: api984
MSN: fatall...@hotmail.com
IRC: api984, freenode.net
::Software is like sex: it's better when it's free::



Re: [Samba] Winbind strip domain from username?

2013-04-16 Thread Gémes Géza

On 2013-04-16 12:33, Luc Lalonde wrote:

Hello Geza,

Here's my 'smb.conf':

[global]
workgroup = FOO
realm = foo.example.com
netbios name = ROQUEFORT
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate
 idmap config * : range = 16777216-33554431
 template shell = /bin/bash
 winbind offline logon = false
 winbind enum users = yes
 winbind enum groups = yes
 obey pam restrictions = yes
 template homedir = /usagers/%U
winbind use default domain = yes
map untrusted to domain = no


[netlogon]
path = /usr/local/samba/var/locks/sysvol/foo.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Thanks for your help!

Cheers!

On 2013-04-16, at 12:09 AM, Gémes Géza g...@kzsdabas.hu wrote:


On 2013-04-15 23:12, Luc Lalonde wrote:

Hello Folks,

This directive works with Samba3 but does not seem to work with Samba-4.0.5:

winbind use default domain = Yes

I want to get a username that does not contain the domain (GIGL).  Instead 
here's what I get:

[root@roquefort ~]# getent passwd | grep GIGL
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash

How do I remove the 'GIGL\' from the username?  This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT'

What am I missing?

Thank You!


Please attach your smb.conf.

Regards

Geza Gemes
So it is your AD DC then (server role = active directory domain 
controller). Unfortunately, in that role samba uses the winbind bundled 
into the samba binary, which has many deficiencies compared to the 
standalone winbind binary (but which cannot be run on a DC).


Regards

Geza Gemes

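Géza's diagnosis above is that on an AD DC the winbind bundled into the samba binary does not honour "winbind use default domain", which is why Luc's getent output keeps the GIGL\ prefix and (as in his reply further up the page) pam_mount has to fall back to %(DOMAIN_USER). The helpers below are an added example, not code from the thread or from Samba: they strip a domain-qualified name down to the bare user name for whichever "winbind separator" is in use, and flag getent entries that still carry a prefix, so an admin can see at a glance whether the setting is being honoured. The getent lines are constructed for the example and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: helpers for checking
# whether winbind is still returning domain-qualified names (GIGL\user or
# FUTURAMA+user) and for deriving the bare user name a login hook such as
# pam_mount needs. SEP is whatever "winbind separator" is in smb.conf: the
# default is a backslash; "+" is the other common choice. Names are passed to
# awk through the environment because "awk -v" escape-processes its value and
# would mangle a backslash.

# strip_domain NAME [SEP]: print NAME without a leading "DOMAIN<SEP>".
strip_domain() {
    sep=$2; [ -n "$sep" ] || sep='\'
    NAME=$1 SEP=$sep awk 'BEGIN {
        n = ENVIRON["NAME"]; i = index(n, ENVIRON["SEP"])
        if (i > 0) n = substr(n, i + 1)
        print n
    }'
}

# domain_of NAME [SEP]: print the domain part, or an empty line for a local account.
domain_of() {
    sep=$2; [ -n "$sep" ] || sep='\'
    NAME=$1 SEP=$sep awk 'BEGIN {
        n = ENVIRON["NAME"]; i = index(n, ENVIRON["SEP"])
        if (i > 0) print substr(n, 1, i - 1); else print ""
    }'
}

# prefixed_entries [SEP] < passwd-lines: names of entries that still carry a
# domain prefix. Pipe "getent passwd" into it; when "winbind use default
# domain = yes" is honoured it prints nothing.
prefixed_entries() {
    sep=$1; [ -n "$sep" ] || sep='\'
    SEP=$sep awk -F: 'index($1, ENVIRON["SEP"]) > 0 { print $1 }'
}

# count_prefixed [SEP] < passwd-lines: how many entries are domain-qualified.
count_prefixed() {
    prefixed_entries "$1" | awk 'END { print NR }'
}

# Constructed sample in the shape of the getent output quoted in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# On a real member server:  getent passwd | prefixed_entries '\'
printf '%s\n' "$SAMPLE_PASSWD" | prefixed_entries '\'
```

Run count_prefixed over the real getent output on a member server and on the DC: a non-zero count on the DC with the setting in smb.conf confirms the behaviour Géza describes rather than a typo in the configuration.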

[Samba] Winbind strip domain from username?

2013-04-15 Thread Luc Lalonde
Hello Folks,

This directive works with Samba3 but does not seem to work with Samba-4.0.5:

winbind use default domain = Yes

I want to get a username that does not contain the domain (GIGL).  Instead 
here's what I get:

[root@roquefort ~]# getent passwd | grep GIGL
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash

How do I remove the 'GIGL\' from the username?  This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT'

What am I missing?

Thank You!

-- 
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-

Re: [Samba] Winbind strip domain from username?

2013-04-15 Thread Gémes Géza

On 2013-04-15 23:12, Luc Lalonde wrote:

Hello Folks,

This directive works with Samba3 but does not seem to work with Samba-4.0.5:

winbind use default domain = Yes

I want to get a username that does not contain the domain (GIGL).  Instead 
here's what I get:

[root@roquefort ~]# getent passwd | grep GIGL
GIGL\Administrator:*:0:100::/usagers/%U:/bin/bash
GIGL\Guest:*:302:303::/usagers/%U:/bin/bash
GIGL\krbtgt:*:307:100::/usagers/%U:/bin/bash
GIGL\dns-stilton:*:308:100::/usagers/%U:/bin/bash
GIGL\testuser:*:309:100::/usagers/%U:/bin/bash
GIGL\llalonde:*:310:100::/usagers/%U:/bin/bash

How do I remove the 'GIGL\' from the username?  This is causing me problems 
mounting the user's home directory at logon with 'PAM_MOUNT'

What am I missing?

Thank You!


Please attach your smb.conf.

Regards

Geza Gemes

[Samba] Winbind using 100% CPU

2013-04-10 Thread Dylan Klomparens
I am trying to figure out why winbind is using 100% CPU on my file server.
I am using Samba version 4.0.4. Everything is fine for a few minutes when I
start winbind, however after a while it begins using 100% CPU. I haven't
been able to narrow down what triggers this CPU usage spike, but I did
attach the GNU debugger to find out what's going on in the process. The
backtrace revealed this information:

#0  0x0041cf30 in _talloc_free@plt ()
#1  0x00452320 in winbindd_reinit_after_fork ()
#2  0x004524e6 in fork_domain_child ()
#3  0x00453585 in wb_child_request_trigger ()
#4  0x00381d2048e2 in tevent_common_loop_immediate () from
/lib64/libtevent.so.0
#5  0x7fbed6b98e17 in run_events_poll () from /lib64/libsmbconf.so.0
#6  0x7fbed6b9922e in s3_event_loop_once () from /lib64/libsmbconf.so.0
#7  0x00381d204060 in _tevent_loop_once () from /lib64/libtevent.so.0
#8  0x0042049a in main ()

Apparently it's stuck in the winbindd_reinit_after_fork (and more
specifically the _talloc_free function). This code resides in
$SOURCE_HOME\source3\winbindd\winbindd_dual.c.

Perhaps I have configured Samba incorrectly? Here are the parameters I am
using that have to do with winbind:
idmap config * : backend = nss
idmap config * : range = 1000 - 30

What are some reasons that winbind is using 100% CPU and how can I resolve
this?

(Also, would this be an appropriate question to post to the Samba
developer's list? If so, I will repost it there.)


Re: [Samba] Winbind using 100% CPU

2013-04-10 Thread Jeremy Allison
On Wed, Apr 10, 2013 at 06:46:48PM -0400, Dylan Klomparens wrote:
 I am trying to figure out why winbind is using 100% CPU on my file server.
 I am using Samba version 4.0.4. Everything is fine for a few minutes when I
 start winbind, however after a while it begins using 100% CPU. I haven't
 been able to narrow down what triggers this CPU usage spike, but I did
 attach the GNU debugger to find out what's going on in the process. The
 backtrace revealed this information:
 
 #0  0x0041cf30 in _talloc_free@plt ()
 #1  0x00452320 in winbindd_reinit_after_fork ()
 #2  0x004524e6 in fork_domain_child ()
 #3  0x00453585 in wb_child_request_trigger ()
 #4  0x00381d2048e2 in tevent_common_loop_immediate () from
 /lib64/libtevent.so.0
 #5  0x7fbed6b98e17 in run_events_poll () from /lib64/libsmbconf.so.0
 #6  0x7fbed6b9922e in s3_event_loop_once () from /lib64/libsmbconf.so.0
 #7  0x00381d204060 in _tevent_loop_once () from /lib64/libtevent.so.0
 #8  0x0042049a in main ()
 
 Apparently it's stuck in the winbindd_reinit_after_fork (and more
 specifically the _talloc_free function). This code resides in
 $SOURCE_HOME\source3\winbindd\winbindd_dual.c.
 
 Perhaps I have configured Samba incorrectly? Here are the parameters I am
 using that have to do with winbind:
 idmap config * : backend = nss
 idmap config * : range = 1000 - 30
 
 What are some reasons that winbind is using 100% CPU and how can I resolve
 this?
 
 (Also, would this be an appropriate question to post to the Samba
 developer's list? If so, I will repost it there.)

Yes - please post to samba-technical, I'll follow up there.

Jeremy.


Re: [Samba] winbind: how to fix uid/SID mapping following migration to a new DC

2013-03-16 Thread Brian Schonecker
Did you ever get a resolution to your issue with UIDs not matching?

I have the same problem and I cannot for the life of me get my UIDs to
come from Active Directory.

If you did solve it with using the

idmap config DOMAIN : backend = ad

would you be so kind as to share?  I am only able to get

idmap config * :  backend = tdb

to work.  I have never been able to get UIDs for a particular domain to
work.   Only the * seems to 'hit'.


Thanks, Brian


[Samba] Samba/Winbind/LDAP connection issue.

2013-03-11 Thread Frank Bakhit
Hi, I have been having an issue with my samba/winbind since I updated from samba
3.5 to 3.6. Below is the error I am getting from my log file and the samba
config file. I am running Red Hat 6.4.

nmbd[2188]: [2013/03/10 13:25:14.327717,  0]
nmbd/nmbd_namequery.c:108(query_name_response)
Mar 10 13:25:14 c89005  nmbd[2188]:   query_name_response: Multiple (2)
responses received for a query on subnet x.x.x.x for name MYDOMAIN1d.
Mar 10 13:25:14 c89005  nmbd[2188]:   This response was from IP x.x.x.x,
reporting an IP address of x.x.x.x.
Mar 11 00:01:14 c89005  nslcd[1587]: [88ddb1] ldap_result() timed out
Mar 11 05:00:19 c89005  nslcd[1587]: [9be780] ldap_result() timed out
Mar 11 14:58:12 c89005  winbindd[23655]: [2013/03/11 14:58:12.385839,  0]
lib/smbldap.c:697(smbldap_store_state)
Mar 11 14:58:12 c89005  winbindd[23655]:   PANIC: assert failed at
lib/smbldap.c(697): tmp_ldap_state == smbldap_state
Mar 11 14:58:12 c89005  winbindd[23655]: [2013/03/11 14:58:12.606028,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
Mar 11 14:58:12 c89005  winbindd[23655]:   idmap_alloc module tdb already
registered!
Mar 11 14:58:12 c89005  winbindd[23655]: [2013/03/11 14:58:12.606204,  0]
winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:12 c89005  winbindd[23655]:   Idmap module passdb already
registered!
Mar 11 14:58:12 c89005  winbindd[23655]: [2013/03/11 14:58:12.606284,  0]
winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:12 c89005  winbindd[23655]:   Idmap module nss already
registered!
Mar 11 14:58:12 c89005  winbindd[23655]: [2013/03/11 14:58:12.614752,  0]
lib/smbldap.c:1153(smbldap_connect_system)
Mar 11 14:58:12 c89005  winbindd[23655]:   failed to bind to server ldap://
ldap.science.purdue.edu/ with dn=cn=SlapHappy,dc=science,dc=lcl Error:
Invalid credentials
Mar 11 14:58:12 c89005  winbindd[23655]:   #011(unknown)
Mar 11 14:58:27 c89005  winbindd[23655]: [2013/03/11 14:58:27.762968,  0]
winbindd/idmap.c:599(idmap_alloc_init)
Mar 11 14:58:27 c89005  winbindd[23655]:   ERROR: Initialization failed for
alloc backend, deferred!
Mar 11 14:58:27 c89005 winbindd[23655]: [2013/03/11 14:58:27.794053,  0]
winbindd/idmap.c:201(smb_register_idmap_alloc)
Mar 11 14:58:27 c89005  winbindd[23655]:   idmap_alloc module tdb already
registered!
Mar 11 14:58:27 c89005  winbindd[23655]: [2013/03/11 14:58:27.794192,  0]
winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:27 c89005  winbindd[23655]:   Idmap module passdb already
registered!
Mar 11 14:58:27 c89005  winbindd[23655]: [2013/03/11 14:58:27.794270,  0]
winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:27 c89005  winbindd[23655]:   Idmap module nss already
registered!
Mar 11 14:58:27 c89005  winbindd[23655]: [2013/03/11 14:58:27.803810,  0]
lib/smbldap.c:1153(smbldap_connect_system)
Mar 11 14:58:27 c89005  winbindd[23655]:   failed to bind to server ldap://
ldap.science.purdue.edu/ with dn=cn=SlapHappy,dc=science,dc=lcl Error:
Invalid credentials
Mar 11 14:58:27 c89005  winbindd[23655]:   #011(unknown)
Mar 11 14:58:42 c89005  winbindd[23655]: [2013/03/11 14:58:42.950615,  0]
winbindd/idmap.c:599(idmap_alloc_init)
Mar 11 14:58:42 c89005  winbindd[23655]:   ERROR: Initialization failed for
alloc backend, deferred!




[global]
netbios name = C89005
server string = Samba Server Version %v
workgroup = MYDOMAIN
realm = CENTRAL.MYDOMAN.LCL
security = ADS
password server = *
passdb backend = tdbsam
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
unix extensions = no
host msdfs = yes
socket options = TCP_NODELAY
smb ports = 445

  ##LOGS
# max 1MB per log file, then rotate
max log size = 1024

  ## WINS
domain master = no
local master = no
preferred master = no
dns proxy = no
wins server = 128.210.30.240

  ## PRINTING
printing = bsd
printcap name = /dev/null
load printers = no

  ## WINBIND
winbind use default domain = true
winbind offline logon = false
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind normalize names = yes

obey pam restrictions = no
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/%D/%U

ldap ssl = start tls
ldap suffix = dc=science,dc=lcl
ldap idmap suffix = ou=idmap
ldap admin dn = cn=SlapHappy,dc=science,dc=lcl

idmap uid = 5000-20
idmap gid = 5000-20
idmap backend = ldap:ldap://ldap.example.edu/
idmap config:ldap_base_dn = ou=idmap,dc=science,dc=lcl
idmap config:ldap_user_dn = cn=SlapHappy,dc=science,dc=lcl

idmap alloc backend = ldap
idmap alloc config: ldap_url = ldap://ldap.example.edu/
idmap alloc config: ldap_base_dn = ou=idmap,dc=science,dc=lcl
idmap alloc config: ldap_user_dn

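Frank's configuration mixes the pre-3.6 "idmap backend" / "idmap uid" / "idmap alloc backend" style with the newer "idmap config" syntax, and the log shows the bind as the "ldap admin dn" failing with "Invalid credentials". The lint below is an added example, not code from the thread or from Samba. It relies on three facts about Samba 3.6: "idmap alloc backend" and "idmap alloc config" were removed (allocation is done by the "idmap config * : backend" module); "idmap backend", "idmap uid" and "idmap gid" are deprecated in favour of "idmap config * : backend" and "idmap config * : range"; and the bind password for "ldap admin dn" is not in smb.conf but in secrets.tdb, set with "smbpasswd -w". The smb.conf samples it checks are constructed, modelled on the one posted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: a small lint for the
# idmap-related smb.conf settings that changed across the 3.5 -> 3.6 upgrade.

# lint_smbconf < smb.conf: one finding per line, nothing when clean.
lint_smbconf() {
    awk '
        {
            line = $0
            sub(/[;#].*$/, "", line)                 # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)        # trim
            if (line == "" || line ~ /^\[/) next     # blank line or [section]
            n = index(line, "=")
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            gsub(/[ \t]+$/, "", key)
            gsub(/[ \t]+/, " ", key)                 # squeeze inner whitespace
            gsub(/ *: */, ":", key)                  # "idmap config * : x" -> "idmap config *:x"
            keys[key] = 1
        }
        END {
            for (k in keys) {
                if (index(k, "idmap alloc") == 1) removed++
                else if (k == "idmap backend" || k == "idmap uid" || k == "idmap gid") deprecated++
                else if (k == "ldap admin dn") admindn = 1
                else if (k == "idmap config *:backend") defbackend = 1
            }
            if (removed) print "removed: " removed " idmap alloc line(s) (gone in 3.6; allocation uses the idmap config * backend)"
            if (deprecated) print "deprecated: " deprecated " of idmap backend/uid/gid (use idmap config * : backend and : range)"
            if (!defbackend) print "missing: idmap config * : backend (no default idmap domain)"
            if (admindn) print "check: ldap admin dn is set; its password lives in secrets.tdb (smbpasswd -w), not in smb.conf"
        }'
}

# lint_count < smb.conf: number of findings.
lint_count() {
    lint_smbconf | awk 'END { print NR }'
}

# Constructed sample in the style of the config posted above (not the real file).
LEGACY_SMBCONF='[global]
   workgroup = MYDOMAIN
   security = ADS
   ldap admin dn = cn=SlapHappy,dc=science,dc=lcl
   idmap uid = 5000-20000
   idmap gid = 5000-20000
   idmap backend = ldap:ldap://ldap.example.edu/
   idmap alloc backend = ldap
   idmap alloc config: ldap_url = ldap://ldap.example.edu/'

# Constructed minimal 3.6-style equivalent that the lint accepts.
CLEAN_SMBCONF='[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 5000-20000'

# On a real host:  lint_smbconf < /etc/samba/smb.conf
printf '%s\n' "$LEGACY_SMBCONF" | lint_smbconf
```

The "check:" line is deliberately a reminder rather than a verdict: the lint cannot see secrets.tdb, but an "Invalid credentials" bind failure right after an upgrade is the symptom of that stored password being absent or stale, which is worth confirming before touching the LDAP side.
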
[Samba] winbind authentication FAILED with error NT_STATUS_NO_SUCH_USER [samba 3.6.12/AD/openindiana(illumos)]

2013-03-07 Thread Joeri Vanthienen
Hi,

My OpenIndiana (opensolaris) machine is joined to Active Directory.
I'm using samba 3.6.12 from OpenCSW.
wbinfo -u is working fine; getent was not working in the beginning,
but after some fiddling with libraries it was working (I had to
create the following two symbolic links, not sure if they are both
correct):

/lib/libnss_winbind.so -> /opt/csw/lib/libnss_winbind.so.1
/lib/nss_winbind.so.1 -> /opt/csw/lib/libnss_winbind.so.1


root@openindiana-san:/# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
group:  files winbind

root@openindiana-san:/# /opt/csw/bin/wbinfo -u | grep jvanthienen
HOME+jvanthienen

root@openindiana-san:/# getent passwd | grep jvanthienen
HOME+jvanthienen:*:11016:11006:Joeri
Vanthienen:/home/HOME/jvanthienen:/bin/false

The problem is that I can't authenticate now. It seems that samba/winbind
can't find the user.
Still some problem with a missing linked library or ...?
Any idea is welcome! Thanks.


cat /var/samba/log/1stpc07.log

[2013/03/07 12:27:12.062823,  5] auth/auth_util.c:110(make_user_info_map)
  Mapping user [HOME]\[jvanthienen] from workstation [1STPC07]
[2013/03/07 12:27:12.063021,  5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for jvanthienen (jvanthienen)
[2013/03/07 12:27:12.063072,  5] auth/user_info.c:70(make_user_info)
  making strings for jvanthienen's user_info struct
[2013/03/07 12:27:12.063109,  5] auth/user_info.c:87(make_user_info)
  making blobs for jvanthienen's user_info struct
[2013/03/07 12:27:12.063146, 10] auth/user_info.c:123(make_user_info)
  made a user_info for jvanthienen (jvanthienen)
[2013/03/07 12:27:12.063182,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[HOME]\[jvanthienen]@[1STPC07] with the new password interface
[2013/03/07 12:27:12.063222,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [HOME]\[jvanthienen]@[1STPC07]
[2013/03/07 12:27:12.063260, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2013/03/07 12:27:12.063296, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2013/03/07 12:27:12.063329,  5] ../lib/util/util.c:415(dump_data)
  [] 58 71 97 2B 78 85 EA CAXq.+x.êÊ
[2013/03/07 12:27:12.063401, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [jvanthienen]
[2013/03/07 12:27:12.063436, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2013/03/07 12:27:12.063476, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [jvanthienen]
[2013/03/07 12:27:12.063511,  8] lib/util.c:1521(is_myname)
  is_myname(HOME) returns 0
[2013/03/07 12:27:12.063547,  6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: HOME is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2013/03/07 12:27:12.063585, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2013/03/07 12:27:12.063624, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [jvanthienen]
[2013/03/07 12:27:12.063660,  4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/03/07 12:27:12.063698,  4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/03/07 12:27:12.063734,  4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/03/07 12:27:12.063772,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/03/07 12:27:12.063806,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/03/07 12:27:12.081737,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/03/07 12:27:12.081797,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user HOME+jvanthienen
[2013/03/07 12:27:12.081833,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is home+jvanthienen
[2013/03/07 12:27:12.081956,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is HOME+jvanthienen
[2013/03/07 12:27:12.082073,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is HOME+JVANTHIENEN
[2013/03/07 12:27:12.082188,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in home+jvanthienen
[2013/03/07 12:27:12.082229,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [HOME+jvanthienen]!
[2013/03/07 12:27:12.082267,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user jvanthienen
[2013/03/07 12:27:12.082302,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is jvanthienen
[2013/03/07 12:27:12.082414,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is JVANTHIENEN

[Samba] Winbind failing after SIGHUP

2013-03-01 Thread Jordan D
Hello,

We are using Samba (3.5.6~dfsg-3squeeze8) with Winbind to join a
Debian server to our domain for the purpose of AD authentication in
Freeradius (using NTLM_AUTH).  We actually have two of them for two
distinct domains.

One of them is behaving well.  The other one stops authenticating
every time logrotate runs on Sunday mornings.  In the logs I see:

  [2013/02/24 06:25:04.238009,  1]
winbindd/winbindd.c:256(winbindd_sig_hup_handler)
Reloading services after SIGHUP

And I can reproduce it with:

  kill -SIGHUP `cat /var/run/samba/winbindd.pid`

Every week, at 6:25 AM on Sunday, authentication stops working, though
the daemon is still running.  What would cause Winbind to fail from a
HUP?

Thanks in advance,
Jordan


[Samba] winbind against samba4 AD DC

2013-02-21 Thread Ali Bendriss
Hello,

Could you please give me some precision about the current state of the winbind 
support on a member server. I have tried to list what I understand about it.
(I suppose that the libnss_winbind symlinks are correct in /lib and/or /lib64)

* samba4 join as member
join: samba-tool domain join dnsdomain MEMBER

smb.conf should contain: idmap_ldb:use rfc2307 = yes
the AD DC doesn't need to be provisioned with the option --use-rfc2307
then the member should be able to read uidNumber gidNumber from the directory.

* smbd + winbindd 
samba4: compile with --with-shared-modules=...,idmap_ad 
samba3 compile with --with-shared-modules=...,idmap_ad,--with-ads

join: net ads join
smb.conf should contain (from the wiki):

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-4
But the AD have to be provisioned with --use-rfc2307
You then should add the objectclass: posixAccount in the AD samdb for each 
user and posixGroup for the group


Is it mandatory to have provisioned the AD with --use-rfc2307?

Mac OS X clients seem to be OK without; they can read uidNumber/gidNumber,
but Linux clients using smbd/winbindd cannot.
If yes, what is the best way to add rfc2307 support to an already provisioned 
AD? Would applying ypServ30.ldif be good enough?

Thanks

Ali



Re: [Samba] winbind against samba4 AD DC

2013-02-21 Thread Ali Bendriss
On Thursday, February 21, 2013 04:03:53 PM Ali Bendriss wrote:
 Hello,
 
 Could you please give me some precision about the current state of the
 winbind support on a member server. I have tried to list what I understand
 about it. (I suppose that the libnss_winbind symlinks are correct in /lib
 and/or /lib64)
 
 * samba4 join as member
 join: samba-tool domain join dnsdomain MEMBER
 
 smb.conf should contain: idmap_ldb:use rfc2307 = yes
 the AD DC doesn't need to be provisioned with the option --use-rfc2307
 then the member should be able to read uidNumber gidNumber from the
 directory.
 
 * smbd + winbindd
 samba4: compile with --with-shared-modules=...,idmap_ad
 samba3 compile with --with-shared-modules=...,idmap_ad,--with-ads
 
 join: net ads join
 smb.conf should contain (from the wiki):
 
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config SHORTDOMAINNAME:backend = ad
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:range = 500-4
 But the AD have to be provisioned with --use-rfc2307
 You then should add the objectclass: posixAccount in the AD samdb for each
 user and posixGroup for the group
 
 
 Is it mandatory to have provisioned the AD with --use-rfc2307?
 
 Mac OS X clients seem to be OK without; they can read uidNumber/gidNumber,
 but Linux clients using smbd/winbindd cannot.
 If yes, what is the best way to add rfc2307 support to an already provisioned
 AD? Would applying ypServ30.ldif be good enough?
 

I reply to myself after some more testing using winbindd against a Samba AD DC.
It looks like there is no need to provision the AD with --use-rfc2307.
The wiki page 
https://wiki.samba.org/index.php/Samba4/Domain_Member#Make_domain_users.2Fgroups_available_locally_through_winbind
is correct, but it should emphasize that the primary group of the users must 
have the gid set.

And then everything works out of the box, without the need to add the 
objectClass posixAccount and posixGroup either.

 Thanks
 
 Ali


[Samba] Winbind 3.5.6 Periodically Failing

2013-02-05 Thread Jordan Dohms
Hello,

We are using Samba (3.5.6~dfsg-3squeeze8) with Winbind to join a
Debian server to our domain for the purpose of AD authentication in
Freeradius (using NTLM_AUTH).  It is setup to the point where we
joined it to the domain and wbinfo -a NETWORK\\user and ntlm_auth
--user --domain are working as expected.  We are not using winbind
with nsswitch, which I think is called netlogon proxy only mode.
Kerberos is also setup and I can kinit / klist / kdestroy properly,
though I'm not certain that matters.

Ever since it was setup, however, we have had an issue where the
authentication just stops working, every week, early on Sunday
morning.  To 'fix' authentication again, I simply have to restart the
Winbind daemon.  Once that's done, everything begins 'flowing' again.

Here is my smb.conf

[global]
   workgroup = NETWORK
   server string = %h server
   dns proxy = no
   winbind use default domain = yes
   idmap cache time = 900
   log level = 10

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = ads
   encrypt passwords = true
   obey pam restrictions = yes
   password server = *
   allow trusted domains = no
   realm = NETWORK.FQDN.COM

I'm having some difficulty tracking down the error.  And particularly,
I cannot figure out why it happens, seemingly, on a schedule.  I've
been poking around in logs, 'net cache list' results, etc, and it's
coming up empty.

So far, I am having difficulty pulling the actual error message of the
NTLM_AUTH command when it's failing, but I do have the output of
FreeRadius when it attempts to run the following command:

/usr/bin/ntlm_auth --request-nt-key --username=jdoe --domain=NETWORK
--challenge=0a0a0a0a0a0a0a0a
--nt-response=0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a

Success:
Debug: Exec-Program output: NT_KEY: [SNIP]
Debug: Exec-Program-Wait: plaintext: NT_KEY: [SNIP]
Debug: Exec-Program: returned: 0
Info: [mschap_network] adding MS-CHAPv2 MPPE keys
Info: ++[mschap_network] returns ok

Failure:
Debug: Exec-Program output: Reading winbind reply failed! (0xc001)
Debug: Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
Debug: Exec-Program: returned: 1
Info: [mschap_network] External script failed.
Info: [mschap_network] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap_network] returns reject

As I said, it is absolutely something going on with Winbind.  Where
should I be looking to get this issue figured out?

Thanks in advance.
Jordan Dohms


[Samba] winbind not returning uid/gid

2013-02-01 Thread John Mancuso
Really sorry to re-post but it looks like my thread has been buried and had
no responses.

I am using samba3.6 winbind to connect a RHEL5.8 linux box to a new Windows
Server 2012 Active Directory which has Unix Identity Mapping installed. So
I have all the
uidNumber/gidNumber stuff in the windows schema.

I am able to log in but I am not getting the right uid/gid. My AD uids start
at around 800. Apparently the ID mapping has changed again in samba 3.6.
https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#ID_Mapping_Changes

Looks like it's getting the proper shell and gid but not getting the proper
uid. It's just getting a number starting at 800 instead of the actual number.

[2013/02/01 00:51:38.469672,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
   wbint_QueryUser: struct wbint_QueryUser
  out: struct wbint_QueryUser
  info : *
  info: struct wbint_userinfo
  acct_name: *
  acct_name: 'test15'
  full_name: *
  full_name: 'test15'
  homedir  : *
  homedir  : '/home/test15'
  shell: *
  shell: '/bin/csh'
  primary_gid  : 0x032a (810)
  user_sid : S-1-5-21-1876082661-3791542598-1067495821-2113
  group_sid: S-1-5-21-1876082661-3791542598-1067495821-513
  result   : NT_STATUS_OK
[2013/02/01 00:51:38.470144, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 800
[2013/02/01 00:51:38.470217, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found 800
[2013/02/01 00:51:38.470293, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[15762:GETPWUID]: NT_STATUS_OK
[2013/02/01 00:51:38.470475, 10] winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[15762:GETPWUID]: delivered response to

Not even returning the proper gid (810) from the log above:

-bash-3.2$ id
uid=800(test15) gid=800(ops) groups=800(ops)


Does my smb.conf file look correct? I'm not too familiar with configuring
it.

[global]
   workgroup = mycompany
   password server = pekdc01.mycompany.net
   realm = MYCOMPANY.NET
   security = domain
winbind nss info = rfc2307
#idmap config * : backend = ad #THIS PREVENTS WINBIND FROM CONNECTING
idmap config * : range = 800-90
idmap config * : schema_mode = rfc2307
template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false


rpm version:

root at test:~ · 04:02 AM Thu Jan 31 ·
!548 # rpm -qa | grep samba
samba3x-common-3.6.6-0.129.el5
samba3x-client-3.6.6-0.129.el5
samba3x-winbind-3.6.6-0.129.el5
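The winbindd debug records quoted in the "Winbind failing after SIGHUP" / "Winbind 3.5.6 Periodically Failing" threads and in the post above all share the same record format (a `[timestamp, level] file:line(function)` header followed by indented message lines). The following parser is an added example, not code from any post on this page or from Samba; it reads that format and runs two checks a defender would want over a winbindd log: list the times at which winbindd reloaded its configuration on SIGHUP (so they can be matched against logrotate's schedule), and extract the ids served from the idmap cache next to the primary_gid the RPC layer reported, so the 800-versus-810 discrepancy in the post above becomes visible mechanically. The sample log is constructed for the example; its message texts and function names follow the lines quoted in the posts.

```python
"""Added example: parse Samba/winbindd debug-log records and run two checks.

Not from any post on this page and not Samba code. SAMPLE_LOG is constructed;
its lines mimic the records quoted in the mailing-list posts.
"""
import re
from datetime import datetime

# Header of a Samba debug record: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.(?P<usec>\d+))?,\s*"
    r"(?P<level>\d+)\]\s*(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Message lines of interest from the posts above.
CACHE_HIT_RE = re.compile(r"^idmap_cache_find_sid2(?P<kind>uid|gid) found (?P<id>\d+)$")
PRIMARY_GID_RE = re.compile(r"^primary_gid\s*:\s*0x[0-9a-fA-F]+\s*\((?P<gid>\d+)\)$")

# Constructed sample log (five records) modelled on the quoted lines.
SAMPLE_LOG = """\
[2013/02/24 06:25:04.238009,  1] winbindd/winbindd.c:256(winbindd_sig_hup_handler)
  Reloading services after SIGHUP
[2013/02/01 00:51:38.469672,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
     wbint_QueryUser: struct wbint_QueryUser
        out: struct wbint_QueryUser
            primary_gid  : 0x032a (810)
            result   : NT_STATUS_OK
[2013/02/01 00:51:38.470144, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
  idmap_cache_find_sid2uid found 800
[2013/02/01 00:51:38.470217, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
  idmap_cache_find_sid2gid found 800
[2013/02/01 00:51:38.470293, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[15762:GETPWUID]: NT_STATUS_OK
"""


def parse_samba_log(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            if m.group("usec"):
                ts = ts.replace(microsecond=int(m.group("usec")[:6].ljust(6, "0")))
            records.append({
                "time": ts,
                "level": int(m.group("level")),
                "file": m.group("file"),
                "line": int(m.group("line")),
                "function": m.group("func"),
                "message": [],
            })
        elif records and raw.strip():
            # Continuation line: belongs to the most recent header.
            records[-1]["message"].append(raw.strip())
    return records


def sighup_reloads(records):
    """Timestamps at which winbindd reloaded its config on SIGHUP (e.g. from logrotate)."""
    return [r["time"] for r in records
            if r["function"] == "winbindd_sig_hup_handler"
            and any(line.startswith("Reloading services after SIGHUP")
                    for line in r["message"])]


def idmap_cache_hits(records):
    """(kind, id) pairs that winbindd answered from its idmap cache."""
    hits = []
    for r in records:
        for line in r["message"]:
            m = CACHE_HIT_RE.match(line)
            if m:
                hits.append((m.group("kind"), int(m.group("id"))))
    return hits


def primary_gids_from_rpc(records):
    """primary_gid values printed by the wbint_QueryUser RPC debug dump."""
    gids = []
    for r in records:
        for line in r["message"]:
            m = PRIMARY_GID_RE.match(line)
            if m:
                gids.append(int(m.group("gid")))
    return gids


def gid_mismatches(records):
    """RPC primary_gids that never appear as a cached gid (the 810 vs 800 case)."""
    cached = {i for kind, i in idmap_cache_hits(records) if kind == "gid"}
    return [g for g in primary_gids_from_rpc(records) if g not in cached]


if __name__ == "__main__":
    recs = parse_samba_log(SAMPLE_LOG)
    for t in sighup_reloads(recs):
        print("SIGHUP reload at", t.strftime("%A %Y-%m-%d %H:%M:%S"))
    print("idmap cache hits:", idmap_cache_hits(recs))
    print("RPC primary_gid not served from cache:", gid_mismatches(recs))
```

Run against a real `log.winbindd`, the reload timestamps falling on the logrotate window (Sunday morning in the SIGHUP thread) confirm that the post-rotate HUP is the trigger, and `gid_mismatches` gives the same kind of evidence the poster above gathered by hand from the RPC dump and the `id` output.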


Re: [Samba] winbind - samba4

2012-12-13 Thread Thomas Simmons
Hello Clodonil,

I just got to this point in my testing. Be sure you link the files to
/lib64 if you are running a 64 bit version of CentOS. I was having the same
problem and realized the files needed to go in /lib64.


Re: [Samba] winbind - samba4

2012-12-13 Thread Clodonil Trigo
Hello Thomas,

That was it. I made a link in /lib64 and it resolved.


Clodonil


2012/12/13 Thomas Simmons twsn...@gmail.com

 I just got to this point in my testing. Be sure you link the files to
 /lib64 if you are running a 64 bit version of CentOS. I was having the same
 problem and realized the files needed to go in /lib64.



Re: [Samba] Winbind losing Trust with the AD domain

2012-12-10 Thread Pascal kolijn
Peace,

To answer my own question/post, I seem to have found the culprit. It
looks like it is indeed something very simple, and I could even blame it
on the AD ( more or less)...

:o)

The userAccountControl attribute is a structure that contains flags
pertaining to the user account (see
http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm).

As the AD guys, on request, set the attribute to 33554432, it was actually
set to 33554432+512, making the account a normal user (UF_NORMAL_ACCOUNT)
with the UF_NO_AUTH_DATA_REQUIRED flag set.

And that explains the loss of TRUST.

Solution:

The join used to set it to: 69632 (4096 (UF_WORKSTATION_TRUST_ACCOUNT) +
65536 (UF_DONT_EXPIRE_PASSWD))

So knowing all this: the value needs to be set to 33624064. The original
join value + the 33554432 (UF_NO_AUTH_DATA_REQUIRED).

Simple.

-- 
   \\\//
  ( o o )
+-oooO--(_)--Oooo--+
| Pascal Kolijn First Snow, Then Silence. |
|This Thousand Dollar Screen Dies  |
| p.kol...@vu.nlSo Beautifully.   |
|  .oooO  --  Error Messages in Haiku  |
+--(   )---Oooo.---+
\ ((   )
UC IT -  EC(L)   \_)) /
T:(020)(59)85385   (_/
http://www.vu.nl/e-maildisclaimer
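The flag arithmetic in the post above is easier to check with a decoder, so here is one as an added example (not code from the post or from Samba). The flag names and bit values are the documented userAccountControl bits (UF_NORMAL_ACCOUNT = 512, UF_WORKSTATION_TRUST_ACCOUNT = 4096, UF_DONT_EXPIRE_PASSWD = 65536, UF_NO_AUTH_DATA_REQUIRED = 33554432); the numbers 69632, 33554432+512 and 33624064 are the ones the poster quotes. The point it demonstrates is the one the post makes: writing a bare number into the attribute replaces the flags the domain join wrote, which silently turns a workstation trust account into a normal user account, whereas OR-ing the new flag into the existing value keeps the account type and is what produces 33624064.

```python
"""Added example: decode userAccountControl and compare an overwrite with an OR.

Not from the post and not Samba code. Flag names and values are the documented
userAccountControl bits; the concrete numbers are those quoted in the post.
"""

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "NO_AUTH_DATA_REQUIRED": 0x2000000,
}

# Exactly one of these bits is supposed to say what kind of object the account is.
ACCOUNT_TYPE_FLAGS = (
    "NORMAL_ACCOUNT",
    "INTERDOMAIN_TRUST_ACCOUNT",
    "WORKSTATION_TRUST_ACCOUNT",
    "SERVER_TRUST_ACCOUNT",
)


def decode_uac(value):
    """Names of the known flags set in `value`, in ascending bit order."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def account_type(value):
    """The single account-type flag set in `value`, or None if none or several are set."""
    types = [name for name in ACCOUNT_TYPE_FLAGS if value & UAC_FLAGS[name]]
    return types[0] if len(types) == 1 else None


def with_flags(value, *names):
    """OR the named flags into an existing value, keeping every other bit as it was."""
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def check_update(before, after):
    """Describe what an attribute write changed.

    Returns (account_type_changed, flags_lost, flags_gained); a True first
    element is the 'machine account became a user account' case from the post.
    """
    old, new = decode_uac(before), decode_uac(after)
    lost = [n for n in old if n not in new]
    gained = [n for n in new if n not in old]
    return account_type(before) != account_type(after), lost, gained


if __name__ == "__main__":
    joined = 69632                    # value written by the domain join
    overwritten = 33554432 + 512      # what the bare write ended up as
    fixed = with_flags(joined, "NO_AUTH_DATA_REQUIRED")
    print("join     :", joined, decode_uac(joined))
    print("overwrite:", overwritten, decode_uac(overwritten), check_update(joined, overwritten))
    print("OR'd     :", fixed, decode_uac(fixed), check_update(joined, fixed))
```

`check_update` is the piece worth wiring into a change review: a write to userAccountControl on a computer object whose first element comes back True has changed what kind of principal the DC thinks the object is, which is exactly how the trust in the post was lost.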


Re: [Samba] samba / winbind user authentication problem

2012-12-09 Thread Johannes Schmid

Hello,

I just wanted to answer my question in case anybody has the same problem 
and is looking for an answer...


On Sun, 02 Dec 2012 22:46, I wrote:

 I have a problem with samba / winbind PAM authentication. Domain
 controller is samba4, machines users log on to via PAM are samba 3.6
 (all of them ubuntu 12.04 LTS). The whole user authentication was
 working already, but after a reboot it somehow broke. Additional
 reboots don't help.


The funny thing is that all logs look quite OK to me (except for the
single line saying NT_STATUS_LOGON_FAILURE).
Also wbinfo only gives me positive feedback:

# wbinfo --user-info john
john:*:1001:2000::/home/john:/bin/bash
[...]

# wbinfo --pam-logon john
Enter john's password: 
plaintext password authentication succeeded


The whole problem is coming from an old Ubuntu help wiki page
suggesting you use:

kerberos method = system keytab

in smb.conf -- instead you should be using:

kerberos method = secrets and keytab

I somehow changed this line to match ubuntu documentation when debugging
a different problem and did not revert that change.
See https://bugzilla.samba.org/show_bug.cgi?id=6833

You should never blindly copy anything from the internet :)


--
Best regards,
  -Johannes.

