Re: [Samba] Winbind troubles

2013-07-24 Thread Jonathan Buzzard
On Wed, 2013-07-24 at 14:09 +0200, steve wrote:

[SNIP]

> > Hum, according to Rowland it uses the gidNumber in the user's DN,
> 
> He was correct. I was wrong in assuming that you needed no gidNumber in
> the user DN. It is indeed the gidNumber that is used for rfc2307,
> exactly as openLDAP.

Thank you for the clarification. I do feel that the winbind approach is
the better of the two when interacting with an Active Directory
controller as opposed to an LDAP server.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 11:59 +0100, Jonathan Buzzard wrote:
> On Wed, 2013-07-24 at 00:49 +0200, steve wrote:
> 
> [SNIP]
> 
> > For the record, sssd pulls all its info from AD.
> 
> I never said otherwise.
> 
> >  A user does not need a gidNumber, it is drawn from the
> >  primaryGroupID. For Linux clients it is vital that whatever the
> >  primaryGroupID is contains the gidNumber attribute. sssd does the
> >  rest.
> 
> Hum, according to Rowland it uses the gidNumber in the user's DN,

He was correct. I was wrong in assuming that you needed no gidNumber in
the user DN. It is indeed the gidNumber that is used for rfc2307,
exactly as openLDAP.

I apologise for misleading the list before I tested it live.
Cheers,
Steve




Re: [Samba] Winbind troubles

2013-07-24 Thread Rowland Penny
On 24 July 2013 11:59, Jonathan Buzzard wrote:

> Hum, according to Rowland it uses the gidNumber in the user's DN, though
> his posted "proof" was flawed and it could have been coming from the
> gidNumber of the user's primary group just as Winbind does. I have
> browsed the source code for sssd but it is not immediately obvious where
> it is getting the info from. So which one does it really use?
>
> >  I see that the classicupgrade retains the user gidNumber so
> >  maybe we should keep it in the DN of not only the primaryGroup but
> >  also in the DN for new users too. For compatibility?
>
> Like I said best practice is probably to keep them the same. The thing
> with RFC2307 is that it is for storing Unix attributes in LDAP and we
> are talking about storing Unix attributes in AD which is not quite the
> same thing. Ideally the gidNumber field in the user's entry should be a
> derived field similar to the memberOf fields.
>

Look you prat, I agreed with you that it is best practice to keep the user's
gidNumber & primaryGroupID the same, I also said that it probably does not
matter where the gidNumber comes from as long as it is the right one.

The storage of Unix attributes in AD is what windows does so it must be done
the way that windows does it.

I also said that we were never going to agree on this, this was a hint,
PLEASE SHUT UP!

Rowland


Re: [Samba] Winbind troubles

2013-07-24 Thread Jonathan Buzzard
On Wed, 2013-07-24 at 00:49 +0200, steve wrote:

[SNIP]

> For the record, sssd pulls all its info from AD.

I never said otherwise.

>  A user does not need a gidNumber, it is drawn from the
>  primaryGroupID. For Linux clients it is vital that whatever the
>  primaryGroupID is contains the gidNumber attribute. sssd does the
>  rest.

Hum, according to Rowland it uses the gidNumber in the user's DN, though
his posted "proof" was flawed and it could have been coming from the
gidNumber of the user's primary group just as Winbind does. I have
browsed the source code for sssd but it is not immediately obvious where
it is getting the info from. So which one does it really use?

>  I see that the classicupgrade retains the user gidNumber so
>  maybe we should keep it in the DN of not only the primaryGroup but
>  also in the DN for new users too. For compatibility?

Like I said best practice is probably to keep them the same. The thing
with RFC2307 is that it is for storing Unix attributes in LDAP and we
are talking about storing Unix attributes in AD which is not quite the
same thing. Ideally the gidNumber field in the user's entry should be a
derived field similar to the memberOf fields.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread L . P . H . van Belle
Look, you're still not getting the point, steve.
Yes, you made some good howtos, I've read them.

But because there are so many options, so many roads to Rome...
It's hard to decide what to use.
Yes, developers need to be developers, but if the developers don't document,
who can then make the documentation? So yes, the devs need to do some
documentation.
And what there is, is good, that's not the point.

My point is, there are lots of people installing samba4, in different ways.
It would be nice if there are some guidelines on how to set up such a thing.
And yes, even Microsoft or Novell have such guidelines. But that's not the
point.

I'm asking here if the people who "really understand" samba4, and this can be
dev or community people,
can make some simple howtos. As I already said, I'm going to make one, like the
one before.
For example look at my old setup.
http://lists.samba.org/archive/samba/2005-December/114817.html
It's still usable, ok, the layout is a bit messed up, but it still works.
( don't be too hard on it, it was my first howto. )

and, is stated in 2005...

quote "
I try to give a complete solution for this how-to,
this is because lots of people were asking the same things on
the samba list and lots of people make the same mistakes.
"

and all these same questions are taking precious time of the devs.

Samba4 can be much much better in use, when there are "better" howtos.
Which don't need compiling to make it more accessible for others,
and most important, no compiling software on production servers, it's not safe
and not needed!
Keep things as standard as it can be, your life gets so much easier if you do.
For example, my backups are just /etc /home/MYDATA and my ldap export.
If I have a crash, happened 1 time, I just reinstall my server, put back my
configs
and reset rights if needed, I'm always up and running within 1-2 hours. ( with
about 40-60GB data )
Even if my building burns out. ( ok, tape restore takes 1,5 hours, so total
restore time 3-4 hours )
I can replicate every installation very easily because of no compiling, and keep
it as standard as I can.
Debian is a star at keeping the install files original, and using include.d dirs
for extra settings.
This is power in upgrading and reinstalls.

That's my point.

So let's help one another, I'm looking for sernet based howtos, please e-mail
them to me if you have one.
I'll try to make a new big howto for samba.


Louis





>-Original message-
>From: st...@steve-ss.com [mailto:samba-boun...@lists.samba.org]
>On behalf of steve
>Sent: Wednesday 24 July 2013 11:08
>To: samba@lists.samba.org
>Subject: Re: [Samba] RE Samba (winbind) troubles
>
>On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
>> > From: steve
>> >
>> > On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
>> > >
>> > > I do like samba, but wiki/howtos are lots to improve.
>> >
>> > To be fair, it's not just Samba. It's most open source stuff. There are
>> > too many hobbyists and armchair users. As joe public, what we should be
>> > doing is not criticising the devs for their poor documentation. We
>> > should be writing it ourselves at our own level. Let the devs enjoy
>> > their C and let's thank them for the code. It's not down to them to
>> > document it for end users.
>>
>> It's a little hard to write documentation when all you've got is a million
>> questions and no answers. The only people who actually have the answers are
>> the developers.
>
>Hi
>That's not the case. They are too far removed from being an end user let
>alone a beginner.
>
>You're just about to solve an issue that you have raised in this thread.
>As soon as you have it solved then document it in your own words: your
>own notes in case you get the issue again. It's a small step from there
>to tidy it up a bit and blog or wiki it. You have the opportunity of
>using the non jargon, non technical language end users hate. Other end
>users will hit the blog like it's going out of fashion. There's a demand
>for this level of documentation.
>
>Salu2
>Steve
>



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 01:26 -0700, Paul D. DeRocco wrote:
> > From: steve
> > 
> > On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> > > 
> > > I do like samba, but wiki/howtos are lots to improve.
> > 
> > To be fair, it's not just Samba. It's most open source stuff. There are
> > too many hobbyists and armchair users. As joe public, what we should be
> > doing is not criticising the devs for their poor documentation. We
> > should be writing it ourselves at our own level. Let the devs enjoy
> > their C and let's thank them for the code. It's not down to them to
> > document it for end users.
> 
> It's a little hard to write documentation when all you've got is a million
> questions and no answers. The only people who actually have the answers are
> the developers.

Hi
That's not the case. They are too far removed from being an end user let
alone a beginner.

You're just about to solve an issue that you have raised in this thread.
As soon as you have it solved then document it in your own words: your
own notes in case you get the issue again. It's a small step from there
to tidy it up a bit and blog or wiki it. You have the opportunity of
using the non jargon, non technical language end users hate. Other end
users will hit the blog like it's going out of fashion. There's a demand
for this level of documentation.

Salu2
Steve




Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread Paul D. DeRocco
> From: steve
> 
> On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> > 
> > I do like samba, but wiki/howtos are lots to improve.
> 
> To be fair, it's not just Samba. It's most open source stuff. There are
> too many hobbyists and armchair users. As joe public, what we should be
> doing is not criticising the devs for their poor documentation. We
> should be writing it ourselves at our own level. Let the devs enjoy
> their C and let's thank them for the code. It's not down to them to
> document it for end users.

It's a little hard to write documentation when all you've got is a million
questions and no answers. The only people who actually have the answers are
the developers. I wish developers would routinely budget, oh, 10% of their
time to writing docs. I spend at least twice that much on documenting my own
software, because I find it helps me write better organized code if I first
have to explain what it's going to do, or how to use it. Write the manual
first, then implement it, modifying the manual as you discover logical flaws
during the process of writing and debugging.

> I doubt that Microsoft would allow their
> coders anywhere near the end user documentation department.

I don't know what they do at Microsoft, but there must be some organized way
of getting the software writers to convey the information to the people who
actually write the documentation. In my opinion (as someone who's been
spending a big chunk of his life reading documentation lately), the MSDN
content ranges from marginal to excellent, while Linux-land documentation
ranges from practically non-existent (e.g., ALSA) to very good (the kernel
man pages). So far, I think Samba's docs get about a C-, but that's because
I know next to nothing about networking; they may look much better to
someone who already knows all about SMB from the Windows world.

-- 

Ciao,   Paul D. DeRocco
Paul mailto:pdero...@ix.netcom.com



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread steve
On Wed, 2013-07-24 at 09:09 +0200, L.P.H. van Belle wrote:
> hijacked the winbind threat.. but.. 
> 

Don't feel threatened. There _are_ alternatives.

> 
> I do like samba, but wiki/howtos are lots to improve.

To be fair, it's not just Samba. It's most open source stuff. There are
too many hobbyists and armchair users. As joe public, what we should be
doing is not criticising the devs for their poor documentation. We
should be writing it ourselves at our own level. Let the devs enjoy
their C and let's thank them for the code. It's not down to them to
document it for end users. I doubt that Microsoft would allow their
coders anywhere near the end user documentation department.

Anyway, hopefully complex DCs and windows domains will soon be a thing
of the past. You don't need winbind for Cloud. You won't need sysadmins
either. Just someone who can read the quickstart guide.

Just my €0.02



Re: [Samba] RE Samba (winbind) troubles

2013-07-24 Thread L . P . H . van Belle
hijacked the winbind threat.. but.. 


Really,.  


>> > If you want my opinion and you probably don't, people need to stop
>> > thinking NT server if they connect to a samba4 AD server and start
>> > thinking AD server, they are totally different.
>> > 

Novell NDS is much better than MS's (NDS copied) AD,
but that's not the issue.

Also, big point is, not thinking in AD, it's making better manuals/howtos based on
real-world examples.
I'm working with Novell/Windows/ over 20 years now. Linux about 15.
and really, the manuals and howtos aren't easy to read, sorry.. that is for me
since I'm Dutch.

There are too many scenarios, and combined with the wiki, it's a mess in my
head...

Some howto's simplified would be nice. like for example.
( choose )
- Single server setup, with samba4 AD, choose internal dns or bind. etc..
- 2 Samba4 DC servers, using bind, etc. etc.
- 1 samba4 server, added to windows AD.
- 1 windows server, added to samba4 ad.
- 2 samba4 DC servers and remote 1 samba DC server.
These 5 are the start of all other scenarios.
( some extra's )
- samba4 setup with DRBD or GLUSTER  ( since it's default in most distros )

( management )
GUI - Windows tools
CLI - some needed commands as example.
etc ..

Put the pro/cons in a matrix what works what not.
and I preferred something like this with for example the sernet packages.
This way is always the same, no compiling needed, so less questions here,
and bugs are faster found. looks a win win for me.
and if a setup is made for example with ubuntu, it is usable for all debian based
installs.
same for centos/redhat.

I'm using this strategy for all my servers I install and manage.
bugs are very fast found and fixed with upstream packages.

I don't compile on any production server, as should everyone else.

Any suggestions samba team? please do so, let's make the best software even
better.
My now running setup, is done by howto ( made my own at the time ), and is
running since 2004,
with 0 errors, ok, some failing hardware, but samba never let me down.
I still use the manual to install new servers in my environment now.

I've been testing samba4 since alpha 8, and for now, I'm still not running it.
Why, setting up samba4 is too complex in my situation, yes, documentation is
good, but for me it's too much.
but if it's for me, how about other people,... what would you like to see to
simplify the samba4 install.

A simple thing as installing samba4 and adding it as DC to a windows domain.
really try it with only the wiki info. Such a simple thing like this, is very
complex explained in the wiki.

but ok this is my point of view.

I do like samba, but wiki/howtos are lots to improve.

I promise to the samba community, when I start my install, I'll document it and
make a nice howto of it.
A howto everyone can read and understand.  ( will be debian/ubuntu base, with
sernet packages )

Still samba team/sernet team, thanks for providing this software, let's make it
better with all of us.
there are lots of very good people here on the mailing which have the knowledge
to make such howtos.

ow... and sorry for my bad English..  ;-) I don't write much in English these
days.

Best regards, 

Louis




Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 23:21 +0100, Jonathan Buzzard wrote:
> On 23/07/13 17:10, Rowland Penny wrote:
> 
> [SNIP]
> 
> >
> > But if the group identified by primaryGroupID 513 has gidNumber 20513
> > (which would be in my opinion best practice) without looking in the
> > source code of sssd you don't know whether sssd took the gidNumber of
> > the user or took the primaryGroupID, and then looked up gidNumber of
> > that group. As your example has not shown what the gidNumber of the
> > group identified by primaryGroupID 513 it has not demonstrated what you
> > claim it has demonstrated.
> >
> >
> > Does it matter, as long as the right answer is returned?
> >
> 
> Only in that you gave an example that claimed to show that sssd used the
> gidNumber from the user's entry. The point I was making is that it did
> not actually show that. What it showed was sssd returning a GID that
> matched the gidNumber from the user's entry which while close is not what
> you claimed.
> 
> > But for your information, sssd pulls ALL the information from the user's
> > RFC2307 information, in fact it pulls more information than winbind.
> >
> 
> Well then that sucks and I prefer the winbind method, because as far as
> I am aware changing the Windows primary group (at least under 2003R2 and
> 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's
> gidNumber. As such it is inevitable that mistakes will be made, things
> will get out of sync and stuff will break in odd not apparent ways.
> 
> Reasons why winbind is better than sssd if you ask me :-)

Well, I don't think we're here to decide what is better and I don't
think we're helping the OP at all, rather serving to confuse:(

For the record, sssd pulls all its info from AD. A user does not need a
gidNumber, it is drawn from the primaryGroupID. For Linux clients it is
vital that whatever the primaryGroupID is contains the gidNumber
attribute. sssd does the rest. I see that the classicupgrade retains the
user gidNumber so maybe we should keep it in the DN of not only the
primaryGroup but also in the DN for new users too. For compatibility?



Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard

On 23/07/13 17:10, Rowland Penny wrote:

[SNIP]

> But if the group identified by primaryGroupID 513 has gidNumber 20513
> (which would be in my opinion best practice) without looking in the
> source code of sssd you don't know whether sssd took the gidNumber of
> the user or took the primaryGroupID, and then looked up gidNumber of
> that group. As your example has not shown what the gidNumber of the
> group identified by primaryGroupID 513 it has not demonstrated what you
> claim it has demonstrated.
>
> Does it matter, as long as the right answer is returned?

Only in that you gave an example that claimed to show that sssd used the
gidNumber from the user's entry. The point I was making is that it did
not actually show that. What it showed was sssd returning a GID that
matched the gidNumber from the user's entry which while close is not what
you claimed.

> But for your information, sssd pulls ALL the information from the user's
> RFC2307 information, in fact it pulls more information than winbind.

Well then that sucks and I prefer the winbind method, because as far as
I am aware changing the Windows primary group (at least under 2003R2 and
2008R2, not tested 2012 or Samba4) of a user has no effect on the user's
gidNumber. As such it is inevitable that mistakes will be made, things
will get out of sync and stuff will break in odd not apparent ways.

Reasons why winbind is better than sssd if you ask me :-)


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 16:44, Jonathan Buzzard wrote:

> You don't seem to have taken on board that primaryGroupID is a numerical
> identifier for an actual group. Now why Microsoft didn't use the group's
> SID I have not the faintest idea.
>

I suppose that you have noticed that the primaryGroupID is the RID from
the group's SID and yes I had taken it on board.


> The number returned by primaryGroupID is only used by winbind to
> identify the primary group of the user. It then looks up the gidNumber
> for that group and returns that.
>
> Would it be a good idea for the user to have a different primary group
> in Windows land from Unix land? I tend to think that keeping them the
> same is a good idea and hence the way winbind does it has considerable
> merit. In particular you can use the Windows tools to change the primary
> group of the user and get expected results on both Windows and Unix.
>

I would agree with you here, the user's primary group needs to be the same
in windows & linux


> Basically adding a gidNumber to each user is a redundant feature of
> RFC2307.
>

Redundant it may be, but it is the way that windows wants it to be done.


>
> >
> >
> > As such your example does not show what you think it does show because
> > you have not shown the gidNumber of the group identified by
> > primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> > user it would in my opinion be good practice to keep the gidNumber of
> > the user the same as the gidNumber of the Windows primary group.
> >
> > So sorry, this is the gidNumber attribute from
> > dn: CN=Domain Users,CN=Users,DC=example,DC=com
> > gidNumber: 20513
> >
> >
> > As you can see, it is the same gidNumber that the user has.
> >
>
> But if the group identified by primaryGroupID 513 has gidNumber 20513
> (which would be in my opinion best practice) without looking in the
> source code of sssd you don't know whether sssd took the gidNumber of
> the user or took the primaryGroupID, and then looked up gidNumber of
> that group. As your example has not shown what the gidNumber of the
> group identified by primaryGroupID 513 it has not demonstrated what you
> claim it has demonstrated.
>
>
Does it matter, as long as the right answer is returned?

But for your information, sssd pulls ALL the information from the user's
RFC2307 information, in fact it pulls more information than winbind.

Rowland


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 16:44 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
> > 
> > 
> > 
> > If you want my opinion and you probably don't, people need to stop
> > thinking NT server if they connect to a samba4 AD server and start
> > thinking AD server, they are totally different.
> > 
> 
> Absolutely. I think much of the Samba4 related stuff on this mailing
> list would not be here if the users bothered to read a dummies guide to
> AD at a minimum. If you don't have a good understanding of how AD works
> then trying to set up a Samba4 AD domain controller is probably a bad
> idea.

To me AD is LDAP. If I'd never set up openLDAP in a Linux only
environment a few years back, I'd be totally and utterly knackered with
S4 AD.




Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> > Could this be yet another reason to use sssd instead of winbind?
> > 
> > sssd does use the account gidNumber
> > 
> > testuser
> > 
> > primaryGroupID: 513
> > uidNumber: 3001106
> > gidNumber: 20513
> > 
> > getent passwd testuser
> > testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
> > 
> > 
> 
> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.

I'd put good money on this working as both group and primary group:
getent group Domain\ Users
Domain Users:*:20513:
 ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site


There are problems in setting primaryGroupID to groups other than Domain
Users using S4 but as I understand it, the primary group will determine
the default group of the file ownership when a user creates a file. He
could be in many groups but files created by default will be of group of
the primary group.


> 
> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.
> 
> Sometimes my mind boggles at just how much people don't understand AD
> and Samba in the Linux/Unix world.
> 
> JAB.
> 
> -- 
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
> 




Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
> 
> On 23 July 2013 15:04, Jonathan Buzzard wrote:
> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.
> 
> 
> 
> As I said sssd uses the user's gidNumber not the primaryGroupID, I may
> be wrong but I believe that the primaryGroupID is a windows thing and
> as such should be ignored by winbind if it is instructed to use
> rfc2307 attributes, but that is just my opinion.

You don't seem to have taken on board that primaryGroupID is a numerical
identifier for an actual group. Now why Microsoft didn't use the group's
SID I have not the faintest idea.

The number returned by primaryGroupID is only used by winbind to
identify the primary group of the user. It then looks up the gidNumber
for that group and returns that.

Would it be a good idea for the user to have a different primary group
in Windows land from Unix land? I tend to think that keeping them the
same is a good idea and hence the way winbind does it has considerable
merit. In particular you can use the Windows tools to change the primary
group of the user and get expected results on both Windows and Unix.

Basically adding a gidNumber to each user is a redundant feature of
RFC2307.

> 
> 
> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.
> 
> So sorry, this is the gidNumber attribute from
> dn: CN=Domain Users,CN=Users,DC=example,DC=com
> gidNumber: 20513
>
> 
> As you can see, it is the same gidNumber that the user has.
> 

But if the group identified by primaryGroupID 513 has gidNumber 20513
(which would be in my opinion best practice) without looking in the
source code of sssd you don't know whether sssd took the gidNumber of
the user or took the primaryGroupID, and then looked up gidNumber of
that group. As your example has not shown what the gidNumber of the
group identified by primaryGroupID 513 it has not demonstrated what you
claim it has demonstrated.

It might well be what you claim is true, it is just your example does
not demonstrate it to be conclusively the case.

> 
> If you want my opinion and you probably don't, people need to stop
> thinking NT server if they connect to a samba4 AD server and start
> thinking AD server, they are totally different.
> 

Absolutely. I think much of the Samba4 related stuff on this mailing
list would not be here if the users bothered to read a dummies guide to
AD at a minimum. If you don't have a good understanding of how AD works
then trying to set up a Samba4 AD domain controller is probably a bad
idea.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
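
The two sources of a user's GID argued over in this thread (the user's own gidNumber, and the gidNumber of the group whose RID is primaryGroupID) can be compared directly, which also surfaces the drift described above when a primary group is changed without touching the user's gidNumber. This is an added example, not code from any poster or from Samba or sssd; it assumes ldbsearch-style text with objectSid printed as a string, and the domain SID, groups and the accounts alice, bob and carol are constructed.

```python
"""Audit user gidNumber against the gidNumber of the primaryGroupID group."""
from collections import defaultdict, namedtuple

# Constructed sample in ldbsearch text form (objectSid printed as a string).
# The domain SID, groups and alice/bob/carol are made up; testuser reuses the thread's values.
SAMPLE = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 20513

dn: CN=sambausers,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 20001

dn: CN=nogid,CN=Users,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106

dn: CN=testuser,CN=Users,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1601
primaryGroupID: 513
gidNumber: 20513

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1602
primaryGroupID: 1105
gidNumber: 20513

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1603
primaryGroupID: 1106
gidNumber: 20513

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1604
primaryGroupID: 513
"""

Finding = namedtuple("Finding", "dn status user_gid group_gid")


def parse_records(text):
    """Split ldbsearch/LDIF-style text into dicts of lower-cased attr -> [values]."""
    records, current, last = [], defaultdict(list), None
    for line in text.splitlines() + [""]:
        if not line.strip():                   # a blank line ends the record
            if current:
                records.append(dict(current))
            current, last = defaultdict(list), None
        elif line.startswith("#"):             # "# record N" comment lines
            continue
        elif line.startswith(" ") and last:    # folded continuation of a value
            current[last][-1] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            current[last].append(value.strip())
    return records


def _first(record, attr, cast=str):
    values = record.get(attr.lower()) if record else None
    return cast(values[0]) if values else None


def _is_a(record, object_class):
    return object_class in (c.lower() for c in record.get("objectclass", []))


def audit_primary_groups(records):
    """Return one Finding per user, comparing both candidate sources of the GID."""
    groups = {_first(r, "objectSid"): r for r in records if _is_a(r, "group")}
    findings = []
    for user in (r for r in records if _is_a(r, "user")):
        sid, rid = _first(user, "objectSid"), _first(user, "primaryGroupID")
        if not sid or not rid:
            continue
        # primaryGroupID is the RID of the group's SID in the user's own domain.
        group = groups.get(f"{sid.rsplit('-', 1)[0]}-{rid}")
        user_gid = _first(user, "gidNumber", int)     # the user's own attribute
        group_gid = _first(group, "gidNumber", int)   # via the primary group
        status = ("primary-group-not-found" if group is None else
                  "group-missing-gidNumber" if group_gid is None else
                  "user-missing-gidNumber" if user_gid is None else
                  "consistent" if user_gid == group_gid else "mismatch")
        findings.append(Finding(_first(user, "dn"), status, user_gid, group_gid))
    return findings


if __name__ == "__main__":
    for finding in audit_primary_groups(parse_records(SAMPLE)):
        print(*finding, sep="\t")
```

Any account reported as anything other than consistent is one where the two lookups would hand back different primary GIDs, or where one of them has nothing to return.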



Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 14:53 +0100, Jonathan Buzzard wrote:

> 
> What gets me is people claiming that half a dozen lines of configuration
> in smb.conf is more complicated than 30+ lines of configuration in an
> entirely separate configuration file in addition to several lines in
> smb.conf. It might be more performant, it might have fewer bugs etc. but
> it is absolutely not simpler to configure.

The main difference is that even though sssd may involve copying and
pasting a configuration file to /etc somewhere and changing the domain
name therein, once you've done it, you just start it and forget it.
Unfortunately most mortals here cannot do that with winbind. That's why
we always try and help users with winbind. Don't let's forget the OP in
all this: the winbind documentation seems to be written for devs for
devs. There is nothing written in simple terms to help us nor the OP.



Re: [Samba] Winbind troubles

2013-07-23 Thread Helmut Hullen
Hello, Jonathan,

You wrote on 23.07.13:

>> Why use a word like orthogonal?

> Orthogonal is a single word, is precise and describes what is
> required exactly.

Sorry - "that depends".
I know this word as a synonym of "rectangular", and I mostly know it in  
a geometrical environment.

90 degrees = pi/2 = 100 gon.

These degrees are not to be mistaken with degrees Fahrenheit or degrees
Celsius.

Best regards!
Helmut


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 15:04, Jonathan Buzzard  wrote:

> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.
>

As I said sssd uses the user's gidNumber not the primaryGroupID, I may be
wrong but I believe that the primaryGroupID is a Windows thing and as such
should be ignored by winbind if it is instructed to use rfc2307 attributes,
but that is just my opinion


>
> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.
>

So sorry, this is the gidNumber attribute from
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 20513

As you can see, it is the same gidNumber that the user has.

If you want my opinion and you probably don't, people need to stop thinking
NT server if they connect to a samba4 AD server and start thinking AD
server, they are totally different.

Rowland


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 14:53, Jonathan Buzzard  wrote:

> Orthogonal is a single word, is precise and describes what is required
> exactly. It has been in my vocabulary for approaching 30 years. Non
> overlapping range is three words and more characters as well. I was not
> aware that Newspeak was now a requirement for posting on this list.
>

OK, so it is in your vocabulary, but it is not in mine, nor I believe
the vast number of the English speaking world. You think that you know
what it means, but have a look here:
http://www.merriam-webster.com/dictionary/orthogonal
Your definition is not mentioned.


> >
> > From what I can see the BUILTIN uids come from windows (and are called
> > SID's) and there they are set in stone.
> >
>
> The SID's are set in stone, they have no UID's set in stone. Winbind to
> work allocates a UID to them in its allocatable (usually local)
> database. There must be no conflicts between these allocated UID's and
> the UID's in the domain, hence the requirement that the ranges given to
> winbind be orthogonal.
>

Well perhaps they should be now, the problem that I see is that RHEL etc
uses 0-500 for local users and Debian uses 0-999, so perhaps reserve 1100 -
1200 for the BUILTIN users

>
> > from the sssd-1.9.0 announcement
> >
> >   - Add a new PAC responder for dealing with cross-realm Kerberos
> > trusts
>
> Well that's relatively new (aka less than a year old). I guess not that
> many enterprise distributions will carry it (though RHEL 6.4 does).
>

ER, isn't RHEL THE enterprise distro?

>
> What gets me is people claiming that half a dozen lines of configuration
> in smb.conf is more complicated than 30+ lines of configuration in an
> entirely separate configuration file in addition to several lines in
> smb.conf. It might be more performant, it might have fewer bugs etc. but
> it is absolutely not simpler to configure.
>

For me it is a lot easier to configure, I don't have to worry about
orthogonal numbers for instance (drat, now you have got me at it ) ;-0

Rowland


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> Could this be yet another reason to use sssd instead of winbind?
> 
> sssd does use the account gidNumber
> 
> testuser
> 
> primaryGroupID: 513
> uidNumber: 3001106
> gidNumber: 20513
> 
> getent passwd testuser
> testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
> 
> 

Not what I said. The primaryGroupID is an identifier for a group in AD,
bit like a SID is (I don't get that either). So primaryGroupID 513 might
refer to a group called sambausers, which has its own set of
RFC2307bis attributes which include a gidNumber. Winbind uses the
gidNumber of the primaryGroupID, not the primaryGroupID itself which is
something entirely different.

As such your example does not show what you think it does show because
you have not shown the gidNumber of the group identified by
primaryGroupID 513. I would say even if sssd uses the gidNumber of the
user it would in my opinion be good practice to keep the gidNumber of
the user the same as the gidNumber of the Windows primary group.

Sometimes my mind boggles at just how much people don't understand AD
and Samba in the Linux/Unix world.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
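
The two lookup strategies argued about in this part of the thread, modelled over constructed directory entries. This is an added example, not part of the original message and not winbind or sssd code; the domain SID and the alternative gidNumber 20999 are made up, and the function names are hypothetical.

```python
# Constructed directory entries modelled on the attributes quoted in the
# thread; DOMAIN_SID is a made-up placeholder, not a real domain SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def make_directory(group_gid):
    """Build a tiny directory; group_gid=None means the group has no gidNumber."""
    group = {"cn": "Domain Users"}
    if group_gid is not None:
        group["gidNumber"] = group_gid
    return {
        "users": {
            "testuser": {"primaryGroupID": 513, "uidNumber": 3001106, "gidNumber": 20513},
        },
        # Groups are keyed by objectSid: domain SID + "-" + RID.
        "groups": {f"{DOMAIN_SID}-513": group},
    }


def gid_from_user_attribute(directory, username):
    """Strategy A: take gidNumber straight from the user object."""
    user = directory["users"][username]
    if "gidNumber" not in user:
        raise LookupError(f"{username} has no gidNumber")
    return user["gidNumber"]


def gid_from_primary_group(directory, username):
    """Strategy B: primaryGroupID is a RID; resolve the group, use its gidNumber."""
    user = directory["users"][username]
    group_sid = f"{DOMAIN_SID}-{user['primaryGroupID']}"
    group = directory["groups"].get(group_sid)
    if group is None or "gidNumber" not in group:
        # The failure mode described in the thread: no GID on the primary group.
        raise LookupError(f"primary group {group_sid} has no gidNumber")
    return group["gidNumber"]


def experiment_is_conclusive(directory, username):
    """True only if the two strategies would yield different passwd GIDs."""
    a = gid_from_user_attribute(directory, username)
    b = gid_from_primary_group(directory, username)
    return a != b


if __name__ == "__main__":
    for group_gid in (20513, 20999):
        d = make_directory(group_gid)
        print(
            f"group gidNumber={group_gid}: "
            f"user-attribute={gid_from_user_attribute(d, 'testuser')} "
            f"primary-group={gid_from_primary_group(d, 'testuser')} "
            f"conclusive={experiment_is_conclusive(d, 'testuser')}"
        )
```

With both gidNumbers at 20513 the `getent passwd` output is the same under either strategy; only a test in which the two values differ shows which one a client uses.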


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 14:20 +0100, Rowland Penny wrote:
> OK, the documentation is better but people still get it wrong probably
> because it is more complex than it needs to be, I personally find it
> easier to set sssd up, but that is just me. 
> 
> Why use a word like orthogonal?, just who knows what orthogonal means,
> I have only been speaking English for 56 years and have never used
> that word in a sentence, just say what you mean and do not hide behind
> gobbledy-gook.

Orthogonal is a single word, is precise and describes what is required
exactly. It has been in my vocabulary for approaching 30 years. Non
overlapping range is three words and more characters as well. I was not
aware that Newspeak was now a requirement for posting on this list.

> 
> From what I can see the BUILTIN uids come from windows (and are called
> SID's) and there they are set in stone.
> 

The SID's are set in stone, they have no UID's set in stone. Winbind to
work allocates a UID to them in its allocatable (usually local)
database. There must be no conflicts between these allocated UID's and
the UID's in the domain, hence the requirement that the ranges given to
winbind be orthogonal.

> from the sssd-1.9.0 announcement
> 
>   - Add a new PAC responder for dealing with cross-realm Kerberos
> trusts

Well that's relatively new (aka less than a year old). I guess not that
many enterprise distributions will carry it (though RHEL 6.4 does).

What gets me is people claiming that half a dozen lines of configuration
in smb.conf is more complicated than 30+ lines of configuration in an
entirely separate configuration file in addition to several lines in
smb.conf. It might be more performant, it might have fewer bugs etc. but
it is absolutely not simpler to configure.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
Could this be yet another reason to use sssd instead of winbind?
sssd does use the account gidNumber

testuser

primaryGroupID: 513
uidNumber: 3001106
gidNumber: 20513

getent passwd testuser
testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash

Rowland



On 23 July 2013 13:54, Jonathan Buzzard  wrote:

> On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> > On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> >
> > >
> > > It's probably still not working for him because he needs to clear the
> > > now polluted cache/database that winbind has created from previous
> > > attempts. Using net cache flush might work. Personally I would stop
> > > samba delete the tdb files and start it again, redo the domain join and
> > > try it.
> >
> > Just thought about nscd too. On some distros it's default. . .
>
> Another thought. The primary windows group of the account has to have
> unix attributes. For reasons I cannot fathom the gidNumber attribute of
> the account is not used by winbind and instead the primaryGroupID is
> used. If this group does not have a GID set then the lookup fails!
>
> I guess best practice is to keep the GID of the primaryGroupID and the
> gidNumber of the user the same but I don't understand why it is the way
> it is.
>
> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>
>


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
OK, the documentation is better but people still get it wrong probably
because it is more complex than it needs to be, I personally find it easier
to set sssd up, but that is just me.

Why use a word like orthogonal?, just who knows what orthogonal means, I
have only been speaking English for 56 years and have never used that word
in a sentence, just say what you mean and do not hide behind gobbledy-gook.

From what I can see the BUILTIN uids come from windows (and are called
SID's) and there they are set in stone.

from the sssd-1.9.0 announcement

  - Add a new PAC responder for dealing with cross-realm Kerberos trusts

Your turn ;-)

Rowland


On 23 July 2013 13:48, Jonathan Buzzard  wrote:

> On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:
>
> [SNIP]
>
> >
> > I thought that testparm did exactly that, it tested all the parameters
> > in smb.conf, so if the ranges overlap, it should report the error.
> >
>
> You thought wrong then. It tests to see if they are valid so 1000-akjf
> is invalid and will throw an error, 1000-2000 is valid and will not
> throw an error even if it overlaps with some other range.
>
> >
> > Darned right it is confusing.
> >
>
> It was confusing because the documentation at the time was not complete.
> That is no longer the case.
>
> >
> > Yet people still get it wrong.
> >
>
> There is no accounting for what some people do. I have just checked and
> a Google search for "winbind ad rfc2307 setup" gives a top hit that
> explains the ranges must be orthogonal.
>
> >
> > Why are the BUILTIN uid's & gid's not set in stone? and noted
> > somewhere and users told 'do not use this range'
> >
>
> Because your set in stone range might already be allocated in the AD.
> Not all Samba servers are green field deployments. Some/many have to
> integrate into already existing environments and hence admins need the
> flexibility to adapt to the environment they find themselves in.
>
> >
> > Also winbind can handle multiple domains so it needs to know which
> > domain to use to lookup a given UID or GID in.
> >
> >
> > sssd can do this very easily, so your point is?
> >
>
> That is the one thing that sssd cannot do. At least according to the
> documents I have read multiple domains with cross domain trusts equals
> use winbind.
>
> Either way there is no way for either sssd or winbind to know which of
> the potential multiple domains it should look that up in. You could I
> guess take a sledgehammer approach and look it up in all the domains,
> but I can think of lots of reasons why that would not be a good idea.
>
>
> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>
>


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> 
> > 
> > It's probably still not working for him because he needs to clear the
> > now polluted cache/database that winbind has created from previous
> > attempts. Using net cache flush might work. Personally I would stop
> > samba delete the tdb files and start it again, redo the domain join and
> > try it.
> 
> Just thought about nscd too. On some distros it's default. . .

Another thought. The primary windows group of the account has to have
unix attributes. For reasons I cannot fathom the gidNumber attribute of
the account is not used by winbind and instead the primaryGroupID is
used. If this group does not have a GID set then the lookup fails!

I guess best practice is to keep the GID of the primaryGroupID and the
gidNumber of the user the same but I don't understand why it is the way
it is.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:

[SNIP]

> 
> I thought that testparm did exactly that, it tested all the parameters
> in smb.conf, so if the ranges overlap, it should report the error.
>  

You thought wrong then. It tests to see if they are valid so 1000-akjf
is invalid and will throw an error, 1000-2000 is valid and will not
throw an error even if it overlaps with some other range.

> 
> Darned right it is confusing.
>  

It was confusing because the documentation at the time was not complete.
That is no longer the case.

> 
> Yet people still get it wrong.
>

There is no accounting for what some people do. I have just checked and
a Google search for "winbind ad rfc2307 setup" gives a top hit that
explains the ranges must be orthogonal.

> 
> Why are the BUILTIN uid's & gid's not set in stone? and noted
> somewhere and users told 'do not use this range'
>

Because your set in stone range might already be allocated in the AD.
Not all Samba servers are green field deployments. Some/many have to
integrate into already existing environments and hence admins need the
flexibility to adapt to the environment they find themselves in.

> 
> Also winbind can handle multiple domains so it needs to know which
> domain to use to lookup a given UID or GID in.
>
> 
> sssd can do this very easily, so your point is?
> 

That is the one thing that sssd cannot do. At least according to the
documents I have read multiple domains with cross domain trusts equals
use winbind.

Either way there is no way for either sssd or winbind to know which of
the potential multiple domains it should look that up in. You could I
guess take a sledgehammer approach and look it up in all the domains,
but I can think of lots of reasons why that would not be a good idea.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 11:40, Jonathan Buzzard  wrote:

> On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:
>
> [SNIP]
>
> >
> > OK, I see where you are coming from, but until testparm starts saying
> > 'this will not work because' people will keep on having problems with
> > winbind, also why do you need to set up the ranges anyway.
>
> testparm does not guarantee a working configuration, it guarantees that
> you don't have any invalid configuration lines from a syntactic point of
> view.
>

I thought that testparm did exactly that, it tested all the parameters in
smb.conf, so if the ranges overlap, it should report the error.


> I fully appreciate that it can seem confusing. I know three years ago
> when I first set it up I ended up reading large chunks of this mailing
> list's archive to find a single post that told me what I was doing
> wrong. At the time the idmap_ad manual page did not hold the necessary
> information.
>

Darned right it is confusing.


> However today in mid 2013, the manual page is accurate and there are a
> *lot* more posts in the mailing list on how to set it up.
>

Yet people still get it wrong.


> >  The user and group ranges are already set by the admin in uidNumber &
> > gidNumber, so again why do they need setting in smb.conf, IMHO the
> > setting should be 'idmap config:backend = ad' and that should make
> > winbind pull all the rfc2307 items for a user or group
>
> The issue is that winbind needs somewhere to allocate UID's and GID's
> for the BUILTIN backend. As such it does not know in advance what a
> suitable block for this is. Only you the administrator can say this
> range here is not allocated in the AD.
>

Why are the BUILTIN uid's & gid's not set in stone? and noted somewhere
and users told 'do not use this range'


> Also winbind can handle multiple domains so it needs to know which
> domain to use to lookup a given UID or GID in.
>

sssd can do this very easily, so your point is?

Rowland


> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>
>


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:

[SNIP]

> 
> OK, I see where you are coming from, but until testparm starts saying
> 'this will not work because' people will keep on having problems with
> winbind, also why do you need to set up the ranges anyway.

testparm does not guarantee a working configuration, it guarantees that
you don't have any invalid configuration lines from a syntactic point of
view.

I fully appreciate that it can seem confusing. I know three years ago
when I first set it up I ended up reading large chunks of this mailing
list's archive to find a single post that told me what I was doing
wrong. At the time the idmap_ad manual page did not hold the necessary
information.

However today in mid 2013, the manual page is accurate and there are a
*lot* more posts in the mailing list on how to set it up.

>  The user and group ranges are already set by the admin in uidNumber &
> gidNumber, so again why do they need setting in smb.conf, IMHO the
> setting should be 'idmap config:backend = ad' and that should make
> winbind pull all the rfc2307 items for a user or group

The issue is that winbind needs somewhere to allocate UID's and GID's
for the BUILTIN backend. As such it does not know in advance what a
suitable block for this is. Only you the administrator can say this
range here is not allocated in the AD.

Also winbind can handle multiple domains so it needs to know which
domain to use to lookup a given UID or GID in.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind troubles

2013-07-23 Thread Rowland Penny
On 23 July 2013 10:05, Jonathan Buzzard  wrote:

> This is where Matthew went wrong, it's right there in the man page
> (unlike three years ago). There are also a large smattering of posts
> from myself on this list over the last two years on how important it is
> not to have overlapping ranges for the local allocatable range. If you
> do it simply does not work.
>


OK, I see where you are coming from, but until testparm starts saying 'this
will not work because' people will keep on having problems with winbind,
also why do you need to set up the ranges anyway. The user and group ranges
are already set by the admin in uidNumber & gidNumber, so again why do they
need setting in smb.conf, IMHO the setting should be 'idmap config:backend
= ad' and that should make winbind pull all the rfc2307 items for a user or
group


Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> 
> > 
> > It's probably still not working for him because he needs to clear the
> > now polluted cache/database that winbind has created from previous
> > attempts. Using net cache flush might work. Personally I would stop
> > samba delete the tdb files and start it again, redo the domain join and
> > try it.
> 
> Just thought about nscd too. On some distros it's default. . .

Good point, never run winbind and nscd at the same time on the same box.
It's a recipe for trouble.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:

> 
> It's probably still not working for him because he needs to clear the
> now polluted cache/database that winbind has created from previous
> attempts. Using net cache flush might work. Personally I would stop
> samba delete the tdb files and start it again, redo the domain join and
> try it.

Just thought about nscd too. On some distros it's default. . .
Cheers,
Steve




Re: [Samba] Winbind troubles

2013-07-23 Thread Jonathan Buzzard
On Tue, 2013-07-23 at 10:15 +0200, steve wrote:

[SNIP]

> 
> +1
> sssd just works: there is plain English documentation available and you
> get rfc2307 out of the box. The same day;)
> 
> otoh, if you must stick with winbind there are reports of success here.
> Just one more thought to bugzilla it.
> 

Winbind just works if you configure it properly. There is also plain
English documentation available for winbind as well. The problem is that
Matthew either did not read it or did not follow it. From "man idmap_ad"

The writeable default config is also needed in order to be able to
create group mappings. This catch-all default idmap configuration
should have a range that is disjoint from any explicitly configured
domain with idmap backend ad.

This is where Matthew went wrong, it's right there in the man page
(unlike three years ago). There are also a large smattering of posts
from myself on this list over the last two years on how important it is
not to have overlapping ranges for the local allocatable range. If you
do it simply does not work.

It's probably still not working for him because he needs to clear the
now polluted cache/database that winbind has created from previous
attempts. Using net cache flush might work. Personally I would stop
samba delete the tdb files and start it again, redo the domain join and
try it.


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
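
A check for the disjoint-range requirement quoted from "man idmap_ad" above, which testparm does not perform. This is an added example, not part of the original message and not Samba code; the smb.conf fragments, the EXAMPLE domain name and the function names are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed smb.conf fragments (EXAMPLE is a placeholder domain; the
# numbers are not taken from any poster's configuration).
OVERLAPPING_CONF = """
[global]
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 1100-2000
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   ; this domain range swallows the default (*) range above
   idmap config EXAMPLE : range = 1000 - 3100000
"""
DISJOINT_CONF = OVERLAPPING_CONF.replace("1000 - 3100000", "10000 - 3100000")

# "idmap config <DOMAIN> : <option> = <value>", case-insensitive, with
# optional whitespace around ':' and '='.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*"
    r"(?P<option>[^=]+?)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap_ranges(conf_text):
    """Return ({domain: (low, high)}, [error strings]) from smb.conf text."""
    ranges, errors = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank line or comment
        m = _IDMAP_RE.match(line)
        if not m or m.group("option").strip().lower() != "range":
            continue
        domain, value = m.group("domain").upper(), m.group("value")
        r = _RANGE_RE.match(value)
        if not r:
            errors.append(f"line {lineno}: {domain}: malformed range {value!r}")
            continue
        low, high = int(r.group(1)), int(r.group(2))
        if low > high:
            errors.append(f"line {lineno}: {domain}: low {low} > high {high}")
            continue
        ranges[domain] = (low, high)
    return ranges, errors


def find_overlaps(ranges):
    """Return [(domain_a, domain_b, low, high)] for every overlapping pair."""
    overlaps = []
    for (dom_a, (lo_a, hi_a)), (dom_b, (lo_b, hi_b)) in combinations(
        sorted(ranges.items()), 2
    ):
        lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
        if lo <= hi:  # the intersection is non-empty
            overlaps.append((dom_a, dom_b, lo, hi))
    return overlaps


def ids_outside_range(ranges, domain, ids):
    """IDs stored in AD that the ad backend would ignore: the configured
    range acts as a filter on uidNumber/gidNumber values."""
    low, high = ranges[domain.upper()]
    return sorted(i for i in ids if not low <= i <= high)


if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING_CONF), ("disjoint", DISJOINT_CONF)):
        parsed, errs = parse_idmap_ranges(conf)
        print(name, parsed, errs, find_overlaps(parsed))
```

Run it against the real smb.conf text before restarting winbind; an empty overlap list plus an empty result from `ids_outside_range` for the uidNumber and gidNumber values actually stored in AD is the condition the man page describes.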


Re: [Samba] Winbind troubles

2013-07-23 Thread steve
On Tue, 2013-07-23 at 09:40 +0200, L.P.H. van Belle wrote:
> Hi,
>
> I'm having exactly the same problem with winbind as Matthew Daubenspeck,
> also on Ubuntu 12.04 with SerNet packages (used sernet-samba-winbind 4.0.7).
>
> I removed the complete config atm but am at the point of reinstalling now.
> I'll wait with that until you put your howto on.
> I can't lose the rfc2307 :-(
> and I can't lose control over uidNumber, gidNumber, home directories and
> login shells.
> And I'm adding a second DC later on, but what's the difference between RID
> and AD exactly?
> Or just these 4 things?

With AD you get exactly what _you_ put into the directory. There are no
algorithms or separate databases used to confuse an already complicated
issue. You put rfc2307 in AD and you get it back out when you need it,
e.g. when a user logs in.
> 
> I'll go try the sssd as suggested below on ubuntu 12.04. 

+1
sssd just works: there is plain English documentation available and you
get rfc2307 out of the box. The same day;)

otoh, if you must stick with winbind there are reports of success here.
Just one more thought to bugzilla it.

Good luck!



Re: [Samba] Winbind troubles

2013-07-23 Thread L . P . H . van Belle
Hi,

I'm having exactly the same problem with winbind as Matthew Daubenspeck,
also on Ubuntu 12.04 with SerNet packages (used sernet-samba-winbind 4.0.7).

I removed the complete config atm but am at the point of reinstalling now.
I'll wait with that until you put your howto on.
I can't lose the rfc2307 :-(
and I can't lose control over uidNumber, gidNumber, home directories and
login shells.
And I'm adding a second DC later on, but what's the difference between RID
and AD exactly?
Or just these 4 things?

I'll go try the sssd as suggested below on ubuntu 12.04. 



Best regards, 

Louis


>-Original message-
>From: rowlandpe...@googlemail.com
>[mailto:samba-boun...@lists.samba.org] On behalf of Rowland Penny
>Sent: Monday 22 July 2013 23:45
>To: steve
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Winbind troubles
>
>If you want my opinion, this is just another example of why not to use
>winbind, if you can wait until tomorrow , I will send you an howto on sssd
>on Ubuntu 12.04
>
>Rowland
>On Jul 22, 2013 10:36 PM, "steve"  wrote:
>
>> On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
>> > On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
>> > >OK, that seems like it should work, I had the winbind ad backend
>> > >working, but found it difficult to setup so jumped ship to sssd
>> > >The idmap setup I used was:
>> > >idmap config *:backend = tdb
>> > >idmap config *:range = 1100-2000
>> > >idmap config DOMAIN:backend = ad
>> > >idmap config DOMAIN:schema_mode = rfc2307
>> > >idmap config DOMAIN:range = 1-310
>> > >As you can see the number ranges are the opposite way round to what
>> > >you have i.e. config*:range is lower than DOMAIN:range
>> > >You could also try (as a test) changing backend = ad to backend =
>> > >rid, this will ignore the rfc2307 bit but will test the connect to
>> > >the AD server.
>> > >Rowland
>> >
>> > Changing the above ranges made no difference. However, changing backend
>> > = rid gets me:
>> >
>> > root@srv2:~# getent passwd administrator
>> > administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
>>
>> Amazing;)
>> >
>> > That seems to be working perfectly. What would I be losing without
>> > rfc2307 (please excuse the ignorance)?
>>
>> You'd lose control over uidNumber, gidNumber and you wouldn't be able to
>> specify your own home directories and login shells. It's also a
>> nightmare if you add a second DC.
>>



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 10:45:28PM +0100, Rowland Penny wrote:
> If you want my opinion, this is just another example of why not to use
> winbind, if you can wait until tomorrow , I will send you an howto on sssd
> on Ubuntu 12.04

Something like this?

http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html

That's about the most verbose thing Google seems to come up with.

I'll wait as long as it takes, this is all just initial testing...


Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 11:36:26PM +0200, steve wrote:
> Amazing;)

Amazing all right. I have a headache :)

> You'd lose control over uidNumber, gidNumber and you wouldn't be able to
> specify your own home directories and login shells. It's also a
> nightmare if you add a second DC.

So if I plan on using this for Windows clients ONLY, uidNumber,
gidNumber, homedirs and shells shouldn't really be a problem to me. Key
word being shouldn't?

Not being able to add a backup DC WOULD be a problem, however.


Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
If you want my opinion, this is just another example of why not to use
winbind, if you can wait until tomorrow , I will send you an howto on sssd
on Ubuntu 12.04

Rowland
On Jul 22, 2013 10:36 PM, "steve"  wrote:

> On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> > On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> > >OK, that seems like it should work, I had the winbind ad backend
> > >working, but found it difficult to setup so jumped ship to sssd
> > >The idmap setup I used was:
> > >idmap config *:backend = tdb
> > >idmap config *:range = 1100-2000
> > >idmap config DOMAIN:backend = ad
> > >idmap config DOMAIN:schema_mode = rfc2307
> > >idmap config DOMAIN:range = 1-310
> > >As you can see the number ranges are the opposite way round to what
> > >you have i.e. config*:range is lower than DOMAIN:range
> > >You could also try (as a test) changing backend = ad to backend =
> > >rid, this will ignore the rfc2307 bit but will test the connect to
> > >the AD server.
> > >Rowland
> >
> > Changing the above ranges made no difference. However, changing backend
> > = rid gets me:
> >
> > root@srv2:~# getent passwd administrator
> > administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
>
> Amazing;)
> >
> > That seems to be working perfectly. What would I be losing without
> > rfc2307 (please excuse the ignorance)?
>
> You'd lose control over uidNumber, gidNumber and you wouldn't be able to
> specify your own home directories and login shells. It's also a
> nightmare if you add a second DC.
>
>


Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 11:19:26PM +0200, steve wrote:
> Similar to what I had when I used winbind, except the * range was lower
> than the range we wanted. Try something like 3000-3500 and 3501-4
> perhaps?

Like this?

   idmap config *:backend = tdb
   idmap config *:range = 3000-3500
   idmap config NWLTECH:backend = ad
   idmap config NWLTECH:schema_mode = rfc2307
   idmap config NWLTECH:range = 3501-4

That makes no difference. Still no results.


Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> >OK, that seems like it should work, I had the winbind ad backend
> >working, but found it difficult to set up so jumped ship to sssd.
> >The idmap setup I used was:
> >idmap config *:backend = tdb
> >idmap config *:range = 1100-2000
> >idmap config DOMAIN:backend = ad
> >idmap config DOMAIN:schema_mode = rfc2307
> >idmap config DOMAIN:range = 1-310
> >As you can see the number ranges are the opposite way round to what you
> >have, i.e. config *:range is lower than DOMAIN:range.
> >You could also try (as a test) changing backend = ad to backend = rid,
> >this will ignore the rfc2307 bit but will test the connection to the AD
> >server.
> >Rowland
> 
> Changing the above ranges made no difference. However, changing backend
> = rid gets me:
> 
> root@srv2:~# getent passwd administrator
> administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

Amazing;)
> 
> That seems to be working perfectly. What would I be losing without
> rfc2307 (please excuse the ignorance)?

You'd lose control over uidNumber, gidNumber and you wouldn't be able to
specify your own home directories and login shells. It's also a
nightmare if you add a second DC.



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
>OK, that seems like it should work, I had the winbind ad backend
>working, but found it difficult to set up so jumped ship to sssd.
>The idmap setup I used was:
>idmap config *:backend = tdb
>idmap config *:range = 1100-2000
>idmap config DOMAIN:backend = ad
>idmap config DOMAIN:schema_mode = rfc2307
>idmap config DOMAIN:range = 1-310
>As you can see the number ranges are the opposite way round to what you
>have, i.e. config *:range is lower than DOMAIN:range.
>You could also try (as a test) changing backend = ad to backend = rid,
>this will ignore the rfc2307 bit but will test the connection to the AD
>server.
>Rowland

Changing the above ranges made no difference. However, changing backend
= rid gets me:

root@srv2:~# getent passwd administrator
administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
root@srv2:~# id user1
uid=1(user1) gid=1013(domain users) groups=1013(domain users),70002(BUILTIN\users)
root@srv2:~# id user2
uid=10001(user2) gid=1013(domain users) groups=1013(domain users),70002(BUILTIN\users)

That seems to be working perfectly. What would I be losing without
rfc2307 (please excuse the ignorance)?


Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 16:46 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> > Can you post smb.conf on SRV2?
> > Steve
> 
> Certainly:
> 
> [global]
> 
>workgroup = NWLTECH
>security = ADS
>realm = NWLTECH.ORG
>encrypt passwords = yes
> 
>idmap config *:backend = tdb
>idmap config *:range = 70001-8
>idmap config NWLTECH:backend = ad
>idmap config NWLTECH:schema_mode = rfc2307
>idmap config NWLTECH:range = 500-4
> 
>winbind nss info = rfc2307
>winbind trusted domains only = no
>winbind use default domain = yes
>winbind enum users  = yes
>winbind enum groups = yes
> 

Similar to what I had when I used winbind, except the * range was lower
than the range we wanted. Try something like 3000-3500 and 3501-4
perhaps?



Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
OK, that seems like it should work, I had the winbind ad backend working,
but found it difficult to set up so jumped ship to sssd.

The idmap setup I used was:

idmap config *:backend = tdb
idmap config *:range = 1100-2000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1-310

As you can see the number ranges are the opposite way round to what you
have, i.e. config *:range is lower than DOMAIN:range.

You could also try (as a test) changing backend = ad to backend = rid, this
will ignore the rfc2307 bit but will test the connection to the AD server.

Rowland


On 22 July 2013 21:46, Matthew Daubenspeck  wrote:

> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> > Can you post smb.conf on SRV2?
> > Steve
>
> Certainly:
>
> [global]
>
>workgroup = NWLTECH
>security = ADS
>realm = NWLTECH.ORG
>encrypt passwords = yes
>
>idmap config *:backend = tdb
>idmap config *:range = 70001-8
>idmap config NWLTECH:backend = ad
>idmap config NWLTECH:schema_mode = rfc2307
>idmap config NWLTECH:range = 500-4
>
>winbind nss info = rfc2307
>winbind trusted domains only = no
>winbind use default domain = yes
>winbind enum users  = yes
>winbind enum groups = yes

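The idmap range discussion above, as an added example that is not part of any post in this thread: with the ad backend the configured range acts as a filter, so a uidNumber or gidNumber stored in AD outside it is discarded and the account vanishes from getent, while overlapping ranges let two different identities claim the same Unix ID. The domain name EXAMPLE, the ranges and the directory IDs below are constructed sample values, and the function names are hypothetical.

```python
import re

# Matches "idmap config <DOMAIN>:<option> = <value>" lines from smb.conf.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:schema_mode = rfc2307
   idmap config EXAMPLE:range = 10000-40000
"""

# Constructed uidNumber values as they might be read from the directory.
SAMPLE_IDS = {"user1": 10000, "user2": 10001, "svc_legacy": 500}


def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).strip().lower(), m.group(3)
        if opt == "range":
            low, high = (int(x) for x in val.split("-"))
            if low >= high:
                raise ValueError(f"{dom}: range {val!r} is empty or reversed")
            val = (low, high)
        domains.setdefault(dom, {})[opt] = val
    return domains


def overlaps(domains):
    """Pairs of domains whose ranges intersect (one Unix ID, two owners)."""
    ranged = sorted((cfg["range"], dom)
                    for dom, cfg in domains.items() if "range" in cfg)
    return [(a, b) for i, (ra, a) in enumerate(ranged)
            for rb, b in ranged[i + 1:] if rb[0] <= ra[1]]


def filtered_ids(domains, domain, directory_ids):
    """IDs stored in AD that fall outside the domain range and get dropped."""
    low, high = domains[domain.upper()]["range"]
    return {name: n for name, n in directory_ids.items() if not low <= n <= high}


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_CONF)
    print("overlapping ranges:", overlaps(cfg))
    print("dropped by range filter:", filtered_ids(cfg, "EXAMPLE", SAMPLE_IDS))
```

Feeding it the real smb.conf and the uidNumber/gidNumber values returned by ldbsearch shows at a glance whether an empty getent result is a range problem or something else.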

Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 08:59:47PM +0100, Rowland Penny wrote:
>/etc/nsswitch.conf setup correctly?

passwd: compat winbind
group:  compat winbind
shadow: compat



Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> Can you post smb.conf on SRV2?
> Steve

Certainly:

[global]

   workgroup = NWLTECH
   security = ADS
   realm = NWLTECH.ORG
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config NWLTECH:backend = ad
   idmap config NWLTECH:schema_mode = rfc2307
   idmap config NWLTECH:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes



Re: [Samba] Winbind troubles

2013-07-22 Thread steve
On Mon, 2013-07-22 at 15:52 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> >Have you tried 'getent passwd username'
> >Rowland
> 
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3
> 

Can you post smb.conf on SRV2?
Steve




Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
/etc/nsswitch.conf setup correctly?


On 22 July 2013 20:52, Matthew Daubenspeck  wrote:

> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> >Have you tried 'getent passwd username'
> >Rowland
>
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3
>
> No results. They are all there though:
>
> root@srv2:~# wbinfo -u
> administrator
> krbtgt
> guest
> user1
> user2
> user3
>
> Verified the uidNumber was set as well on the DC:
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
> uidNumber: 1
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
> gidNumber: 1
>
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
> uidNumber: 10001
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
> gidNumber: 1
>
> etc.


Re: [Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
>Have you tried 'getent passwd username'
>Rowland

root@srv2:~# getent passwd Administrator
root@srv2:~# getent passwd user1
root@srv2:~# getent passwd user2
root@srv2:~# getent passwd user3

No results. They are all there though:

root@srv2:~# wbinfo -u
administrator
krbtgt
guest
user1
user2
user3

Verified the uidNumber was set as well on the DC:

# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
uidNumber: 1
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
gidNumber: 1


# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
uidNumber: 10001
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
gidNumber: 1

etc.


Re: [Samba] Winbind troubles

2013-07-22 Thread Rowland Penny
Have you tried 'getent passwd username'

Rowland

On 22 July 2013 19:56, Matthew Daubenspeck  wrote:

> I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have
> installed the SerNet packages. SRV1 has the AD setup and SRV2 is a
> member server. I've followed the wiki for both servers to the letter,
> and winbind still refuses to grab info on the member server.
>
> I rolled the provision with --use-rfc2307, added a bunch of users with
> samba-tool. I then manually created a group and made sure it had a valid
> gid. I then did the same with the 3 users, made sure their primary group
> was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001,
> and 10002. The single group has a GID of 1 and all 3 users are
> members.
>
> I joined the domain fine, everything appears correct in DNS, and the
> SRV2 member server shows up in ADUC under Computers. Both smb.conf files
> match exactly (except for the domain names) the config file
> examples in the wiki articles.
>
> wbinfo -u and wbinfo -g both work and pull the proper users/groups.
> However, when I run getent passwd all I get is local users.
>
> I checked and re-checked libnss_winbind.so with ldconfig -v, and that is
> there as well. What the heck could I be missing? I've followed
> everything to the letter.


[Samba] Winbind troubles

2013-07-22 Thread Matthew Daubenspeck
I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have
installed the SerNet packages. SRV1 has the AD setup and SRV2 is a
member server. I've followed the wiki for both servers to the letter,
and winbind still refuses to grab info on the member server. 

I rolled the provision with --use-rfc2307, added a bunch of users with
samba-tool. I then manually created a group and made sure it had a valid
gid. I then did the same with the 3 users, made sure their primary group
was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001,
and 10002. The single group has a GID of 1 and all 3 users are
members.

I joined the domain fine, everything appears correct in DNS, and the
SRV2 member server shows up in ADUC under Computers. Both smb.conf files
match exactly (except for the domain names) the config file
examples in the wiki articles.

wbinfo -u and wbinfo -g both work and pull the proper users/groups.
However, when I run getent passwd all I get is local users.

I checked and re-checked libnss_winbind.so with ldconfig -v, and that is
there as well. What the heck could I be missing? I've followed
everything to the letter.


[Samba] Winbind Troubles... string_to_sid: Sid S-0-0 is not in a valid format.

2006-07-06 Thread Nolan Garrett
Hello!

I posted before, figured I'd try again and provide more information in
the original post.  I'm running samba-3.0.22-1.fc5, joined to a W2K3
domain.  All features appear to work - I've been running it this way for
a month.  This message appears not to actually affect anything, and it
occurs every 30 seconds or so.  I'll be happy to post my configs, if
necessary.  This set of messages appears in my logs repeatedly... every
60 seconds or so.

Jul  6 15:43:01 mgprisvr winbindd[6361]: [2006/07/06 15:43:01, 0] lib/util_sid.c:string_to_sid(285)
Jul  6 15:43:01 mgprisvr winbindd[6361]:   string_to_sid: Sid S-0-0 is not in a valid format.
Jul  6 15:43:01 mgprisvr winbindd[6361]: [2006/07/06 15:43:01, 0] lib/util_sid.c:string_to_sid(285)
Jul  6 15:43:01 mgprisvr winbindd[6361]:   string_to_sid: Sid S-0-0 is not in a valid format.
Jul  6 15:43:01 mgprisvr winbindd[6361]: [2006/07/06 15:43:01, 0] lib/util_sid.c:string_to_sid(285)
Jul  6 15:43:01 mgprisvr winbindd[6361]:   string_to_sid: Sid S-0-0 is not in a valid format.
Jul  6 15:43:01 mgprisvr winbindd[6361]: [2006/07/06 15:43:01, 0] lib/util_sid.c:string_to_sid(285)
Jul  6 15:43:01 mgprisvr winbindd[6361]:   string_to_sid: Sid S-0-0 is not in a valid format.
Jul  6 15:44:01 mgprisvr winbindd[6361]: [2006/07/06 15:44:01, 0] lib/util_sid.c:string_to_sid(285)

Any ideas on what this means and how to fix it?  I'd be willing to turn
off Winbind logging, if possible...

Thanks!

Nolan Garrett



[Samba] Winbind troubles...

2003-06-23 Thread Bob Carlucci
I'm having trouble getting winbind to work. I have a w2k network and
Redhat 9 with samba 2.2.7a. I'm trying to get the users to authenticate
on the w2k server to connect to the samba share. The problem I'm having
is with winbind. When I do a "wbinfo -u or wbinfo -g" I get this
returned: 0xc022.

I've followed everything I could find about "unified logons between
Windows and Unix using winbind".

I just can't get it to work. I joined the domain successfully.

Does anyone have suggestions on what to do?

Bob Carlucci
Telaurus Communications LLC
[EMAIL PROTECTED]
(973) 889-8990 ext. 203
