Re: [Samba] issue with mapping BUILTIN on ADS member server

2010-02-15 Thread Mark Casey

On 2/11/2010 2:53 PM, Mark Casey wrote:

Hello list,

Quick summary of the issue (repeated below after the details): Running 
'wbinfo --user-info=markc' on either smb ads member server will return 
identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns 
different information on each server. I'd like to make mappings for 
BUILTIN consistent in case I ever use them.


Background and details:
(original message truncated)

Thank you,
Mark Casey



Anyone have any ideas? Here is the progress I've made on the 
aforementioned test box's config. BUILTIN items are mapping, but they 
still seem to be going to tdb instead of ldap.


[global]
server string = Dallas File Server
workgroup = UNIFIEDGROUP
realm = UNIFIEDGROUP.COM
security = ADS
#   password server = *
password server = dal-dc1.unifiedgroup.com
#password server = dal-dc1.unifiedgroup.com, den-dc1.unifiedgroup.com

#   client schannel = Yes
#   server schannel = Yes
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
#   restrict anonymous = 2
allow trusted domains = No
#   lanman auth = No
#   ntlm auth = No
#   client NTLMv2 auth = Yes
log level = 2
syslog = 0
#   min protocol = NT1
#   client signing = Yes
#   server signing = Yes
load printers = No
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
host msdfs = No
idmap domains = BUILTIN UNIFIEDGROUP
idmap alloc backend = ldap
template shell = /bin/false
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind refresh tickets = Yes
idmap alloc config:range = 10 - 50
idmap alloc config:ldap_url = ldap://dal-dc1.unifiedgroup.com
idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=unifiedgroup,dc=com
idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap1,dc=unifiedgroup,dc=com


idmap config BUILTIN:range = 10 - 50
idmap config BUILTIN:ldap_url = ldap://dal-dc1.unifiedgroup.com
idmap config BUILTIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=unifiedgroup,dc=com
idmap config BUILTIN:ldap_base_dn = ou=idmap,dc=sambaidmap1,dc=unifiedgroup,dc=com

idmap config BUILTIN:backend = ldap

idmap config UNIFIEDGROUP:range = 10 - 50
idmap config UNIFIEDGROUP:ldap_url = ldap://dal-dc1.unifiedgroup.com
idmap config UNIFIEDGROUP:ldap_user_dn = cn=idmapmgr,cn=users,dc=unifiedgroup,dc=com
idmap config UNIFIEDGROUP:ldap_base_dn = ou=idmap,dc=sambaidmap1,dc=unifiedgroup,dc=com

idmap config UNIFIEDGROUP:backend = ldap
idmap config UNIFIEDGROUP:default = yes
hosts allow = (redacted)
map acl inherit = No
hide special files = Yes
map archive = No
map readonly = No
map system = No
map hidden = No
force create mode = 707
force directory mode = 707
ea support = No
store dos attributes = No
wide links = No
follow symlinks = No
dos filemode = No
add share command=/etc/samba/command_cust.pl
delete share command=/etc/samba/command_cust.pl
change share command=/etc/samba/command_cust.pl

Thanks in advance for any insight you may have,
Mark Casey

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] issue with mapping BUILTIN on ADS member server

2010-02-11 Thread Mark Casey

Hello list,

Quick summary of the issue (repeated below after the details): Running 
'wbinfo --user-info=markc' on either smb ads member server will return 
identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns 
different information on each server. I'd like to make mappings for 
BUILTIN consistent in case I ever use them.


Background and details:
I have a production environment with 2 ADS member servers that I'm 
planning to re-work, and I've found an oversight with how my setup maps 
items from BUILTIN. I hadn't been using anything from there so it isn't 
a big deal at the moment, but I'm trying to fix it and/or decide how to 
simplify my whole idmap setup.


Here is some background info, let me know if you need something else:
-Native-mode AD, all DCs on 2003R2 SP2 x64.
-Two Ubuntu Server x64 8.04.03 LTS AD member servers running Samba 
3.0.28a. (samba_3.0.28a-1ubuntu4.10_i386.deb).
-I have a few directives that may be considered odd (map to guest, force 
create/dir) for my type of setup. This is because I'm still getting rid 
of some XP Home workstations that need guest shares. This was the only 
way I could get them to play nice (IIRC this was due to ADS mode 
rejecting the credentials before it realized it was a request for a 
guest share).


Here is my current config:
[global]
server string = Dallas File Server
workgroup = DOMAINNAME
realm = DOMAINNAME.COM
security = ADS
password server = *
#password server = dal-dc1.domainname.com
#password server = dal-dc1.domainname.com, den-dc1.domainname.com
#   client schannel = Yes
#   server schannel = Yes
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
#   restrict anonymous = 2
allow trusted domains = No
#   lanman auth = No
#   ntlm auth = No
#   client NTLMv2 auth = Yes
log level = 4
syslog = 0
#   min protocol = NT1
#   client signing = Yes
#   server signing = Yes
load printers = No
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
host msdfs = No
idmap domains = DOMAINNAME
idmap alloc backend = ldap
template shell = /bin/false
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap alloc config:range = 10 - 50
idmap alloc config:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com

idmap config DOMAINNAME:range = 10 - 50
idmap config DOMAINNAME:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
idmap config DOMAINNAME:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
idmap config DOMAINNAME:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=domainname,dc=com

idmap config DOMAINNAME:backend = ldap
idmap config DOMAINNAME:default = yes
hosts allow = (redacted)
map acl inherit = No
hide special files = Yes
map archive = No
map readonly = No
map system = No
map hidden = No
force create mode = 707
force directory mode = 707
ea support = No
store dos attributes = No
wide links = No
follow symlinks = No
dos filemode = No
add share command=/etc/samba/command_cust.pl
delete share command=/etc/samba/command_cust.pl
change share command=/etc/samba/command_cust.pl

The actual issue/question (as stated above): Running 'wbinfo 
--user-info=markc' on either smb ads member server will return identical 
info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different 
information on each server. I'd like to make mappings for BUILTIN 
consistent in case I ever use them. I guess it is falling back to tdb 
since I can grep for relevant info and the tdb for group mapping matches.


I've labbed my setup by setting up a third smb server in the same 
config, and a blank AD partition for mapping, so I can change things 
for testing there (and I have been). My browser has no fewer than 20 
tabs up with various man pages, PDFs, and list posts on idmap but it 
isn't quite coming together for me on this one aspect that deals with 
BUILTIN. TIA for any assistance you can provide.


Thank you,
Mark Casey
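Added example, not code from the posts or from Samba: a small Python checker that reads the [global] section in the form shown above and reports which idmap backend each domain (BUILTIN included) ends up with, so the configs of two member servers can be compared. The embedded config is a constructed, cut-down copy of the original post's settings; the tdb fallback is Samba 3's default for 'idmap backend'.

```python
"""Added example (not the poster's code): parse the [global] section of a
Samba 3.x smb.conf and report which idmap backend each domain really gets,
so two member servers' configs can be diffed. SMB_CONF is a constructed,
cut-down copy of the original post's settings."""

SMB_CONF = """
[global]
    workgroup = DOMAINNAME
    security = ADS
    idmap domains = DOMAINNAME
    idmap alloc backend = ldap
    idmap config DOMAINNAME:backend = ldap
    idmap config DOMAINNAME:range = 10 - 50
    idmap config DOMAINNAME:default = yes
"""

def parse_global(text):
    """{parameter: value} for [global]; names lower-cased with whitespace
    collapsed, since smb.conf ignores both."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment
            continue
        if line.startswith("["):         # section header
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_coverage(params, always=("BUILTIN",)):
    """Backend per domain in 'idmap domains', plus BUILTIN (winbind has to
    map its SIDs too). A domain not listed, or listed without an
    'idmap config DOM:backend', falls back to the global 'idmap backend'
    (tdb by default in Samba 3) and is flagged as such."""
    listed = params.get("idmap domains", "").split()
    fallback = params.get("idmap backend", "tdb")
    report = {}
    for dom in listed + [d for d in always if d not in listed]:
        backend = params.get(f"idmap config {dom.lower()}:backend")
        report[dom] = backend if dom in listed and backend else f"{fallback} (fallback)"
    return report

if __name__ == "__main__":
    for dom, backend in idmap_coverage(parse_global(SMB_CONF)).items():
        print(f"{dom:12} -> {backend}")
```

Run it against the smb.conf from each server and diff the two reports; a "(fallback)" entry for BUILTIN on either box means that domain's mappings live in the local tdb rather than the shared LDAP store.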