Samba4 winbind: use rfc2307 not working with winbind
steve
2012-08-06 10:31:40 UTC
Hi
Here is my smb.conf:
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes

and /etc/nsswitch.conf
passwd: files winbind
group: files winbind

In the directory, I have:
Users
posixAccount, uidNumber and gidNumber
Groups
posixGroup, gidNumber

I run winbindd then samba.

testparm adds
idmap idmap config * : backend = tdb
to smb.conf

I tried overruling this with:
idmap idmap config * : backend = ad
and specifying a range
and
idmap idmap config * : backend =

All uid:gid values come from idmap. If I delete an entry from idmap, it
is recreated when I run getent with a different gid/uid. Nothing is
brought from the directory.

This works with nss-ldapd (with ldap replacing winbind in nsswitch.conf).
Maybe I should not be running winbind with this setup?

Does idmap_ldb : use rfc2307 = Yes work with (or without) winbindd
running on the DC?

Thanks,
Steve
Gémes Géza
2012-08-06 11:42:06 UTC
Post by steve
Hi
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
and /etc/nsswitch.conf
passwd: files winbind
group: files winbind
Users
posixAccount, uidNumber and gidNumber
Groups
posixGroup, gidNumber
I run winbindd then samba.
testparm adds
idmap idmap config * : backend = tdb
to smb.conf
idmap idmap config * : backend = ad
and specifying a range
and
idmap idmap config * : backend =
All uid:gid values come from idmap. If I delete an entry from idmap,
it is recreated when I run getent with a different gid/uid. Nothing is
brought from the directory.
This works with nss-ldapd (with ldap replacing winbind in
nsswitch.conf). Maybe I should not be running winbind with this setup?
Does idmap_ldb : use rfc2307 = Yes work with (or without) winbindd
running on the DC
Thanks,
Steve
Hi Steve,

You seem to have mixed samba4 and samba3 setups again, or you didn't
mention in your e-mail which setting was on which installation.

I recommend having:

1. Computer/Installation/Virtual Machine/Whatever: Samba4 AD Controller,
only winbind related option: idmap_ldb : use rfc2307 = Yes
2. Computer/Installation/Virtual Machine/Whatever: Samba3 Member Server,
winbind related options:
idmap backend = tdb
idmap uid = some uninteresting uid range (e.g. 1000001-2000000)
idmap gid = some uninteresting gid range (e.g. 1000001-2000000)

idmap config YOURWORKGROUPNAME : backend = ad
idmap config YOURWORKGROUPNAME : range = The union of the uid/gid range
you have set up in AD (e.g. 1000-1000000)

Samba3 winbind on computer 2 has no knowledge of whether Samba4 winbind is
using uids/gids from AD or from idmap.ldb, as configured by
idmap_ldb : use rfc2307 = Yes or No.

Regards

Geza Gemes
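The member-server half of Géza's layout, written out as an added example (this is not code from the thread and not Samba's own): a POSIX sh script that prints the idmap lines for [global] in the `idmap config DOMAIN : option` form that testparm emitted in Steve's first post, and checks that no two idmap ranges intersect. The domain name ALTEA, the ranges, and the `schema_mode` and `winbind nss info` settings are assumptions for illustration; adjust them to the uidNumber/gidNumber range actually assigned in AD.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: emit the member-server
# idmap layout Geza describes and check that the idmap ranges do not overlap.
# The domain name, ranges and option values below are assumptions.
set -eu

AD_RANGE_LO=1000          # lowest uidNumber/gidNumber assigned in AD (assumed)
AD_RANGE_HI=1000000
DEFAULT_RANGE_LO=1000001  # scratch range for everything that is NOT a domain
DEFAULT_RANGE_HI=2000000  # account (BUILTIN, trusted domains without rfc2307)

# member_idmap_conf DOMAIN -> prints the winbind/idmap lines for [global]
member_idmap_conf() {
    cat <<EOF
# ids for SIDs outside $1 are allocated here, never read from AD
idmap config * : backend = tdb
idmap config * : range = ${DEFAULT_RANGE_LO}-${DEFAULT_RANGE_HI}
# ids for $1 come from uidNumber/gidNumber in AD (RFC2307 schema)
idmap config $1 : backend = ad
idmap config $1 : schema_mode = rfc2307
idmap config $1 : range = ${AD_RANGE_LO}-${AD_RANGE_HI}
winbind nss info = rfc2307
EOF
}

# ranges_overlap LO1 HI1 LO2 HI2 -> true (0) if the inclusive ranges intersect
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_idmap_ranges FILE -> 0 if every "idmap config X : range = lo-hi" in
# FILE has lo < hi and no two ranges intersect; otherwise prints the problem
# and returns 1. An id inside two ranges can resolve to two different SIDs.
check_idmap_ranges() {
    list=$(sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^: ]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*$/\1 \2 \3/p' "$1")
    [ -n "$list" ] || { echo "no idmap config ranges in $1"; return 1; }
    # both loops run in pipeline subshells, so "exit 1" only ends the loop
    echo "$list" | while read -r d1 lo1 hi1; do
        [ "$lo1" -lt "$hi1" ] || { echo "bad range for $d1: $lo1-$hi1"; exit 1; }
        echo "$list" | while read -r d2 lo2 hi2; do
            [ "$d1" = "$d2" ] && continue
            if ranges_overlap "$lo1" "$hi1" "$lo2" "$hi2"; then
                echo "overlap: $d1 ($lo1-$hi1) intersects $d2 ($lo2-$hi2)"
                exit 1
            fi
        done || exit 1
    done
}

# stand-alone use: print the fragment for the domain given (default ALTEA)
member_idmap_conf "${1:-ALTEA}"
```

The range check is the part worth keeping around: the `*` backend allocates ids for every SID the `ALTEA` backend does not answer for (BUILTIN, trusted domains), and if that range intersects the AD range, an id handed out from tdb can collide with a uidNumber a domain user already owns, so the same number means two different principals on the file system.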
steve
2012-08-06 15:34:08 UTC
Post by Gémes Géza
Post by steve
Hi
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
and /etc/nsswitch.conf
passwd: files winbind
group: files winbind
Users
posixAccount, uidNumber and gidNumber
Groups
posixGroup, gidNumber
I run winbindd then samba.
testparm adds
idmap idmap config * : backend = tdb
to smb.conf
idmap idmap config * : backend = ad
and specifying a range
and
idmap idmap config * : backend =
All uid:gid values come from idmap. If I delete an entry from idmap,
it is recreated when I run getent with a different gid/uid. Nothing
is brought from the directory.
This works with nss-ldapd with ldap replacing winbind in
nsswitch.conf). Maybe I should not be running winbind with this setup?
Does idmap_ldb : use rfc2307 = Yes work with (or without) winbindd
running on the DC
Thanks,
Steve
Hi Steve,
You seem to have mixed samba4 and samba3 setups again, or you didn't
mention in your e-mail which setting was on which installation.
1. Computer/Installation/Virtual Machine/Whatever: Samba4 AD
Controller, only winbind related option: idmap_ldb : use rfc2307 = Yes
Am only talking about the Samba4 DC at the moment to keep it simple for me.
OK. I've got _just_ this winbind related line in smb.conf on the Samba4 DC:
idmap_ldb : use rfc2307 = Yes

I run winbindd then samba
_Nothing_ comes from AD. If there is no entry in idmap.ldb (i.e. I deleted
it) then getent creates one with no regard to what I have set in AD.

That's on the DC. I have a feeling that it would be a lot easier to
go with nss-pam-ldapd and nslcd than this.

I noticed that source4/winbind/idmap.c has had some changes recently.
There was a problem there last time when it only mapped uidNumber and
ignored gidNumber (which was fixed) but now it's worse: it doesn't map either.

Cheers
Steve

I'd like to try and get winbind working on the DC before I join an S3 box.
Michael Wood
2012-08-06 16:57:27 UTC
On 6 August 2012 17:34, steve <steve at steve-ss.com> [...]
I noticed that source4/winbind/idmap.c has had some changes recently. There
was a problem there last time when it only mapped uidNumber and ignored
gidNumber (which was fixed) but now it's worse: it doesn't map either.
Perhaps you could try a "git bisect" (git bisect --help, or ask
Google) to find the patch that broke it?
--
Michael Wood <esiotrot at gmail.com>
steve
2012-08-06 18:29:28 UTC
Post by steve
Hi
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
It was the syntax.
The syntax needs to be very tight:
Compare:
idmap_ldb : use rfc2307 = Yes
with:
idmap_ldb:use rfc2307=Yes

The latter works. I thought that white space was ignored in smb.conf...
--- --- ---
OK so that's the DC. Now onto a S3 client.

Whilst I'm here, when I've joined the client, can I then fire up smbd and
use it as a file-server too?

Cheers and thanks to all for their patience
Steve
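Steve's fix above is a spelling difference in the key of a parametric option. As an added example (not from the thread and not Samba's own code), here is a POSIX sh script that lists such keys written with spaces around the colon and rewrites them to the tight `name:option = value` form he found to work; spacing around the `=` is left alone. Lines of the form `idmap config X : ...` are deliberately skipped, since testparm itself writes those with spaces (see Steve's first post). The sample smb.conf is constructed from the settings in his post, plus one invented `xattr_tdb:file` line to show an already-tight key being left untouched.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: list parametric
# options written with spaces around the colon and rewrite them to the tight
# "name:option = value" spelling. The sample smb.conf is constructed from the
# settings in Steve's post.
set -eu

# key part of "<name> : <option> = <value>", any spacing around the colon;
# \1 = name, \2 = option. Names are letters, digits, underscores and spaces.
PARAM_KEY='^\([[:space:]]*[A-Za-z_][A-Za-z0-9_ ]*[A-Za-z0-9_]\)[[:space:]]*:[[:space:]]*\([^=]*[^= ]\)[[:space:]]*='

# loose_param_opts FILE -> "lineno:line" for each loosely spelled parametric
# option. "idmap config X : ..." lines are skipped: testparm itself writes
# those with spaces, so they are left exactly as Samba emits them.
loose_param_opts() {
    grep -nE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_ ]*( +:|: +)[^=]*=' "$1" \
      | grep -vE '^[0-9]+:[[:space:]]*idmap config ' || true
}

# tighten_param_opts FILE -> FILE on stdout with those keys rewritten.
# Spacing around "=" is kept; only the colon is tightened.
tighten_param_opts() {
    sed -e '/^[[:space:]]*idmap config[[:space:]]/b' \
        -e "s/$PARAM_KEY/\1:\2 =/" "$1"
}

# count_loose FILE -> number of loosely spelled parametric options
count_loose() {
    loose_param_opts "$1" | grep -c . || true
}

# constructed sample: Steve's [global] plus one already-tight parametric line
sample_conf() {
    cat <<'EOF'
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
idmap config * : backend = tdb
xattr_tdb:file = /var/lib/samba/xattr.tdb
EOF
}

# stand-alone: show what would change in the sample
tmp=$(mktemp)
sample_conf > "$tmp"
echo "loose parametric options:"; loose_param_opts "$tmp"
echo "tightened:"; tighten_param_opts "$tmp" | grep ':'
rm -f "$tmp"
```

Run it over a real file with `tighten_param_opts /etc/samba/smb.conf > smb.conf.new` and diff before installing. Note that later in this thread Steve reports the setting only took effect after restarting samba (and winbindd), so verify with getent after a restart rather than after the edit alone.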
Jeremy Allison
2012-08-06 18:55:01 UTC
Post by steve
Post by steve
Hi
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
It was the syntax.
idmap_ldb : use rfc2307 = Yes
idmap_ldb:use rfc2307=Yes
The latter works. I thought that white space was ignored in smb.conf...
Ah - yes, white space is ignored, but maybe not in
parameterized options.

So you need:

"idmap_ldb:use rfc2307" to be exact, but we shouldn't care
about the spacing around the "= yes" I don't think.

Jeremy.
steve
2012-08-06 23:08:44 UTC
Post by Jeremy Allison
Post by steve
Post by steve
Hi
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
It was the syntax.
idmap_ldb : use rfc2307 = Yes
idmap_ldb:use rfc2307=Yes
The latter works. I thought that white space was ignored in smb.conf...
Ah - yes, white space is ignored, but maybe not in
parameterized options.
"idmap_ldb:use rfc2307" to be exact, but we shouldn't care
about the spacing around the "= yes" I don't think.
Jeremy.
Hi
Thanks. But anyway it only works for groups, not users.
If posixGroup and gidNumber are present for a group it maps from AD. For
posixAccount and uidNumber, an entry is created in idmap.ldb and that is
used instead of the uidNumber in AD

Is there anything we can do to fix this?
Cheers,
Steve
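What Steve describes here (groups mapped from AD, users allocated in idmap.ldb) is exactly the divergence worth checking per account before any member server joins: a uid that differs between the DC and a member means files on a share belong to different principals depending on where you look. As an added example, not code from the thread or from Samba, the following POSIX sh script compares the uid/gid that NSS returns for a user on the DC with the uidNumber/gidNumber stored in AD. The sam.ldb path is the stock Samba location, `ldbsearch` is the Samba tool of that name, the script name `check_ids.sh` is assumed, and the user names and numbers in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: on the DC, compare
# the uid/gid that NSS (files + winbind) returns for a user with the
# uidNumber/gidNumber stored in AD, to see whether the id was read from AD
# or allocated in idmap.ldb. The sam.ldb path is the stock location (assumed);
# names and numbers in the demo are constructed.
set -eu

SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}

# parse_ldb_ids <ldif -> "uidNumber gidNumber", "-" where an attribute is missing
parse_ldb_ids() {
    awk '/^uidNumber:/ {u=$2} /^gidNumber:/ {g=$2}
         END {print (u=="" ? "-" : u), (g=="" ? "-" : g)}'
}

# parse_passwd_ids <passwd-line -> "uid gid", "- -" if the user is unknown
parse_passwd_ids() {
    awk -F: 'NR==1 {print $3, $4; f=1} END {if (!f) print "-", "-"}'
}

# ad_posix_ids USER -> RFC2307 ids as stored in AD
ad_posix_ids() {
    ldbsearch -H "$SAM_LDB" "(&(objectClass=user)(sAMAccountName=$1))" \
        uidNumber gidNumber | parse_ldb_ids
}

# nss_posix_ids USER -> ids as the resolver (and so the file system) sees them
nss_posix_ids() {
    getent passwd "$1" | parse_passwd_ids
}

# compare_ids AD_UID AD_GID NSS_UID NSS_GID -> 0 if equal; otherwise prints
# which id diverged and returns 1 (uid), 2 (gid) or 3 (both).
compare_ids() {
    rc=0
    if [ "$1" != "$3" ]; then
        echo "uid mismatch: AD uidNumber=$1, NSS returns $3 (allocated in idmap.ldb?)"
        rc=$((rc + 1))
    fi
    if [ "$2" != "$4" ]; then
        echo "gid mismatch: AD gidNumber=$2, NSS returns $4 (allocated in idmap.ldb?)"
        rc=$((rc + 2))
    fi
    [ "$rc" -eq 0 ] && echo "ok: NSS ids match AD for uid=$1 gid=$2"
    return "$rc"
}

# check_user USER -> live comparison on a DC
check_user() {
    ad=$(ad_posix_ids "$1")
    nss=$(nss_posix_ids "$1")
    # word splitting of the "x y" pairs is intended here
    compare_ids $ad $nss
}

# stand-alone: "sh check_ids.sh alice" on the DC; no argument -> constructed demo
if [ $# -ge 1 ]; then
    check_user "$1"
else
    compare_ids 10001 10000 10001 10000
    # a uid well outside the AD range, as when winbind allocated it itself
    compare_ids 10001 10000 3000011 10000 || true
fi
```

A uid mismatch where the NSS value lies far outside the range you assign in AD is the signature of an id that winbind allocated in idmap.ldb instead of reading uidNumber. Steve's later message in this thread reports that samba (and winbindd) had to be restarted after the smb.conf change, so repeat the check after the restart, and run it for every account that will own files on a share before members join.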
Andrew Bartlett
2012-08-07 05:37:58 UTC
steve
2012-08-07 11:47:14 UTC
Post by Gémes Géza
Post by steve
Post by Jeremy Allison
Post by steve
Post by steve
Hi
[global]
workgroup = ALTEA
realm = hh3.site
netbios name = HH30
server role = active directory domain controller
passdb backend = samba4
idmap_ldb : use rfc2307 = Yes
It was the syntax.
idmap_ldb : use rfc2307 = Yes
idmap_ldb:use rfc2307=Yes
The latter works. I thought that white space was ignored in smb.conf...
Ah - yes, white space is ignored, but maybe not in
parameterized options.
"idmap_ldb:use rfc2307" to be exact, but we shouldn't care
about the spacing around the "= yes" I don't think.
Jeremy.
Hi
Thanks. But anyway it only works for groups, not users.
If posixGroup and gidNumber are present for a group it maps from AD. For
posixAccount and uidNumber, an entry is created in idmap.ldb and that is
used instead of the uidNumber in AD
Is there anything we can do to fix this?
Steve,
Indeed, there is something you can do. As I suggested when you last had
I would suggest debugging the source.
I found it. samba (and winbindd?) have to be restarted if any changes
are made to smb.conf
Cheers,
Steve
Helmut Hullen
2012-08-07 13:14:00 UTC
Hello, steve,

You wrote on 07.08.12:

[...]
Post by steve
Post by steve
Thanks. But anyway it only works for groups, not users.
[...]
Post by steve
I found it. samba (and winbindd?) have to be restarted if any changes
are made to smb.conf
Perhaps only changes in the "[global]" section need more help, and
"restart" is more help than necessary.

For Samba 2.x and Samba 3.x

killall -HUP smbd
killall -HUP nmbd

were always enough to re-read the changed configuration, and these
two lines were only necessary for changes in the "[global]" section.

Best regards!
Helmut
