From: Ivo Karabojkov on 22 Nov 2009 13:10

So I kept "hitting my head in the wall" and here is my partial but satisfying solution:

I was totally unable to get idmap_rid working! So I am using the default IDMAP backend - tdb.
The problem with not working pw user / group show -a or getent passwd / group was that nss_winbind.so was not where it supposed to. To correct this I used:

ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2

Now all my users and groups are visible with pw or getent!
rid backend would give predictable sid <-> uid/gid mapping, with this solution mapping changes every time server is joined to AD domain. But I failed setting it up - it seems idmap_rid does not map anything...

If someone may help with better solution I will be grateful.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26466399.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Diego Zuccato on 23 Nov 2009 02:50

Ivo Karabojkov wrote:

> I was totally unable to get idmap_rid working! So I am using the default
> IDMAP backend - tdb.
Not good if you need that the same user receives the same UID on different machines.

> The problem with not working pw user / group show -a or getent passwd /
> group was that nss_winbind.so was not where it supposed to. To correct this
> I used:
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
That's really ugly and shouldn't be needed on ANY distro. And it seems you're looking for troubles (.1 and .2 IIRC have different ABI).

> Now all my users and groups are visible with pw or getent!
> rid backend would give predictable sid <-> uid/gid mapping, with this
> solution mapping changes every time server is joined to AD domain. But I
> failed setting it up - it seems idmap_rid does not map anything...
>
> If someone may help with better solution I will be grateful.
In my config I map users in two domains to different UID/GID values with the following config:

winbind uid = 100000-100000000
winbind gid = 100000-100000000

idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999

Maybe you need just:

winbind uid = 100000-100000000
winbind gid = 100000-100000000
idmap config backend = rid

And be sure to "testparm -v" any changes to smb.conf

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato(a)unibo.it

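The rid backend settings in the message above fix each UID/GID arithmetically, which is what makes the mapping identical on every domain member. As an added example (not part of the thread and not Samba's own code), this Python code applies the formula given in the idmap_rid manual page, ID = RID - BASE_RID + LOW_RANGE_ID, to the quoted two-domain settings and checks that the per-domain ranges do not overlap; the RID 1105 and all function names are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment: the two-domain settings quoted in the message above.
SMB_CONF = """
idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: settings} for every domain whose backend is rid."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        d = domains.setdefault(dom, {"base_rid": 0})
        if key == "range":
            d["low"], d["high"] = (int(x) for x in val.split("-"))
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d[key] = val
    return {k: v for k, v in domains.items() if v.get("backend") == "rid"}

def rid_to_id(cfg, rid):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    if rid < cfg["base_rid"]:
        return None
    unix_id = rid - cfg["base_rid"] + cfg["low"]
    return unix_id if unix_id <= cfg["high"] else None

def overlaps(domains):
    """Domain pairs whose ranges intersect (two different SIDs could share one ID)."""
    pairs = combinations(sorted(domains.items()), 2)
    return [(a, b) for (a, ca), (b, cb) in pairs
            if ca["low"] <= cb["high"] and cb["low"] <= ca["high"]]

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    for name, cfg in doms.items():
        print(name, "RID 1105 ->", rid_to_id(cfg, 1105))
    print("overlapping ranges:", overlaps(doms))
```

Because the result depends only on the RID and the configured values, two members with the same settings assign the same UID to the same account, unlike the allocating tdb backend.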
From: Daniel O'Connor on 23 Nov 2009 04:30

On Mon, 23 Nov 2009, Diego Zuccato wrote:
> > The problem with not working pw user / group show -a or getent
> > passwd / group was that nss_winbind.so was not where it supposed
> > to. To correct this I used:
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
>
> That's really ugly and shouldn't be needed on ANY distro. And it
> seems you're looking for troubles (.1 and .2 IIRC have different
> ABI).

Indeed, that certainly shouldn't be necessary..

I use nss/pam_ldap (on FreeBSD) and it works just fine living in /usr/local/lib as you'd expect.

I don't know why you'd need nss_winbind.so.2 either.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

From: Ivo Karabojkov on 23 Nov 2009 06:30

Without links (maybe just 1 is enough, I'll test) no resolution to the OS occurred at all - users and groups were visible via wbinfo, but not with getent or pw.
With RID I tried a lot of combinations (including shown by you or just idmap backend = rid:DOMAIN:10000-20000) with totally no success. I should try this again with linked .so.1 library and I'll write back.

Diego Zuccato-2 wrote:
>
> Ivo Karabojkov wrote:
>
>> I was totally unable to get idmap_rid working! So I am using the default
>> IDMAP backend - tdb.
> Not good if you need that the same user receives the same UID on
> different machines.
>
>> The problem with not working pw user / group show -a or getent passwd /
>> group was that nss_winbind.so was not where it supposed to. To correct
>> this
>> I used:
>> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
>> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
> That's really ugly and shouldn't be needed on ANY distro. And it seems
> you're looking for troubles (.1 and .2 IIRC have different ABI).
>
>> Now all my users and groups are visible with pw or getent!
>> rid backend would give predictable sid <-> uid/gid mapping, with this
>> solution mapping changes every time server is joined to AD domain. But I
>> failed setting it up - it seems idmap_rid does not map anything...
>>
>> If someone may help with better solution I will be grateful.
> In my config I map users in two domains to different UID/GID values with
> the following config:
> winbind uid = 100000-100000000
> winbind gid = 100000-100000000
>
> idmap config DOM1:backend = rid
> idmap config DOM1:base_rid = 500
> idmap config DOM1:range = 100000 - 49999999
> idmap config DOM2:backend = rid
> idmap config DOM2:base_rid = 500
> idmap config DOM2:range = 50000000 - 99999999
>
> Maybe you need just:
> winbind uid = 100000-100000000
> winbind gid = 100000-100000000
> idmap config backend = rid
>
> And be sure to "testparm -v" any changes to smb.conf
>
> --
> Diego Zuccato
> Servizi Informatici
> Dip. di Astronomia - Università di Bologna
> Via Ranzani, 1 - 40126 Bologna - Italy
> tel.: +39 051 20 95786
> mail: diego.zuccato(a)unibo.it

From: Daniel O'Connor on 23 Nov 2009 07:20

On Mon, 23 Nov 2009, Ivo Karabojkov wrote:
> I am sure it should work without these strange links I've made.
> I don't know what is the problem. I use ports, just to keep my
> installations more standard.
>
> May you point me a good manual how to set up nss/ldap with Samba?

I used the samba how to guide and googled, the net/smbldap-tools is pretty helpful.

That said it wasn't especially simple to setup :(

However I don't use winbind on my FreeBSD machine, I use nss/pam_ldap and Samba talks to the LDAP server as well.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C