From: Robert Grasso on 30 Jul 2010 12:20

Hello,

I personally solved my stability issues when, rather than letting Samba find automatically the AD servers, I stated them clearly:

- I stated clearly my "password server =" in smb.conf
- I stated clearly my /etc/krb5.conf

I am running on CentOS 5.5, samba 3.0.33.

Apart from that: I have installed SFU on my Windows 2003 AD servers; to me, it seems that getent passwd <username> yields a result for the accounts which have a Unix account declared in AD through the "Unix attributes", and only for these ones (?).

Regards
---
Robert GRASSO
System engineer
CEDRAT S.A.

> -----Original message-----
> From: samba-bounces(a)lists.samba.org [mailto:samba-bounces(a)lists.samba.org] On behalf of Nico De Ranter
> Sent: 30 July 2010 13:44
> To: samba(a)lists.samba.org
> Subject: [Samba] getent acting unreliable with idmap_ad
>
> I'm trying to get my linux boxes to authenticate to AD using winbind. I need to get my uid's from AD so I'm using idmap_ad.
>
> I got to the point where 'getent passwd' shows me the list of unix users from AD with all correct details, however when I do 'getent passwd <username>' for any username from the list returned by 'getent passwd' I get an empty reply (getent returns error code 2) and I can't login using those users.
>
> As a matter of fact on one of my testmachines it works sometimes. 'getent passwd nico' will return my user details and I can logon properly but when the system has been quiet for some time it seems to forget about the account again.
>
> Anybody seen this before? Any suggestions on how to debug this?
>
> I'm trying this on Ubuntu 9.10 and 10.04.
>
> Thanks in advance,
>
> Nico
>
> --
> With kind regards
>
> Nico De Ranter
> Senior System Administrator
> Techsoft Centre

From: Nico De Ranter on 2 Aug 2010 03:00

Hi Robert,

thanks for your reply.

On Fri, 2010-07-30 at 17:45 +0200, Robert Grasso wrote:
> Hello,
>
> I personally solved my stability issues when, rather than letting Samba find automatically the AD servers, I stated them clearly :
>
> - I stated clearly my "password server =" in smb.conf

I already list my servers in "password server =", although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.

> - I stated clearly my /etc/krb5.conf

Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable "use kerberos keytab = yes" however this doesn't seem to be accepted for Samba 3.4.7

> I am running on CentOS 5.5, samba 3.0.33.
>
> Apart from that : I have installed SFU on my Windows 2003 AD servers; to me, it seems that getent passwd <username> yields a result
> for the accounts which have an Unix account declared in AD through the "Unix attributes", and only for these ones (?).

I think that's expected behaviour. idmap_ad looks up uid/gid from AD but doesn't create its own mapping if it doesn't find one. So any user that doesn't have a proper unix uid/gid field won't show up. I also noticed idmap_ad looks at the Windows Primary Group as gid instead of the group field on the unix tab. Therefore the Windows Primary Group also needs to have a valid unix id assigned.

Nico

--
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

From: Nico De Ranter on 2 Aug 2010 07:20

Hi Robert,

On Mon, 2010-08-02 at 11:32 +0200, Robert Grasso wrote:
> Hello Nico,
>
> I am unsure I will be able to help you further with this topic, I am not a Samba nor AD master ...

Thanks for trying anyway. Very much appreciated :-)

> > I already list my servers in "password server =", although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.
>
> I cannot tell for 2008R2, we don't have this version yet ...
>
> > > - I stated clearly my /etc/krb5.conf
> >
> > Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable "use kerberos keytab = yes" however this doesn't seem to be accepted for Samba 3.4.7
>
> I just filled it up properly, but did not mention Kerberos in any way in smb.conf

Doh, that's what I have too.

Any chance you could send me a copy of your smb.conf?

Nico

--
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

From: Robert Grasso on 3 Aug 2010 05:20

> > I just filled it up properly, but did not mention Kerberos in any way in smb.conf
>
> Doh, that's what I have too.
>
> Any chance you could send me a copy of your smb.conf?
>

well, no problem, I am sure it is not a great piece of smb.conf, actually: here it is: it is the one for my desktop: I removed the comments and our private names and IPs:

[global]
    netbios name = short
    workgroup = WG
    realm = WG.LAN
    server string = Samba Server - long_name
    hosts allow = 10.0. 127.
    smb ports = 445
    #printcap name = /etc/printcap
    printcap name = cups
    load printers = yes
    printing = cups
    cups options = raw
    log level = 1
    log file = /var/log/samba/%m.log
    max log size = 10000
    security = ADS
    password server = s1,s2
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = no
    name resolve order = wins bcast
    wins server = IP1 IP2
    dns proxy = yes
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:backend = ad
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:schema_mode = sfu
    idmap config ALLDOMAINS:range = 500 - 20000
    template homedir = /home/%U
    winbind use default domain = yes
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = template sfu
    winbind offline logon = true
    winbind refresh tickets = true

Some comments:

- I used "netbios name", as my desktop Unix name is longer than 15 characters - Windows or Samba did not like it ...
- we have two names for our AD domain - our winadmin did not solve this issue so far, thus I put one name as the "workgroup" and the other name as the kerberos "realm" ...
- I let "template homedir" in smb.conf by sheer laziness, with SFU I don't use it
- I used to set "winbind offline logon" and "winbind refresh tickets" when my Samba was unstable, they were tests - then, once I found the true solution, laziness again ...

Hope this helps
---
Robert GRASSO
System Engineer
CEDRAT

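Added example (not part of the thread and not Samba project code): a shell check for the symptom Nico reports, repeating every account returned by 'getent passwd' enumeration as a by-name lookup and listing the ones that fail. The function names and sample accounts are hypothetical; the 500 - 20000 range is the idmap range from the smb.conf posted above.

```shell
#!/bin/sh
# Added diagnostic sketch; function and sample names are hypothetical.

# By-name NSS lookup, the path logins use (enumeration is a separate path).
real_lookup() { getent passwd "$1"; }

# Reads passwd-format lines (e.g. `getent passwd` output) on stdin and
# repeats each account as a by-name lookup. Only UIDs inside MIN..MAX
# (the idmap range) are tested. Prints one line per failed lookup and
# returns 1 if any lookup failed.
check_by_name() {
    min=$1 max=$2 lookup=${3:-real_lookup} failed=0
    while IFS=: read -r name _pw uid _rest; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge "$min" ] && [ "$uid" -le "$max" ] || continue
        # Capture the status inside `if` so `set -e` callers are not aborted.
        if "$lookup" "$name" </dev/null >/dev/null 2>&1; then rc=0; else rc=$?; fi
        if [ "$rc" -ne 0 ]; then
            echo "FAIL $name uid=$uid rc=$rc"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample standing in for enumeration output (not real accounts).
sample_enum() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nico:*:10001:10000:Nico:/home/nico:/bin/bash
alice:*:10002:10000:Alice:/home/alice:/bin/bash
carol:*:10004:10000:Carol:/home/carol:/bin/bash
EOF
}

# Constructed stub: only nico resolves by name; the others fail with
# getent's "key not found" status 2, the symptom reported in the thread.
sample_lookup() {
    case $1 in
        nico) echo 'nico:*:10001:10000:Nico:/home/nico:/bin/bash' ;;
        *) return 2 ;;
    esac
}

run_sample() { sample_enum | check_by_name 500 20000 sample_lookup; }
```

On a host with "winbind enum users = yes", the real check is `getent passwd | check_by_name 500 20000`; running it again after the machine has been idle shows whether the set of failing accounts changes over time.
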
From: Robert Grasso on 7 Aug 2010 13:10

Hello Nico,

I am unsure I will be able to help you further with this topic, I am not a Samba nor AD master ...

> I already list my servers in "password server =", although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.

I cannot tell for 2008R2, we don't have this version yet ...

> > - I stated clearly my /etc/krb5.conf
>
> Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable "use kerberos keytab = yes" however this doesn't seem to be accepted for Samba 3.4.7

I just filled it up properly, but did not mention Kerberos in any way in smb.conf

Best regards
---
Robert GRASSO
System Engineer
CEDRAT