Discussion:
[Samba] IDMAP Issue
Shaun Glass
2016-07-14 08:34:10 UTC
Good Day All,

We have an issue where the following in smb.conf :

idmap uid = 10000-20000

... it is resulting in assigned IDs clashing with IDs in passwd. What are
the repercussions should we change to say the following :

idmap uid = 20000-30000

Many thanks.

Regards

Shaun
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Shaun Glass
2016-07-14 10:01:52 UTC
... as follows :

rpm -qa | grep samba
samba-3.6.23-35.el6_8.x86_64
samba-common-3.6.23-35.el6_8.x86_64
samba-winbind-clients-3.6.23-35.el6_8.x86_64
samba-winbind-3.6.23-35.el6_8.x86_64

[global]
workgroup = ABC
realm = ABC.COM
security = ADS
restrict anonymous = 1
log file = /var/log/samba/log.%m
max log size = 50
client signing = required
server signing = Yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
dns proxy = No
wins server = x.x.x.x
socket address = x.x.x.x
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
idmap config * : range = 10000-20000
idmap config * : backend = tdb
> Post by Shaun Glass
> > Good Day All,
> > idmap uid = 10000-20000
> > ... it is resulting in assigned IDs clashing with IDs in passwd. What are
> > idmap uid = 20000-30000
> > Many thanks.
> > Regards
> > Shaun
> What version of Samba ?
> idmap uid (and gid) are deprecated in later versions of Samba, it may
> help if you post the entire [global] section of your smb.conf.
> Whatever the version of Samba, raising the lower level wouldn't really be
> a good idea, any saved files belonging to an ID in the range 10000-20000
> would lose their owners.
> Rowland
Shaun Glass
2016-07-14 12:33:09 UTC
... no, no sssd.

Basically we had :

id -a "localuser"
uid=17057

id -a "ABC+aduser"
uid=17057

... file ownership started getting wrecked so we are looking for a way to
correct.
> You initially asked about 'idmap uid', but I don't see it in your
> > idmap config * : range = 10000-20000
> > idmap config * : backend = tdb
> The '*' is for the BUILTIN users & groups etc
> I don't see anything for the Domain users & groups, are you also running
> sssd ?
> If so, you don't need winbind.
> Rowland
Shaun Glass
2016-07-14 12:57:05 UTC
Thanks very much ...
> With AD, you do not need local Unix users and in fact, you cannot have a
> user in AD and /etc/passwd (same goes for groups)
> It would seem that you have a large number of local Unix users in
> /etc/passwd and your computer is joined to AD and as you have discovered,
> giving a user an ID based around a range that is also in use by the local
> computer is bound to cause problems.
> Can I suggest you move to the 'idmap config' setup using the 'rid'
> https://wiki.samba.org/index.php/Idmap_config_rid
> Just change the 'SAMDOM' range to suit your computer i.e. find out the
> highest UID & GID, and then make sure the range starts well above this.
> If you have any users in /etc/passwd that are also in AD i.e if you have
> user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in AD, then
> sorry, but one of them will have to go, they would be treated as the same
> user.
> If there are any files etc owned by a local Unix user and they should be
> owned by an AD user (and vice versa), you will need to sort them out after
> you sort the user problem out.
> Rowland
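As an added example (not code from the thread or from the Samba project), the checks Rowland's reply calls for, as a POSIX shell script run against constructed passwd, group and winbind listings embedded in the script. It lists the local IDs that fall inside the 10000-20000 tdb range from the posted smb.conf, the UIDs that both /etc/passwd and winbind answer for (the two `id -a` results Shaun showed), local names that recur as ABC+name, and then prints an 'idmap config' stanza using the rid backend placed above the highest local UID and GID. The domain name 'ABC' and the '+' separator are from the posted smb.conf; the account listings, the rounding to the next multiple of 100000 and the 5000-ID '*' range are assumptions made for the example. rid_to_uid applies the idmap_rid rule ID = RID + LOW_RANGE_ID.

```shell
#!/bin/sh
# Added example for this thread; not code from the list posters or from the
# Samba project. Given /etc/passwd, /etc/group and what winbind currently
# hands out, report the collisions the thread describes, check a proposed
# idmap range for overlap with local IDs, and print a replacement
# 'idmap config' stanza using the rid backend above every local UID/GID.
# 'ABC' and '+' come from the posted smb.conf; the listings are constructed.

# Constructed /etc/passwd content (not a real host's file).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
localuser:x:17057:17057:Local User:/home/localuser:/bin/bash
fred:x:18001:18001:Fred:/home/fred:/bin/bash
svc:x:20500:20500:Service:/var/lib/svc:/sbin/nologin'

# Constructed /etc/group content.
LOCAL_GROUP='root:x:0:
localuser:x:17057:
fred:x:18001:
svc:x:20500:
builders:x:20700:'

# Constructed winbind view of the domain (what `getent passwd` would list
# from the winbind NSS source) after the tdb allocator used 10000-20000;
# the uid-0 line mirrors the root/Administrator clash reported in the thread.
WINBIND_PASSWD='ABC+administrator:*:0:10000:Administrator:/home/ABC/administrator:/bin/false
ABC+aduser:*:17057:10000:AD User:/home/ABC/aduser:/bin/bash
ABC+fred:*:17058:10000:Fred (AD):/home/ABC/fred:/bin/bash'

# highest_id CONTENT FIELD: largest numeric value in colon-separated FIELD
# (3 = uid in passwd, 4 = primary gid in passwd, 3 = gid in group).
highest_id() {
    printf '%s\n' "$1" | awk -F: -v f="$2" '$f + 0 > m { m = $f + 0 } END { print m + 0 }'
}

# ids_in_range CONTENT LOW HIGH: "name:id" for every entry whose id
# (field 3) lies inside LOW-HIGH.
ids_in_range() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" \
        '$3 + 0 >= lo && $3 + 0 <= hi { print $1 ":" $3 }'
}

# range_overlaps CONTENT LOW HIGH: succeeds when any local id is in range.
range_overlaps() {
    [ -n "$(ids_in_range "$1" "$2" "$3")" ]
}

# uid_collisions LOCAL WINBIND: one "uid local_name domain_name" line per
# UID that both sources answer for (the two `id -a` results in the thread).
uid_collisions() {
    {
        printf '%s\n' "$1" | awk -F: '{ print "L", $3, $1 }'
        printf '%s\n' "$2" | awk -F: '{ print "W", $3, $1 }'
    } | awk '$1 == "L" { loc[$2] = $3 }
             $1 == "W" && ($2 in loc) { print $2, loc[$2], $3 }'
}

# name_collisions LOCAL WINBIND SEP: local names that also exist in the
# domain as DOMAIN<SEP>name (the 'fred' versus 'ABC+fred' case).
name_collisions() {
    {
        printf '%s\n' "$1" | awk -F: '{ print "L", $1 }'
        printf '%s\n' "$2" | awk -F: -v sep="$3" \
            '{ n = $1; i = index(n, sep); if (i > 0) n = substr(n, i + 1); print "W", n, $1 }'
    } | awk '$1 == "L" { loc[$2] = 1 }
             $1 == "W" && ($2 in loc) { print $2, $3 }'
}

# rid_to_uid LOW HIGH RID: idmap_rid arithmetic (ID = RID + LOW); fails when
# the RID does not fit, which is why the range must exceed the highest RID.
rid_to_uid() {
    uid=$(( $3 + $1 ))
    [ "$uid" -le "$2" ] || return 1
    printf '%s\n' "$uid"
}

# suggest_rid_config DOMAIN SIZE PASSWD GROUP: start at the first multiple
# of 100000 above the highest local uid/gid, reserve 5000 ids for the '*'
# (BUILTIN) tdb range, and give DOMAIN the next SIZE ids via the rid backend.
suggest_rid_config() {
    top=$(highest_id "$3" 3)
    for g in $(highest_id "$3" 4) $(highest_id "$4" 3); do
        if [ "$g" -gt "$top" ]; then top=$g; fi
    done
    low=$(( (top / 100000 + 1) * 100000 ))
    printf 'idmap config * : backend = tdb\n'
    printf 'idmap config * : range = %s-%s\n' "$low" "$(( low + 4999 ))"
    printf 'idmap config %s : backend = rid\n' "$1"
    printf 'idmap config %s : range = %s-%s\n' "$1" "$(( low + 5000 ))" "$(( low + 5000 + $2 - 1 ))"
}

# Stand-alone run: show what the thread's 10000-20000 range collides with,
# then print the replacement stanza for domain ABC.
echo "local ids inside 10000-20000:"
ids_in_range "$LOCAL_PASSWD" 10000 20000
echo "uids answered by both /etc/passwd and winbind:"
uid_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD"
echo "local names that also exist as ABC+name:"
name_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD" +
suggest_rid_config ABC 100000 "$LOCAL_PASSWD" "$LOCAL_GROUP"
```

To run it against a real host, substitute the output of `cat /etc/passwd`, `cat /etc/group` and the winbind entries from `getent passwd` for the constructed strings. Two things the script only reports and does not fix: the rid backend maps each RID to LOW + RID, so the domain range has to be wider than the largest RID in the domain, and, as Rowland warns, files already stored under the old tdb-allocated IDs keep those numbers and have to be re-owned once the mapping changes.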
Xen
2016-07-16 13:08:15 UTC
Post by Shaun Glass
> If you have any users in /etc/passwd that are also in AD i.e if you
> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
> AD, then sorry, but one of them will have to go, they would be treated
> as the same user.
Are you entirely sure this is true? I don't yet know how ID mapping
works in Samba.

But. Is the whole idea of IDmapping not importing from a remote server?
(or service?).

Then, should the two groups not always be treated as separate? Why can't
you perform ID mapping only for the remote users? (AD).

That seems to be the whole point of it, right?
Xen
2016-07-16 19:59:40 UTC
Post by Xen
Post by Shaun Glass
> > > If you have any users in /etc/passwd that are also in AD i.e if you
> > > have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
> > > AD, then sorry, but one of them will have to go, they would be treated
> > > as the same user.
> > Are you entirely sure this is true? I don't yet know how ID mapping
> > works in Samba.
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Of course. But there are issues. getent passwd -s ldap rowland, will
answer the same question from a different service. Normally there is an
order in nsswitch.conf, but if you have a NSCD daemon installed, it
might mess that up.

Maybe you mean that the ID mapping would work, but not accessing them at
the same time for normal operation?

There is no way in nscd to disable forwarding from getUID lookups to
getName lookups. (So to speak). The moment you read a filesystem part
that has the UID for the "imported" user, NSCD will replace its entry
for "fred" with that of the LDAP / AD system.

If you turn NSCD off, these issues are not there and you can only get
the /first/ named user of that name, depending on the order in
nsswitch.conf.

Regardless I would assume IDmapping would directly request information
from a specific source (service, -s) instead of the first one it
encounters (general lookup).

After all, the only valid users in the system are those that result
/after/ or /from/ the IDmap.

So the /source/ of the IDmapping (the remote system) can never be
anything that is requested through getent.

Only the result of it should make it to the getent database, right.

Therefore you may have issues duplicate users, but not with mapping them
in the first place, because that first thing has nothing to do with
getent yet.
> No, as far as I can tell, IDmapping is all about mapping a user (or
> group) from somewhere else (i.e. AD) to a local Unix user (or group).
> Thinking about it, mapping is probably the wrong word, but I cannot
> think of a better word now that you cannot have a local user with the
> same name as one in AD.
Yeah I meant that with importing. Sorry!

It's just a shame I think that NSCD does not honour the nsswitch order
for my personal use case.

It just keeps one version of each name, and overwrites it with the
latest request (if requested by ID).
Achim Gottinger
2016-07-16 20:38:26 UTC
Try unscd instead of nscd; it works better in conjunction with samba.
Xen
2016-07-17 02:36:28 UTC
Post by Achim Gottinger
> Try unscd instead of nscd; it works better in conjunction with samba.
The (man) page on unscd I read mentioned that it had exactly the same
options and interface. That means it will probably do the same thing as
well? Haven't tried it yet myself.
Achim Gottinger
2016-07-17 02:47:28 UTC
Post by Xen
Post by Achim Gottinger
> > Try unscd instead of nscd; it works better in conjunction with samba.
> The (man) page on unscd I read mentioned that it had exactly the same
> options and interface. That means it will probably do the same thing
> as well? Haven't tried it yet myself.
On my servers the uid is assigned to root in /etc/passwd and to
Administrator in samba.
With nscd getent passwd 0 resolves to Administrator and causes strange
behavior for, for example, ssh logins. With unscd it resolves to root like
it does without caching.
Xen
2016-07-17 15:04:50 UTC
Post by Achim Gottinger
> On my servers the uid is assigned to root in /etc/passwd and to
> Administrator in samba.
> With nscd getent passwd 0 resolves to Administrator and causes strange
> behavior for, for example, ssh logins. With unscd it resolves to root
> like it does without caching.
Amazing. I will do so. Thanks.
Achim Gottinger
2016-07-17 18:01:53 UTC
Post by Xen
Post by Achim Gottinger
> > > On my servers the uid is assigned to root in /etc/passwd and to
> > > Administrator in samba.
> > > With nscd getent passwd 0 resolves to Administrator and causes strange
> > > behavior for, for example, ssh logins. With unscd it resolves to root
> > > like it does without caching.
> > Amazing. I will do so. Thanks.
> As far as I can see, unscd works like nscd and as you shouldn't use
> nscd with winbindd, then you probably shouldn't use unscd either. They
> are both caches and winbindd is a cache as well. When I install
> winbindd, if nscd is installed, I purge it.
> Rowland
unscd did not cause any trouble here in production last two years.
Xen
2016-07-18 12:29:16 UTC
Post by Xen
Post by Achim Gottinger
> > > On my servers the uid is assigned to root in /etc/passwd and to
> > > Administrator in samba.
> > > With nscd getent passwd 0 resolves to Administrator and causes strange
> > > behavior for, for example, ssh logins. With unscd it resolves to root
> > > like it does without caching.
> > Amazing. I will do so. Thanks.
> As far as I can see, unscd works like nscd and as you shouldn't use
> nscd with winbindd, then you probably shouldn't use unscd either. They
> are both caches and winbindd is a cache as well. When I install
> winbindd, if nscd is installed, I purge it.
> Rowland
I still don't know how Samba could act as that "Windows NT" server that
the documentation references with regards to using winbindd. I mean, my
NAS has users, but how would Samba export them? I am currently using
LDAP for it. And LDAP (nss_ldap.so) doesn't really cache I think.

If I could export the local users Samba knows about directly, then maybe
that would work better. But then, I would need IDmapping for that.

LDAP is a bit of an alien thing for me. It also doesn't integrate that
amazingly on the NAS, but that aside.