From: Ivo Karabojkov on

So I kept "hitting my head in the wall" and here is my partial but satisfying
solution:

I was totally unable to get idmap_rid working! So I am using the default
IDMAP backend - tdb.
The problem with not working pw user / group show -a or getent passwd /
group was that nss_winbind.so was not where it is supposed to be. To correct
this I used:

ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2

Now all my users and groups are visible with pw or getent!
The rid backend would give predictable sid <-> uid/gid mapping; with this
solution the mapping changes every time the server is joined to the AD domain.
But I failed setting it up - it seems idmap_rid does not map anything...

If someone can help with a better solution I will be grateful.

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26466399.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Diego Zuccato on
Ivo Karabojkov wrote:

> I was totally unable to get idmap_rid working! So I am using the default
> IDMAP backend - tdb.
Not good if you need that the same user receives the same UID on
different machines.

> The problem with not working pw user / group show -a or getent passwd /
> group was that nss_winbind.so was not where it supposed to. To correct this
> I used:
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
That's really ugly and shouldn't be needed on ANY distro. And it seems
you're looking for troubles (.1 and .2 IIRC have different ABI).

> Now all my users and groups are visible with pw or getent!
> rid backend would give predictable sid <-> uid/gid mapping, with this
> solution mapping changes every time server is joined to AD domain. But I
> failed setting it up - it seems idmap_rid does not map anything...
>
> If someone may help with better solution I will be grateful.
In my config I map users in two domains to different UID/GID values with
the following config:
winbind uid = 100000-100000000
winbind gid = 100000-100000000

idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999

Maybe you need just:
winbind uid = 100000-100000000
winbind gid = 100000-100000000
idmap config backend = rid

And be sure to "testparm -v" any changes to smb.conf

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato(a)unibo.it
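
An added example, not part of the message above and not Samba code: it parses the two-domain settings quoted in that message, checks that the ranges cannot hand two users the same UID, and applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to show why the rid backend yields the same UID on every machine. The SIDs and function names are constructed for illustration.

```python
import re

# Constructed copy of the per-domain settings quoted in the message above.
SMB_CONF = """
idmap config DOM1:backend = rid
idmap config DOM1:base_rid = 500
idmap config DOM1:range = 100000 - 49999999
idmap config DOM2:backend = rid
idmap config DOM2:base_rid = 500
idmap config DOM2:range = 50000000 - 99999999
"""

def parse_idmap(conf):
    """Collect 'idmap config DOM:key = value' lines into {DOM: {key: value}}."""
    pattern = r"^\s*idmap config (\w+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$"
    domains = {}
    for dom, key, val in re.findall(pattern, conf, re.M):
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        elif key == "base_rid":
            val = int(val)
        domains.setdefault(dom, {})[key] = val
    return domains

def overlapping(domains):
    """Domains sorted by range; return neighbours whose ranges intersect."""
    items = sorted((d["range"], name) for name, d in domains.items())
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

def rid_to_id(cfg, sid):
    """ID = RID - base_rid + range low; None when the result leaves the range."""
    rid = int(sid.rsplit("-", 1)[1])
    low, high = cfg["range"]
    uid = rid - cfg.get("base_rid", 0) + low
    return uid if low <= uid <= high else None

def id_to_rid(cfg, uid):
    """Inverse mapping: RID = ID + base_rid - range low."""
    return uid + cfg.get("base_rid", 0) - cfg["range"][0]

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(doms))
    # Constructed SIDs: same RID 1105 in each domain, plus a RID below base_rid.
    print(rid_to_id(doms["DOM1"], "S-1-5-21-1111111111-2222222222-3333333333-1105"))
    print(rid_to_id(doms["DOM2"], "S-1-5-21-4444444444-5555555555-6666666666-1105"))
    print(rid_to_id(doms["DOM1"], "S-1-5-21-1111111111-2222222222-3333333333-400"))
```

A RID below base_rid falls under the low end of the range and stays unmapped, which is why built-in accounts do not get a UID with these settings.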
From: Daniel O'Connor on
On Mon, 23 Nov 2009, Diego Zuccato wrote:
> > The problem with not working pw user / group show -a or getent
> > passwd / group was that nss_winbind.so was not where it supposed
> > to. To correct this I used:
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
>
> That's really ugly and shouldn't be needed on ANY distro. And it
> seems you're looking for troubles (.1 and .2 IIRC have different
> ABI).

Indeed, that certainly shouldn't be necessary.

I use nss/pam_ldap (on FreeBSD) and it works just fine living
in /usr/local/lib as you'd expect.

I don't know why you'd need nss_winbind.so.2 either.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
-- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
From: Ivo Karabojkov on

Without the links (maybe just 1 is enough, I'll test) no resolution to the OS
occurred at all - users and groups were visible via wbinfo, but not with
getent or pw.

With RID I tried a lot of combinations (including the ones shown by you or just
idmap backend = rid:DOMAIN:10000-20000) with totally no success.

I should try this again with the linked .so.1 library and I'll write back.



Diego Zuccato-2 wrote:
>
> Ivo Karabojkov wrote:
>
>> I was totally unable to get idmap_rid working! So I am using the default
>> IDMAP backend - tdb.
> Not good if you need that the same user receives the same UID on
> different machines.
>
>> The problem with not working pw user / group show -a or getent passwd /
>> group was that nss_winbind.so was not where it supposed to. To correct
>> this
>> I used:
>> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
>> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
> That's really ugly and shouldn't be needed on ANY distro. And it seems
> you're looking for troubles (.1 and .2 IIRC have different ABI).
>
>> Now all my users and groups are visible with pw or getent!
>> rid backend would give predictable sid <-> uid/gid mapping, with this
>> solution mapping changes every time server is joined to AD domain. But I
>> failed setting it up - it seems idmap_rid does not map anything...
>>
>> If someone may help with better solution I will be grateful.
> In my config I map users in two domains to different UID/GID values with
> the following config:
> winbind uid = 100000-100000000
> winbind gid = 100000-100000000
>
> idmap config DOM1:backend = rid
> idmap config DOM1:base_rid = 500
> idmap config DOM1:range = 100000 - 49999999
> idmap config DOM2:backend = rid
> idmap config DOM2:base_rid = 500
> idmap config DOM2:range = 50000000 - 99999999
>
> Maybe you need just:
> winbind uid = 100000-100000000
> winbind gid = 100000-100000000
> idmap config backend = rid
>
> And be sure to "testparm -v" any changes to smb.conf
>

--
View this message in context: http://old.nabble.com/FreeBSD-7.2-domain-member-problem-tp26204285p26476164.html
From: Daniel O'Connor on
On Mon, 23 Nov 2009, Ivo Karabojkov wrote:
> I am sure it should work without these strange links I've made.
> I don't know what is the problem. I use ports, just to keep my
> installations more standard.
>
> May you point me a good manual how to set up nss/ldap with Samba?

I used the Samba how-to guide and googled; net/smbldap-tools is
pretty helpful.

That said, it wasn't especially simple to set up :(

However I don't use winbind on my FreeBSD machine, I use nss/pam_ldap
and Samba talks to the LDAP server as well.
