From: Mark Casey on 11 Feb 2010 16:10

Hello list,

Quick summary of the issue (repeated below after the details):

Running 'wbinfo --user-info=markc' on either smb ads member server will return identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different information on each server. I'd like to make mappings for BUILTIN consistent in case I ever use them.

Background and details:

I have a production environment with 2 ADS member servers that I'm planning to re-work, and I've found an oversight with how my setup maps items from BUILTIN. I hadn't been using anything from there so it isn't a big deal at the moment, but I'm trying to fix it and/or decide how to simplify my whole idmap setup.

Here is some background info, let me know if you need something else:

- Native-mode AD, all DCs on 2003R2 SP2 x64.
- Two Ubuntu Server x64 8.04.03 LTS AD member servers running Samba 3.0.28a. (samba_3.0.28a-1ubuntu4.10_i386.deb).
- I have a few directives that may be considered odd (map to guest, force create/dir) for my type of setup. This is because I'm still getting rid of some XP Home workstations that need guest shares. This was the only way I could get them to play nice (IIRC this was due to ADS mode rejecting the credentials before it realized it was a request for a guest share).

Here is my current config:

    [global]
    server string = Dallas File Server
    workgroup = DOMAINNAME
    realm = DOMAINNAME.COM
    security = ADS
    password server = *
    #password server = dal-dc1.domainname.com
    #password server = dal-dc1.domainname.com, den-dc1.domainname.com
    # client schannel = Yes
    # server schannel = Yes
    username map = /etc/samba/smbusers
    obey pam restrictions = Yes
    enable privileges = Yes
    map to guest = Bad User
    # restrict anonymous = 2
    allow trusted domains = No
    # lanman auth = No
    # ntlm auth = No
    # client NTLMv2 auth = Yes
    log level = 4
    syslog = 0
    # min protocol = NT1
    # client signing = Yes
    # server signing = Yes
    load printers = No
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    host msdfs = No
    idmap domains = DOMAINNAME
    idmap alloc backend = ldap
    template shell = /bin/false
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    idmap alloc config:range = 100000 - 500000
    idmap alloc config:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
    idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
    idmap config DOMAINNAME:range = 100000 - 500000
    idmap config DOMAINNAME:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
    idmap config DOMAINNAME:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
    idmap config DOMAINNAME:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=domainname,dc=com
    idmap config DOMAINNAME:backend = ldap
    idmap config DOMAINNAME:default = yes
    hosts allow = (redacted)
    map acl inherit = No
    hide special files = Yes
    map archive = No
    map readonly = No
    map system = No
    map hidden = No
    force create mode = 707
    force directory mode = 707
    ea support = No
    store dos attributes = No
    wide links = No
    follow symlinks = No
    dos filemode = No
    add share command=/etc/samba/command_cust.pl
    delete share command=/etc/samba/command_cust.pl
    change share command=/etc/samba/command_cust.pl

The actual issue/question (as stated above):

Running 'wbinfo --user-info=markc' on either smb ads member server will return identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different information on each server. I'd like to make mappings for BUILTIN consistent in case I ever use them.

I guess it is falling back to tdb since I can grep for relevant info and the tdb for group mapping matches.

I've labbed my setup by setting up a third smb server in the same config, and a blank ad partition for mapping...so I can change things for testing there (and I have been). My browser has no fewer than 20 tabs up with various man pages, pdfs, and list posts on idmap but it isn't quite coming together for me on this one aspect that deals with BUILTIN.

tia for any assistance you can provide.

Thank you,
Mark Casey
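
The comparison described in the post can be automated across member servers; the script below is an added example, not part of the original message or of Samba. It assumes each server's `wbinfo --group-info` output has been collected as `name:x:gid` lines, and the sample data and function names are constructed for illustration. A gid that differs between servers means file ownership and ACLs copied from one server resolve to a different group on the other.

```python
# Added example: compare winbind group mappings reported by two member servers.
# Assumption: input lines use the passwd/group-style "name:x:gid[:members]"
# form printed by `wbinfo --group-info=...`. Sample data below is constructed.

IDMAP_RANGE = (100000, 500000)  # from "idmap config DOMAINNAME:range" in the post


def parse_group_lines(text):
    """Return {lower-cased group name: gid} parsed from name:x:gid lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            raise ValueError(f"unparseable line: {line!r}")
        mapping[fields[0].lower()] = int(fields[2])
    return mapping


def compare_mappings(a, b, id_range=IDMAP_RANGE):
    """List groups that are missing on one side, differ in gid, or fall
    outside the configured idmap range on both servers."""
    findings = []
    for name in sorted(set(a) | set(b)):
        gid_a, gid_b = a.get(name), b.get(name)
        if gid_a is None or gid_b is None:
            findings.append((name, "missing", gid_a, gid_b))
        elif gid_a != gid_b:
            findings.append((name, "mismatch", gid_a, gid_b))
        elif not id_range[0] <= gid_a <= id_range[1]:
            findings.append((name, "out-of-range", gid_a, gid_b))
    return findings


# Constructed sample output, one block per server (not taken from the post).
SERVER_A = """\
domain users:x:100001
BUILTIN\\users:x:100007
BUILTIN\\administrators:x:100008
"""
SERVER_B = """\
domain users:x:100001
BUILTIN\\users:x:100003
"""

if __name__ == "__main__":
    a, b = parse_group_lines(SERVER_A), parse_group_lines(SERVER_B)
    for finding in compare_mappings(a, b):
        print(finding)
```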