This is a discussion on [Samba] winbind problems within the Samba forums, part of the Networking and Network Related category.
Folks,
I do have a couple of problems I hope you could help to solve. I have searched the net, but had little success in finding documentation about Samba 3.2 and AD. I do have a Win Server 2003 domain and AD in native mode. The new Samba server should be a member server in the domain. The idea is to have the same UIDs as the RIDs in the AD.

The environment is as follows:

  Sernet packaged samba 3.2.3-37
  MIT kerberos 1.6.1-25.el5
  CentOS 5.2

Here's the smb.conf

---snip---
[global]
	workgroup = NNNN
	printing = cups
	printcap name = cups
	load printers = no
	realm = NNNN.LOCAL
	security = ads
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes
	allow trusted domains = no
	idmap domains = NNNN
	idmap config NNNN:default = yes
	idmap config NNNN:backend = rid
	idmap config NNNN:range = 100-200000
	idmap config NNNN:base_rid = 0
---snip---

Kerberos information is resolved via DNS, and to my knowledge this works OK. So I have not made any changes in /etc/krb5.conf, as was instructed in the Samba documentation. Kinit tests do return what they should return. NTP is configured and running OK.

Now the questions.

What is the low limit of the idmap range? When it is set to 0, information is no longer returned from the AD. I do ask this because it would be convenient to have the uid be _exactly_ the same as the RID. The difference could cause human mistakes one day. Using LDAP and idmap backend = ADS would, of course, make the problem go away, but I'll stick to RID. KISS. Is there something I have missed?

Does using "winbind enum ..." affect functionality somehow, like performance-wise? The only difference I've noticed is that "getent xxx" does not return AD users or groups, but e.g. "getent group ad-group" does. Still, setting permissions works for AD users. Are there any other implications if it is left out?
Then the logs are filled with these, or similar, lines:

log.winbindd
[2008/09/16 14:03:42, 1] libsmb/clientgen.c:cli_rpc_pipe_close(559)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0xa to machine dc1.nnnn.local. Error was SUCCESS - 0

and...

[2008/09/16 14:03:31, 0] lib/util_sid.c:string_to_sid(247)
  string_to_sid: Sid S-1-0 is not in a valid format.

I do understand from various sources on the net that this latter one is not something to worry about, but for cosmetic reasons I'd like to have it disappear. Maybe solving both of these log entries is FAQ material?

-- Harri

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
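As an added example (not part of Harri's post and not Samba's own code), the following POSIX shell script models the mapping rule documented for the idmap_rid backend, ID = RID - BASE_RID + LOW_RANGE_ID, so that the uid or gid winbind will hand out for a SID can be predicted from a given "idmap config DOM:range" / "base_rid" pair before winbind is reconfigured. It runs offline on a constructed SID; the SID, the range values and the function names are illustrative. It also shows what the range question above comes down to: with the posted settings (range 100-200000, base_rid 0) RID 1105 becomes uid 1205, whereas setting base_rid to the lower end of the range (100 here) gives uid == RID for every RID of at least 100 without lowering the range bound to 0. The script refuses a lower bound of 0 only because the post reports that such a range stopped lookups; that mirrors the observation, not a documented rule, and the base_rid semantics should be confirmed against the idmap_rid(8) page of the Samba version in use.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Samba itself.
# Models the idmap_rid mapping rule
#     ID = RID - BASE_RID + LOW_RANGE_ID
# so the uid/gid winbind will assign to a SID can be predicted from an
# "idmap config DOM:range = LOW-HIGH" / "idmap config DOM:base_rid = N" pair.
# All SIDs and range values below are constructed for illustration.

# parse_range "LOW-HIGH" -> prints "LOW HIGH"; fails on anything else.
# A lower bound of 0 is rejected because the thread reports that a range
# starting at 0 made winbind stop returning AD information.
parse_range() {
    r=$(printf '%s' "$1" | tr -d ' ')
    case $r in
        *[!0-9-]*|-*|*-|*-*-*) return 1 ;;   # digits and exactly one '-' only
        *-*) ;;
        *) return 1 ;;
    esac
    low=${r%-*}
    high=${r#*-}
    [ "$low" -ge 1 ] && [ "$low" -le "$high" ] || return 1
    printf '%s %s\n' "$low" "$high"
}

# sid_rid SID -> prints the RID (last sub-authority) of a SID such as
# S-1-5-21-1111-2222-3333-1105. A SID with no sub-authority at all, like the
# "S-1-0" in the string_to_sid log line above, is treated as malformed.
sid_rid() {
    rest=${1#S-}
    [ "$rest" != "$1" ] || return 1          # must start with "S-"
    case $rest in
        *[!0-9-]*|-*|*-|*--*) return 1 ;;    # digits and single hyphens only
        *-*-*) ;;                            # rev-authority-sub: >= 2 hyphens
        *) return 1 ;;                       # "1-0": no sub-authority present
    esac
    printf '%s\n' "${rest##*-}"
}

# rid_to_id RID LOW HIGH [BASE_RID] -> prints the Unix id, or fails when the
# RID cannot be represented with that range (RID below base_rid, or result
# above the upper bound), i.e. a SID winbind could not map.
rid_to_id() {
    rid=$1 low=$2 high=$3 base=${4:-0}
    [ "$rid" -ge "$base" ] || return 1
    id=$((rid - base + low))
    [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# sid_to_id SID RANGE [BASE_RID]: both steps together, as applied to a SID
# belonging to the domain the idmap config is for.
sid_to_id() {
    sid=$1 range=$2 base=${3:-0}
    rid=$(sid_rid "$sid") || return 1
    bounds=$(parse_range "$range") || return 1
    rid_to_id "$rid" "${bounds% *}" "${bounds#* }" "$base"
}

# Demo: a constructed domain user SID with RID 1105 under the posted config
# (range 100-200000, base_rid 0) and with base_rid set to the range's low end.
USER_SID='S-1-5-21-1111-2222-3333-1105'      # constructed, not a real domain
for base in 0 100; do
    printf 'base_rid=%-4s range=100-200000  %s -> id %s\n' \
        "$base" "$USER_SID" "$(sid_to_id "$USER_SID" 100-200000 "$base")"
done
sid_to_id S-1-0 100-200000 0 \
    || echo 'S-1-0: rejected as malformed, like the string_to_sid log line'
parse_range 0-200000 \
    || echo 'range 0-200000: lower bound must be at least 1'
```

Usage: run the script as-is, or source it and call sid_to_id with the SID, range and base_rid you intend to configure; a non-zero exit means winbind would have no id for that SID under that configuration.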
On Wed, 17 Sep 2008, Waltari Harri wrote:
> Does using "winbind enum ..." affect functionality somehow, like
> performance-wise? Only difference I've noticed is that "getent xxx" does
> not return AD users or groups, but eg. "getent group ad-group" does.
> Still, setting permissions works for AD users. Are there any other
> implications if it is left out?

It does exactly what you've observed. It's not a behaviour that applications appear to rely on. With a large AD you have no alternative but to not enumerate groups (especially if you're flattening nested groups). I've had no problems with enum off, and lots of performance problems with enum on. Be a member of 100 groups (some of which contain >75000 users) and issue "id". With enum logic on (whether in winbind or nss_ldap) it's not pretty.

jh

-- 
"Four boxes to be used in defense of liberty: soap, ballot, jury, ammo - use in that order." -- Ed Howdershelt