AnandTech Forums > Software > *nix Software
01-17-2013, 09:58 AM   #1
_Rick_ (Diamond Member; Join Date: Apr 2012; Posts: 3,193)
Samba 3.6 AD integration - local accounts/idmap

Hello,

I'm not really expecting an answer to my question, but I might as well try. Samba's IRC channel proved unhelpful, and I found a work-around before I got desperate enough to try the (from the archives not very promising) mailing list.

I am using an MS Server2k8R2 ADS, and Samba 3.6.9 with an idmap_ad configuration, which was working the way I expected until recently.

I had to reboot my ADS then, and what happened next was ugly. For some reason Samba/winbind/idmap messed up, and assigned the uid of my domain user to a local guest account (SID ending in 501 - just like the co-existing domain guest account). This made nss go crazy. Authentication still worked, as did getent passwd, but uid-to-name was broken. User rights were transferred to the local guest account.

My real question is - how did this local account crop up? Where is idmap/wbinfo getting uid to sid translation from? Why is it not respecting smb.conf idmap range settings?

I ended up assigning a different uid to the domain account, and did some chowns, but I'd still like to know what exactly has happened there, and why.
02-18-2013, 05:20 PM   #2
MrColin (Platinum Member; Join Date: May 2003; Posts: 2,182)

Thread title got my interest because I have been thinking about trying some samba + AD stuff. Have you found any answers?
02-19-2013, 07:17 AM   #3
_Rick_ (Diamond Member; Join Date: Apr 2012; Posts: 3,193)

I think after a while...the mapping disappeared.
The problem was that for some reason Samba created that local logon domain from the smbpasswd information, and the lack of an idmap configuration for it probably made it default to the same space that idmap was assigning to the defined domain (I'd call that a bug...).

After declaring the local logon domain explicitly for idmap, and then waiting until winbind/idmap flushed the information, I think it worked again - but, before that happened I just changed the uid on the ADS and chowned everything on the file server.
Messy, but fast, and as the previously described fix was not taking immediately (no idea what one has to do to really-really flush the idmap cache), I had given up hope. Only later, when checking again, did I see that the local guest account was now mapped to a different uid.

Anyway, Samba/AD/idmap is a dark art, as the way of configuring it is silently changed every point release, the online documentation is a jumble, and mostly out of date, offline documentation (man etc) is incomplete....

I would consider what little knowledge I could gain from my experience already as a reason for someone to employ me, just for administering that. And I don't feel like I know anything. Even on the mailing lists there is very little traffic regarding this.
Going by the fact that the configuration specs change every two years, I would not recommend it for production systems that are exposed to a network that is not known to be benign, because keeping up to date to avoid security scares is a major nightmare, and the number of interacting components (idmap alone is done on three levels: winbind, pam and the idmap module) makes it quite complex to debug.

But to me it appeared to be easier than using NIS.
Now that Samba 3.6 supports running as ADS, it may be easier though to get things running. Depending on how they resolved account mapping....
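The collision described in the first post (a local account with RID 501, the well-known Guest RID, receiving the uid of an AD user) is what happens when the idmap range used for the file server's own local SAM domain and BUILTIN, which winbind hands to the default "*" backend, overlaps the range configured for the AD domain. The script below is an added example written for this page; it is not code from either poster and not a Samba tool. It writes two constructed smb.conf fragments (a weak one with overlapping ranges beside a corrected one) and runs a small checker that parses every `idmap config DOMAIN : range` line, flags a missing "*" range and any pair of ranges that overlap. The domain name EXAMPLE, the realm EXAMPLE.LOCAL and all numeric ranges are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not a Samba tool): a checker for the idmap
# misconfiguration that produces the symptom described in the thread. winbind
# hands IDs for the server's own local SAM domain and for BUILTIN to the default
# ("*") idmap backend, so if the "*" range overlaps a per-domain range, the local
# Guest account (RID 501) can end up with the uid that idmap_ad read from an AD
# user. Domain name, realm and ranges are assumed; both smb.conf fragments are
# constructed for this example.

TMPD=$(mktemp -d)
WEAK_CONF=$TMPD/smb-weak.conf
GOOD_CONF=$TMPD/smb-good.conf

cat >"$WEAK_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   # Weak: the default range overlaps the AD domain range, so tdb allocations for
   # local SAM/BUILTIN accounts can collide with uidNumbers served by idmap_ad.
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-99999
EOF

cat >"$GOOD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   # Corrected: every idmap domain gets its own disjoint range.
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
EOF

# Print "DOMAIN LOW HIGH" for each "idmap config DOMAIN : range = LOW-HIGH" line
# (keys are expected lower-case, as in the smb.conf(5) examples).
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap[[:space:]]*config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*$/\1 \2 \3/p' "$1"
}

# Report a missing "*" range and every pair of overlapping ranges.
# Exit status 1 if anything was found, 0 if the configuration looks sane.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0; if ($1 == "*") have_default = 1 }
        END {
            bad = 0
            if (!have_default) {
                print "MISSING: no \"idmap config * : range\"; local SAM and BUILTIN IDs get an unchecked range"
                bad = 1
            }
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP: %s (%d-%d) and %s (%d-%d)\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            if (!bad) print "OK: default range present and all idmap ranges are disjoint"
            exit bad
        }'
}

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $f"
    check_idmap_ranges "$f" || echo "-> fix smb.conf before (re)starting winbindd"
done
```

On a real Samba 3.6 host, point the checker at the output of `testparm -s` rather than the raw smb.conf, since testparm normalises key spelling; any extra `idmap config NAME : range` line for the file server's own logon domain (the explicit declaration the third post mentions) is picked up the same way. To confirm a fix took, compare `wbinfo --sid-to-uid` for the domain user's SID and for the local S-...-501 SID; the idmap cache on 3.6 lives in gencache, so `net cache flush` is the documented way to drop stale mappings instead of waiting for them to expire.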