samba + idmap_rid

Status
Not open for further replies.

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
I've been trying to see if FreeNAS will work for my business. One thing that I have enjoyed is how well it handles my Samba needs so far. I do have one concern though. According to the Samba documentation, IDMAP_RID does not work with trusted domains, yet my FreeNAS environment seems to work with trusted domains set to yes. Can a developer comment as to whether this is advisable? Also, why was IDMAP_RID used in favor of IDMAP_HASH?

I have had good success so far with IDMAP_RID but it seems IDMAP_HASH might be the better method to generate users.

Also, it's a bit frustrating that I can't set the UID/GID range before the users/groups are populated, which can complicate things if my environment uses a range different from what FreeNAS uses.
 

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
Anyone?
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
It's only been slightly more than 24 hours.

Also, it's a bit frustrating that I can't set the UID/GID range before the users/groups are populated, which can complicate things if my environment uses a range different from what FreeNAS uses.
I can't speak to the IDMAP_HASH part, but you can hack the /conf/base/etc/pw.conf & /etc/pw.conf files beforehand. Keep in mind the jail also has /etc/pw.conf with another range you would want to account for.
 

James

Guest
What link indicated that trusted domains do not work? They do work with idmap_rid. As for using idmap_rid over idmap_hash, idmap_rid relies on Windows SIDs for unique UIDs and GIDs, whereas idmap_hash does not. Idmap_rid is the better choice, but it relies on Windows to do the dirty work. As for offering a range configuration option, that is on the to-do list and will come in time.
 

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606596

My understanding is that IDMAP_RID uses only the last few characters of the SID (7 characters maybe?) but IDMAP_HASH uses the whole SID string for unique generation and does have support for trusted domains. Also, IDMAP_RID can only deal with one domain, but IDMAP_HASH can deal with multiple domains at once: http://www.novell.com/support/kb/doc.php?id=7007006

What link indicated that trusted domains do not work? They do work with idmap_rid. As for using idmap_rid over idmap_hash, idmap_rid relies on Windows SIDs for unique UIDs and GIDs, whereas idmap_hash does not. Idmap_rid is the better choice, but it relies on Windows to do the dirty work. As for offering a range configuration option, that is on the to-do list and will come in time.

- - - Updated - - -

Thanks, I'll take a look at those.

It's only been slightly more than 24 hours.

I can't speak to the IDMAP_HASH part, but you can hack the /conf/base/etc/pw.conf & /etc/pw.conf files beforehand. Keep in mind the jail also has /etc/pw.conf with another range you would want to account for.
 

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
Oh for this technique, do I need to edit/define these files before I connect it to the domain? I tried to manually write a samba.conf/nsswitch.conf/krb5.conf before, but each reboot would wipe out my settings. How can I be sure it won't do that to pw.conf?

I also don't know anything about jails in FreeNAS, can you elaborate on that please? Or just stick my nose in a document page, I'm fine with that too.

It's only been slightly more than 24 hours.

I can't speak to the IDMAP_HASH part, but you can hack the /conf/base/etc/pw.conf & /etc/pw.conf files beforehand. Keep in mind the jail also has /etc/pw.conf with another range you would want to account for.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
I tried to manually write a samba.conf/nsswitch.conf/krb5.conf before, but each reboot would wipe out my settings. How can I be sure it won't do that to pw.conf?
:confused: Of course it will. That's why I referenced both files. Furthermore, reboot.

I also don't know anything about jails in FreeNAS, can you elaborate on that please? Or just stick my nose in a document page, I'm fine with that too.
8.10 Plugins. As I believe the documentation doesn't reference it and I happen to know the jail range:
Code:
minuid 40000
maxuid 49999
mingid 40000
maxgid 49999
 

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
What do you mean furthermore, reboot? I have rebooted this system a few times now (I'm testing other things), what are you getting at? Thanks again for the heads up on this btw.

:confused: Of course it will. That's why I referenced both files. Furthermore, reboot.

8.10 Plugins. As I believe the documentation doesn't reference it and I happen to know the jail range:
Code:
minuid 40000
maxuid 49999
mingid 40000
maxgid 49999
 

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
Okay so I'm a little confused here:

a) the ranges in /conf/base/etc/pw.conf don't really translate to anything in /usr/local/etc/smb.conf so far as I can tell.

b) idmap config DOMAIN: range is what I'm looking to set, it's currently 20000-20000000 but I want to know how to change this beforehand without it being reset by a reboot

c) the idmap uid and gid don't seem to equally translate to the idmap config DOMAIN: range, for example:

Code:
    idmap uid = 10000-19999
    idmap gid = 10000-19999


Thoughts?

:confused: Of course it will. That's why I referenced both files. Furthermore, reboot.

8.10 Plugins. As I believe the documentation doesn't reference it and I happen to know the jail range:
Code:
minuid 40000
maxuid 49999
mingid 40000
maxgid 49999
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
Okay so I'm a little confused here:
Perhaps, you can mention what you intend to change it to? Then I might not be as confused as well and offer a better answer.

a) the ranges in /conf/base/etc/pw.conf don't really translate to anything in /usr/local/etc/smb.conf so far as I can tell.
They are specifically non-overlapping. I was assuming, wrongly, you wanted part of this range. The file /usr/local/etc/smb.conf is generated each time the service is started.

b) idmap config DOMAIN: range is what I'm looking to set, it's currently 20000-20000000 but I want to know how to change this beforehand without it being reset by a reboot
I thought it avoided the jail range. I guess I'm remembering that wrong. It might be better if the jail range was moved much lower or higher and not in the middle.

You need to hack /conf/base/etc/rc.d/ix-samba & /etc/rc.d/ix-samba around line #317 and change the range.
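
Added example, not part of any post in this thread and not FreeNAS code: a check for whether the idmap ranges in smb.conf collide with the pw.conf ranges, plus the RID-to-ID arithmetic documented in Samba's idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID). The sample file contents are constructed from the values quoted above; the `backend = rid` line and the function names are assumptions.

```python
import re

# Constructed sample inputs, built from the values quoted in the thread.
SMB_CONF = """\
[global]
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap config DOMAIN: backend = rid
    idmap config DOMAIN: range = 20000-20000000
"""
JAIL_PW_CONF = """\
minuid 40000
maxuid 49999
mingid 40000
maxgid 49999
"""
RANGE_RE = re.compile(r"^\s*(idmap (?:uid|gid|config\s+\S+\s*:\s*range))"
                      r"\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def smb_ranges(text):
    """Return {setting: (low, high)} for every idmap range line in smb.conf."""
    return {" ".join(m.group(1).split()): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(text)}

def pw_ranges(text):
    """Return {'uid': (min, max), 'gid': (min, max)} from pw.conf text."""
    kv = dict(line.split()[:2] for line in text.splitlines()
              if line.strip() and not line.lstrip().startswith("#"))
    return {k: (int(kv["min" + k]), int(kv["max" + k])) for k in ("uid", "gid")}

def overlap(a, b):
    """Inclusive intersection of two (low, high) ranges, or None."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic; None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def collisions(smb_text, pw_text):
    """List (smb setting, 'uid'|'gid', shared ids) for every overlapping pair."""
    return [(name, kind, shared)
            for name, rng in smb_ranges(smb_text).items()
            for kind, local in pw_ranges(pw_text).items()
            if (shared := overlap(rng, local))]

if __name__ == "__main__":
    print(collisions(SMB_CONF, JAIL_PW_CONF))
    print("RID 25000 ->", rid_to_id(25000, 20000, 20000000))
```

With these values the domain range covers the whole jail range, so a domain account with RID 25000 maps to 45000, an ID the jail's pw.conf can also hand out to a local account.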
 

BloodyIron

Contributor
Joined
Feb 28, 2013
Messages
133
I think the ix-samba part is what I'm looking for, thanks. I'll have to see if it gets the results I want.

Now a thought occurs, won't an update undo this change?

Perhaps, you can mention what you intend to change it to? Then I might not be as confused as well and offer a better answer.

They are specifically non-overlapping. I was assuming, wrongly, you wanted part of this range. The file /usr/local/etc/smb.conf is generated each time the service is started.

I thought it avoided the jail range. I guess I'm remembering that wrong. It might be better if the jail range was moved much lower or higher and not in the middle.

You need to hack /conf/base/etc/rc.d/ix-samba & /etc/rc.d/ix-samba around line #317 and change the range.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403

suben

Cadet
Joined
May 31, 2013
Messages
2
Multiple sharing problem using different users

Hi

I am unable to access multiple shares at the same time using different user names and passwords. Please help me with this.

Also, please help me with how to open a new issue thread.
 