Questions[mapping](server)

I'm trying to get a samba share working with correct IDs on Windows (SID) and Linux (uid/gid) clients. The problem is that the uids and gids are not properly mapped back to SIDs and SIDs are not resolved to names. What could lead to this problem and how can it be fixed?

What works

• mapping from Active Directory UNIX attributes to uid/gid on Linux
• access to the share
  • Windows: UNC-Path in Explorer, Kerberos ticket is accepted (no question for credentials)
  • Linux: sudo mount -t cifs //ribonas2/test /mnt/ribonas2/smb/ -o domain=DOMAIN,username=paul.jaehne
• working with files on the share

What doesn't work

• files created on Windows have Unix User\ and Unix Group\ (the UNIX uid and gid is also visible for a very short time when opening the security tab) instead of DOMAIN\ as prefix for users and groups
• adding permissions is flawed: I can add principals from the domain and shortly afterwards the DOMAIN\whatever is displayed correctly. When I wait for some time or look at the share from another computer then only the SID is displayed (the SID is correct, but not resolved to the name):

Environement/Configuration

• I used the following guides (can't add real links because of reputation requirements):
  • Ubuntu 16.04 SAMBA fileserver guide
  • Ubuntu 16.04 SSSD AD guide
  • SAMBA wiki domain member
  • SAMBA wiki ACL
• multiple domain controllers (Windows Server 2003 and Windows Server 2012 R2)
• Active Directory schema from Windows Server 2003
• Ubuntu Server 16.04
  • SSSD 1.13.4-1ubuntu1.1
  • SMB 2:4.3.8+dfsg-0ubuntu1
  • joined with both realm join and net ads join

sssd.conf:

[sssd]
domains = domain.company.com
config_file_version = 2
services = nss, pam

[domain/domain.company.com]
realmd_tags = manages-system joined-with-adcli
ad_domain = domain.company.com
krb5_realm = DOMAIN.COMPANY.COM

id_provider = ad
cache_credentials = True
krb5_store_password_if_offline = True
enumerate = True
use_fully_qualified_names = False

fallback_homedir = /home/%d/%u
default_shell = /bin/bash

# use uid and gid from active directory
ldap_id_mapping = False

# needed to use correct active directory properties (Windows Server 2003)
ldap_schema = ad
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_gecos = displayName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber

smb.conf (settings from standard config file are indented):

[global]
server role = member server
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
security = ads
password server = dc1.domain.company.com # shouldn't be necessary and same problem without this line
idmap config * : backend = tdb
idmap config * : range = 100000-999999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-20000 # the UNIX attributes are manually assigned in this range
kerberos method = secrets and keytab

    server string = %h server (Samba, Ubuntu)

    dns proxy = no

    log file = /var/log/samba/log.%m
log level = 10
    max log size = 1000
    syslog = 0

    panic action = /usr/share/samba/panic-action %d

    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes

    map to guest = bad user

    usershare allow guests = yes

# needed for Windows ACL/ACE
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[test]
    path = /srv/samba/test
    writable = yes

TL;DR: Why aren't the UNIX attributes resolved to SIDs and why aren't the SIDs resolved to names?

I don't know if this question is allowed or not. If not, forgive me :)
Anyway, I have a mapping rule for nginx redirection

/hotel/xyz/abc  /hotel/xyz/abc-nana;
/hotel/xyz/abc/  /hotel/xyz/abc-nana;
~^/hotel/xyz/abc\?(.*) /hotel/xyz/abc-nana?$1;

My question is, can they be combined into 1 rule? I don't know regex well

I'm a relative late comer to the virtualistion party, so you'll have to forgive me if this seems like an obvious question.

If I have a server with 12 cores available, does each KVM guest have access to all 12 cores? I understand KVM makes use of the Linux scheduler, but that's where my understanding of "what happens next" ends.

My reason for asking is, the 10 or so distinct tasks we are intending to run in KVM guests (for purposes of isolation to facilitate upgrades) won't utilise a single core 100% of the time, so on that basis it seems wasteful to have to allocate 1 virtual CPU to each guest - we'll be out of cores from the get-go with a "full", idle server to show for it.

Put another way, assuming my description above, does 1 virtual CPU actually equate to 12 physical cores in terms of processing power? Or is that not how it works?

Many thanks

Steve

Issue: I'm having issues getting WebDav to work in the command line on Windows XP, both Service Pack 2 and Service Pack 3.

C:\>net use z: https://mywebsite.com/software/
System error 67 has occurred.

The network name cannot be found.

I have tested this with two webdav server. Both Ubuntu Apache and I Windows Server 2003 IIS. Both get the same result.

Things That Haven't Worked:

1. I've installed the following Microsoft KB on my XP machines with no avail.

2. I've also found the following reg key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters UseBasicAuth REG_DWORD 1

3. I try the following when trying to use a few work around I've dug up on the web, all producing the same result.

   net use z: https://mywebsite.com/software
   net use z: https://mywebsite.com/software#
   net use z: https://mywebsite.com/software/
   net use z: https://mywebsite.com/software/#
   

4. I've also tried all the above combinations adding a user into it /user:user and /user:user@domain.

5. I've also tried using http:// rather than https://.

6. I've tried "\\server.com@ssl:443\folder"

7. I've gone over networking related issues as @WesleyDavid had pointed out.

Things that do work:

• I can connect to the webdav folder via the URL and with mapping in Network Place, with XP. But the command line doesn't work (I need a drive letter).
• Windows 7 works perfectly with the same command.

My Delemma:

I need this to work with a drive letter. What else can I try to get this working?

The situation is an nfs4 server and client using rpc.idmapd to map ids. The id mapping is working on the client for existing files served up from the server.

On the server:

[root@server ~]# id user1
uid=500(user1) gid=502(user1) groups=502(user1)
[root@server ~]# ls -l /mnt/san/temp
total 0
-rw-r--r-- 1 user1 user1 0 Aug 27 11:46 test1
[root@server ~]# ls -ln /mnt/san/temp
total 0
-rw-r--r-- 1 500 502 0 Aug 27 11:46 test1

On the client:

[user1@client ~]$ id user1
uid=504(user1) gid=506(user1) groups=506(user1)
[user1@client ~]$ ls -l /mnt/san/temp
total 0
-rw-r--r-- 1 user1 user1 0 Aug 27 11:46 test1
[user1@client ~]$ ls -ln /mnt/san/temp
total 0
-rw-r--r-- 1 504 506 0 Aug 27 11:46 test1

So that's fine.

However creating a file from the client:

[user1@client ~]$ touch /mnt/san/temp/test2
[user1@client ~]$ ls -l /mnt/san/temp
total 0
-rw-r--r-- 1 user1 user1 0 Aug 27 11:46 test1
-rw-rw-r-- 1 user2 user2 0 Aug 27 11:49 test2
[user1@client ~]$ ls -ln /mnt/san/temp
total 0
-rw-r--r-- 1 504 506 0 Aug 27 11:46 test1
-rw-rw-r-- 1 505 507 0 Aug 27 11:49 test2

It doesn't appear to do the id->name mapping on the client-side at this point.

Both systems are CentOS 5.x. Incidentally the files /proc/net/rpc/nfs4.nametoid/content and /proc/net/rpc/nfs4.idtoname/content are empty on the client, but have entries on the server.

I turned up logging on rpc.idmapd on the client and /var/log/messages shows it is being used for name to id mappings, eg: Aug 27 11:49:27 fw01 rpc.idmapd[11773]: Client 23: (user) name "user2@localdomain" -> id "505" I was expecting corresponding id->name lookups to happen at the point a file is created client-side.

The simple solution of synchronising ids and using nfsv3 isn't really an option (as in not simple!).

EDIT:

sorry for the confusion:

[user1@client ~]$ getent passwd 504 505
user1:x:504:506::...
user2:x:505:507::...
[user1@client ~]$ getent group 506 507
user1:x:506:
user2:x:507:

[root@server ~]# getent passwd 504 505
user2:x:504:506::...
[root@server ~]# getent group 506 507
user2:x:506:

ie what appears to happening is creating files on client as user1 (uid 504/gid 506) does not get translated before creation on the server. It is created as 504/506 on the server. This on the server is user2/user2, so it's returned to client wrong after that point.