That fixed it thanks,

>> Er, btw, can it be that "KPAK" should actually read "DOMAIN" in
>> the first section? ;-)

Yep typo on my part I was trying different configs and made that error.

3.5
> wbinfo -n DOMAIN+gregorcy
> S-1-5-21-3579845861-693198353-1953747050-2433 SID_USER (1)

3.0.37
> wbinfo -n CHEMENG+gregorcy
> S-1-5-21-3579845861-693198353-1953747050-2433 User (1)

Works :)

Thanks for the help,

--Brian

On 11/10/10 14:38, Michael Adam wrote:
> Hi Brian,
>
> the id mapping configuration has changed (again) between 3.2 and
> 3.3. The "idmap domains" setting has vanished.
>
> Could you try and use the id mapping config from your 3.0 setup,
> i.e. simply this
>
>>> idmap backend = rid:KPAK=500-100000000
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>
> instead of this:
>
>>> idmap domains = default, domain.utah.edu
>>> idmap config default: default = yes
>>> idmap config domain.utah.edu: range = 500-100000000
>>> idmap config domain.utah.edu: backend = ad
>>> idmap alloc backend = tdb
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>
> Er, btw, can it be that "KPAK" should actually read "DOMAIN" in
> the first section? ;-)
>
> Then, for debugging, please paste the output of
> "wbinfo -n DOMAIN+gregorcy"
> It should list the sid of gregorcy. I expect the rid to be 2433.
>
> What I think happened is that your 3.5 config fell back to
> tdb id mapping because the domain "DOMAIN" did not match the
> domain name "domain.utah.edu" that you gave in the idmap config...
>
> The recommended setting would be to have a tdb backend default
> idmap range and explicit and disjoint ranges with rid backend for various
> domains like this:
>
> idmap backend = tdb
> idmap uid = 100000-199999
> idmap gid = 100000-199999
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 200000-299999
>
> (see man idmap_rid)
>
> But you should not change your config in that way
> if you are updating a production server, since it
> would change the uids/gids that users are accessing the
> disk with, and so, permissions and ownerships would be broken.
>
> Hope this helps,
>
> Michael
>
> gregorcy wrote:
>> Hi,
>>
>> I am hoping someone can point out what I am doing wrong, I am upgrading
>> samba from 3.0.37 to 3.5.6 and running into
>> trouble with idmapping using ADS security. I have multiple linux boxes
>> running 3.0.37 and when I execute getent passwd
>> I get:
>>
>> # getent passwd DOMAIN+gregorcy
>> gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash
>>
>> on all the boxes running 3.0.37.
>>
>> On my new box running 3.5.6 I get:
>>
>> # getent passwd DOMAIN+gregorcy
>> gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash
>>
>>
>> Which is not what I had hoped for. Both machines are joined to my domain
>> and allow me to ssh into them using my AD
>> cred, just the uid & gid are not lining up.
>>
>> My 3.0.37 smb.conf
>>
>>> [global]
>>> workgroup = DOMAIN
>>> netbios name = harley
>>> realm = DOMAIN.UTAH.EDU
>>> server string = harley
>>> security = ADS
>>> preferred master = no
>>> client use spnego = yes
>>> server signing = auto
>>> encrypt passwords = yes
>>> nt acl support = yes
>>> acl map full control = yes
>>> socket options = TCP_NODELAY SO_RCVBUF=8192
>>> SO_SNDBUF=8192
>>> template shell = /bin/false
>>> password server = *
>>> log level = 3
>>> log file = /var/log/samba/%m
>>> max log size = 100
>>> preferred master = No
>>> dns proxy = No
>>> wins server = 192.168.1.100 192.168.1.101
>>> winbind cache time = 0
>>> winbind nested groups = yes
>>> allow trusted domains = No
>>> idmap backend = rid:KPAK=500-100000000
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>>> template shell = /bin/bash
>>> winbind use default domain = Yes
>>> winbind separator = +
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> obey pam restrictions = yes
>>
>>
>>
>> My 3.5.6 smb.conf
>>
>>
>>> [global]
>>> workgroup = DOMAIN
>>> netbios name = vwww3
>>> realm = DOMAIN.UTAH.EDU
>>> server string = web3
>>> security = ADS
>>> preferred master = no
>>> client use spnego = yes
>>> server signing = auto
>>> encrypt passwords = yes
>>> nt acl support = yes
>>> acl map full control = yes
>>> wide links = no
>>> password server = *
>>> log level = 3
>>> log file = /var/log/samba/%m
>>> max log size = 100
>>> wins server = 192.168.1.100 192.168.1.101
>>> winbind offline logon = yes
>>> idmap domains = default, domain.utah.edu
>>> idmap config default: default = yes
>>> idmap config domain.utah.edu: range = 500-100000000
>>> idmap config domain.utah.edu: backend = ad
>>> idmap alloc backend = tdb
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>>> winbind separator = +
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = yes
>>> winbind nested groups = yes
>>> client ntlmv2 auth = yes
>>> encrypt passwords = yes
>>> template shell = /bin/bash
>>> allow trusted domains = yes
>>
>>
>>
>>
>> Thanks for any help,
>>
>> Brian Gregorcy
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
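An added example, not part of the original thread: a small Python check for the two points Michael raises, an "idmap config" section whose name does not match the workgroup, and the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID, per man idmap_rid) that decides the resulting uid. The function names and the trimmed sample config are constructed for illustration; a section for a trusted domain would also be listed by the name check.

```python
import re

# Constructed sample: the idmap-related lines of the 3.5.6 smb.conf quoted in the thread.
SMB_CONF_35 = """\
[global]
workgroup = DOMAIN
realm = DOMAIN.UTAH.EDU
idmap domains = default, domain.utah.edu
idmap config default: default = yes
idmap config domain.utah.edu: range = 500-100000000
idmap config domain.utah.edu: backend = ad
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_idmap(conf_text):
    """Return (workgroup, {domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf_text.splitlines():
        if (m := WORKGROUP_RE.match(line)):
            workgroup = m.group(1)
        elif (m := IDMAP_RE.match(line)):
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains


def unmatched_domains(conf_text):
    """idmap config sections that set a backend but are not named after the workgroup."""
    workgroup, domains = parse_idmap(conf_text)
    return [d for d, opts in domains.items()
            if "backend" in opts and d.lower() != (workgroup or "").lower()]


def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    print("sections not matching workgroup:", unmatched_domains(SMB_CONF_35))
    print("RID 2433, range 500-100000000:", rid_to_id(2433, 500, 100000000))
    print("RID 2433, range 200000-299999:", rid_to_id(2433, 200000, 299999))
```

With the 3.0.37 range, RID 2433 maps to 2933, the uid in the getent output from the old boxes; under the 200000-299999 range the same RID maps to 202433, which is the ownership change Michael warns about for production servers.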
