What I want to do:
I have a lot of Samba AD member servers, which should all have the same mapping of Domain Users (SIDs) to local UID/GID, so files with ACLs can be moved from one machine to another and still grant the access rights to the same users as on the other machine.

What I have:

idmap uid=1000-60000
idmap gid=1000-60000
winbind use default domain=no
winbind enum users=Yes
winbind enum groups=Yes
winbind nested groups=Yes
winbind nss info=template
winbind offline logon=True
security=Ads
passdb backend=tdbsam

This is working fine, but (of course) leads to nondeterministic UID/GID mappings.

So I want to change to RID - this is all I changed:

#idmap uid=1000-60000
#idmap gid=1000-60000
idmap domains=MYDOMAIN
idmap config MYDOMAIN:backend=rid
idmap config MYDOMAIN:base_rid=1000
idmap config MYDOMAIN:range=998 - 60000

(I have two manually mapped groups, thus starting the allowed range at 998)
I clear all TDB files and join the server from scratch to the domain.
This still works.

Then I look at
wbinfo -u
which shows all Domain users correctly.

Trouble already starts with
wbinfo -i MYDOMAIN\\dagobert
> Could not get info for user MYDOMAIN\\dagobert

The Domain Administrator can actually connect to the Samba server, but no other user can.
From the log, I retrieve a lot like this:

  Could not query gid for user MYDOMAIN\dagobert
[2008/04/08 11:12:34, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is MYDOMAIN\dagobert
[2008/04/08 11:12:34, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn GETPWNAM
[2008/04/08 11:12:34, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20573]: getpwnam MYDOMAIN\dagobert
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 15771
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 15771
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 15786
[2008/04/08 11:12:34, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
  winbindd_sid2gid_async: Resolving S-1-5-21-1214440339-113007714-839522115-513 to a gid
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 15786
[2008/04/08 11:12:34, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
  sid2gid returned an error

It looks as though conversion of SIDs to IDs is not correctly working.

# wbinfo -G 1000
S-1-5-21-1214440339-113007714-839522115-1002
# wbinfo -S S-1-5-21-1214440339-113007714-839522115-1002
Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to uid
# wbinfo -Y S-1-5-21-1214440339-113007714-839522115-1002
Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to gid
# wbinfo -R 1000
Domain: MYDOMAIN
    1000: TsInternetUser (User)

Manually added SIDs are actually working, so winbind is operational:

# wbinfo -Y S-1-5-13
998

So my questions are:
(1) Is idmap_rid suitable for what I want?
(2) Is idmap_rid working in 3.0.26a? Is there someone who got this working?
(3) Is there anything else I need to change in smb.conf when migrating as above?
(4) Is there some trick with compilation/configuration necessary? I have an Intel ARM Big Endian architecture and have the RID module statically linked (dynamic loading does not work on this architecture).

Kind regards and thanks for any advice or help,

Jens

P.S. testparm of smb.conf:

[global]
        dos charset = ISO-8859-1
        unix charset = ISO-8859-1
        display charset = ISO-8859-1
        workgroup = MYDOMAIN
        realm = MYDOMAIN.TEST
        server string = myserver
        interfaces = ixp0
        security = ADS
        allow trusted domains = No
        password server = sbs2000.mydomain.test
        private dir = /var/lib/adsamba/private
        passdb backend = tdbsam
        guest account = samba
        username map = /etc/cfg_user/usermap.ads
        log level = 6 winbind:10
        log file = /export/log/smblog.ad
        max log size = 0
        name resolve order = wins bcast host
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        show add printer wizard = No
        preferred master = No
        local master = No
        domain master = No
        wins server = 192.168.1.4
        lock directory = /var/lib/adsamba
        idmap domains = MYDOMAIN
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind offline logon = Yes
        ldapsam:trusted = No
        idmap config MYDOMAIN:range = 998 - 60000
        idmap config MYDOMAIN:base_rid = 1000
        idmap config MYDOMAIN:backend = rid
        ea support = Yes

[shared]
        comment = ACL shared folder
        path = /export/shared
        read only = No
        create mask = 0777
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        map acl inherit = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        dos filemode = Yes
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
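Editor's note, added here and not part of Jens's post: idmap_rid maps a SID to a Unix id as id = rid - base_rid + low_id, and back as rid = id - low_id + base_rid, and reports any result outside the configured range as unmapped. The script below, constructed for this page, runs that arithmetic over the values in the post: base_rid = 1000, range 998 - 60000, the domain SID from the wbinfo output, and a small sample of RIDs (1000 and 1002 appear in the post; the well-known Administrator 500 and Domain Users 513 are assumed for the sample). It reproduces `wbinfo -G 1000` returning RID 1002, and shows that Domain Users (RID 513), the group winbind is trying to resolve in the quoted log, sits below base_rid and so cannot be mapped at all; it also shows RID 1000 landing on id 998, the number reserved for a manually mapped group. The alternative configuration in the script (base_rid = 0, range 1000 - 60000) is an illustration chosen so that the well-known RIDs map and the range starts above the two hand-mapped ids; it is not something the post recommends. The arithmetic alone does not explain why `wbinfo -S` on RID 1002 fails in the post; that question stays open here.

```python
import re

# Values copied from the smb.conf and wbinfo output in the post above.
DOMAIN_SID = "S-1-5-21-1214440339-113007714-839522115"
POSTED_CONFIG = {"base_rid": 1000, "range": "998 - 60000"}

# Assumed alternative for illustration (not from the post): no RID rebasing,
# and a range starting above the two manually mapped ids (998 and below).
ALTERNATIVE_CONFIG = {"base_rid": 0, "range": "1000 - 60000"}

# Constructed sample. 1000 and 1002 are visible in the post's wbinfo output;
# 500 and 513 are the well-known Administrator and Domain Users RIDs.
SAMPLE_RIDS = {
    "Administrator": 500,
    "Domain Users": 513,
    "TsInternetUser": 1000,   # wbinfo -R 1000 in the post
    "rid-1002": 1002,         # wbinfo -G 1000 in the post
}


def parse_range(text):
    """Parse 'low - high' as written in an idmap config line."""
    low, high = (int(part) for part in text.split("-"))
    if low > high:
        raise ValueError("range low > high: %s" % text)
    return low, high


def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if m is None:
        raise ValueError("not a domain SID: %s" % sid)
    return int(m.group(1))


def rid_to_id(rid, config):
    """idmap_rid sid_to_id: id = rid - base_rid + low_id, filtered to the range.
    Samba does this in unsigned 32-bit arithmetic, so a RID below base_rid wraps
    to a huge value and is filtered out; returning None reproduces that result."""
    low, high = parse_range(config["range"])
    xid = rid - config["base_rid"] + low
    if xid < low or xid > high:
        return None
    return xid


def id_to_rid(xid, config):
    """idmap_rid id_to_sid: rid = id - low_id + base_rid, only for ids in range."""
    low, high = parse_range(config["range"])
    if xid < low or xid > high:
        return None
    return xid - low + config["base_rid"]


def sid_to_id(sid, config):
    """Map a full SID; idmap_rid only handles SIDs of the configured domain."""
    if not sid.startswith(DOMAIN_SID + "-"):
        return None
    return rid_to_id(rid_of(sid), config)


def unmappable(config, rids=SAMPLE_RIDS):
    """Names in the sample whose RID has no id under this config."""
    return sorted(name for name, rid in rids.items() if rid_to_id(rid, config) is None)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("alternative", ALTERNATIVE_CONFIG)):
        print(label, {name: rid_to_id(rid, cfg) for name, rid in SAMPLE_RIDS.items()})
        print("  unmappable:", unmappable(cfg))
```

Run it against any other `base_rid`/`range` pair before changing smb.conf: every RID that winbind must resolve (at least the primary group of every user) has to produce an id inside the range, and no computed id may land on a number already handed out by hand.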