simo wrote:
> On Tue, 2008-09-09 at 15:52 +0100, Hari Sekhon wrote:
> > Hi,
> > I've noticed a discrepancy between Samba Version 3.0.28a and Version
> > 3.0.24 in relation to Winbind rid idmap and trusted domains behaviour.
> > I have an environment with 2 domains linked via a trust, an Active
> > Directory domain and an NT4 domain. On 3.0.24 the rid backend seems to
> > work fine, but on 3.0.28a it shows OTHERDOMAIN\domain admins instead of
> > the primary domain's domain admins in uid/name mapping on files.
> > Below is a relevant snippet of the identical samba configuration on both
> > machines:
> > allow trusted domains = no
> > idmap backend = rid
> > idmap config PRIMARYDOMAIN:range = 10000-19999
> > idmap config OTHERDOMAIN:range = 20000-29999
> > idmap gid = 10000-30000
> > idmap uid = 10000-30000
>
> Hari, this is not, as is, a valid configuration for either version, is
> this the full configuration used?
>
> > Testparm confirms that allow trusted domains is set to No, so it seems
> > that 3.0.28a does not respect the fact that trusted domains are not
> > supposed to be allowed at all? This seems to break the way the rid
> > backend works of course as there is a rid clash with the other domain.
>
> Allow trusted domains = no controls only authentication/access to the
> service not id resolution.
>
> > This output from wbinfo --group-info shows the name clash:
> > domain admins:x:10512
> > OTHERDOMAIN\domain admins:x:10512
> > Can anyone offer any advice on what to do about this?
> > I am running 3.0.24 on Debian Etch and 3.0.28a on Gentoo, for which
> > those are the latest stable versions packaged for the systems. I have
> > tried 3.0.32 and the problem seems to occur there too. Is this a bug
> > that has crept in after 3.0.24?
>
> If that is the configuration you use, it seems more like a configuration
> error.
> Simo.

It's not the entire configuration, obviously; I have left out lots of
implicit options like security = ads etc., but I have been playing with
using the rid idmap backend for unified id mapping across systems as
mentioned in the samba official documentation (as it means I don't have
to change my pre-R2 2003 Active Directory).

Testparm does not show any config error; the options are valid and
appear in the global section of the dump of service configurations as
accepted.

This works absolutely as expected on 3.0.24 so far, but on 3.0.28a and
3.0.32 it seems a touch broken because of the cross-domain id
collision.
-h
--
Hari Sekhon
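
A check for the clash shown in the wbinfo output above, added here as an example and not part of the thread or of Samba: it parses group lines in the posted `name:x:gid` format and flags GIDs shared by more than one group, plus GIDs outside the per-domain range from the posted config. It assumes unqualified names belong to PRIMARYDOMAIN; the function names and the two "domain users" sample lines are constructed for illustration.

```python
from collections import defaultdict

# Per-domain ranges copied from the posted smb.conf snippet.
RANGES = {"PRIMARYDOMAIN": (10000, 19999), "OTHERDOMAIN": (20000, 29999)}
DEFAULT_DOMAIN = "PRIMARYDOMAIN"  # assumption: unqualified names are the primary domain

# First two lines are the output quoted in the post; the last two are constructed.
SAMPLE = r"""
domain admins:x:10512
OTHERDOMAIN\domain admins:x:10512
domain users:x:10513
OTHERDOMAIN\domain users:x:20513
"""

def parse_groups(text):
    """Yield (domain, group, gid) from name:passwd:gid[:members] lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank and malformed lines
        domain, sep, group = fields[0].rpartition("\\")
        yield (domain if sep else DEFAULT_DOMAIN), group, int(fields[2])

def audit(text, ranges=RANGES):
    """Return (collisions, out_of_range) found in a group listing."""
    by_gid = defaultdict(set)
    out_of_range = []
    for domain, group, gid in parse_groups(text):
        by_gid[gid].add((domain, group))
        low, high = ranges.get(domain, (None, None))
        if low is None or not low <= gid <= high:
            out_of_range.append((domain, group, gid))
    # A GID owned by more than one group means file ACLs cannot tell them apart.
    collisions = {g: sorted(n) for g, n in by_gid.items() if len(n) > 1}
    return collisions, out_of_range

if __name__ == "__main__":
    collisions, stray = audit(SAMPLE)
    for gid, names in collisions.items():
        print(f"GID {gid} is shared by: " + ", ".join(f"{d}\\{g}" for d, g in names))
    for domain, group, gid in stray:
        print(f"{domain}\\{group} has GID {gid}, outside the configured range")
```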