[Samba] IDMAP RID problems and documentation
John
jknappers-argentia at hotmail.com
Wed Dec 19 12:48:54 GMT 2007
Hello List,
After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use of the
new syntax for IDMAP, but I failed. Also, there is a lack of documentation on
how to use it. (Yes, there is a man page, but it contains limited explanation
and examples.)
What do I want? What (I think) a lot of people want:
I have two Samba domain members and a Windows 2003 DC without the R2 / SFU
schema extension, so I want to make use of the RID facility.
Same GID/UID mappings on all Samba servers in the domain, with support for
BUILTIN groups, and without installing schema extensions on the DC.
I assume that RID was designed for this scenario.
Can anyone assist me, and everyone on the list struggling with the same
problems, with how to properly configure SAMBA for this scenario?
The old syntax works, but lacks support for BUILT-IN groups, and gives the
following complaints in syslog:
Module '/usr/lib/samba/idmap/rid.so' initialization failed:
NT_STATUS_OBJECT_NAME_COLLISION
and:
lib/util_str.c:safe_strcpy_fn(659)
Dec 19 13:12:47 s-0009 winbindd[5454]: ERROR: string overflow by 1 (256 -
255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255) in safe_strcpy
[Added timed event "async_request_timeout": 8843878
The new syntax I tried:
idmap domains = DOMAIN-NL
idmap config DOMAIN:default = yes
idmap configDOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
# For BUILTIN GROUPS
idmap alloc backend = tdb
idmap alloc config:range = 800-999
After restarting samba/winbind, it fails after 2-3 minutes.
wbinfo -u and wbinfo -g work OK.
getent group also works OK, but getent passwd does not show domain users
anymore.
Leaving ADS, cleaning up all tdb's and rejoining ADS did not provide the
solution.
I also tried several other options, but all failed the same way:
idmap domains = BUILTIN, DOMAIN
idmap config DOMAIN:default = yes
idmap configDOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
idmap config BUILTIN:backend = tdb
idmap config BUILTIN:base_rid = 800
idmap config BUILTIN:range = 800-999
OS: CentOS 4.6
Samba version: CentOS/ RH 3.0.25b (with backported fixes from 3.0.28) and
samba 3.0.28
No nscd running
Snippet of /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
Full smb.conf
Global parameters
[global]
workgroup = DOMAIN-NL
security = ADS
netbiosname = s-0009-a
realm = CORP.DOMAIN.NL
server string = SAMBA DOOS
Loglevel = 10
interfaces = eth2 lo
bind interfaces only = yes
preferred master = no
domain master = no
allow trusted domains = no
winbind separator = /
# Officially supported old syntax
idmap backend = rid
idmap uid = 1000-1000000
idmap gid = 1000-1000000
# New syntax equivalent to pre-3.0.25 tdb
# idmap domains = DOMAIN-NL
# idmap config DOMAIN-NL:default = yes
# idmap config DOMAIN-NL:backend = tdb
# idmap configDOMAIN-NL:range = 1000 - 1000000
# idmap alloc backend = tdb
# idmap alloc config:range = 1000 - 1000000
# New syntax rid
# idmap domains = DOMAIN-NL
# idmap config DOMAIN-NL:default = yes
# idmap config DOMAIN-NL:backend = rid
# idmap config DOMAIN-NL:base_rid = 1000
# idmap config DOMAIN-NL:range = 1000-1000000
# idmap config BUILTIN:backend = tdb
# idmap config BUILTIN:base_rid = 800
# idmap config BUILTIN:range = 800-999
# idmap alloc backend = tdb
# idmap alloc config:range = 800-999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
template homedir = /home/domain-nl/%U
template shell = /bin/bash
wins server = 192.168.0.51
load printers = no
printing = cups
printcap name = cups
show add printer wizard = yes
use client driver = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes
printer admin = @"Domain Admins"
# Printer shares
[print$]
comment = Printer Driver Download Area
path = /var/lib/samba/drivers
browseable = yes
guest ok = yes
read only = no
write list = @ntadmin, @"Domain Admins", root
admin users = @"Domain Admins", @ntadmin, root, administrator, admin
[Homedirs]
comment = De gebruikers directories
path = /home/domain-nl/
force group = users
read only = No
create mask = 0644
hide dot files = Yes
hide unreadable = Yes
admin users = @"DOMAIN-NL/Domain Admins"
valid users = @"DOMAIN-NL/Domain Admins"
Regards,
John
The Netherlands
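
The following is an added example, not part of the original post and not Samba code: a small consistency check over `idmap` lines such as the ones quoted above, reporting lines that are not in the `idmap config DOMAIN:option = value` form, domains that are configured but not named in `idmap domains`, and overlapping ID ranges. The names `lint_idmap` and `parse_range` are hypothetical, and the checks make no claim about how winbindd itself treats such lines.

```python
import re
from itertools import combinations

# Constructed input: the first "new syntax" attempt quoted in the post.
SAMPLE = """\
idmap domains = DOMAIN-NL
idmap config DOMAIN:default = yes
idmap configDOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
idmap alloc backend = tdb
idmap alloc config:range = 800-999
"""

# Line form taken from the post's own lines (assumed to be the intended syntax).
CONFIG_RE = re.compile(r"^idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+)$")
ALLOC_RE = re.compile(r"^idmap alloc config\s*:\s*range\s*=\s*(.+)$")

def parse_range(text):
    low, high = (int(part) for part in text.split("-"))
    return low, high

def lint_idmap(conf):
    """Return findings for the idmap lines of an smb.conf fragment."""
    findings, listed, options, ranges = [], set(), {}, {}
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line[0] in "#;":
            continue  # skip blanks and commented-out settings
        cfg, alloc = CONFIG_RE.match(line), ALLOC_RE.match(line)
        if line.startswith("idmap domains"):
            listed = set(re.split(r"[,\s]+", line.split("=", 1)[1].strip()))
        elif cfg:
            dom, opt, val = cfg.groups()
            options.setdefault(dom, {})[opt] = val
            if opt == "range":
                ranges[dom] = parse_range(val)
        elif alloc:
            ranges["alloc"] = parse_range(alloc.group(1))
        elif line.startswith("idmap config"):
            findings.append(f"not in 'idmap config DOMAIN:option' form: {line}")
    for dom, opts in options.items():
        if dom not in listed:
            findings.append(f"{dom} is configured but not in 'idmap domains'")
        if "backend" not in opts:
            findings.append(f"{dom} has no backend line that parsed")
    for (a, ra), (b, rb) in combinations(ranges.items(), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:  # closed intervals intersect
            findings.append(f"ranges of {a} and {b} overlap")
    return findings
```

Calling `lint_idmap(SAMPLE)` returns three findings for the snippet above; the 800-999 and 1000-1000000 ranges do not overlap, so no range finding is reported.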