[Samba] samba 3.4 and 3.5 bug or misconfig: why is idmap uid and idmap gid needed for an AD only idmap config?

Dietrich Streifert dietrich.streifert at visionet.de
Fri Oct 29 09:21:43 MDT 2010 

Hello list,

I'm currently struggling in creating a running config for  samba 3.4.9 
and 3.5.6 on solaris 9

(active directory on windows 2003 R2 SP2 with rfc2307 schema extension, 
openssl
0.9.8o, libiconv 1.13.1, heimdal 1.4, cyrus-sasl 2.1.23, openldap 2.4.23)

The relevant part in smb.conf is in

[global]
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind expand groups = 3
         winbind nss info = rfc2307

         idmap backend = tdb

         idmap config DOMAIN:readonly = yes
         idmap config DOMAIN:backend = ad
         idmap config DOMAIN:default = yes
         idmap config DOMAIN:schema_mode = rfc2307
         idmap config DOMAIN:range = 1-65535

         idmap uid = 65536 - 65537
         idmap gid = 65536 - 65537

The setup basicly works, but some group ids are spotted into the group 
list which do not belong to gid numbers in AD. This seems to happen for 
users being members in nested groups while some of the groups have gid 
numbers assigned in AD and some group don't.

A given user (testuser) is in 3 groups and additionally in the group 
domain-users. domain-users is member of four other groups without a gid 
number assigned.

After su to testuser it depends on how id is called:

srv{testuser}[/home/testuser]: id -a
uid=10309(testuser) gid=11007(testgroup) 
groups=11007(testgroup),65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)
srv{testuser}[/home/testuser]: id -a testuser
uid=10309(testuser) gid=11007(testgroup) 
groups=10010(domain-users),11008(testgroup2),11008(testgroup2),11009(testgroup3),11009(testgroup3)

The additional ids show up as group id 65536 and 65537 in "id -a" but 
not in "id -a testuser".

Retreiving the groups of the user testuser via wbinfo -r gives:

./wbinfo -r testuser
11007
65536
65537
10010
11009
11008

also showing the non existing ad group ids (65536,65537) which 
correspond to the settings in "idmap uid" and "idmap gid".

I think the idmap default tdb backend is trying to map somehow ids to 
the groups which do not have gid numbers assigned in AD.

So how can I get rid of this unwanted mappings? Why do they occus

Any help would be great!.

Regards...

-- 
Mit freundlichen Grüßen
Dietrich Streifert
--
Visionet GmbH
Firmensitz: Am Weichselgarten 7, 91058 Erlangen
Registergericht: Handelsregister Fürth, HRB 6573
Geschäftsführer: Stefan Lindner

More information about the samba mailing list