[Samba] idmap allocation does not work Samba 3.4.7 on FC11
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Mar 16 20:08:23 MDT 2011
I have set up a Samba 3.4.7 on Fedora Core 11 Linux (this is the samba
version installed with "yum update"). This is a domain member server. The
PDC is a Samba 3.4.9 on Solaris 10.

Winbind is running.

I am trying to get idmap allocation working. The unix accounts for the
samba accounts are in LDAP, so they are actually consistent across all samba
machines. The man pages indicated that if I set

    winbind trusted domains only = no

in smb.conf, then samba should just map windows names to the unix names. I
do have trusts set up with other domains but those trusted domains can be
ignored on this server.

However, the man pages also indicate that idmap_nss is the new and
preferred way to handle this. It should map the Windows users to the
existing unix users, and not have to allocate new uid's.

Therefore I added the following lines to my smb.conf

    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN: range = 100-999999

(Unix UID's for network users start at 100.)

"wbinfo -u" does show the domain users. However, "getent passwd" does not
show the domain users. "idmap MYDOMAIN\\someuser" also does not return a
uid for the user. /var/lib/samba/winbindd_idmap.tdb does not have any
entries for the domain users.

To try to make this even simpler I tried setting up really basic idmap with
tdb backend

    idmap backend = tdb
    idmap uid = 1000000-2000000
    idmap gid = 1000000-2000000
    idmap alloc backend = tdb
    idmap config MYDOMAIN: backend = tdb
    idmap config MYDOMAIN: range = 1000000-2000000

I realize that if this works it will allocate uid's for the domain users
that do not match the unix uid's, but at least that would indicate that
uid's were being allocated by the idmap functionality. But no luck.

I even tried manually allocating a uid- the tdb file gets updated in the
# wbinfo -n MYDOMAIN\\someuser
S-1-5-21-xxxx-xxxx-xxxx-1121User (1)
# wbinfo --allocate-uid
New uid: 1000001
wbinfo --set-uid-mapping=1000000,S-1-5-21-xxxx-xxxx-xxxx-1121
uid 1000001 now mapped to sid S-1-5-21- xxxx-xxxx-xxxx -1121
# wbinfo -U 1000001
S-1-5-21-xxxx-xxxx-xxxx-1121
# wbinfo -S S-1-5-21-xxxx-xxxx-xxxx-1121
1000001
# id MYDOMAIN\\someuser
id: MYDOMAIN\\someuser: No such user
#tdbdump /var/lib/samba/winbindd_idmap.tdb
.
key(12) = "UID 1000001\00"
data(46) = "S-1-5-21-xxxx-xxxx-xxxx-1121\00"
.
key(46) = "S-1-5-21-xxxx-xxxx-xxxx-1121\00"
data(12) = "UID 1000001\00"
..

So it seems that Samba (winbind?) can NOT allocate unix id's to Windows
users.

It also seems that if I manually create them then Samba (Winbind?) can't read
them.

Help is appreciated.
Thanks
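
Added example, not part of the original post: a Python check over `tdbdump` output in the key/data record layout shown above, listing id mappings that lack the matching reverse record or fall outside an idmap range. The sample records, SIDs, ids and function names are constructed for illustration.

```python
import re

# Constructed sample in the post's tdbdump layout; SIDs, ids and helper names are made up.
SAMPLE_DUMP = r'''
key(12) = "UID 1000001\00"
data(29) = "S-1-5-21-1111-2222-3333-1121\00"
key(29) = "S-1-5-21-1111-2222-3333-1121\00"
data(12) = "UID 1000001\00"
key(12) = "GID 1000002\00"
data(28) = "S-1-5-21-1111-2222-3333-513\00"
key(8) = "UID 500\00"
data(29) = "S-1-5-21-1111-2222-3333-1122\00"
key(29) = "S-1-5-21-1111-2222-3333-1122\00"
data(8) = "UID 500\00"
'''

RECORD = re.compile(r'key\(\d+\) = "(.*?)\\00"\s*data\(\d+\) = "(.*?)\\00"')
UNIX_ID = re.compile(r'^([UG]ID) (\d+)$')


def parse_idmap_dump(text):
    """Return (id_to_sid, sid_to_id) from tdbdump text; other keys are skipped."""
    id_to_sid, sid_to_id = {}, {}
    for key, data in RECORD.findall(text):
        if UNIX_ID.match(key) and data.startswith("S-1-"):
            id_to_sid[key] = data
        elif key.startswith("S-1-") and UNIX_ID.match(data):
            sid_to_id[key] = data
    return id_to_sid, sid_to_id


def audit_idmap(text, low, high):
    """List mappings that lack a matching reverse record or fall outside low..high."""
    id_to_sid, sid_to_id = parse_idmap_dump(text)
    problems = []
    for unix_id, sid in sorted(id_to_sid.items()):
        if sid_to_id.get(sid) != unix_id:
            problems.append((unix_id, sid, "no matching SID -> id record"))
        if not low <= int(unix_id.split()[1]) <= high:
            problems.append((unix_id, sid, "outside configured range"))
    for sid, unix_id in sorted(sid_to_id.items()):
        if id_to_sid.get(unix_id) != sid:
            problems.append((unix_id, sid, "no matching id -> SID record"))
    return problems


if __name__ == "__main__":
    for problem in audit_idmap(SAMPLE_DUMP, 1000000, 2000000):
        print(*problem, sep=": ")
```

To run it against a real database, pass the text produced by `tdbdump /var/lib/samba/winbindd_idmap.tdb` and the range from smb.conf to `audit_idmap`.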