Text-base idmap backend module for samba 3.0.2a

Jamil Amir-ajamil01 M.A.Jamil at motorola.com
Mon Jul 19 08:53:50 GMT 2004


Thanks Phil

There are too many problems I am currently facing; the following is the configuration I am using for samba:

[global]
   workgroup = MYDOMAIN
   server string = Samba Server
   security = domain
   encrypt passwords = yes
   allow trusted domains = yes

   add user script = /usr/sbin/useradd -g smbusers %u
   delete user script = /usr/sbin/userdel %u
   add group script = /usr/sbin/groupadd %g 
   delete group script = /usr/sbin/groupdel %g 
   add user to group script = /usr/sbin/usermod -G %g %u 

Question 1)
-------------
The above add/delete user/group scripts are not working. I want to add/delete users which are not in the Unix domain automatically after applying permissions from Windows, but it is not creating them.

   log file = /opt/samba/var/log.%m
   log level = 0 
   max log size = 50
   password server = DC1 DC2
   passdb backend = tdbsam
   socket options = TCP_NODELAY
   interfaces = 192.168.1.100/255.255.255.0
   bind interfaces only = yes
   netbios name = ABC
   local master = no
   wins support = no
   wins server = 192.168.1.150
   dns proxy = no

   username map = /opt/samba/var/smbusers

Question 2)
-------------
While winbind is in use (/etc/nsswitch.conf has a winbind entry) it seems not to be reading the "username map" file...?
   

   winbind use default domain = Yes
   idmap uid = 10000-55000
   idmap gid = 10000-55000
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   winbind cache time = 60
 
[VAR-test]
        path = /var/test
        comment = Test share
        read only = No
        nt acl support =  Yes
        map hidden = no
        map archive = no
        map system = no
        oplocks = No
        level2 oplocks = No
        create mode = 0644
        directory mode = 0755


From the Unix side, this is how the file/directory permissions look:

ABC> getfacl testdir/

# file: testdir/
# owner: myid
# group: mygroup
user::rwx
user:10001:r-x          #effective:r-x
group::r-x              #effective:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:10001:r-x
default:group::---
default:mask:rwx
default:other:---


In the above "user:10001:r-x", I gave the permissions from Windows to a valid NIS user; winbind was not able to find this user and gave it UID 10001.


Would you please let me know what is wrong in the above configuration file?

Thanks again
Amir


-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: 17 July 2004 14:32
To: samba-technical at lists.samba.org
Cc: Jamil Amir-ajamil01; Simo Sorce
Subject: Re: Text-base idmap backend module for samba 3.0.2a


On Fri, Jul 16, 2004 at 05:13:45PM +0200, Simo Sorce wrote:
> Sorry I haven't understood fully, anyway I think you're addressing the
> problem from the wrong point of view.
> 
> winbind is for use in setups that don't use NIS and where allocation
> is dynamic. If you have users on NIS then you do not need winbindd.

I don't believe that's true; winbind serves functions *other* than just
the nss and pam modules. This is a common problem, and more
documentation-related. The issue as I explained it to a colleague is:

Winbind thinks the user is "DOMAIN\user", can't find that in the
existing "password" database (be it files, NIS, or LDAP) and allocates a
new uid

I think the poster wants the:

   winbind trusted domains only = yes

...parameter. I'm assuming he's got:

windows:
  domain1:
    userA
  domain2:
    userB

NIS:
  domainX:
    userA (same user as DOMAIN1\userA)
    userB (same user as DOMAIN2\userB)

The winbind parameter above makes this setup work correctly, and
arguably should be the default since I'm assuming if it *fails* to find
the UID in the password database it'll still allocate a UID.

[Checks; Hmm. No, it doesn't]

Incidentally, I would have thought "winbind use default domain = yes"
would also be required *if* the nss and pam modules were being used e.g.
for SSH/FTP etc.

Finally, I found I needed to delete the winbind.*.tdb files to make this
change "work" - is this expected?

Of course, if his NIS users have different names than the windows users
he will *also* need the "username map", as you pointed out.

> 
> Simo.
> 
> On Fri, 2004-07-16 at 16:31, Jamil Amir-ajamil01 wrote:
> > Thanks Simo,
> > 
> > Is it possible I can resolve the following problem without using this patch.
> > 
> > The problem is with winbind and NIS accounts (mixed accounts, same as and different from the windows domain, and also trusted domain users).
> > 
> > Currently if I give permission from windows and check from Unix, it appears to be given a new UID (10001) from winbind; in fact the account is a valid NIS account in Unix. I think it should map windows accounts to the same Unix accounts. If the Unix account is different from windows then it should check a static mapping file. The same goes for the group mapping too.
> > 
> > Also we are not using LDAP.
> > 
> > Thanks in advance for your help.
> > 
> > Regards
> > Amir
> > 
> > 
> > -----Original Message-----
> > From: Simo Sorce [mailto:idra at samba.org]
> > Sent: 16 July 2004 10:12
> > To: Volker Lendecke
> > Cc: Jamil Amir-ajamil01; samba-technical at lists.samba.org
> > Subject: Re: Text-base idmap backend module for samba 3.0.2a
> > 
> > 
> > Someone posted it on samba-technical a few months ago, you should be
> > able to find it in the archives.
> > 
> > I thought about adding it in our official trees, but then avoided that as
> > it is inefficient and idmapping is not meant to be touched by admins
> > anyway, so I find no meaning in using a human readable/writable format
> > (and still you can do that with ldap :-/).
> > 
> > Simo.
> > 
> > On Thu, 2004-07-15 at 12:47, Volker Lendecke wrote:
> > > On Thu, Jul 15, 2004 at 11:21:22AM +0100, Jamil Amir-ajamil01 wrote:
> > > > I am looking for a Text-based idmap backend module for samba 3.0.2a, could
> > > > somebody please send it to me or let me know if it is posted somewhere.
> > > 
> > > I'm not aware of such a thing. This would be horrendously inefficient. Maybe
> > > the commands 'net idmap dump' and 'net idmap restore' help you?
> > > 
> > > Volker
> -- 
> Simo Sorce    -  idra at samba.org
> Samba Team    -  http://www.samba.org
> Italian Site  -  http://samba.xsec.it
> 

-- 

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+
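Phil's diagnosis above (winbind cannot match DOMAIN\user in the existing password database, so it allocates a fresh uid from the idmap range) shows up exactly as Amir's "user:10001:r-x" ACL entry. The following is an added example, not code from the thread or from Samba: a POSIX shell check that parses getfacl output and flags numeric ACL entries inside the configured idmap uid range (10000-55000 here) that have no passwd record, so an admin can audit a share for files already stamped with allocated ids before fixing the mapping. The getfacl and passwd data are constructed inline and the function name is hypothetical.

```shell
# Constructed getfacl output, copying the entry shape shown in the thread.
SAMPLE_ACL='# file: testdir/
# owner: myid
# group: mygroup
user::rwx
user:10001:r-x          #effective:r-x
group::r-x              #effective:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:10001:r-x
default:group::---'

# Constructed passwd-style records standing in for "getent passwd" (files + NIS).
SAMPLE_PASSWD='myid:x:501:501:My Id:/home/myid:/bin/sh
nisuser:x:502:502:NIS User:/home/nisuser:/bin/sh'

# flag_idmap_entries ACL_TEXT PASSWD_TEXT LOW HIGH   (hypothetical helper)
# Prints every "user:<uid>" or "default:user:<uid>" ACL entry whose numeric
# uid falls inside the winbind idmap range [LOW, HIGH] and has no passwd
# record: an id winbind allocated instead of resolving the existing account.
flag_idmap_entries() {
    printf '%s\n' "$2" | awk -F: -v acl="$1" -v low="$3" -v high="$4" '
        NF >= 3 { known[$3] = 1 }              # uid field of each passwd record
        END {
            n = split(acl, lines, "\n")
            for (i = 1; i <= n; i++) {
                line = lines[i]
                sub(/[ \t]*#.*$/, "", line)    # strip "#effective:" annotations
                split(line, f, ":")
                off = (f[1] == "default") ? 1 : 0
                if (f[1 + off] != "user" || f[2 + off] !~ /^[0-9]+$/) continue
                uid = f[2 + off]
                if (uid + 0 >= low + 0 && uid + 0 <= high + 0 && !(uid in known))
                    print line
            }
        }'
}

# Live use on the share from the thread would be:
#   flag_idmap_entries "$(getfacl -R /var/test)" "$(getent passwd)" 10000 55000
flag_idmap_entries "$SAMPLE_ACL" "$SAMPLE_PASSWD" 10000 55000
```

The two lines it prints are the ones to re-own once "winbind trusted domains only" (or the username map) makes winbind resolve the NIS account instead of allocating an id.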

