Text-base idmap backend module for samba 3.0.2a

Jamil Amir-ajamil01 M.A.Jamil at motorola.com
Mon Jul 19 12:58:06 GMT 2004


Thanks again Phil,

># Find a users SID
>wbinfo -n username
># Can winbind turn the SID back into a name and a UID?
>wbinfo -s S-THE-SID-FROM-ABOVE
>wbinfo -S S-THE-SID-FROM-ABOVE

wbinfo is resolving correct SID to UID or UID to SID, but wbinfo -u is hanging.

There is little improvement that winbind is putting correct UIDs for those users who are in NIS unix domain. But now i want a trusted user and none Unix should automatically get created and assigned permissions on file/directory when we modify ACLs from windows.

Also if the windows UID is different from Unix UID then check mapping file.

ABC> getfacl testdir/

# file: testdir/
# owner: myid
# group: mygroup
user::rwx
user:NISuser1:r-x               #effective:r-x
user:NISuser2:r-x               #effective:r-x
user:10000:r-x          #effective:r-x
group::r-x              #effective:r-x
mask:rwx
other:r-x
default:user::rwx
default:user:NISuser1:r-x
default:user:NISuser2:r-x
default:user:10000:r-x    
default:group::---
default:mask:rwx
default:other:---

Where 10000 is a trusted user and it does not have Unix ID, I want if user is not in Unix, either coming from trusted domain or local windows domain then create corresponding Unix local account OR if the windows UID is different from Unix UID then user mapping file.

Another issue has just started now, The smb process seam to be hanging now and stopped responding when I am trying to add users into permissions from windows. The following error I can see in log.smb file.

 Copyright Andrew Tridgell and the Samba Team 1992-2004
2004/07/19 12:09:24, 0] smbd/server.c:open_sockets_smbd(377)
 open_sockets_smbd: accept: Software caused connection abort
2004/07/19 13:30:27, 0] lib/util_sock.c:set_socket_options(160)
 Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
2004/07/19 13:30:27, 0] lib/util_sock.c:set_socket_options(160)
 Failed to set socket option TCP_NODELAY (Error Invalid argument)
2004/07/19 13:30:27, 0] lib/util_sock.c:get_peer_addr(952)
 getpeername failed. Error was Transport endpoint is not connected



Thanks
Amir



-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: 19 July 2004 10:26
To: Jamil Amir-ajamil01
Cc: samba-technical at lists.samba.org
Subject: Re: Text-base idmap backend module for samba 3.0.2a


On Mon, Jul 19, 2004 at 09:53:50AM +0100, Jamil Amir-ajamil01 wrote:
> Thanks Phil
> 
> There are too many problems currently I am facing, the following configuration I am using for samba:-
> 
> [global]
>    workgroup = MYDOMAIN
>    server string = Samba Server
>    security = domain
>    encrypt passwords = yes
>    allow trusted domains = yes
> 
>    add user script = /usr/sbin/useradd -g smbusers %u
>    delete user script = /usr/sbin/userdel %u
>    add group script = /usr/sbin/groupadd %g 
>    delete group script = /usr/sbin/groupdel %g 
>    add user to group script = /usr/sbin/usermod -G %g %u 
> 
> Question 1)
> -------------
> The above add/delete user/group script is not working. I want to add/delete user which are not in Unix domain automatically after applying permissions from windows, but it is not creating.
> 

If you're using winbind in /etc/nssswitch.conf, you could have winbind
"create" new accounts automatically by just presenting them in the
password map (that won't *do* anything, like create a homedirectory
though). The relevant option is:

  winbind enable local accounts = yes

...and that's the *default* - i.e. by default, winbind *will* put
unknown users into the password map via the nss plugin - so your
useradd/del scripts are failing because of the username already
existing, at a guess. Set this to "no" and see if that helps.

>    log file = /opt/samba/var/log.%m
>    log level = 0 
>    max log size = 50
>    password server = DC1 DC2
>    passdb backend = tdbsam
>    socket options = TCP_NODELAY
>    interfaces = 192.168.1.100/255.255.255.0
>    bind interfaces only = yes
>    netbios name = ABC
>    local master = no
>    wins support = no
>    wins server = 192.168.1.150
>    dns proxy = no
> 
>    username map = /opt/samba/var/smbusers
> 
> Question 2)
> -------------
> While winbind is in use (/etc/nsswitch.conf has winbind entry) it seams to be not reading "username map" file .....?

I don't use "username map" so I'm not certain. What does this set of
commands do:

# Find a users SID
wbinfo -n username
# Can winbind turn the SID back into a name and a UID?
wbinfo -s S-THE-SID-FROM-ABOVE
wbinfo -S S-THE-SID-FROM-ABOVE

>    
> 
>    winbind use default domain = Yes
>    idmap uid = 10000-55000
>    idmap gid = 10000-55000
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind separator = +
>    winbind cache time = 60
>  
> [VAR-test]
>         path = /var/test
>         comment = Test share
>         read only = No
>         nt acl support =  Yes
>         map hidden = no
>         map archive = no
>         map system = no
>         oplocks = No
>         level2 oplocks = No
>         create mode = 0644
>         directory mode = 0755
> 
> 
> From Unix side if I see how file/directory permissions looks like:-
> 
> ABC> getfacl testdir/
> 
> # file: testdir/
> # owner: myid
> # group: mygroup
> user::rwx
> user:10001:r-x          #effective:r-x
> group::r-x              #effective:r-x
> mask:rwx
> other:r-x
> default:user::rwx
> default:user:10001:r-x
> default:group::---
> default:mask:rwx
> default:other:---
> 
> 
> In above "user:10001:r-x", I gave the permissions from windows to a valid NIS user and winbind did not able to find this user and gave 10001 UID.

Yep, this sounds familiar. Did you delete the /var/cache/winbind.*.tdb
files - I don't know if you *should* have to do that, but I did (and
then restart winbind) for this to work.

The only difference I can see between your config and mine (which
definitely works) is you have:

  winbind use default domain = Yes

...and I have:

  winbind trusted domains only = yes

The two options do different things, but I think you need this latter on
for it it work; and I *think* changing this option is what requires
emptying the winbind cache .tdb files.

If any of the samba team are reading, a table of the options for winbind
etc. and their effects would be a welcome thing. These seem to be very
common questions.

> 
> 
> Would you please let me know what is wrong in above configuration file.
> 
> Thanks again
> Amir
> 
> 
> -----Original Message-----
> From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
> Sent: 17 July 2004 14:32
> To: samba-technical at lists.samba.org
> Cc: Jamil Amir-ajamil01; Simo Sorce
> Subject: Re: Text-base idmap backend module for samba 3.0.2a
> 
> 
> On Fri, Jul 16, 2004 at 05:13:45PM +0200, Simo Sorce wrote:
> > Sorry I haven't understood fully, anyway I think you're addressing the
> > problem from the wrong point of view.
> > 
> > winbind is for use in setups that doesn't use NIS and where allocation
> > is dynamic. if you have users on NIS the you do not need winbindd.
> 
> I don't believe that's true; winbind serves functions *other* than just
> the nss and pam modules. This is a common problem, and more
> documentation related. The issue as I explained it to a colleague is:
> 
> Winbind thinks the user is "DOMAIN\user", can't find that in the
> existing "password" database (be it files, NIS, or LDAP) and allocates a
> new uid
> 
> I think the poster wants the:
> 
>    winbind trusted domains only = yes
> 
> ...parameter. I'm assuming he's got:
> 
> windows:
>   domain1:
>     userA
>   domain2:
>     userB
> 
> NIS:
>   domainX:
>     userA (same user as DOMAIN1\userA)
>     userB (same user as DOMAIN2\userB)
> 
> The winbind parameter above makes this setup work correctly, and
> arguably should be the default since I'm assuming if it *fails* to find
> the UID in the password it'll still allocate a UID.
> 
> [Checks; Hmm. No, it doesn't]
> 
> Incidentally, I would have thought "winbind use default domain = yes"
> would also be required *if* the nss and pam modules were being used e.g.
> for SSH/FTP etc.
> 
> Finally, I found I needed to delete the winbind.*.tdb files to make this
> change "work" - is this expected?
> 
> Of course, if his NIS users have different names than the windows users
> he will *also* need the "username map", as you pointed out.
> 
> > 
> > Simo.
> > 
> > On Fri, 2004-07-16 at 16:31, Jamil Amir-ajamil01 wrote:
> > > Thanks Simo,
> > > 
> > > Is it possible I can resolve the following problem without using this patch.
> > > 
> > > The problem with winbind and NIS accounts( mix accounts same and different from windows domain and also trusted domain users).
> > > 
> > > Currently if I give permission from windows and check from Unix, it appears to be given a new UID's (10001) from winbind, infect the account is a valid NIS account in Unix. I think it should map windows accounts with the same Unix accounts. If the Unix account is different from windows then it should check static mapping file. Same for the groups mapping too.
> > > 
> > > Also we are not using LDAP.
> > > 
> > > Thanks in advance for your help.
> > > 
> > > Regards
> > > Amir
> > > 
> > > 
> > > -----Original Message-----
> > > From: Simo Sorce [mailto:idra at samba.org]
> > > Sent: 16 July 2004 10:12
> > > To: Volker Lendecke
> > > Cc: Jamil Amir-ajamil01; samba-technical at lists.samba.org
> > > Subject: Re: Text-base idmap backend module for samba 3.0.2a
> > > 
> > > 
> > > Someone posted it on samba-techinical a few months ago, you should be
> > > able to find it out in the archives.
> > > 
> > > I tought about adding it in our official trees, but then avoided that as
> > > it is inefficient and idmapping is not meant to be touched by admins
> > > anyway, so I find no meaning in using an human readable/writable format
> > > (and still you can do that with ldap :-/).
> > > 
> > > Simo.
> > > 
> > > On Thu, 2004-07-15 at 12:47, Volker Lendecke wrote:
> > > > On Thu, Jul 15, 2004 at 11:21:22AM +0100, Jamil Amir-ajamil01 wrote:
> > > > > I am looking for Text-base idmap backend module for samba 3.0.2a, could some
> > > > > body please send it to me or let me know if it is posted some ware.
> > > > 
> > > > I'm not aware of such a thing. This would be horrendously inefficient. Maybe
> > > > the commands 'net idmap dump' and 'net idmap restore' help you?
> > > > 
> > > > Volker
> > -- 
> > Simo Sorce    -  idra at samba.org
> > Samba Team    -  http://www.samba.org
> > Italian Site  -  http://samba.xsec.it
> > 
> 
> -- 
> 
> Regards,
> Phil
> 
> +------------------------------------------+
> | Phil Mayers                              |
> | Network & Infrastructure Group           |
> | Information & Communication Technologies |
> | Imperial College                         |
> +------------------------------------------+

-- 

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+


More information about the samba-technical mailing list