idmap_ad and idmap ranges (idmap uid, idmap gid)

Mark Proehl M.Proehl at
Thu Jul 13 08:12:41 GMT 2006


I have got a question about idmap_ad and the idmap uid and idmap gid
smb.conf parameters.

I use winbind and idmap_ad for UNIX-AD integration. AD users and
groups have MSSFU POSIX attributes. My environment is AIX-5.1, Linux
and Samba-3.0.22. There are three AD domains. UNIX clients must be
members of all three domains. I'd like to use nss_winbind, because
compared to nss_ldap, nss_winbind handles trusted domains.

I noticed that idmap_ad requires the parameters idmap uid and idmap
gid to be specified in smb.conf.

More precisely: if the ranges are left empty, winbind fails to return the
UID of a given user:

  # wbinfo -n sfutest
  S-1-5-21-2606056928-82551713-1973581322-1110 User (1)
  root at radon lib/security # wbinfo -S S-1-5-21-2606056928-82551713-1973581322-1110
  Could not convert sid S-1-5-21-2606056928-82551713-1973581322-1110 to uid
  root at radon lib/security # 

After specifying the two ranges in smb.conf, it works:

  # wbinfo -S S-1-5-21-2606056928-82551713-1973581322-1110

Furthermore: if the values of the GIDs of the AD groups are outside
the idmap gid range, things behave strangely, e.g. the id command cannot
list secondary groups anymore (happens on AIX-5.1 and Linux).

Example 1 (bad): all AD group IDs are outside the range,
  idmap gid = 30000-1000000
  group names are not displayed:

  # id sfutest
  uid=20000(sfutest) gid=10000 groups=10000,10018,10011,20005,20006,20007,20008,20009,20010,20011,20001,10002,10003,10004,10005,10006,10007,10008,10009,10010,10012,10013,10014,10016,10017,20012,20013,20014,20015,20016

Example 2 (good): all AD group IDs are inside the range,
  idmap gid = 1000-1000000
  group names are displayed correctly:

  # id sfutest
  uid=20000(sfutest) gid=10000(t1) groups=10000(t1),10018(Domain Users),10011(t2),20005(t3),20006(t4),20007(t5),20008(t6),20009(t7),20010(t8),20011(t9),20001(t10),10002(t11),10003(t12),10004(t13),10005(t14),10006(t15),10007(t16),10008(t17),10009(t18),10010(t19),10012(t20),10013(t21),10014(t22),10016(t24),10017(t25),20012(t27),20013(t28),20014(t29),20015(t30),20016(t31)

I don't understand why these range parameters are necessary at all with
idmap_ad. One potential problem is that the upper bound of that range
will eventually be exceeded after many users and groups have been
created. The other problem is that the mapping of the POSIX IDs to the
SIDs exists not only on the AD side, but also in the local
winbindd_idmap.tdb. But the reason for using an idmap backend like ldap
or AD is to get rid of that TDB backend.

So my question is: is this a problem in my setup, or an issue with
winbind in 3.0.22? Would it be better to take a look at 3.0.23?

-- Mark

Additional information:

        workgroup = W2K3
        realm = W2K3.EXAMPLE.COM
        security = ADS
        use kerberos keytab = Yes
        log level = 10
        idmap backend = idmap_ad
        idmap uid = 1000-1000000
        idmap gid = 1000-1000000
        winbind use default domain = Yes
        winbind nss info = sfu


BTW: from the smb.conf man page: 

  "idmap_ad supports "Services for Unix" (SFU) version 2.x and 3.0."

What about 3.5 and the version of W2K3R2?
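The post's two `id` listings differ only in whether the AD groups' POSIX GIDs fall inside the configured "idmap gid" range. The POSIX shell script below is an added example (not part of Mark's post and not Samba code): it reads the "idmap uid" / "idmap gid" ranges from an smb.conf fragment, pulls the numeric uid and gids out of an `id` line, and lists every ID that lies outside its range, which is exactly the set winbind left nameless in "Example 1 (bad)". The smb.conf fragments and the shortened `id` line are constructed from the values in the post.

```shell
#!/bin/sh
# Added example, not from the original post: report POSIX IDs from an
# `id` line that fall outside the "idmap uid" / "idmap gid" ranges of
# an smb.conf. Such IDs are the ones winbind cannot resolve to names.

# Constructed smb.conf fragments with the "bad" and "good" gid ranges
# quoted in the post.
SMB_CONF_BAD='[global]
        idmap backend = idmap_ad
        idmap uid = 1000-1000000
        idmap gid = 30000-1000000'
SMB_CONF_GOOD='[global]
        idmap backend = idmap_ad
        idmap uid = 1000-1000000
        idmap gid = 1000-1000000'

# Constructed `id` output (a shortened form of the post's sfutest line).
ID_SAMPLE='uid=20000(sfutest) gid=10000 groups=10000,10018,10011,20005,20006'

# idmap_range CONF uid|gid -> prints "LOW HIGH" for that parameter,
# nothing if the parameter is absent or not of the form LOW-HIGH.
idmap_range() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*idmap $2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" |
        head -n 1
}

# in_range ID LOW HIGH -> succeeds when LOW <= ID <= HIGH.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# id_uid ID_LINE -> the numeric uid from an `id` line.
id_uid() {
    printf '%s\n' "$1" | sed -n 's/.*uid=\([0-9][0-9]*\).*/\1/p'
}

# id_gids ID_LINE -> primary and supplementary gids, numeric only
# ("(name)" suffixes stripped), one per line, deduplicated.
id_gids() {
    {
        printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9][0-9]*\).*/\1/p'
        printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
    } | sort -un
}

# ids_outside CONF ID_LINE -> prints "uid N" / "gid N" for each ID that
# lies outside the range configured for its kind.
ids_outside() {
    # $3 $4 = uid range, $5 $6 = gid range
    set -- "$1" "$2" $(idmap_range "$1" uid) $(idmap_range "$1" gid)
    if [ $# -ne 6 ]; then
        echo "idmap uid / idmap gid range missing or malformed in smb.conf" >&2
        return 2
    fi
    u=$(id_uid "$2")
    in_range "$u" "$3" "$4" || printf 'uid %s\n' "$u"
    for g in $(id_gids "$2"); do
        in_range "$g" "$5" "$6" || printf 'gid %s\n' "$g"
    done
}

# count_outside CONF ID_LINE -> how many IDs are outside the ranges.
count_outside() {
    ids_outside "$1" "$2" | wc -l | tr -d ' '
}

# Report for both constructed configurations.
echo "bad config:  $(count_outside "$SMB_CONF_BAD" "$ID_SAMPLE") ID(s) outside the idmap ranges"
ids_outside "$SMB_CONF_BAD" "$ID_SAMPLE"
echo "good config: $(count_outside "$SMB_CONF_GOOD" "$ID_SAMPLE") ID(s) outside the idmap ranges"
```

On a real host the same check is `ids_outside "$(cat /etc/samba/smb.conf)" "$(id sfutest)"`; any "gid N" line it prints is a group that `id` will show as a bare number until the range is widened to include it.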
