[Samba] samba3: domain member server: user mapping problem (ldap)

Tue Sep 30 14:16:37 GMT 2003

Hi Jelmer,

> > idmap backend  = ldap:ldap://leibniz.rsidus.riege.de, and not
> >                  ^^^^
> > idmap backend  = ldapsam:ldap://leibniz.rsidus.riege.de
> >                  ^^^^^^^ 
> Thanks, I fixed it in the documentation.

You may change it there as well:
- example §5.3
- §20.1: ( at bootom of page): If idmap backend has been specifies as
ldapsam:url ...

The text about using winbind on BDCs and member servers at the end of
paragraph 5.3 would be of great help in paragraph 6.3 as well. ;)

Overall this idmap / winbind thing was merged quite late with the Howto
I suppose, because I did not read it when I set up the PDC / BDC ( about
the time when rc1/rc2 came out ) and the chapter on winbind still seems
to have the winbind 2.2 in mind - overall winbind now seems to be able
to act as a snap in replacement for nss_ldap/pam_ldap, but on the other
hand I tend to stick with the latter in a plain linux server
environment.

> > b) am I supposed to use winbind at all? I am already using pam_ldap and
> > nss_ldap on the server. The winbind settings are:
> > 
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind trusted domains only = yes
> > 
> > The UIDs/GIDs actually used in LDAP are in between 600 and 3000.

> I figure idmap is not working correctly (or it's supposed to work
> differently as the last time I looked at it..)

<sic>

> > c) net groupmap still does not list anything.
> 'net groupmap list' does not give any output _at all_ ?

no, it just maps everything to -1:

[root at hilbert samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1454018726-3595976858-1671193852-512) -> -1
Domain Guests (S-1-5-21-1454018726-3595976858-1671193852-514) -> -1
...

while on the PDC/BDC it is more like this:
[root at leibniz schlegel]# net groupmap list
Domain Admins (S-1-5-21-4157288312-2978303034-1700589767-2201) ->
administratoren
Domain Users (S-1-5-21-4157288312-2978303034-1700589767-512) -> smbuser
Domain Guests (S-1-5-21-4157288312-2978303034-1700589767-514) -> nobody
develop (S-1-5-21-4157288312-2978303034-1700589767-3013) -> develop
...

however, wbinfo -g gives output on BDC and member server:

[root at hilbert samba]# wbinfo -g
RIEGE\Domain Admins
RIEGE\Domain Users
RIEGE\Domain Guests
RIEGE\develop
...

Maybe net groupmap is not intended / necessary on member servers using
winbind? The SIDs get mapped in a correct way now except for the
following issue.

> > d) In windows the system still shows the rights as [member
> > server]\username instead of DOMAIN\username. 

No hints on this one?

> > e) do I have to adjust the member servers SID? It created it's own one
> > and it is different from the domains SID. 
> Have you joined the domain correctly? 

definitely. net rpc join, and it succeeded and the PDC added the account
in the ldap tree.

> Each workstation also has it's own
> SID, so that shouldn't be a problem.

This is what I expects, I am just not sure whether the member servers
SID has to partly match the domains SID or something like this.

I think I figured out that my main problem ( d), member server name
instead of domain name in from of the users name ) is gone if I change
the SID of the member server, on the other hand I expect things to get
odd and break if the SID is not unique...

regards, Gunther

-- 
Gunther Schlegel                    Riege Software International GmbH
Manager System Administration                            Mollsfeld 10
                                             40670 Meerbusch, Germany
Email: schlegel at riege.de                      Phone: +49-2159-9148-0
                                              Fax:   +49-2159-9148-11
---------------------------------------------------------------------

Disclaimer:
You may grab my GPG key from http://www.keyserver.net .
A nonproportional font is recommended for reading.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030930/8ee04624/attachment.bin