[Samba] samba3: domain member server: user mapping problem (ldap)
Gunther Schlegel
schlegel at riege.com
Tue Sep 30 14:16:37 GMT 2003
Hi Jelmer,
> > idmap backend = ldap:ldap://leibniz.rsidus.riege.de, and not
> > ^^^^
> > idmap backend = ldapsam:ldap://leibniz.rsidus.riege.de
> > ^^^^^^^
> Thanks, I fixed it in the documentation.
You may change it there as well:
- example §5.3
- §20.1 (at bottom of page): If idmap backend has been specified as
ldapsam:url ...
The text about using winbind on BDCs and member servers at the end of
paragraph 5.3 would be of great help in paragraph 6.3 as well. ;)
Overall this idmap / winbind thing was merged quite late with the Howto
I suppose, because I did not read it when I set up the PDC / BDC ( about
the time when rc1/rc2 came out ) and the chapter on winbind still seems
to have the winbind 2.2 in mind - overall winbind now seems to be able
to act as a snap-in replacement for nss_ldap/pam_ldap, but on the other
hand I tend to stick with the latter in a plain linux server
environment.
> > b) am I supposed to use winbind at all? I am already using pam_ldap and
> > nss_ldap on the server. The winbind settings are:
> >
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind trusted domains only = yes
> >
> > The UIDs/GIDs actually used in LDAP are in between 600 and 3000.
> I figure idmap is not working correctly (or it's supposed to work
> differently as the last time I looked at it..)
<sic>
> > c) net groupmap still does not list anything.
> 'net groupmap list' does not give any output _at all_ ?
no, it just maps everything to -1:
[root at hilbert samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1454018726-3595976858-1671193852-512) -> -1
Domain Guests (S-1-5-21-1454018726-3595976858-1671193852-514) -> -1
...
while on the PDC/BDC it is more like this:
[root at leibniz schlegel]# net groupmap list
Domain Admins (S-1-5-21-4157288312-2978303034-1700589767-2201) -> administratoren
Domain Users (S-1-5-21-4157288312-2978303034-1700589767-512) -> smbuser
Domain Guests (S-1-5-21-4157288312-2978303034-1700589767-514) -> nobody
develop (S-1-5-21-4157288312-2978303034-1700589767-3013) -> develop
...
however, wbinfo -g gives output on BDC and member server:
[root at hilbert samba]# wbinfo -g
RIEGE\Domain Admins
RIEGE\Domain Users
RIEGE\Domain Guests
RIEGE\develop
...
Maybe net groupmap is not intended / necessary on member servers using
winbind? The SIDs get mapped in a correct way now except for the
following issue.
> > d) In windows the system still shows the rights as [member
> > server]\username instead of DOMAIN\username.
No hints on this one?
> > e) do I have to adjust the member server's SID? It created its own one
> > and it is different from the domain's SID.
> Have you joined the domain correctly?
definitely. net rpc join, and it succeeded and the PDC added the account
in the ldap tree.
> Each workstation also has its own
> SID, so that shouldn't be a problem.
This is what I expect, I am just not sure whether the member server's
SID has to partly match the domain's SID or something like this.
I think I figured out that my main problem (d, member server name
instead of domain name in front of the user's name) is gone if I change
the SID of the member server, on the other hand I expect things to get
odd and break if the SID is not unique...
regards, Gunther
--
Gunther Schlegel
Manager System Administration
Riege Software International GmbH
Mollsfeld 10
40670 Meerbusch, Germany
Email: schlegel at riege.de
Phone: +49-2159-9148-0
Fax: +49-2159-9148-11
---------------------------------------------------------------------
Disclaimer:
You may grab my GPG key from http://www.keyserver.net .
A nonproportional font is recommended for reading.