[Samba] Samba 3.0.2 - Unix Name Mapping not working properly with Windows 2003 ADS with Trust to NT 4.0 PDC, running on RH AS 3.0

Jim Laverty jim.laverty at gmail.com
Thu Jul 1 18:59:15 GMT 2004


Environment Summary:

Samba    version 3.0.2-6.3E (Red Hat AS 3.0)
Kerberos version 1.3.4 (MIT download - Kerberos 5 release 1.3.4)
openLDAP version 2.0.27-11 (Red Hat version - we may try 2.2.13 or 14)
pam_smb  version 1.1.7-1 (Red Hat version)

Red Hat AS 3.0 (2.4.21-15.0.2.ELsmp kernel on a Dell 1750)
Windows 2003 using Active Directory
One-way trust from Windows 2003 to an NT 4.0 PDC

smb.conf is set up as (important stuff):
security = ads
workgroup = ACMESPROCKETS
netbios name = SAMBA
realm = ACMESPROCKETS.LOCAL
wins server = 172.16.0.151
password server = keymaster.acmesprockets.local
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/ksh


We have two separate domains:

ACME.COM (NT 4.0 PDC Environment)
ACMESPROCKETS.LOCAL (Windows 2003 ADS and Linux Environment)
ACME.COM trusts ACMESPROCKETS.LOCAL, but not vice versa.

Problem Summary:

We cannot get the user and group mappings to actually occur when
creating a file via Samba onto an NFS share.  With 'ls -la' we see
"george:Domain Users somefile.txt" vs. "george:users somefile.txt"

I can chown the files back and forth using either the Windows
names/groups or the Linux names (UIDs/GUIDs).

The winbind separator is set to '+' and all the enumeration options
are enabled at the moment.

Now wbinfo -u shows the following:

ACME+Domain Users
Domain Users

If I check the sids, ACME+Domain Users matches the NT 4.0 domain and
Domain Users matches the Windows 2003 domain.  The same goes for the
user listing (wbinfo -u).

One question is: why do I not see ACMESPROCKETS+Domain Users?  Could
this have an effect on the user/group mappings?

The next item is that 'net groupmap list' shows the correct group
name, SID, RID and GUID.

[root at samba bin]# net groupmap list (security aside for now)
Guests (S-1-5-32-546) -> nfsnobody
Domain Users (S-1-5-21-3508889641-3407867016-1978114707-513) -> users
Power Users (S-1-5-32-547) -> users
Print Operators (S-1-5-32-550) -> lp
Domain Admins (S-1-5-21-3508889641-3407867016-1978114707-512) -> root
Domain Guests (S-1-5-21-3508889641-3407867016-1978114707-514) -> nfsnobody
Users (S-1-5-32-545) -> users

I have also tried the old /etc/samba/smbusers maps with no luck.

[root at samba bin]# wbinfo -t
checking the trust secret via RPC calls succeeded

Is there any way for me to get ACME out of the sequence entirely?

[root at samba bin]# wbinfo --sequence
ACME : 13376
ACMESPROCKETS : 233894

[root at samba bin]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: george at ACMESPROCKETS.LOCAL

Valid starting     Expires            Service principal
07/01/04 10:02:29  07/01/04 20:02:33
krbtgt/ACMESPROCKETS.LOCAL at ACMESPROCKETS.LOCAL
        renew until 07/02/04 10:02:29

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Any suggestions are welcome. I can supply much more detail, just ask.
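Added example (not part of the original post, and not Samba's own tooling): a small Python audit that parses the `net groupmap list` and `wbinfo` group output quoted above (copied here as constructed input so it runs offline) together with an assumed /etc/group excerpt, and reports the three things worth checking in a setup like this: winbind entries that come back without a domain prefix, short group names that appear under more than one domain (a `DOMAIN+Domain Users` next to a bare `Domain Users`, which a name-keyed lookup cannot tell apart), and groupmap entries whose Unix group does not exist locally. The /etc/group contents are an assumption, not from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: copies of the 'net groupmap list' and winbind group
# listing shown in the post, embedded so the script runs without Samba.
GROUPMAP_OUTPUT = """\
Guests (S-1-5-32-546) -> nfsnobody
Domain Users (S-1-5-21-3508889641-3407867016-1978114707-513) -> users
Power Users (S-1-5-32-547) -> users
Print Operators (S-1-5-32-550) -> lp
Domain Admins (S-1-5-21-3508889641-3407867016-1978114707-512) -> root
Domain Guests (S-1-5-21-3508889641-3407867016-1978114707-514) -> nfsnobody
Users (S-1-5-32-545) -> users
"""

WBINFO_GROUPS_OUTPUT = """\
ACME+Domain Users
Domain Users
"""

# Assumed /etc/group excerpt (constructed; the post does not show this file).
ETC_GROUP = """\
root:x:0:
lp:x:7:
users:x:100:
nfsnobody:x:65534:
"""

# One 'net groupmap list' line: "<NT name> (<SID>) -> <unix group>"
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text: str) -> Dict[str, Tuple[str, str]]:
    """NT group name -> (SID, unix group) from 'net groupmap list' output."""
    result: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            result[m["name"]] = (m["sid"], m["unix"])
    return result


def split_winbind_name(name: str, separator: str = "+") -> Tuple[Optional[str], str]:
    """Split 'DOMAIN+Group' into (DOMAIN, Group); an unprefixed name gives (None, name)."""
    domain, sep, short = name.partition(separator)
    return (domain, short) if sep else (None, name)


def domain_sid(sid: str) -> str:
    """Domain part of a SID: everything before the trailing RID."""
    return sid.rsplit("-", 1)[0]


def parse_etc_group(text: str) -> Dict[str, int]:
    """Unix group name -> GID from /etc/group style lines."""
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[parts[0]] = int(parts[2])
    return groups


def audit(groupmap: Dict[str, Tuple[str, str]], wbinfo_text: str,
          etc_group: Dict[str, int], separator: str = "+") -> Dict[str, List[str]]:
    """Cross-check winbind group names against groupmap entries and local groups."""
    report: Dict[str, List[str]] = {
        "unprefixed": [], "ambiguous": [], "mapped": [], "unmapped": [],
        "missing_unix": [], "domains_in_groupmap": [],
    }
    seen_domains: Dict[str, set] = {}
    for line in wbinfo_text.splitlines():
        name = line.strip()
        if not name:
            continue
        domain, short = split_winbind_name(name, separator)
        seen_domains.setdefault(short, set()).add(domain)
        if domain is None:
            report["unprefixed"].append(name)
        entry = groupmap.get(short)  # groupmap output is keyed by bare NT name
        if entry is None:
            report["unmapped"].append(name)
        else:
            report["mapped"].append(f"{name} -> {entry[1]}")
    # The same short name under two domains cannot be told apart by name alone.
    report["ambiguous"] = sorted(s for s, d in seen_domains.items() if len(d) > 1)
    for name, (sid, unix) in groupmap.items():
        if unix not in etc_group:
            report["missing_unix"].append(f"{name} -> {unix}")
    # Which domain SIDs the groupmap actually covers (BUILTIN S-1-5-32 excluded).
    report["domains_in_groupmap"] = sorted(
        {domain_sid(sid) for sid, _ in groupmap.values() if not sid.startswith("S-1-5-32-")}
    )
    return report


if __name__ == "__main__":
    result = audit(parse_groupmap(GROUPMAP_OUTPUT), WBINFO_GROUPS_OUTPUT, parse_etc_group(ETC_GROUP))
    for key, items in result.items():
        print(f"{key}: {items}")
```

Run against the post's own listings it shows that the groupmap only carries one domain SID, so the `ACME+Domain Users` entry from the trusted NT domain and the bare `Domain Users` entry resolve to the same name-keyed mapping; to be sure which SID each winbind name actually carries, resolve the names with `wbinfo -n` and compare the SIDs against the groupmap rather than relying on the names.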

