[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain

fx.cormontagne at howen.be fx.cormontagne at howen.be
Sat Jun 12 02:22:29 GMT 2004 

I have problems with SID to UID mapping using winbind on a FreeBSD 5.2/Samba 
3.0.4
 as a member server of a Win2k domain controller. I use heimdal-0.6.1 for 
kerberos.

I would like my XP machines in the domain to use the share with the user 
accounts
defined in Active Directory.

At a first glance it seems to work: the connection to the share succeeds 
without a
prompt for a password. Users may create, read, modify and delete files or 
folders.
But the ACLs do not show domain accounts but local accounts: those accounts have
the SAME NAME as the domain account BUT they bear the name of the SAMBA machine
instead of the name of the domain.

Here are my conf files:

----- smb.conf -----
[global]
 security = ADS
 realm = windom
 netbios name = SAMBA
 workgroup = WINDOM
 encrypt passwords=yes
 password server = *
 obey pam restrictions = yes
 winbind cache time = 120
 template shell = /sbin/nologin
 template homedir = /none
 idmap uid = 10000-19999
 idmap gid = 10000-19999
 winbind nested groups = yes
 winbind separator = +

[theshare]
 path=/smbroot/theshare
 read only=no
-----------------------

------ nsswitch.conf ---
passwd: files winbind
group:  files winbind
------------------------

------ pam.d/samba ----
auth required pam_winbind.so    debug
account required pam_winbind.so
-----------------------

 pam_winbind.so is only present in pam.d/samba

wbinfo -u
wbinfo -g

  work fine

pw user show -a   # this lists all the user account in a passwd format

  shows all local and domain accounts (WINDOM+domuser:*:10021:10010:...)

Then I log into an XP machine as domuser at WINDOM
I open the network location: \\samba\theshare
I create some file, and I edit its properties I find in the ACL and as the owner
of the file:

   domuser(SAMBA\domuser)

Then I log on the console of the Samba server as root, and

$ ls -ln /smbroot/theshare/dummyfile.txt

  gives a UID of 10034 as the owner

pw user show -u 10034

  returns:

domuser:*:10034:65534::0:0:domuser:/none/:/sbin/nologin

again I type: pw user show -a

  all the domain users are present but domuser:*:10034 does not
  appear in the list

When I turn on: winbind trusted domains only = yes

  I get a login screen when I want to connect to the share
  and log.smbd tells:
     smbd/sesssetup.c:reply_spnego_kerberos(248) 
        Username WINDOM+domuser is invalid on this system

  while log.winbind says:
     nsswitch/winbindd_acct.c:winbindd_create_user(884)
        winbindd_create_user: Refusing to create user that already exists 
(domuser)

It is not clear to me if it is a kerberos or a winbind problem.

Has someone a clue?

Thanks

FX

More information about the samba mailing list