[Samba] SID-UID mapping issue on Samba 3.0.4 in an AD Domain
fx.cormontagne at howen.be
Sat Jun 12 02:22:29 GMT 2004
I have problems with SID to UID mapping using winbind on a FreeBSD 5.2/Samba 3.0.4 as a member server of a Win2k domain controller. I use heimdal-0.6.1 for Kerberos.

I would like my XP machines in the domain to use the share with the user accounts defined in Active Directory.

At a first glance it seems to work: the connection to the share succeeds without a prompt for a password. Users may create, read, modify and delete files or folders.

But the ACLs do not show domain accounts but local accounts: those accounts have the SAME NAME as the domain account BUT they bear the name of the SAMBA machine instead of the name of the domain.
Here are my conf files:
----- smb.conf -----
[global]
security = ADS
realm = windom
netbios name = SAMBA
workgroup = WINDOM
encrypt passwords=yes
password server = *
obey pam restrictions = yes
winbind cache time = 120
template shell = /sbin/nologin
template homedir = /none
idmap uid = 10000-19999
idmap gid = 10000-19999
winbind nested groups = yes
winbind separator = +
[theshare]
path=/smbroot/theshare
read only=no
-----------------------
------ nsswitch.conf ---
passwd: files winbind
group: files winbind
------------------------
------ pam.d/samba ----
auth required pam_winbind.so debug
account required pam_winbind.so
-----------------------
pam_winbind.so is only present in pam.d/samba.

wbinfo -u
wbinfo -g
work fine.

pw user show -a # this lists all the user accounts in passwd format
shows all local and domain accounts (WINDOM+domuser:*:10021:10010:...)
Then I log into an XP machine as domuser@WINDOM and open the network location: \\samba\theshare

I create some file, and when I edit its properties I find in the ACL, and as the owner of the file:
domuser(SAMBA\domuser)

Then I log on to the console of the Samba server as root, and
$ ls -ln /smbroot/theshare/dummyfile.txt
gives a UID of 10034 as the owner.
pw user show -u 10034
returns:
domuser:*:10034:65534::0:0:domuser:/none/:/sbin/nologin

Again I type: pw user show -a
All the domain users are present, but domuser:*:10034 does not appear in the list.
When I turn on: winbind trusted domains only = yes
I get a login screen when I want to connect to the share, and log.smbd says:
smbd/sesssetup.c:reply_spnego_kerberos(248)
Username WINDOM+domuser is invalid on this system
while log.winbind says:
nsswitch/winbindd_acct.c:winbindd_create_user(884)
winbindd_create_user: Refusing to create user that already exists
(domuser)
It is not clear to me whether it is a Kerberos or a winbind problem.
Does someone have a clue?
Thanks
FX
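A quick way to make the symptom in the post measurable, as an added example that is not part of the original message or of Samba itself: scan the passwd database for entries whose UID falls inside the "idmap uid" range from the posted smb.conf (10000-19999) but whose name is not domain-qualified with the "winbind separator" (+). A UID in the winbind range that resolves to a bare name like "domuser" with gid 65534 is exactly what the poster saw, so such entries are worth flagging. The passwd lines below are constructed sample data modelled on the post's "pw user show" output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Values for the idmap range and separator are taken from the posted smb.conf.
IDMAP_LO=10000
IDMAP_HI=19999
SEP='+'

# Constructed sample of "pw user show -a" output (FreeBSD passwd format:
# name:passwd:uid:gid:class:change:expire:gecos:home:shell).
# Line 4 reproduces the stray entry the post reports for UID 10034.
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/sh
WINDOM+domuser:*:10021:10010::0:0:domuser:/none:/sbin/nologin
WINDOM+alice:*:10022:10010::0:0:alice:/none:/sbin/nologin
domuser:*:10034:65534::0:0:domuser:/none/:/sbin/nologin
localjoe:*:1001:1001::0:0:Joe:/home/joe:/bin/sh'

# find_stray_idmap_users: read passwd lines on stdin and print "name:uid" for
# every entry whose UID sits inside the idmap range but whose name carries no
# winbind separator, i.e. a local-looking account squatting on a winbind UID.
find_stray_idmap_users() {
    awk -F: -v lo="$IDMAP_LO" -v hi="$IDMAP_HI" -v sep="$SEP" '
        $3 >= lo && $3 <= hi && index($1, sep) == 0 { print $1 ":" $3 }
    '
}

# classify_uid UID: read passwd lines on stdin and print one word describing
# the owner UID (as shown by "ls -ln"):
#   domain   - inside the idmap range and domain-qualified (WINDOM+user)
#   stray    - inside the idmap range but NOT domain-qualified (the bug)
#   local    - outside the idmap range (an ordinary local account)
#   unmapped - no passwd entry at all for that UID
classify_uid() {
    awk -F: -v uid="$1" -v lo="$IDMAP_LO" -v hi="$IDMAP_HI" -v sep="$SEP" '
        $3 == uid { found = 1; name = $1 }
        END {
            if (!found) { print "unmapped"; exit }
            inrange   = (uid >= lo && uid <= hi)
            qualified = (index(name, sep) > 0)
            if (inrange && qualified) print "domain"
            else if (inrange)         print "stray"
            else                      print "local"
        }
    '
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | find_stray_idmap_users   # domuser:10034
printf '%s\n' "$SAMPLE_PASSWD" | classify_uid 10034       # stray
```

On a live member server, feed real data instead of the sample: pipe `pw user show -a` (or `getent passwd`) into find_stray_idmap_users, and pass the owner UID from `stat -f %u /smbroot/theshare/dummyfile.txt` to classify_uid. Cross-checking with `wbinfo -n 'WINDOM+domuser'` (name to SID) followed by `wbinfo -S <SID>` (SID to UID) tells you which UID winbind itself allocates for the domain account; if that differs from the UID the file carries, the file was not written under the winbind mapping.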