[Samba] Re: Using idmap_rid backend, cannot browse home directory from XP
Scott E. Smith
scottsmith7 at yahoo.com
Fri Apr 15 15:00:06 GMT 2005
John- Thanks for answering! Changing the range had no
effect - the logs still look the same. I know that
it's mapping the group:

tx3linux01 root # getent passwd "DOMAIN1\ssmith"
DOMAIN1\ssmith:x:13830:1513:Smith, Scott:/export/home/DOMAIN1/ssmith:/bin/bash
tx3linux01 root # getent group 1513
DOMAIN1\Domain Users:x:1513:DOMAIN1\swops

Something I noticed while running idmap_rid module is
that root sees all the groups that the user is a
member of, while the user just shows the primary
group:

tx3linux01 root # id "DOMAIN1\ssmith"
uid=13830(DOMAIN1\ssmith) gid=1513(DOMAIN1\Domain Users) groups=1513(DOMAIN1\Domain Users),30820(DOMAIN1\SDVT),13409(DOMAIN1\black),20772(DOMAIN1\TAQ_USERS),27685(DOMAIN1\TX3_USERS),9233(DOMAIN1\Instant MessengerGG),15530(DOMAIN1\Taq ENG_Richardson),15539(DOMAIN1\TaqDevelopment),15540(DOMAIN1\TaqAll),20804(DOMAIN1\TaqLegacy)
tx3linux01 root # su - "DOMAIN1\ssmith"
DOMAIN1\ssmith@tx3linux01 ssmith $ id
uid=13830(DOMAIN1\ssmith) gid=1513(DOMAIN1\Domain Users) groups=1513(DOMAIN1\Domain Users)

However, when not using idmap_rid, the user can see
all the groups he is a member of - although I don't
know what that means.

Any other ideas?

Regards,
Scott
>
> On Thursday 14 April 2005 09:45, Scott E. Smith wrote:
> > Samba version is 3.0.10 on Gentoo linux. I am trying
> > to use idmap_rid backend in a Windows AD environment,
> > the Linux PC acting only as a domain member. I am
> > using idmap_rid because I need UID/GID predictability.
> > I can log in to console correctly, and it shows the
> > right user and the "Domain Users" as the group.
> >
> > When I use default winbind TDB, I can browse the home
> > directory from an XP PC.
> >
> > When using idmap_rid, and I try to browse to a home
> > directory from a Windows XP PC, the user/password
> > dialog pops up. When I enter the DOMAIN\user +
> > password, the box merely pops up again, and this is
> > what I see in log.winbind on the Samba domain member:
>
> You have set the UID and GID range to 100000 to 10000000.
> This is the range that all RIDs must fit into. Below is a predictable failure
> to allocate a UID of hex 513 because it is out of range.
>
> Does that make sense? Change the IDMAP UID and IDMAP GID ranges to start at
> 1000 and it should work.
>
> - John T.
> >
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
> >   [11340]: request interface version
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
> >   [11340]: request location of privileged pipe
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_misc.c:winbindd_ping(238)
> >   [11340]: ping
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(465)
> >   [11340]: pam auth crap domain: DOMAIN1 user: ssmith
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
> >   [11340]: request interface version
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
> >   [11340]: request location of privileged pipe
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(126)
> >   [11340]: getpwnam domain1\ssmith
> > [2005/04/14 10:11:15, 3] lib/charcnv.c:convert_string_allocate(576)
> >   convert_string_allocate: Conversion error: Illegal multibyte sequence(µ)
> > [2005/04/14 10:11:15, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1003)
> >   [11340]: getgroups DOMAIN1\ssmith
> > [2005/04/14 10:11:15, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(461)
> >   rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-21-1844237615-1644491937-725345543-513
> >
> >
> > When I execute 'id', the following is logged in
> > log.winbind:
> >
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
> >   [11343]: request interface version
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
> >   [11343]: request location of privileged pipe
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_user.c:winbindd_getpwuid(225)
> >   [11343]: getpwuid 112830
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_ads.c:sequence_number(792)
> >   ads: fetch sequence_number for DOMAIN1
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(576)
> >   convert_string_allocate: Conversion error: Illegal multibyte sequence(µ)
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_user.c:winbindd_getpwuid(225)
> >   [11343]: getpwuid 112830
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
> >   sid_to_name [rpc] S-1-5-21-725345543-1677128483-839522115-12830 for domain DOMAIN1
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
> >   [11343]: getgrgid 100513
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒`▒`▒`▒{▒─▒`▒γ2;▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒`▒`▒{▒─▒`▒─▒;)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒`▒{▒─▒`▒─▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒{▒─▒`▒─▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒─▒`▒─▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒─▒)
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_ads.c:query_user(391)
> >   ads: query_user
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
> >   [11343]: getgrgid 100513
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒`▒`▒`▒{▒─▒`▒γ2;▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒`▒`▒{▒─▒`▒─▒;)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒`▒{▒─▒`▒─▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒{▒─▒`▒─▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒─▒`▒─▒)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(▒─▒)
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_ads.c:query_user(437)
> >   ads query_user gave ssmith
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
> >   [11343]: getgrgid 100513
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
> >   sid_to_name [rpc] S-1-5-21-725345543-1677128483-839522115-513 for domain DOMAIN1
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(╝lXl╝l)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(╝l)
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_ads.c:dn_lookup(339)
> >   ads: dn_lookup
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_ads.c:lookup_groupmem(777)
> >   ads lookup_groupmem for sid=S-1-5-21-725345543-1677128483-839522115-513
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(Éá)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(á)
> > [2005/04/14 10:15:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
> >   [11343]: getgrgid 100513
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(╝lXl╝l)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(╝l)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(Éá)
> > [2005/04/14 10:15:46, 3] lib/charcnv.c:convert_string_allocate(567)
> >   convert_string_allocate: Conversion error: Incomplete multibyte sequence(á)
> >
> >
> > /etc/samba/smb.conf contains:
> >
> > [global]
> > workgroup = DOMAIN1
> > server string =
> > realm = DOMAIN1.COM
> > log file = /var/log/samba3/log.%m
> > max log size = 50
> > log level = 3
> > map to guest = never
> > security = ADS
> > allow trusted domains = no
> > password server = *
> > encrypt passwords = yes
> > smb passwd file = /etc/samba/private/smbpasswd
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nested groups = yes
> > template homedir = /export/home/%D/%U
> > template shell = /bin/bash
> > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > preferred master = no
> > idmap uid = 100000-10000000
> > idmap gid = 100000-10000000
> > idmap backend = idmap_rid:DOMAIN1=100000-10000000
> > wins server = 10.1.129.25
> > dns proxy = no
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> >
> >
> > Thanks in advance for any help!
> >
> > /Scott
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
> --
>
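
Added example, not part of the original thread and not Samba's code: a Python check of the arithmetic visible in the outputs above, where the Unix ID equals the low end of the idmap_rid range plus the RID (getpwuid 112830 and getgrgid 100513 with a range starting at 100000). That rule is inferred from those values and is an assumption, as are the function names and the trimmed sample configuration.

```python
import re

# Constructed sample, modelled on the [global] settings quoted in the thread.
SMB_CONF = """\
[global]
workgroup = DOMAIN1
idmap uid = 100000-10000000
idmap gid = 100000-10000000
idmap backend = idmap_rid:DOMAIN1=100000-10000000
"""

def parse_ranges(conf_text):
    """Return (alloc, rid_ranges): idmap uid/gid ranges and per-domain idmap_rid ranges."""
    alloc, rid_ranges = {}, {}
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("idmap uid", "idmap gid"):
            lo, hi = value.split("-")
            alloc[key.split()[1]] = (int(lo), int(hi))
        elif key == "idmap backend" and value.startswith("idmap_rid:"):
            for m in re.finditer(r"(\w+)=(\d+)-(\d+)", value[len("idmap_rid:"):]):
                rid_ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return alloc, rid_ranges

def map_rid(domain, sid, rid_ranges):
    """SID -> Unix ID. Assumed rule, inferred from the thread: id = range low + RID."""
    rng = rid_ranges.get(domain.upper())
    if rng is None:
        return None                      # no range configured for this domain
    unix_id = rng[0] + int(sid.rsplit("-", 1)[1])   # RID = last sub-authority
    return unix_id if unix_id <= rng[1] else None   # None: does not fit the range

def unmap_id(domain, unix_id, rid_ranges):
    """Unix ID -> RID, e.g. to attribute a file owner back to a domain account."""
    rng = rid_ranges.get(domain.upper())
    if rng is None or not rng[0] <= unix_id <= rng[1]:
        return None
    return unix_id - rng[0]

if __name__ == "__main__":
    _, ranges = parse_ranges(SMB_CONF)
    for sid in ("S-1-5-21-725345543-1677128483-839522115-12830",
                "S-1-5-21-725345543-1677128483-839522115-513"):
        print(sid, "->", map_rid("DOMAIN1", sid, ranges))
```

Because the ID depends only on the range and the RID, changing the low end of the range changes every UID and GID, so files already owned under the old range keep the old numeric owner.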