[Samba] Help IDMAP_RID and trusted domains
Michael Gasch
gasch at eva.mpg.de
Tue Dec 6 12:28:07 GMT 2005
[Update]
wbinfo -n now works also for trusted accounts.
but id DOMB\user gives "No suitable range available for sid
<DOMBSID>-... " although winbind says "enabling trusted domain mapping"
and i have
> idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
> idmap uid = 10000-50000
> idmap gid = 10000-5000
please see attachment for winbind logs (don´t look too much into detail
regarding packets and corresponding ASCII code - i changed domain names
for sec. reasons).
does anyone have a working setup please?
it´s working with tdbsam backend, but that´s not what i want.
thx!!!
@john:
the documentation says about idmap_rid:
"The downside is that it can be used only within a single ADS domain
and is not compatible with trusted domain implementations."
but this seems to be wrong because even samba developers (volker&jerry)
say, that it works?!?!
Michael Gasch wrote:
> hi,
>
> it´s me again :(
>
> i´m still not able to use idmap_rid in a trusted domain environment
> (samba v3.0.20b Sernet).
> well, to be clear: NSS is not working (id, getent passwd <user>, ...) so
> samba does not find the posix information for any user from a foreign
> domain
>
> it´s working in a single domain with
> #####################################
> # WINBIND - Settings
> idmap backend = idmap_rid:DOMA=10000-50000
> idmap uid = 10000-50000
> idmap gid = 10000-50000
>
> allow trusted domains = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind trusted domains only = no
> allow trusted domains = no
> winbind cache time = 60
> template shell = /bin/bash
> template homedir = /data/users/%U
> #####################################
>
> but it´s not working with
> #####################################
> # WINBIND - Settings
> idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
> idmap uid = 10000-50000
> idmap gid = 10000-50000
>
> allow trusted domains = yes
> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> winbind trusted domains only = no
> allow trusted domains = no
> winbind cache time = 60
> template shell = /bin/bash
> template homedir = /data/users/%U
> #####################################
>
> wbinfo -u gives me all users from all domains.
> id DOMA\user gives me the correct information.
> id DOMB\user gives me "No such user" and winbind says:
>
> NT_STATUS_NONE_MAPPED
> Could not lookup name for user DOMB\user
>
> wbinfo -n "DOMB\user" does not work, too. but DOMA\user works.
>
> is there a good manual for idmap_rid and trusts?
> do i have to create two-way-trusts? we just have a one-way with DOMB.
> i always just find idmap_rid in single domains and people telling me "it
> works!"
>
> thx in advance!
>
>
--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
More information about the samba
mailing list