[Samba] Help IDMAP_RID and trusted domains

Michael Gasch gasch at eva.mpg.de
Tue Dec 6 12:28:07 GMT 2005


[Update]

wbinfo -n now works also for trusted accounts.

but id DOMB\user gives "No suitable range available for sid
<DOMBSID>-... " although winbind says "enabling trusted domain mapping"
and i have

  >    idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
  >    idmap uid = 10000-50000
  >    idmap gid = 10000-5000

please see attachment for winbind logs (don't look too much into detail
regarding packets and corresponding ASCII code - i changed domain names
for sec. reasons).

does anyone have a working setup please?
it's working with tdbsam backend, but that's not what i want.

thx!!!

@john:
the documentation says about idmap_rid:
   "The downside is that it can be used only within a single ADS domain
and is not compatible with trusted domain implementations."

but this seems to be wrong because even samba developers (volker&jerry)
say, that it works?!?!

Michael Gasch wrote:
> hi,
> 
> it's me again :(
> 
> i'm still not able to use idmap_rid in a trusted domain environment 
> (samba v3.0.20b Sernet).
> well, to be clear: NSS is not working (id, getent passwd <user>, ...) so 
> samba does not find the posix information for any user from a foreign 
> domain
> 
> it's working in a single domain with
> #####################################
> # WINBIND - Settings
>    idmap backend = idmap_rid:DOMA=10000-50000
>    idmap uid = 10000-50000
>    idmap gid = 10000-50000
> 
>    allow trusted domains = no
>    winbind use default domain = yes
>    winbind enum users = no
>    winbind enum groups = no
>    winbind trusted domains only = no
>    allow trusted domains = no
>    winbind cache time = 60
>    template shell = /bin/bash
>    template homedir = /data/users/%U
> #####################################
> 
> but it's not working with
> #####################################
> # WINBIND - Settings
>    idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
>    idmap uid = 10000-50000
>    idmap gid = 10000-50000
> 
>    allow trusted domains = yes
>    winbind use default domain = no
>    winbind enum users = no
>    winbind enum groups = no
>    winbind trusted domains only = no
>    allow trusted domains = no
>    winbind cache time = 60
>    template shell = /bin/bash
>    template homedir = /data/users/%U
> #####################################
> 
> wbinfo -u gives me all users from all domains.
> id DOMA\user gives me the correct information.
> id DOMB\user gives me "No such user" and winbind says:
> 
> NT_STATUS_NONE_MAPPED
> Could not lookup name for user DOMB\user
> 
> wbinfo -n "DOMB\user" does not work, too. but DOMA\user works.
> 
> is there a good manual for idmap_rid and trusts?
> do i have to create two-way-trusts? we just have a one-way with DOMB.
> i always just find idmap_rid in single domains and people telling me "it 
> works!"
> 
> thx in advance!
> 
> 


-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137


