[Samba] Group mapping giving incorrect GIDs
Eric Roseme
eroseme at emonster.rose.hp.com
Thu Nov 10 23:26:09 GMT 2005
Gerald (Jerry) Carter wrote:
>Eric Roseme wrote:
>
>
>>a.nielsen at research.uq.edu.au wrote:
>>
>>>Hi,
>>>
>>>I think I've narrowed down my problem to the fact that the group mapping is
>>>not giving me the same GID for all 'equivalent' groups, as seen here:
>>>
>>>$ net groupmap list
>>>DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1
>>>
>>>$ getent group unixgrp1
>>>unixgrp1:x:203:
>>>
>>>$ getent group DOMAIN\\Group1
>>>DOMAIN\Group1:x:10001:DOMAIN\User1
>>>
>>>This means that the GID of unixgrp1 is 203; however, the GID of DOMAIN\Group1
>>>is completely different! Given the group mapping, I was expecting that both
>>>groups would be returned with a GID of 203, so that according to the Linux
>>>box both those groups are the same.
>
>Group mapping on domain members is mutually exclusive with running
>winbindd. Usually, that is.
>
>If you do not define idmap uid and idmap gid ranges, then winbindd
>should fall back to using the group mapping, and you had better have
>mappings for all domain groups. It's an all-or-none decision.
>
Jerry - just to be clear: you mean that winbindd must not be running (as
opposed to just not defining idmap uid/gid ranges)? Testing shows that
without winbindd running, groupmap behaves just like you say - mapped
UNIX groups work for domain user access on ugo permissions, and for
"valid users". With no idmap uid/gid, winbindd will not start.
JHT - this would be useful in chapter 11 of the howto. I read that
chapter about 5 times looking for what I was missing when I could not
make groupmapping work with "security = ads" and winbindd. And I just
bought my Second Edition. Boo Hoo.
My purpose for testing this was to answer an earlier post about group
name length limitations on "valid user". Our UNIX group name would only
work up to 32 chars, but Windows allows 64 chars. Also the Windows
group had special characters that UNIX did not like. I thought I could
work around this by mapping the long Windows group to a short Unix group
(with security=ads). But it did not work, due to winbindd (as you
pointed out).
Adam - can you describe your intended use of group mapping? I re-read
your original post, and am wondering why you can't just add the
winbind-mapped group directly to the folder (directory) ACL (as opposed
to mapping a *ix group to the winbind-mapped group, then adding the *ix
group to the ACL)?
Eric Roseme
Hewlett-Packard
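The consistency check this thread is circling around, as an added example that is not part of the post above and not Samba's own code: a POSIX sh script that walks `net groupmap list` output and asks the group database for both sides of every mapping, reporting the case Adam hit, where the Windows group and its mapped UNIX group resolve to different GIDs. The groupmap and group-database text embedded below is constructed for the example (Group1 reproduces the numbers quoted above); the one assumption about the real tools is that `net groupmap list` prints lines of the form `NTNAME (SID) -> unixgroup`, as in the quoted output.

```shell
#!/bin/sh
# Added example (not from the thread): check that every Samba group mapping
# resolves to a single GID. For each `net groupmap list` line it looks up the
# mapped UNIX group and the Windows group in getent-style group data and
# reports OK, MISMATCH (both resolve, different GIDs) or MISSING (the UNIX
# group does not exist).
#
# Assumption: `net groupmap list` prints "NTNAME (SID) -> unixgroup", as in
# the output quoted in the thread.

# Constructed sample standing in for `net groupmap list` output.
SAMPLE_GROUPMAP='DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) -> unixgrp1
DOMAIN\Group2 (S-1-5-21-620321403-24207062-1845911597-172257) -> unixgrp2
DOMAIN\Group3 (S-1-5-21-620321403-24207062-1845911597-172258) -> nosuchgrp'

# Constructed sample standing in for `getent group` output on a member
# server where winbindd is running and has given Group1 a GID of its own.
SAMPLE_GETENT='unixgrp1:x:203:
DOMAIN\Group1:x:10001:DOMAIN\User1
unixgrp2:x:204:
DOMAIN\Group2:x:204:DOMAIN\User2'

# lookup_gid NAME GROUPDB: print the GID of NAME from GROUPDB (getent group
# format), or nothing if NAME is absent. read -r keeps the backslash in
# DOMAIN\Group1 intact, which awk -v or echo would not.
lookup_gid() {
    printf '%s\n' "$2" | while IFS=: read -r name pw gid members; do
        if [ "$name" = "$1" ]; then
            printf '%s\n' "$gid"
            break
        fi
    done
}

# check_groupmap GROUPMAP_OUTPUT GROUPDB: print one status line per mapping
# and return 0 only if every mapping is consistent.
check_groupmap() {
    groupdb=$2
    bad=0
    # Reduce "NTNAME (SID) -> unixgroup" to "NTNAME:unixgroup".
    pairs=$(printf '%s\n' "$1" | sed -n 's/^\(.*\) (S-[-0-9]*) -> \(.*\)$/\1:\2/p')
    # Feed the loop from a here-document rather than a pipe so that $bad
    # is updated in this shell, not in a subshell.
    while IFS=: read -r ntgroup unixgroup; do
        [ -n "$ntgroup" ] || continue
        ugid=$(lookup_gid "$unixgroup" "$groupdb")
        ngid=$(lookup_gid "$ntgroup" "$groupdb")
        if [ -z "$ugid" ]; then
            # The mapping names a UNIX group NSS cannot resolve.
            printf 'MISSING %s -> %s (no such UNIX group)\n' "$ntgroup" "$unixgroup"
            bad=$((bad + 1))
        elif [ -n "$ngid" ] && [ "$ngid" != "$ugid" ]; then
            # Both names resolve, but to different GIDs: the mapping is not in effect.
            printf 'MISMATCH %s gid=%s -> %s gid=%s\n' "$ntgroup" "$ngid" "$unixgroup" "$ugid"
            bad=$((bad + 1))
        else
            # Same GID, or the NT name is not resolvable at all (winbindd not
            # running), in which case the mapped UNIX group is what counts.
            printf 'OK %s -> %s gid=%s\n' "$ntgroup" "$unixgroup" "$ugid"
        fi
    done <<EOF
$pairs
EOF
    [ "$bad" -eq 0 ]
}

# Run against the constructed sample, or against the live system with --live.
if [ "${1:-}" = "--live" ]; then
    check_groupmap "$(net groupmap list)" "$(getent group)"
else
    check_groupmap "$SAMPLE_GROUPMAP" "$SAMPLE_GETENT" || echo "inconsistent mappings found"
fi
```

On the sample data the script prints one MISMATCH (Group1, 10001 versus 203), one OK (Group2) and one MISSING (Group3) and exits non-zero. Run with `--live` on a member server to check the real mappings: a MISMATCH where winbindd is running with idmap uid/gid ranges set is the behaviour Jerry describes, the domain group getting a GID from winbindd's idmap range while the groupmap entry is ignored; a MISSING line means the mapping names a UNIX group the group database does not know, so it could never work even with winbindd stopped.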