[Samba] Samba 3.0.22 w2k3 ad+sfu working but ls shows only uidNumber and not uid
Thomas Dorsch
t.dorsch at ewt.de
Tue May 30 07:30:46 GMT 2006
Hi Guys,
I have a problem getting id mapping to work as it should. My setup is as
follows:
Samba 3.0.22 on Debian Sarge 3.1. I've got SFU 3.5 installed on a W2K3
DC with SP1. I'm using winbindd in "idmap proxy only" mode. Here's my
generic smb.conf:
workgroup = METADS
realm = META.XXX.XX "it's not the real realm, of course!"
security = ADS
server string = %h server (Samba %v)
wins support = no
wins proxy = no
wins server = nbns
dns proxy = no
name resolve order = wins bcast
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0
loglevel = 3 passdb:5 auth:5 winbind:10 idmap:10
panic action = /usr/share/samba/panic-action %d
unix charset = ISO8859-1
display charset = ISO8859-1
load printers = no
encrypt passwords = true
preferred master = no
enable privileges = yes
idmap uid = 30000-40000
idmap gid = 30000-40000
idmap backend = ad
winbind nss info = template sfu
winbind use default domain = yes
winbind nested groups = yes
template shell = /bin/bash
[profiles]
path = /var/profiles
browseable = no
read only = no
create mask = 0600
directory mode = 0700
profile acls = yes
csc policy = disable
force user = %U
[homes]
comment = Home Directories
path = /home/%U
browseable = no
writable = yes
create mask = 0600
directory mask = 0700
# root preexec = /usr/sbin/mkhomedir %U %G
[server]
comment = Test Share
path = /var/server
browseable = yes
read only = no
create mask = 0660
directory mode = 0770
Ok, let's get to the point. Winbind -u/g returns all the user and group
information out of the AD as expected. Getent passwd/group works fine
also. I have access to the shares and can view the ownership/rights via
the security tab in windoof. Doing a "chown dmg" (this group exists only
in AD!!) is also possible. But if I do a "ls -la" I only get the
gidNumber (6000) of this group!! The same happens to the owner of the
file, for example Administrator with uidNumber (37). I tried to get
around this problem using "idmap uid = 999-1000" and "idmap gid =
999-1000" as a workaround described in bug 3289 but this doesn't fix my
problem.
Here is some debugging output:
test:/var/server# ls -la
total 3
drwxrwx--- 3 6340 6000 1024 May 23 17:01 .
drwxr-xr-x 17 root root 1024 May 16 11:12 ..
drwxrwx--- 3 37 6000 1024 May 24 08:49 test
winbind output:
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: getgrgid 6000
Doing a "chown administrator.dmg test/" gives:
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: getgrgid 6000
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: getgroups root
[ 2113]: lookupname METADS\root
string_to_sid: Sid S-0-0 is not in a valid format.
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: getpwnam administrator.dmg
[ 2113]: lookupname METADS\administrator.dmg
rpc: name_to_sid name=METADS\administrator.dmg
name_to_sid [rpc] administrator.dmg for domain METADS
[ 0]: getpwnam administrator
[ 2113]: lookupname METADS\administrator
rpc: name_to_sid name=METADS\administrator
name_to_sid [rpc] administrator for domain METADS
[ 2113]: lookupsid S-1-5-21-2857693109-2026923775-3634067142-500
ads: query_user
ads query_user gave Administrator
[ 2113]: lookupsid S-1-5-21-2857693109-2026923775-3634067142-500
[ 2113]: sid to uid S-1-5-21-2857693109-2026923775-3634067142-500
Connected to LDAP server 10.33.8.108
got ldap server name ewt-master at META.EWT.DE, using bind path:
dc=META,dc=XXX,dc=XX
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =ewt-master$@META.XXX.XX
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 30 May 2006
19:17:30 CEST
ad_idmap_get_id_from_sid mapped SID
[S-1-5-21-2857693109-2026923775-3634067142-500] to POSIX UID 37
[ 0]: getgrnam dmg
rpc: name_to_sid name=METADS\dmg
name_to_sid [rpc] dmg for domain METADS
No nmbd found "Ok, only winbind is running!"
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=111)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=ewt-master$@META.EWT.DE
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Tue, 30 May 2006 19:17:30
CEST
rpc_pipe_bind: Remote machine EWT-MASTER pipe \lsarpc fnum 0xc00a bind
request returned ok.
Got challenge flags:
Got NTLMSSP neg_flags=0x62890235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080235
lsa_io_sec_qos: length c does not match size 8
Connected to LDAP server 10.33.x.xxx
got ldap server name ewt-master at META.XXX.XX, using bind path:
dc=META,dc=XXX,dc=XX
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =ewt-master$@META.XXX.XX
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 30 May 2006
19:17:30 CEST
ads lookup_groupmem for sid=S-1-5-21-2857693109-2026923775-3634067142-1366
And a wbinfo -s S-1-5-21-2857693109-2026923775-3634067142-1366 gives:
test:/var/server# wbinfo -s S-1-5-21-2857693109-2026923775-3634067142-1366
METADS\dmg 2
As you can see, the conversion sid to gid works! I've also tried
playing with the idmapping ranges, but no go.
test:/var/server# getent passwd administrator
administrator:x:37:6000:Administrator:/home/Administrator:/bin/bash
This information is also correct (The Unix attributes are set for
Administrator)
Please, could someone shed some light on this strange behaviour?
Regards, Tom
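Two offline checks for the symptom described in this mail (name -> uid works via getent, but uid -> name does not, so ls prints 37/6000), added here as an illustration and not code from the original post or from Samba. The smb.conf excerpt and the NSS answers are constructed from the values shown above; the range check is an assumption worth verifying, since the mail itself mentions experimenting with the idmap ranges.

```python
"""Diagnostics for a winbind idmap problem where name -> id resolves but
id -> name does not. Two checks a practitioner would run first:
  1. do the numeric IDs seen on disk fall inside the configured
     'idmap uid' / 'idmap gid' ranges?
  2. does the name -> id -> name round trip through NSS come back intact?
"""
import pwd
import re
from types import SimpleNamespace

# Constructed smb.conf excerpt mirroring the idmap settings in the post.
SMB_CONF = """
idmap uid = 30000-40000
idmap gid = 30000-40000
idmap backend = ad
winbind nss info = template sfu
"""

def parse_idmap_ranges(conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from 'idmap uid/gid = lo-hi' lines."""
    pat = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(conf)}

def ids_outside_ranges(conf, uids, gids):
    """IDs seen on disk (e.g. from 'ls -ln') that lie outside the configured ranges."""
    ranges = parse_idmap_ranges(conf)
    result = {}
    for kind, ids in (("uid", uids), ("gid", gids)):
        lo, hi = ranges[kind]
        result[kind] = sorted(i for i in set(ids) if not lo <= i <= hi)
    return result

def roundtrip(name, lookup_name=pwd.getpwnam, lookup_id=pwd.getpwuid):
    """name -> id -> name through NSS. Returns (id, name_back); None in the second
    slot means the reverse lookup failed, which is what makes 'ls -la' print bare
    numbers while 'getent passwd <name>' still succeeds."""
    try:
        uid = lookup_name(name).pw_uid
    except KeyError:
        return None, None
    try:
        return uid, lookup_id(uid).pw_name
    except KeyError:
        return uid, None

def simulated_nss(by_name, by_id):
    """Build pwd-style resolvers from dicts so the check runs without winbind."""
    return (lambda n: SimpleNamespace(pw_uid=by_name[n], pw_name=n),
            lambda i: SimpleNamespace(pw_uid=i, pw_name=by_id[i]))

if __name__ == "__main__":
    # Constructed scenario matching the post: forward lookup works, reverse does not.
    fwd, rev = simulated_nss({"administrator": 37}, {})
    print(roundtrip("administrator", fwd, rev))              # (37, None)
    print(ids_outside_ranges(SMB_CONF, [6340, 37], [6000]))  # {'uid': [37, 6340], 'gid': [6000]}
```

On a real host, call roundtrip("administrator") with the defaults so it goes through the system's NSS (and therefore winbind) instead of the simulated resolvers.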