[Samba] winbind + consistent uid & gid

Adams Samuel D Contr AFRL/HEDR Samuel.Adams.ctr at brooks.af.mil
Wed May 31 15:06:18 GMT 2006


It looks like this is what we want to do.  We have more than one domain in
our forest, but people should log in from only one domain to our Linux
Boxes.  So it should work still right?

"Winbind/NSS uses RID based IDMAP:

    The IDMAP_RID facility is new to Samba version 3.0.8. It was added to
make life easier for a number of sites that are committed to use of MS ADS,
that do not apply an ADS schema extension, and that do not have an installed
an LDAP directory server just for the purpose of maintaining an IDMAP table.
If you have a single ADS domain (not a forest of domains, and not multiple
domain trees) and you want a simple cookie-cutter solution to the IDMAP
table problem, then IDMAP_RID is an obvious choice.

    This facility requires the allocation of the idmap uid and the idmap gid
ranges, and within the idmap uid it is possible to allocate a subset of this
range for automatic mapping of the relative identifier (RID) portion of the
SID directly to the base of the UID plus the RID value. For example, if the
idmap uid range is 1000-100000000 and the idmap backend =
idmap_rid:DOMAIN_NAME=1000-50000000, and a SID is encountered that has the
value S-1-5-21-34567898-12529001-32973135-1234, the resulting UID will be
1000 + 1234 = 2234."

We are running samba 3.0.10 on our CentOS 4.2 boxes.  I think we have the
smb.conf file correct, but we are getting this message in our logs.

"
May 30 15:01:22 Cent01 winbindd[2861]: [2006/05/30 15:01:22, 0]
sam/idmap.c:idmap_init(142)
May 30 15:01:22 Cent01 winbindd[2861]:   idmap_init: could not load remote
backend 'idmap_rid'
May 30 15:01:22 Cent01 winbind: winbindd startup succeeded
"

According to the documentation on the samba.org website, this feature should
be available since 3.0.8.  My feeling is that Red Hat just didn't compile in
the idmap_rid.  Does the log seems to say that to you as well?  If that is
the case, is it possible to add that library as some kind of RPM without
having to compile samba from source, or is there a RPM that will work on
CentOS 4.2 that has idmap_rid?  We are going to do this on over 100 boxes,
and want the process to be a simple as possible.  

Sam Adams
General Dynamics - Network Systems
Phone: 210.536.5945
-----Original Message-----
From: samba-bounces+samuel.adams.ctr=brooks.af.mil at lists.samba.org
[mailto:samba-bounces+samuel.adams.ctr=brooks.af.mil at lists.samba.org] On
Behalf Of Michael Gasch
Sent: Tuesday, May 30, 2006 1:27 AM
To: Emmanuel Blindauer
Cc: samba at lists.samba.org
Subject: Re: [Samba] winbind + consistent uid & gid

 > Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
 > smb.conf file seemed promising, but it didn't work for me.

that´s not the only thing you have to do
please refer to the samba guide about how to setup idmap_rid correctly
it´s working for me fine on several servers

greez

Emmanuel Blindauer wrote:
> You'll have to use ldap for storing the mapping
> 
> idmap backend = ldap:ldap://your.ldap.server
> 
> and uses smbpasswd -w to store the pass to access the ldap server
> 
> Emmanuel
> 
> Le Mercredi 24 Mai 2006 17:48, Adams Samuel D Contr AFRL/HEDR a écrit :
>> I am trying to get out Linux boxes to authenticate against our AD
>> domain. We have that part working just fine using Kerberos and winbind. 
>> The problem is when we use NFS on multiple machines.  As you could
>> guess, the UIDs and GIDs are not consistent across all of the machines. 
>> From what I have been reading on the internet, this seems to be common
>> problem, but all the solutions that I have found don't seem to work for
>> me.  Putting "idmap backend = idmap_rid:DOMNAME=1000-1000000" in the
>> smb.conf file seemed promising, but it didn't work for me.  Do you have
>> any recommendations to get this to work?  It is kind of critical to have
>> a distributed file system. It is not an option to modify out AD severs.
>>
>>
>>
>> Sam Adams
>>
>> General Dynamics - Network Systems
>>
>> Phone: 210.536.5945

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


More information about the samba mailing list