[Samba] IDMAP RID problems and documentation

John jknappers-argentia at hotmail.com
Wed Dec 19 12:48:54 GMT 2007


Hello List,

After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use of the 
new syntax for IDMAP, but I failed. Also, there is a lack of documentation 
on how to use it. (Yes, there is a man page, but it contains limited 
explanation and examples.)

What do I want? (What I think a lot of people want.)
I have two Samba domain members and a Windows 2003 DC without the R2 / SFU 
schema extension, so I want to make use of the RID facility:
the same GID/UID mappings on all Samba servers in the domain, with support 
for BUILTIN groups, and without installing schema extensions on the DC.
I assume that RID was designed for this scenario.
Can anyone assist me, and everyone on the list struggling with the same 
problems, with how to properly configure Samba for this scenario?

The old syntax works, but lacks support for BUILT-IN groups, and gives the 
following complaints in syslog:
Module '/usr/lib/samba/idmap/rid.so' initialization failed: 
NT_STATUS_OBJECT_NAME_COLLISION
and:
lib/util_str.c:safe_strcpy_fn(659)
Dec 19 13:12:47 s-0009 winbindd[5454]:   ERROR: string overflow by 1 (256 - 
255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255) in safe_strcpy 
[Added timed event "async_request_timeout": 8843878



The new syntax I tried:
       idmap domains                                    = DOMAIN-NL
       idmap config DOMAIN:default           = yes
       idmap configDOMAIN:backend         =  rid
       idmap config DOMAIN:base_rid       = 1000
       idmap config DOMAIN:range            = 1000-1000000

# For BUILTIN GROUPS
       idmap alloc backend                         = tdb
       idmap alloc config:range                    = 800-999

After restarting samba/winbind, it fails after 2-3 minutes.
wbinfo -u and wbinfo -g work OK.
getent group also works OK, but getent passwd does not show domain users 
anymore.
Leaving ADS, cleaning up all tdb's and rejoining ADS did not provide the 
solution.

I also tried several other options, but all failed the same way.
     idmap domains                                    =  BUILTIN, DOMAIN
       idmap config DOMAIN:default           = yes
       idmap configDOMAIN:backend         =  rid
       idmap config DOMAIN:base_rid       = 1000
       idmap config DOMAIN:range            = 1000-1000000
       idmap config BUILTIN:backend            = tdb
       idmap config BUILTIN:base_rid           = 800
       idmap config BUILTIN:range              = 800-999


OS: CentOS 4.6
Samba version: CentOS/ RH 3.0.25b (with backported fixes from 3.0.28) and 
samba 3.0.28
No nscd running
Snippet of /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

Full smb.conf
# Global parameters
[global]
        workgroup = DOMAIN-NL
        security = ADS
        netbiosname = s-0009-a
        realm = CORP.DOMAIN.NL
        server string = SAMBA DOOS
         Loglevel = 10
        interfaces = eth2 lo
        bind interfaces only = yes
        preferred master = no
        domain master = no
        allow trusted domains = no
        winbind separator = /
# Officially supported old syntax
        idmap backend = rid
        idmap uid = 1000-1000000
        idmap gid = 1000-1000000

# New syntax equivalent to pre-3.0.25 tdb
#         idmap domains = DOMAIN-NL
#         idmap config DOMAIN-NL:default = yes
#         idmap config DOMAIN-NL:backend = tdb
#         idmap configDOMAIN-NL:range   = 1000 - 1000000
#         idmap alloc backend = tdb
#         idmap alloc config:range = 1000 - 1000000

# New syntax rid
#       idmap domains                                      = DOMAIN-NL
#       idmap config DOMAIN-NL:default      = yes
#       idmap config DOMAIN-NL:backend    = rid
#       idmap config DOMAIN-NL:base_rid    = 1000
#       idmap config DOMAIN-NL:range         = 1000-1000000

#       idmap config BUILTIN:backend            = tdb
#       idmap config BUILTIN:base_rid           = 800
#       idmap config BUILTIN:range              = 800-999

#       idmap alloc backend                     = tdb
#       idmap alloc config:range                = 800-999


        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes

        template homedir = /home/domain-nl/%U
        template shell = /bin/bash
        wins server = 192.168.0.51
        load printers = no
        printing = cups
        printcap name = cups
        show add printer wizard = yes
        use client driver = yes


[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        public = yes
        guest ok = yes
        writable = no
        printable = yes
        printer admin = @"Domain Admins"
# Printer shares

[print$]
        comment = Printer Driver Download Area
        path = /var/lib/samba/drivers
        browseable = yes
        guest ok = yes
        read only = no
        write list = @ntadmin, @"Domain Admins", root
        admin users = @"Domain Admins", @ntadmin, root, administrator, admin

[Homedirs]
        comment = De gebruikers directories
        path = /home/domain-nl/
        force group = users
        read only = No
        create mask = 0644
        hide dot files = Yes
        hide unreadable = Yes
        admin users = @"DOMAIN-NL/Domain Admins"
        valid users = @"DOMAIN-NL/Domain Admins"

Regards,
John
The Netherlands
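
An added example, not part of the original post and not Samba code: a small lint that reports where 3.0.25-style idmap lines disagree with each other (a domain name used under `idmap config` that is not listed in `idmap domains`, a key missing the space after `idmap config`, overlapping ID ranges). The helper `lint_idmap` and the embedded sample are constructed here from the first new-syntax attempt quoted above; the script compares the lines with one another and does not reproduce winbindd's own parsing.

```python
import re
from itertools import combinations

# Constructed sample: the first new-syntax attempt from the post, keys as posted.
SAMPLE = """\
idmap domains = DOMAIN-NL
idmap config DOMAIN:default = yes
idmap configDOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
idmap alloc backend = tdb
idmap alloc config:range = 800-999
"""

def parse_range(value):
    return tuple(int(part) for part in value.split("-", 1))

def lint_idmap(text):
    """Return review findings for 3.0.25-style idmap settings (hypothetical helper)."""
    findings, declared, configured, ranges = [], set(), set(), {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", " ", key)  # collapse the column-alignment padding
        lowered = key.lower()
        if lowered == "idmap domains":
            declared = {name.strip().upper() for name in value.split(",")}
        elif lowered == "idmap alloc config:range":
            ranges["alloc"] = parse_range(value)
        elif lowered.startswith("idmap config "):
            domain, _, option = key[len("idmap config "):].partition(":")
            configured.add(domain.strip().upper())
            if option.strip().lower() == "range":
                ranges[domain.strip().upper()] = parse_range(value)
        elif lowered.startswith("idmap config"):
            findings.append(f"line {number}: no space after 'idmap config' in {key!r}")
    for domain in sorted(configured - declared):
        findings.append(f"'idmap config {domain}:' is set but {domain} is not in 'idmap domains'")
    for domain in sorted(declared - configured):
        findings.append(f"{domain} is in 'idmap domains' but has no 'idmap config {domain}:' lines")
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:  # closed intervals intersect
            findings.append(f"ranges for {a} and {b} overlap")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_idmap(SAMPLE)))
```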








