[Samba] IDMAP RID problems and documentation

Plant, Dean dean.plant at roke.co.uk
Wed Dec 19 17:30:01 GMT 2007

Charles Marcus wrote:
> Plant, Dean, on 12/19/2007 8:58 AM, said the following:
>> John wrote:
>>> Hello List,
>>> After upgrading to 3.0.25b (Also tried 3.0.28) I tried to make use
>>> of the new syntax for IDMAP. But I failed. Also, there is a lack of
>>> documentation on how to use it. (Yes there is a man, but it contains
>>> limited explanation and examples).
>>> What do I want?  What (I think a lot of people want)
>>> I have two samba domain members and a Windows 2003 DC without R2 /
>>> SFU schema extension. So I want to make use of the RID facility.
>>> Same GID/ UID mappings on all samba servers in the domain, with
>>> support of BUILTIN groups, and without installing schema extensions
>>>  on the DC. I assume that RID was designed for this scenario
>>> Can anyone assist me and everyone on list struggling with the same
>>> problems, how to properly configure SAMBA for this scenario?
>>> Old syntax works, but lacks support for BUILT-IN groups, and gives
>>> following complaints in syslog
>>> Module '/usr/lib/samba/idmap/rid.so' initialization failed:
>>> and:
>>> lib/util_str.c:safe_strcpy_fn(659)
>>> Dec 19 13:12:47 s-0009 winbindd[5454]:   ERROR: string overflow by 1
>>> (256 - 255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255)
>>> in safe_strcpy [Added timed event "async_request_timeout": 8843878
>> I have just fixed one of our Samba servers this morning after the
>> upgrade from CentOS 5 -> 5.1 broke winbind resolution.
>> The below winbind config worked for me.
> I'm curious - what exactly CHANGED (or, what did you have to change)?
We had been running with these idmap settings for an AD integrated file
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 idmap backend = rid:"US=16777216-33554431"

After the upgrade to CentOS 5.1 our winbind mappings were lost and group
permissions were no longer working. Reading the Samba release notes and
trawling the net I found the below settings, although as it has been
pointed out the "idmap alloc config" is not required. With these
settings all winbind mappings were restored and everything seems to be
working as normal.

    idmap domains = US
    idmap config US: default = yes
    idmap config US: backend = rid
    idmap config US: range = 16777216-33554431
    idmap alloc config: range = 16777216-33554431
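
Added example (not part of the original post and not Samba's own code): the arithmetic that idmap_rid(8) documents for the rid backend, ID = RID - BASE_RID + LOW_RANGE_ID, applied to the range from the config above. The SIDs are constructed sample values and base_rid = 0 is an assumption, since the post does not set it.

```python
# Illustration of the mapping documented in idmap_rid(8):
#   ID  = RID - BASE_RID + LOW_RANGE_ID
#   RID = ID + BASE_RID - LOW_RANGE_ID
# Not Samba source code. SIDs below are constructed sample values.

LOW, HIGH = 16777216, 33554431   # "idmap config US: range" from the post
BASE_RID = 0                     # assumed (base_rid is not set in the post)


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain_sid, rid)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_id(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Return the Unix ID for a RID, or None if it falls outside the range."""
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if unix_id <= high else None


def id_to_rid(unix_id, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Reverse mapping; None if the ID is not owned by this range."""
    if not low <= unix_id <= high:
        return None
    return unix_id + base_rid - low


def sid_to_id(sid, domain_sid, **kw):
    """Map a SID only if it belongs to the configured domain."""
    dom, rid = split_sid(sid)
    return rid_to_id(rid, **kw) if dom == domain_sid else None


if __name__ == "__main__":
    DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
    # Last entry is the well-known BUILTIN\Administrators SID, outside DOMAIN.
    for sid in (DOMAIN + "-513", DOMAIN + "-1104", "S-1-5-32-544"):
        print(sid, "->", sid_to_id(sid, DOMAIN))
```

The result depends only on the RID and the configured range, so two domain members with identical range settings compute the same UID/GID without sharing any state.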

