[Samba] IDMAP RID problems and documentation
Plant, Dean
dean.plant at roke.co.uk
Wed Dec 19 17:30:01 GMT 2007
Charles Marcus wrote:
> Plant, Dean, on 12/19/2007 8:58 AM, said the following:
>> John wrote:
>>> Hello List,
>>>
>>> After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use
>>> of the new syntax for IDMAP. But I failed. Also there is a lack of
>>> documentation on how to use it. (Yes there is a man, but it contains
>>> limited explanation and examples).
>>>
>>> What do I want? What (I think a lot of people want)
>>> I have two samba domain members and a Windows 2003 DC without R2 /
>>> SFU schema extension. So I want to make use of the RID facility.
>>> Same GID/ UID mappings on all samba servers in the domain, with
>>> support of BUILTIN groups, and without installing schema extensions
>>> on the DC. I assume that RID was designed for this scenario.
>>> Can anyone assist me and everyone on list struggling with the same
>>> problems, how to properly configure SAMBA for this scenario?
>>>
>>> Old syntax works, but lacks support for BUILT-IN groups, and gives
>>> the following complaints in syslog
>>> Module '/usr/lib/samba/idmap/rid.so' initialization failed:
>>> NT_STATUS_OBJECT_NAME_COLLISION
>>> and:
>>> lib/util_str.c:safe_strcpy_fn(659)
>>> Dec 19 13:12:47 s-0009 winbindd[5454]: ERROR: string overflow by 1
>>> (256 - 255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255)
>>> in safe_strcpy [Added timed event "async_request_timeout": 8843878
>>>
>>
>> I have just fixed one of our Samba servers this morning after the
>> upgrade from CentOS 5 -> 5.1 broke winbind resolution.
>>
>> The below winbind config worked for me.
>
> I'm curious - what exactly CHANGED (or, what did you have to change)?
>
We had been running with these idmap settings for an AD integrated file
server.

    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    idmap backend = rid:"US=16777216-33554431"

After the upgrade to CentOS 5.1 our winbind mappings were lost and group
permissions were no longer working. Reading the Samba release notes and
trawling the net I found the below settings, although as it has been
pointed out the "idmap alloc config" is not required. With these
settings all winbind mappings were restored and everything seems to be
working as normal.

    idmap domains = US
    idmap config US: default = yes
    idmap config US: backend = rid
    idmap config US: range = 16777216-33554431
    idmap alloc config: range = 16777216-33554431

Dean
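
Added example (not part of the original post and not Samba's own code): a Python sketch of the mapping formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, using the range from the settings above. It shows why every member server with the same range derives the same UID/GID without shared state. The domain SID is constructed and base_rid = 0 is an assumed default.

```python
# Added example: the mapping formula documented in idmap_rid(8),
# not Samba source code.
LOW, HIGH = 16777216, 33554431  # "idmap config US: range" from the post
BASE_RID = 0                    # assumption: base_rid left at its default

# Constructed domain SID, for illustration only.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def split_sid(sid):
    """Split a string SID into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a valid SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(rid, low=LOW, high=HIGH, base_rid=BASE_RID):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_rid(unix_id, low=LOW, high=HIGH, base_rid=BASE_RID):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def map_sid(sid, domain_sid=DOMAIN_SID):
    """Map a SID of the configured domain; other SIDs are not covered
    by this domain's range and come back as None."""
    dom, rid = split_sid(sid)
    return rid_to_unix_id(rid) if dom == domain_sid else None


if __name__ == "__main__":
    # Constructed RIDs: two in range, the last usable one, one past it.
    for rid in (513, 1105, 16777215, 16777216):
        sid = f"{DOMAIN_SID}-{rid}"
        print(sid, "->", map_sid(sid))
```

With this range the largest RID that still maps is 16777215; anything above it falls outside the range and stays unmapped.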