[Samba] Re: IDMAP RID problems and documentation

John jknappers-argentia at hotmail.com
Fri Dec 21 10:05:46 GMT 2007

"Plant, Dean" <dean.plant at roke.co.uk> wrote in message
news:2181C5F19DD0254692452BFF3EAF1D6803940B3E at rsys005a.comm.ad.roke.co.uk...
Charles Marcus wrote:
> Plant, Dean, on 12/19/2007 8:58 AM, said the following:
>> John wrote:
>>> Hello List,
>>> After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use
>>> of the new syntax for IDMAP, but I failed. Also, there is a lack of
>>> documentation on how to use it. (Yes, there is a man page, but it
>>> contains limited explanation and examples.)
>>> What do I want? What (I think) a lot of people want:
>>> I have two Samba domain members and a Windows 2003 DC without the R2 /
>>> SFU schema extension, so I want to make use of the RID facility:
>>> the same GID/UID mappings on all Samba servers in the domain, with
>>> support for BUILTIN groups, and without installing schema extensions
>>> on the DC. I assume that RID was designed for this scenario.
>>> Can anyone assist me, and everyone on the list struggling with the same
>>> problems, with how to properly configure Samba for this scenario?
>>> The old syntax works, but lacks support for BUILT-IN groups, and gives
>>> the following complaints in syslog:
>>> Module '/usr/lib/samba/idmap/rid.so' initialization failed:
>>> and:
>>> lib/util_str.c:safe_strcpy_fn(659)
>>> Dec 19 13:12:47 s-0009 winbindd[5454]:   ERROR: string overflow by 1
>>> (256 - 255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255)
>>> in safe_strcpy [Added timed event "async_request_timeout": 8843878
>> I have just fixed one of our Samba servers this morning after the
>> upgrade from CentOS 5 -> 5.1 broke winbind resolution.
>> The below winbind config worked for me.
> I'm curious - what exactly CHANGED (or, what did you have to change)?

We had been running with these idmap settings for an AD integrated file

 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 idmap backend = rid:"US=16777216-33554431"

After the upgrade to CentOS 5.1 our winbind mappings were lost and group
permissions were no longer working. Reading the Samba release notes and
trawling the net I found the below settings, although as it has been
pointed out the "idmap alloc config" is not required. With these
settings all winbind mappings were restored and everything seems to be
working as normal.

    idmap domains = US
    idmap config US: default = yes
    idmap config US: backend = rid
    idmap config US: range = 16777216-33554431
    idmap alloc config: range = 16777216-33554431


Thank you for your reply, but the mentioned configuration breaks "getent
passwd" in our setup. "getent group" works, and "wbinfo -u" also works. Does
anybody have an idea what else can cause Samba winbind on CentOS 4.6 to fail?
