[Samba] Member server - group and user mapping with winbind

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Sep 20 10:50:08 GMT 2007


I now have one PDC (Samba 3.026a on Solaris 10) and several member servers
(including Samba 3.026a on Solaris 9 and 10, and Samba 3.024 on Fedora core
6.)  Each machine uses NIS for unix accounts.


If I start smbd and nmbd on a member server, I can connect to a share from a
Windows 2000 or XP client.  If I look at the permissions on a folder, it
shows "Unix Account/someuser" or "UnixGroup/somegroup" instead of
"Domain/someuser" or "domain/someaccount."  If I want to add users, I can
browse users or groups from the domain but the permissions don't hold.  If,
after I have already connected to a share, I then start winbindd, the file
permissions will show the domain component, and I can set permissions.
However, if I start winbindd before I connect to the share, I just get
prompted for a user name and password, and I am unable to connect.

The "Samba by Example" book indicates that even if I am using NIS for user
accounts, and not using LDAP for an idmap backend, I still need to use
winbindd to map SIDs.   It isn't clear to me if I do need to update
nsswitch.conf to use winbindd.  (It doesn't seem to matter either way.)

So my smb.conf includes the following:


     idmap uid = 10000-20000
     idmap gid = 10000-20000
     template shell = /bin/bash
     winbind use default domain = yes
     winbind trusted domains only = no
     winbind enum users = Yes
     winbind enum groups = Yes
     Workgroup = MYDOMAIN
     security = domain
     Password server = MYPDC

I have tried changing the "winbind use default domain" and "winbind trusted
domains only" settings.  I have tried enabling and disabling winbind in
nsswitch.conf.  It seems smbd will attempt to use winbindd if running
regardless of nsswitch.  I also ran the following command

   wbinfo --set-auth-user=Administrator
(although I have no way of verifying if that really does anything.)

"wbinfo -u" and "wbinfo -g" do show my domain accounts.

If I ssh into the member server, and winbindd is enabled before nis in
nsswitch.conf, I can login but I get the message "Could not chdir to home
directory /home/MYDOMAIN/myname: No such file or directory"

The winbindd.log file shows MYDOMAIN address as trusted domain when
starting.   It just looks like winbindd handles account mappings for file
permissions but not for user authentication.

One of the member servers is running dual IP addresses, with Samba bound on
one and PCNetlink (Sun's old functional equivalent of Samba) bound on the
other (separate NetBIOS host names and each service explicitly set to one IP
address.)  Running winbindd on this machine also breaks PCNL authentication.
Weird.



I would appreciate it if anyone can shed some light on either what the problem is
or at least can clarify how winbindd should be working.

 

-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com] 
Sent: Tuesday, September 18, 2007 5:50 PM
To: samba
Subject: group mapping on a member server - winbindd and solaris 10


From what I can tell it does look as if I have to run winbindd on member
servers, even if NIS is used, to get SIDs mapping consistently across the
domain.

The PDC is Samba 3.025a on Solaris 10. Two member servers are Samba 3.025a
on Solaris 9.

If I start winbindd on a member server, the "wbinfo -u" and "wbinfo -g"
commands show my users and groups.   However, the winbindd.log shows

[2007/09/18 17:36:39, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine MYPDC pipe \lsarpc fnum 0x74c1 bind request returned ok.
[2007/09/18 17:36:39, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine MYPDC pipe \lsarpc fnum 0x74c2 bind request returned ok.
[2007/09/18 17:36:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/09/18 17:36:39, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine MYPDC pipe \lsarpc fnum 0x74c2!
[2007/09/18 17:36:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8



I also have a member server running Samba 3.024 on Fedora Core 6. Winbind
does not generate this error.  I also don't get this error if I run winbindd
on the PDC (although I don't  have any need to, since group mapping is
working fine on that machine.)

I have not set up winbind entries in nsswitch.conf on any server. (Not sure
if I need to and whether it will cause issues with unix level logins.)

Thanks


----------------------------------------------------------------------------------------
From: 	Gaiseric Vandal <gaiseric.vandal at gmail.com>
To: 	samba <samba at lists.samba.org>
Subject: 	[Samba] group mapping on a member server
Date: 	Mon, 17 Sep 2007 17:18:00 -0400


I have installed a Samba 3.025a PDC and 2 member servers. All on
Solaris.   (The Samba PDC replaced a NT4 PDC. Account data was
migrated with the "net vampire" command.)  All Solaris machines use NIS.  On
the PDC I created group mappings between the NIS groups and the Windows
groups.

I can access file shares on all machines from Win XP or Win 2000 clients.
On the security properties of a directory on the PDC, I can view and set
user and group permissions.  The users and groups show the correct domain.
For example, assuming the domain is "ACME",

    "johnsmith (ACME\johnsmith)"
    "sales (ACME\sales)"

On the member server shares, I can attempt to add users and groups from the
"ACME" domain, but they don't stick.  Permissions set on the unix level show
up as

    "johnsmith (unix user\johnsmith)"
    "sales (unix group\sales)"


This is the sunfreeware build of Samba, with ACL support enabled by default.
Solaris supports ACLs so I can add multiple groups or users on the Solaris
level.  And I do seem to have the proper access.

Logs on the member servers show

[2007/09/17 16:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1423)
  create_canon_ace_lists: unable to map SID S-xyzxyz--xyzxyz-xyzxyz to uid or gid.

When I created the group mappings, I explicitly set RIDs.  (Domain Admins =
512, sales = 10001, etc.)


I am not running Winbind on any machine since I am not attempting to do unix
level authentication against the samba accounts.

Advice is appreciated

Thanks
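
As an added example (not from this thread or the Samba project), here is a small Python triage script that parses the Samba 3 log format quoted in the messages above and counts the three symptoms they show: the create_canon_ace_lists SID-mapping failure from the member server's smbd log, the DCERPC_FAULT_OP_RNG_ERROR on the \lsarpc pipe, and the lsa_io_sec_qos length mismatch from winbindd.log. The sample log and its SID are constructed, and the function names are my own.

```python
import re
from collections import Counter

# Samba 3 log header "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"; message lines follow it, indented by two spaces.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+?):(\w+)\((\d+)\)$")
UNMAPPED_SID = re.compile(r"unable to map SID (S-\S+) to uid\s+or gid")
RPC_FAULT = re.compile(r"RPC fault code (\w+) received from remote machine (\S+)")
QOS_MISMATCH = re.compile(r"lsa_io_sec_qos: length (\w+) does not match size (\d+)")

# Constructed sample modelled on the thread's excerpts; the SID below is made up.
SAMPLE_LOG = """\
[2007/09/18 17:36:39, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine MYPDC pipe \\lsarpc fnum 0x74c1 bind request returned ok.
[2007/09/18 17:36:39, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/09/18 17:36:39, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine MYPDC pipe \\lsarpc fnum 0x74c2!
[2007/09/17 16:02:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1423)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-10001 to uid
  or gid.
"""

def parse_samba_log(text):
    """Group each header line with its indented (possibly wrapped) message lines into one entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func, lineno = m.groups()
            entries.append({"ts": ts, "level": int(level), "src": src,
                            "func": func, "line": int(lineno), "msg": []})
        elif entries and line.startswith("  "):
            entries[-1]["msg"].append(line.strip())   # continuation of the current message
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries

def triage(text):
    """Count the idmap/winbind symptoms from the thread; return the counts and the unmapped SIDs."""
    findings = Counter()
    unmapped = []
    for e in parse_samba_log(text):
        if m := UNMAPPED_SID.search(e["msg"]):
            findings["unmapped_sid"] += 1      # ACL entry smbd could not resolve to a uid/gid
            unmapped.append(m.group(1))
        elif RPC_FAULT.search(e["msg"]):
            findings["rpc_fault"] += 1         # LSA pipe fault while talking to the PDC
        elif QOS_MISMATCH.search(e["msg"]):
            findings["qos_mismatch"] += 1      # lsa_io_sec_qos length mismatch in the reply
    return findings, unmapped
```

The SIDs it returns are the ones worth resolving by hand with "wbinfo -s" on the member server to see whether winbindd can map them at all.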


