[Samba] Issues with migration from default mapping to idmap_rid in 3.0.26a

Jens Nissen jens.nissen at gmx.net
Tue Apr 8 10:03:57 GMT 2008


What I want to do:
I have a lot of Samba AD member servers which all should have the same 
mapping of Domain Users (SIDs) to local UID/GID, so files with ACLs can 
be moved from one machine to another and still grant the access rights 
to the same users as on the other machine.

What I have:

idmap uid=1000-60000
idmap gid=1000-60000
winbind use default domain=no
winbind enum users=Yes
winbind enum groups=Yes
winbind nested groups=Yes
winbind nss info=template
winbind offline logon=True
security=Ads
passdb backend=tdbsam

This is working fine, but (of course) leads to indeterministic UID/GID 
mappings.

So I want to change to RID - this is all I changed:

#idmap uid=1000-60000
#idmap gid=1000-60000
idmap domains=MYDOMAIN
idmap config MYDOMAIN:backend=rid
idmap config MYDOMAIN:base_rid=1000
idmap config MYDOMAIN:range=998 - 60000

(I have two manually mapped groups, thus starting the allowed range at 998)
I clear all TDB files and join the server from scratch to the domain.
This still works.

Then I look at
wbinfo -u
which shows all Domain users correctly.

Trouble already starts with
wbinfo -i MYDOMAIN\\dagobert
 > Could not get info for user MYDOMAIN\\dagobert

The Domain Administrator can actually connect to the Samba server, but 
no other user can.
From the log, I retrieve a lot of lines like this:

   Could not query gid for user MYDOMAIN\dagobert
[2008/04/08 11:12:34, 5] lib/username.c:Get_Pwnam_internals(83)
   Trying _Get_Pwnam(), username as given is MYDOMAIN\dagobert
[2008/04/08 11:12:34, 10] nsswitch/winbindd.c:process_request(314)
   process_request: request fn GETPWNAM
[2008/04/08 11:12:34, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
   [20573]: getpwnam MYDOMAIN\dagobert
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
   Retrieving response for pid 15771
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
   Retrieving response for pid 15771
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
   Retrieving response for pid 15786
[2008/04/08 11:12:34, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
   winbindd_sid2gid_async: Resolving S-1-5-21-1214440339-113007714-839522115-513 to a gid
[2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
   Retrieving response for pid 15786
[2008/04/08 11:12:34, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
   sid2gid returned an error

It looks as though conversion of SIDs to IDs is not correctly working.

# wbinfo -G 1000
S-1-5-21-1214440339-113007714-839522115-1002
# wbinfo -S S-1-5-21-1214440339-113007714-839522115-1002
Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to uid
# wbinfo -Y S-1-5-21-1214440339-113007714-839522115-1002
Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to gid
# wbinfo -R 1000
Domain: MYDOMAIN
     1000: TsInternetUser (User)

Manually added SIDs are actually working, so winbind is operational:

# wbinfo -Y S-1-5-13
998

So my questions are:
(1) Is idmap_rid suitable for what I want?
(2) Is idmap_rid working in 3.0.26a, is there someone who got this working?
(3) Is there anything else I need to change in smb.conf when migrating 
as above?
(4) Is there some trick with compilation/configuration necessary? I have 
an Intel ARM Big Endian architecture and have the RID module statically 
linked (dynamic loading does not work on this architecture).

Kind regards and thanks for any advice or help,

Jens

P.S. testparm of smb.conf

[global]
         dos charset = ISO-8859-1
         unix charset = ISO-8859-1
         display charset = ISO-8859-1
         workgroup = MYDOMAIN
         realm = MYDOMAIN.TEST
         server string = myserver
         interfaces = ixp0
         security = ADS
         allow trusted domains = No
         password server = sbs2000.mydomain.test
         private dir = /var/lib/adsamba/private
         passdb backend = tdbsam
         guest account = samba
         username map = /etc/cfg_user/usermap.ads
         log level = 6 winbind:10
         log file = /export/log/smblog.ad
         max log size = 0
         name resolve order = wins bcast host
         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
         load printers = No
         show add printer wizard = No
         preferred master = No
         local master = No
         domain master = No
         wins server = 192.168.1.4
         lock directory = /var/lib/adsamba
         idmap domains = MYDOMAIN
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind offline logon = Yes
         ldapsam:trusted = No
         idmap config MYDOMAIN:range = 998 - 60000
         idmap config MYDOMAIN:base_rid = 1000
         idmap config MYDOMAIN:backend = rid
         ea support = Yes

[shared]
         comment = ACL shared folder
         path = /export/shared
         read only = No
         create mask = 0777
         directory mask = 0777
         inherit permissions = Yes
         inherit acls = Yes
         inherit owner = Yes
         map acl inherit = Yes
         map archive = No
         map readonly = no
         store dos attributes = Yes
         dos filemode = Yes
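An added example, not part of the post or of Samba's own code: a Python model of the RID-to-ID arithmetic idmap_rid uses from 3.0.25 on (id = rid - base_rid + low_id, the reverse for ID-to-SID, and the result filtered against the configured range), fed the post's own idmap settings and domain SID. The algorithm is an assumption of this model, not something the post confirms; run against the settings above it reproduces the `wbinfo -G 1000` result and shows that RID 513 (Domain Users, the SID the log fails on) falls below the range once base_rid is 1000, while RID 1002 would be expected to map to id 1000.

```python
import re

# Constructed excerpt with the idmap settings from the post (not a full smb.conf).
SMB_CONF = """
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:base_rid = 1000
idmap config MYDOMAIN:range = 998 - 60000
"""

DOMAIN_SID = "S-1-5-21-1214440339-113007714-839522115"  # domain SID seen in the post


def parse_idmap_config(conf, domain):
    """Return (base_rid, low_id, high_id) for the given idmap domain."""
    opts = {}
    for m in re.finditer(r"idmap config %s:(\w+)\s*=\s*(.+)" % re.escape(domain), conf):
        opts[m.group(1)] = m.group(2).strip()
    low, high = (int(x) for x in re.split(r"\s*-\s*", opts["range"]))
    return int(opts.get("base_rid", 0)), low, high


def sid_to_id(sid, base_rid, low, high):
    """Assumed idmap_rid SID -> ID step: id = rid - base_rid + low_id,
    then the result is rejected unless it lies inside [low_id, high_id]."""
    rid = int(sid.rsplit("-", 1)[1])
    xid = rid - base_rid + low
    if xid < low or xid > high:
        return None  # out of range: the SID stays unmapped (sid2gid/sid2uid fails)
    return xid


def id_to_sid(xid, base_rid, low, high, domain_sid=DOMAIN_SID):
    """Assumed reverse step: rid = id - low_id + base_rid."""
    if xid < low or xid > high:
        return None
    return "%s-%d" % (domain_sid, xid - low + base_rid)


def expected_mappings():
    """Apply the model to the cases the post exercises."""
    base, low, high = parse_idmap_config(SMB_CONF, "MYDOMAIN")
    return {
        "id 1000 -> sid": id_to_sid(1000, base, low, high),
        "rid 1002 -> id": sid_to_id(DOMAIN_SID + "-1002", base, low, high),
        "rid 513 (Domain Users) -> id": sid_to_id(DOMAIN_SID + "-513", base, low, high),
        "rid 500 (Administrator) -> id": sid_to_id(DOMAIN_SID + "-500", base, low, high),
    }


if __name__ == "__main__":
    for case, result in expected_mappings().items():
        print(case, "=>", result)
```

Under this model `wbinfo -S ...-1002` should have returned 1000, so its failure in the post is not explained by the range alone; the unmapped RID 513 is, because every RID below base_rid lands under low_id.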
