[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?

simo idra at samba.org
Wed Sep 10 12:44:43 GMT 2008


On Wed, 2008-09-10 at 11:50 +0100, Hari Sekhon wrote:
> simo wrote:
> > On Tue, 2008-09-09 at 15:52 +0100, Hari Sekhon wrote:
> >   
> >> Hi,
> >>
> >>    I've noticed a discrepancy between Samba Version 3.0.28a and Version 
> >> 3.0.24 in relation to Winbind rid idmap and trusted domains behaviour.
> >>
> >> I have an environment with 2 domains linked via a trust, an Active 
> >> Directory domain and an NT4 domain. On 3.0.24 the rid backend seems to 
> >> work fine, but on 3.0.28a it shows OTHERDOMAIN\domain admins instead of 
> >> the primary domain's domain admins in uid/name mapping on files.
> >>
> >> Below is a relevant snippet of the identical samba configuration on both 
> >> machines:
> >>
> >> allow trusted domains = no
> >> idmap backend = rid
> >> idmap config PRIMARYDOMAIN:range = 10000-19999
> >> idmap config OTHERDOMAIN:range = 20000-29999
> >> idmap gid = 10000-30000
> >> idmap uid = 10000-30000
> >>     
> >
> > Hari, this is not, as is, a valid configuration for either version; is
> > this the full configuration used?
> >
> >   
> >> Testparm confirms that allow trusted domains is set to No, so it seems 
> >> that 3.0.28a does not respect the fact that trusted domains are not 
> >> supposed to be allowed at all? This seems to break the way the rid 
> >> backend works of course as there is a rid clash with the other domain.
> >>     
> >
> > Allow trusted domains = no controls only authentication/access to the
> > service not id resolution.
> >
> >   
> >> This output from wbinfo --group-info shows the name clash:
> >>
> >> domain admins:x:10512
> >> OTHERDOMAIN\domain admins:x:10512
> >>
> >> Can anyone offer any advice on what to do about this?
> >> I am running 3.0.24 on Debian Etch and 3.0.28a on Gentoo, for which 
> >> those are the latest stable versions packaged for the systems. I have 
> >> tried 3.0.32 and the problem seems to occur there too. Is this a bug 
> >> that has crept in after 3.0.24?
> >>     
> >
> > If that is the configuration you use, it seems more like a configuration
> > error.
> >
> > Simo.
> >   
> It's not the entire configuration; obviously I have left out lots of 
> implicit options like security = ads etc., but I have been playing with 
> using the rid idmap backend for unified id mapping across systems as 
> mentioned in the official Samba documentation (as it means I don't have 
> to change my pre-R2 2003 Active Directory).
> 
> Testparm does not show any config error, the options are valid and 
> appear in the global section of the dump of service configurations as 
> accepted.
> 
> This works absolutely as expected on 3.0.24 so far, but on 3.0.28a and 
> 3.0.32 it seems a touch broken because of the cross-domain id 
> collision.

I guess a look at the idmap_rid manpage would help then.

To have it working as expected on 3.0.25+ you should add the following
parameters:

idmap domains = PRIMARYDOMAIN OTHERDOMAIN
idmap config PRIMARYDOMAIN:backend = rid
idmap config PRIMARYDOMAIN:default = yes
idmap config OTHERDOMAIN:backend = rid

and remove the:

idmap backend = rid


and optionally (to avoid a 1000-id hole at the start of each range):
idmap config PRIMARYDOMAIN:base_rid = 1000
idmap config OTHERDOMAIN:base_rid = 1000


see the idmap_rid(8) manpage.


Also note that your configuration will probably be ok when we release
Samba 3.3.0, as we slightly modified the code to avoid the 'idmap
domains' parameter and to make 'idmap backend' the main backend used
again. But until then your current configuration is not correct for
3.0.25+, and the 'idmap config' directives are ignored without the 'idmap
domains' one.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>
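As an added illustration (not code from this thread or from Samba itself), the Python model below applies the mapping rule documented in idmap_rid(8), id = rid - base_rid + low_id, filtered to the domain's range, to the two configurations discussed above: the domain names and ranges are the ones from the thread, and RID 512 is the well-known Windows RID for Domain Admins. It reproduces the 10512 collision from the wbinfo output, shows the separate-range result, and also shows the manpage's base_rid behaviour, under which RIDs below base_rid are not mapped.

```python
# Added example (not from the mailing-list thread): models how idmap_rid
# turns a SID's RID into a Unix id, following the idmap_rid(8) description
#   id = rid - base_rid + low_id, valid only if low_id <= id <= high_id.
# Domain names and ranges are taken from the thread; RID 512 is the
# well-known "Domain Admins" RID.

from typing import Optional

WELL_KNOWN_RIDS = {"domain admins": 512}


def rid_to_id(rid: int, low_id: int, high_id: int, base_rid: int = 0) -> Optional[int]:
    """Return the Unix id for a RID under one domain's range, or None if filtered."""
    unix_id = rid - base_rid + low_id
    if unix_id < low_id or unix_id > high_id:
        return None  # outside the domain's range: idmap_rid reports it as unmapped
    return unix_id


def map_group(domains: dict, domain: str, group: str) -> Optional[int]:
    """Map DOMAIN\\group to a gid using that domain's configured range."""
    cfg = domains[domain]
    return rid_to_id(WELL_KNOWN_RIDS[group], cfg["low"], cfg["high"], cfg.get("base_rid", 0))


def collides(domains: dict, group: str) -> bool:
    """True if two domains map the same group name onto the same gid."""
    ids = [map_group(domains, d, group) for d in domains]
    return len(ids) != len(set(ids))


# Hari's 3.0.28a config: a single global 'idmap backend = rid' with
# 'idmap uid/gid = 10000-30000'; the per-domain 'idmap config' ranges are
# ignored without 'idmap domains', so both domains share one range.
BROKEN = {
    "PRIMARYDOMAIN": {"low": 10000, "high": 30000},
    "OTHERDOMAIN": {"low": 10000, "high": 30000},
}

# Simo's suggested layout: per-domain rid backends with separate ranges.
FIXED = {
    "PRIMARYDOMAIN": {"low": 10000, "high": 19999},
    "OTHERDOMAIN": {"low": 20000, "high": 29999},
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for d in cfg:
            print(f"{name}: {d}\\domain admins -> {map_group(cfg, d, 'domain admins')}")
    # base_rid = 1000 filters RIDs below 1000, so RID 512 gets no id at all
    print(rid_to_id(512, 10000, 19999, base_rid=1000))
```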


