[Samba] issue with mapping BUILTIN on ADS member server

Mark Casey markc at unifiedgroup.com
Thu Feb 11 13:53:12 MST 2010


Hello list,

Quick summary of the issue (repeated below after the details): Running 
'wbinfo --user-info=markc' on either smb ads member server will return 
identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns 
different information on each server. I'd like to make mappings for 
BUILTIN consistent in case I ever use them.

Background and details:
I have a production environment with 2 ADS member servers that I'm 
planning to re-work, and I've found an oversight with how my setup maps 
items from BUILTIN. I hadn't been using anything from there so it isn't 
a big deal at the moment, but I'm trying to fix it and/or decide how to 
simplify my whole idmap setup.

Here is some background info, let me know if you need something else:
-Native-mode AD, all DCs on 2003R2 SP2 x64.
-Two Ubuntu Server x64 8.04.03 LTS AD member servers running Samba 
3.0.28a. (samba_3.0.28a-1ubuntu4.10_i386.deb).
-I have a few directives that may be considered odd (map to guest, force 
create/dir) for my type of setup. This is because I'm still getting rid 
of some XP Home workstations that need guest shares. This was the only 
way I could get them to play nice (IIRC this was due to ADS mode 
rejecting the credentials before it realized it was a request for a 
guest share).

Here is my current config:
[global]
         server string = Dallas File Server
         workgroup = DOMAINNAME
         realm = DOMAINNAME.COM
         security = ADS
         password server = *
         #password server = dal-dc1.domainname.com
         #password server = dal-dc1.domainname.com, den-dc1.domainname.com
#       client schannel = Yes
#       server schannel = Yes
         username map = /etc/samba/smbusers
         obey pam restrictions = Yes
         enable privileges = Yes
         map to guest = Bad User
#       restrict anonymous = 2
         allow trusted domains = No
#       lanman auth = No
#       ntlm auth = No
#       client NTLMv2 auth = Yes
         log level = 4
         syslog = 0
#       min protocol = NT1
#       client signing = Yes
#       server signing = Yes
         load printers = No
         preferred master = No
         local master = No
         domain master = No
         dns proxy = No
         ldap ssl = no
         host msdfs = No
         idmap domains = DOMAINNAME
         idmap alloc backend = ldap
         template shell = /bin/false
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind refresh tickets = Yes
         idmap alloc config:range = 100000 - 500000
         idmap alloc config:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
         idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
         idmap config DOMAINNAME:range = 100000 - 500000
         idmap config DOMAINNAME:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
         idmap config DOMAINNAME:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
         idmap config DOMAINNAME:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=domainname,dc=com
         idmap config DOMAINNAME:backend = ldap
         idmap config DOMAINNAME:default = yes
         hosts allow = (redacted)
         map acl inherit = No
         hide special files = Yes
         map archive = No
         map readonly = No
         map system = No
         map hidden = No
         force create mode = 707
         force directory mode = 707
         ea support = No
         store dos attributes = No
         wide links = No
         follow symlinks = No
         dos filemode = No
         add share command = /etc/samba/command_cust.pl
         delete share command = /etc/samba/command_cust.pl
         change share command = /etc/samba/command_cust.pl

The actual issue/question (as stated above): Running 'wbinfo 
--user-info=markc' on either smb ads member server will return identical 
info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different 
information on each server. I'd like to make mappings for BUILTIN 
consistent in case I ever use them. I guess it is falling back to tdb 
since I can grep for relevant info and the tdb for group mapping matches.

I've labbed my setup by setting up a third smb server in the same 
config, and a blank ad partition for mapping...so I can change things 
for testing there (and I have been). My browser has no fewer than 20 
tabs up with various man pages, pdfs, and list posts on idmap but it 
isn't quite coming together for me on this one aspect that deals with 
BUILTIN. tia for any assistance you can provide.

Thank you,
Mark Casey
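Added example, not part of Mark's post or of Samba itself: a POSIX shell check that takes captured `wbinfo --group-info` (or `--user-info`) output from two member servers and lists every name whose numeric ID disagrees, which makes the BUILTIN inconsistency described above visible in one diff-style report. The two captures below are constructed sample output with hypothetical IDs; in practice they would be collected by running wbinfo on each server.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project):
# compare the numeric ID that two member servers report for the same names.
# Input is what `wbinfo --group-info=NAME` / `wbinfo --user-info=NAME` print:
# "name:x:gid:" and "name:*:uid:gid:...", so the ID of interest is field 3.
# In production each capture would be collected on one server, e.g.
#   for g in 'BUILTIN\Users' 'BUILTIN\Administrators'; do wbinfo --group-info="$g"; done

# Constructed sample capture from member server 1 (hypothetical IDs).
SERVER1_GROUPS='DOMAINNAME\domain users:x:100513:
BUILTIN\users:x:10001:
BUILTIN\administrators:x:10000:'

# Constructed sample capture from member server 2: the domain group agrees,
# the BUILTIN groups do not, which is the symptom the post describes.
SERVER2_GROUPS='DOMAINNAME\domain users:x:100513:
BUILTIN\users:x:10000:
BUILTIN\administrators:x:10001:'

# mismatched_ids CAPTURE1 CAPTURE2
# Prints "name: server1=ID server2=ID" for every name whose ID differs or is
# missing on one side. Names are compared case-insensitively, as winbind does.
mismatched_ids() {
    {
        printf '%s\n' "$1" | sed 's/^/1:/'
        printf '%s\n' "$2" | sed 's/^/2:/'
    } | awk -F: '
        NF >= 4 {
            name = tolower($2)      # $1 is the server tag prepended by sed
            id[$1, name] = $4       # field 4 here because of the tag
            seen[name] = 1
        }
        END {
            for (n in seen)
                if (id[1, n] != id[2, n])
                    printf "%s: server1=%s server2=%s\n", n, id[1, n], id[2, n]
        }'
}

# check_ids CAPTURE1 CAPTURE2: status 0 when every mapping agrees, 1 otherwise.
check_ids() {
    diffs=$(mismatched_ids "$1" "$2")
    if [ -n "$diffs" ]; then
        printf 'inconsistent idmap entries:\n%s\n' "$diffs"
        return 1
    fi
    echo 'all idmap entries agree'
}

# Stand-alone run: report the names whose IDs differ between the two captures.
mismatched_ids "$SERVER1_GROUPS" "$SERVER2_GROUPS"
```

Only names present in both captures with identical IDs stay silent, so a group that one server cannot resolve at all also shows up, with an empty value on that side.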

