[Samba] idmap trouble

Michael Adam obnox at samba.org
Wed Nov 10 14:38:25 MST 2010


Hi Brian,

the id mapping configuration has changed (again) between 3.2 and
3.3. The "idmap domains" setting has vanished.

Could you try and use the id mapping config from your 3.0 setup,
i.e. simply this

> >         idmap backend                   = rid:KPAK=500-100000000
> >         idmap uid                       = 500-100000000
> >         idmap gid                       = 500-100000000

instead of this:

> >         idmap domains = default, domain.utah.edu
> >         idmap config default: default = yes
> >         idmap config domain.utah.edu: range = 500-100000000
> >         idmap config domain.utah.edu: backend = ad
> >         idmap alloc backend = tdb
> >         idmap uid = 500-100000000
> >         idmap gid = 500-100000000

Er, btw, can it be that "KPAK" should actually read "DOMAIN" in
the first section? ;-)

Then, for debugging, please paste the output of
"wbinfo -n DOMAIN+gregorcy"
It should list the SID of gregorcy. I expect the RID to be 2433.

What I think happened is that your 3.5 config fell back to
tdb id mapping because the domain "DOMAIN" did not match the
domain name "domain.utah.edu" that you gave in the idmap config...

The recommended setting would be to have a tdb backend default
idmap range and explicit and disjoint ranges with rid backend for various
domains like this:

idmap backend = tdb
idmap uid = 100000-199999
idmap gid = 100000-199999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 200000-299999

(see man idmap_rid)

But you should not change your config in that way
if you are updating a production server, since it
would change the uids/gids that users are accessing the
disk with, and so, permissions and ownerships would be broken.

Hope this helps,

Michael
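
As an added illustration for this thread (not Samba's code and not part of Michael's mail): the idmap_rid arithmetic from man idmap_rid, plus a small check of which idmap backend a domain's "idmap config" block actually selects. It shows why uid 2933 under the 3.0 range 500-100000000 corresponds to RID 2433, why the 3.5 block keyed on "domain.utah.edu" is never consulted for the short domain name "DOMAIN" (so winbind falls back to tdb and allocates an unrelated uid such as 502), and what the recommended config would produce for the same user. The two smb.conf fragments and the SID are constructed from the ones quoted in the mail; the function names are the example's own.

```python
"""Added example for this thread (not Samba's code): the idmap_rid mapping
formula and a check of which idmap backend winbind selects for a domain.
The smb.conf fragments and the SID below are constructed for illustration."""
import re

# man idmap_rid:  ID = RID - BASE_RID + LOW_RANGE_ID   (BASE_RID defaults to 0)
def rid_to_id(rid, low, high, base_rid=0):
    """Map a SID's RID to a Unix uid/gid; None if it falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def id_to_rid(unix_id, low, high, base_rid=0):
    """Inverse mapping: recover the RID behind an existing uid/gid."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid

def sid_rid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-2433."""
    return int(sid.rsplit("-", 1)[1])

def parse_range(text):
    low, high = text.replace(" ", "").split("-")
    return int(low), int(high)

def parse_idmap(conf):
    """Collect 3.3+ style idmap settings from an smb.conf [global] fragment."""
    # tdb is what winbind uses when no explicit default backend is configured
    settings = {"backend": "tdb", "range": None, "domains": {}}
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"idmap config\s+(.+?)\s*:\s*(backend|range)\s*=\s*(\S+)", line, re.I)
        if m:
            block = settings["domains"].setdefault(m.group(1).upper(), {})
            block[m.group(2).lower()] = m.group(3)
            continue
        m = re.match(r"idmap backend\s*=\s*(\S+)", line, re.I)
        if m:
            settings["backend"] = m.group(1)
            continue
        m = re.match(r"idmap uid\s*=\s*(\d+\s*-\s*\d+)", line, re.I)
        if m:
            settings["range"] = parse_range(m.group(1))
    return settings

def backend_for(domain, conf):
    """Return (backend, range) winbind applies to DOMAIN.

    The block is looked up by the short (workgroup/NetBIOS) domain name, so a
    block keyed on the DNS realm is never matched and the default applies."""
    s = parse_idmap(conf)
    block = s["domains"].get(domain.upper())
    if block and "backend" in block:
        rng = parse_range(block["range"]) if "range" in block else s["range"]
        return block["backend"], rng
    return s["backend"], s["range"]

def map_sid(sid, domain, conf):
    """Deterministic uid for SID under the rid backend; None when the selected
    backend (e.g. tdb) allocates ids on first sight instead of computing them."""
    backend, rng = backend_for(domain, conf)
    if backend.lower() != "rid" or rng is None:
        return None
    return rid_to_id(sid_rid(sid), *rng)

# Constructed from the 3.5.6 config quoted in the thread.
CONF_35 = """
idmap domains = default, domain.utah.edu
idmap config default: default = yes
idmap config domain.utah.edu: range = 500-100000000
idmap config domain.utah.edu: backend = ad
idmap alloc backend = tdb
idmap uid = 500-100000000
idmap gid = 500-100000000
"""

# Constructed from the recommended config in the reply.
CONF_RECOMMENDED = """
idmap backend = tdb
idmap uid = 100000-199999
idmap gid = 100000-199999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 200000-299999
"""

# Constructed SID whose RID is the 2433 the reply expects for gregorcy.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-2433"

if __name__ == "__main__":
    print("RID behind the 3.0 uid 2933:", id_to_rid(2933, 500, 100000000))
    print("3.5 config selects for DOMAIN:", backend_for("DOMAIN", CONF_35))
    print("uid under 3.5 config:", map_sid(USER_SID, "DOMAIN", CONF_35))
    print("uid under recommended config:", map_sid(USER_SID, "DOMAIN", CONF_RECOMMENDED))
```

Running it prints that the 3.5 config resolves "DOMAIN" to the tdb default rather than the ad block (so the uid is whatever tdb allocated, not computable from the SID), while the recommended config maps RID 2433 to 202433, a different number from the 2933 the 3.0 boxes use, which is exactly the ownership problem the reply warns about when changing ranges on a production server.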

gregorcy wrote:
> Hi,
> 
> I am hoping someone can point out what I am doing wrong, I am upgrading samba from 3.0.37 to 3.5.6 and running into
> trouble with idmapping using ADS security.  I have multiple linux boxes running 3.0.37 and when I execute getent passwd
> I get:
> 
> # getent passwd DOMAIN+gregorcy
> gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash
> 
> on all the boxes running 3.0.37.
> 
> On my new box running 3.5.6 I get:
> 
> # getent passwd DOMAIN+gregorcy
> gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash
> 
> Which is not what I had hoped for.  Both machines are joined to my domain and allow me to ssh into them using my AD
> cred, just the uid & gid are not lining up.
> 
> My 3.0.37 smb.conf
> 
> > [global]
> >         workgroup                       = DOMAIN
> >         netbios name                    = harley
> >         realm                           = DOMAIN.UTAH.EDU
> >         server string                   = harley
> >         security                        = ADS
> >         preferred master                = no
> >         client use spnego               = yes
> >         server signing                  = auto
> >         encrypt passwords               = yes
> >         nt acl support                  = yes
> >         acl map full control            = yes
> >         socket options                  = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >         template shell                  = /bin/false
> >         password server                 = *
> >         log level                       = 3
> >         log file                        = /var/log/samba/%m
> >         max log size                    = 100
> >         preferred master                = No
> >         dns proxy                       = No
> >         wins server                     = 192.168.1.100 192.168.1.101
> >         winbind cache time              = 0
> >         winbind nested groups           = yes
> >         allow trusted domains           = No
> >         idmap backend                   = rid:KPAK=500-100000000
> >         idmap uid                       = 500-100000000
> >         idmap gid                       = 500-100000000
> >         template shell                  = /bin/bash
> >         winbind use default domain      = Yes
> >         winbind separator               = +
> >         winbind enum users              = yes
> >         winbind enum groups             = yes
> >         winbind use default domain      = yes
> >         obey pam restrictions           = yes
> 
> My 3.5.6 smb.conf
> 
> 
> > [global]
> >         workgroup                       = DOMAIN
> >         netbios name                    = vwww3
> >         realm                           = DOMAIN.UTAH.EDU
> >         server string                   = web3
> >         security                        = ADS
> >         preferred master                = no
> >         client use spnego               = yes
> >         server signing                  = auto
> >         encrypt passwords               = yes
> >         nt acl support                  = yes
> >         acl map full control            = yes
> >         wide links                      = no
> >         password server                 = *
> >         log level                       = 3
> >         log file                        = /var/log/samba/%m
> >         max log size                    = 100
> >         wins server                     = 192.168.1.100 192.168.1.101
> >         winbind offline logon            = yes
> >         idmap domains = default, domain.utah.edu
> >         idmap config default: default = yes
> >         idmap config domain.utah.edu: range = 500-100000000
> >         idmap config domain.utah.edu: backend = ad
> >         idmap alloc backend = tdb
> >         idmap uid = 500-100000000
> >         idmap gid = 500-100000000
> >         winbind separator               = +
> >         winbind use default domain      = yes
> >         winbind enum users              = yes
> >         winbind enum groups             = yes
> >         winbind refresh tickets         = yes
> >         winbind nested groups           = yes
> >         client ntlmv2 auth              = yes
> >         encrypt passwords               = yes
> >         template shell                  = /bin/bash
> >         allow trusted domains           = yes
> 
> Thanks for any help,
> 
> Brian Gregorcy