[Samba] idmap trouble
gregorcy
brian.gregorcy at utah.edu
Wed Nov 10 14:49:53 MST 2010
That fixed it thanks,
>> Er, btw, can it be that "KPAK" should actually read "DOMAIN" in
>> the first section? ;-)
Yep, typo on my part; I was trying different configs and made that error.
3.5
> wbinfo -n DOMAIN+gregorcy
> S-1-5-21-3579845861-693198353-1953747050-2433 SID_USER (1)
3.0.37
> wbinfo -n CHEMENG+gregorcy
> S-1-5-21-3579845861-693198353-1953747050-2433 User (1)
Works :)
Thanks for the help,
--Brian
On 11/10/10 14:38, Michael Adam wrote:
> Hi Brian,
>
> the id mapping configuration has changed (again) between 3.2 and
> 3.3. The "idmap domains" setting has vanished.
>
> Could you try and use the id mapping config from your 3.0 setup,
> i.e. simply this
>
>>> idmap backend = rid:KPAK=500-100000000
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>
> instead of this:
>
>>> idmap domains = default, domain.utah.edu
>>> idmap config default: default = yes
>>> idmap config domain.utah.edu: range = 500-100000000
>>> idmap config domain.utah.edu: backend = ad
>>> idmap alloc backend = tdb
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>
> Er, btw, can it be that "KPAK" should actually read "DOMAIN" in
> the first section? ;-)
>
> Then, for debugging, please paste the output of
> "wbinfo -n DOMAIN+gregorcy"
> It should list the sid of gregorcy. I expect the rid to be 2433.
>
> What I think happened is that your 3.5 config fell back to
> tdb id mapping because the domain "DOMAIN" did not match the
> domain name "domain.utah.edu" that you gave in the idmap config...
>
> The recommended setting would be to have a tdb backend default
> idmap range and explicit and disjoint ranges with rid backend for various
> domains like this:
>
> idmap backend = tdb
> idmap uid = 100000-199999
> idmap gid = 100000-199999
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 200000-299999
>
> (see man idmap_rid)
>
> But you should not change your config in that way
> if you are updating a production server, since it
> would change the uids/gids that users are accessing the
> disk with, and so, permissions and ownerships would be broken.
>
> Hope this helps,
>
> Michael
>
> gregorcy wrote:
>> Hi,
>>
>> I am hoping someone can point out what I am doing wrong, I am upgrading samba from 3.0.37 to 3.5.6 and running into
>> trouble with idmapping using ADS security. I have multiple linux boxes running 3.0.37 and when I execute getent passwd
>> I get:
>>
>> # getent passwd DOMAIN+gregorcy
>> gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash
>>
>> on all the boxes running 3.0.37.
>>
>> On my new box running 3.5.6 I get:
>>
>> # getent passwd DOMAIN+gregorcy
>> gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash
>>
>>
>> Which is not what I had hoped for. Both machines are joined to my domain and allow me to ssh into them using my AD
>> cred, just the uid & gid are not lining up.
>>
>> My 3.0.37 smb.conf
>>
>>> [global]
>>> workgroup = DOMAIN
>>> netbios name = harley
>>> realm = DOMAIN.UTAH.EDU
>>> server string = harley
>>> security = ADS
>>> preferred master = no
>>> client use spnego = yes
>>> server signing = auto
>>> encrypt passwords = yes
>>> nt acl support = yes
>>> acl map full control = yes
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> template shell = /bin/false
>>> password server = *
>>> log level = 3
>>> log file = /var/log/samba/%m
>>> max log size = 100
>>> preferred master = No
>>> dns proxy = No
>>> wins server = 192.168.1.100 192.168.1.101
>>> winbind cache time = 0
>>> winbind nested groups = yes
>>> allow trusted domains = No
>>> idmap backend = rid:KPAK=500-100000000
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>>> template shell = /bin/bash
>>> winbind use default domain = Yes
>>> winbind separator = +
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> obey pam restrictions = yes
>>
>>
>>
>> My 3.5.6 smb.conf
>>
>>
>>> [global]
>>> workgroup = DOMAIN
>>> netbios name = vwww3
>>> realm = DOMAIN.UTAH.EDU
>>> server string = web3
>>> security = ADS
>>> preferred master = no
>>> client use spnego = yes
>>> server signing = auto
>>> encrypt passwords = yes
>>> nt acl support = yes
>>> acl map full control = yes
>>> wide links = no
>>> password server = *
>>> log level = 3
>>> log file = /var/log/samba/%m
>>> max log size = 100
>>> wins server = 192.168.1.100 192.168.1.101
>>> winbind offline logon = yes
>>> idmap domains = default, domain.utah.edu
>>> idmap config default: default = yes
>>> idmap config domain.utah.edu: range = 500-100000000
>>> idmap config domain.utah.edu: backend = ad
>>> idmap alloc backend = tdb
>>> idmap uid = 500-100000000
>>> idmap gid = 500-100000000
>>> winbind separator = +
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind refresh tickets = yes
>>> winbind nested groups = yes
>>> client ntlmv2 auth = yes
>>> encrypt passwords = yes
>>> template shell = /bin/bash
>>> allow trusted domains = yes
>>
>>
>>
>>
>> Thanks for any help,
>>
>> Brian Gregorcy
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
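
The uid difference in this thread can be checked mechanically. The following is an added example, not part of the original messages or of Samba: it applies the formula from man idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid assumed to be 0) to the SID and getent lines quoted above. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: predict the id that the rid backend assigns and compare it
# with what getent reports. Sample values are copied from the thread above.

# Print the RID (last sub-authority) of a SID; fail if it is not numeric.
rid_from_sid() {
    case "$1" in S-1-*-*) ;; *) return 1 ;; esac
    r=${1##*-}
    case "$r" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$r"
}

# rid_to_id RID LOW HIGH [BASE_RID]: print the mapped id, fail if out of range.
rid_to_id() {
    rid=$1 low=$2 high=$3 base=${4:-0}   # base_rid = 0 is an assumption
    id=$((rid - base + low))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# Print the uid field (third field) of a getent passwd line.
uid_from_passwd() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_mapping SID LOW HIGH PASSWD_LINE
# Prints "ok uid=N" or "MISMATCH expected=N got=M"; non-zero status on mismatch.
check_mapping() {
    rid=$(rid_from_sid "$1") || { echo "bad-sid"; return 2; }
    want=$(rid_to_id "$rid" "$2" "$3") || { echo "out-of-range"; return 2; }
    got=$(uid_from_passwd "$4")
    if [ "$want" = "$got" ]; then
        echo "ok uid=$got"
    else
        echo "MISMATCH expected=$want got=$got"
        return 1
    fi
}

SID='S-1-5-21-3579845861-693198353-1953747050-2433'
# 3.0.37 host: rid mapping in effect with range 500-100000000
check_mapping "$SID" 500 100000000 'gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash'
# 3.5.6 host before the fix: the uid does not come from the rid formula
check_mapping "$SID" 500 100000000 'gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash' || true
# Same RID under the suggested range 200000-299999: the uid would change
rid_to_id 2433 200000 299999
```

The last call shows why moving an existing server to a different range changes file ownership: the same account maps to a different uid.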