[Samba] Winbind behaviour odd in 3.4.9 and 3.5.6 vs 3.2.14 (Samba domain with Samba member servers)

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Oct 26 09:32:55 MDT 2010


You may need to specify separate idmap sections for each domain, as well 
as general settings.  Samples of my smb.conf (samba 3.4.x) are below.

When I was on samba 3.0.x, idmap entries would populate for each domain 
in the correct OU.  It would use the general idmap range, not the domain 
specific range (which wasn't a problem.)  The problem with samba 3.0.x 
is that once the idmap cache expired it would not renew.  I moved to 
samba 3.4.x which fixed some issues BUT now stuff does not auto 
populate.  For "trustedomain1" there is only a handful of users, and 
that almost never changes, so manually adding idmap entries (via an LDAP 
editor or wbinfo --allocate-uid / --allocate-gid) was OK.

idmap backend = ldap:ldap://ldap1.domain.com
# Next two lines restored to 3.4 - but prob don't need
idmap uid = 70000-79999
idmap gid = 70000-79999

#IDMAP DEFAULT ALLOC
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.domain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=domain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:range = 30000 - 79999

idmap config TRUSTEDOMAIN1:backend = ldap
idmap config TRUSTEDOMAIN1:readonly = no
idmap config TRUSTEDOMAIN1:default = no
idmap config TRUSTEDOMAIN1:ldap_base_dn = ou=trustedomain1,ou=idmap,o=domain.com
idmap config TRUSTEDOMAIN1:ldap_user_dn = cn=Directory Manager
idmap config TRUSTEDOMAIN1:ldap_url = ldap://domain.ssci.com
idmap config TRUSTEDOMAIN1:range = 40000-45999

idmap config TRUSTEDOMAIN2:backend = ldap
idmap config TRUSTEDOMAIN2:readonly = no
idmap config TRUSTEDOMAIN2:default = no
idmap config TRUSTEDOMAIN2:ldap_base_dn = ou=trustedomain2,ou=idmap,o=domain.com
idmap config TRUSTEDOMAIN2:ldap_user_dn = cn=Directory Manager
idmap config TRUSTEDOMAIN2:ldap_url = ldap://ldap1.domain.com
idmap config TRUSTEDOMAIN2:range = 30000-39999


My mapped groups (i.e. with both unix IDs and well-known Samba SIDs) 
include the following:

Everyone (S-1-1-0) -> Everyone
Creator_Owner (S-1-3-0) -> Creator_Owner
Batch Process (S-1-5-3) -> Batch Process
Authenticated Users (S-1-5-11) -> Authenticated Users
System (S-1-5-18) -> System
Network (S-1-5-2) -> Network
Interactive (S-1-5-4) -> Interactive
Local Service (S-1-5) -> Local Service



I don't have everything working 100%.  I need dummy unix accounts for 
users from trustedomain1.  Users from trusted domains are 
authenticating properly with their windows passwords (not the passwords 
in the dummy accounts.)

On 10/26/2010 10:08 AM, Alex Crow wrote:
> Hi,
>
> I have recently upgraded a system with a Samba BDC, PDC and a couple 
> of member servers from 3.2.14 to 3.4.9 (and also tested with 3.5.6).
>
> There appears to be some problem with Winbind (we need to run it on 
> all servers as we have a trust relationship to a domain at another 
> office).
>
> I have an Idmap range set up in our LDAP database.
>
> With 3.2.14, all worked well. The Idmap ou would be populated with, 
> and only with, entries for the accounts on the trusted domain.
>
> However, with 3.4.9 and 3.5.6, as soon as a member server is accessed, 
> spurious entries appear in the Idmap ou from the "own domain". In 
> addition, other entries are added for local groups (these are not 
> showing in the screenshot but they are S-1-1-0,S-1-5-11 and S-1-5-2). 
> On another test domain I get entries like
>
> I have attached a screenshot from an LDAP client to illustrate the 
> issue. The green box shows the entries I expect (from the trusted 
> domain). The red boxes show entries that have only appeared since the 
> upgrade.
>
> I am concerned about this as all the entries for the local domain (dom 
> sid ends 8426) may be causing access control to stop working correctly 
> - I have not seen any hard evidence of this so far, but there have 
> been times we had to restart winbind on the member servers after the 
> initial startup as no-one could access shares on them.
>
> The trusted domain is the one ending 4828. Please also note the entry 
> highlighted in red at the bottom. That SID is the one for one of the 
> newly upgraded member servers (plus -513 for Domain Users). Again I 
> don't know why that has been added.
>
> Member server smb.conf:
> [global]
> unix charset = LOCALE
> workgroup = CENSORED_domain
> netbios name = CENSORED_server
> security = DOMAIN
> interfaces = eth0, lo
>
> passdb backend = ldapsam:ldap://192.168.1.137
> username map = /etc/samba/smbusers
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 1048576
> smb ports = 139 445
> name resolve order = wins lmhosts bcast hosts
> time server = no
> printcap name = CUPS
> show add printer wizard = Yes
> enable privileges = yes
> ldap suffix = dc=censored,dc=net
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap user suffix = ou=People,ou=Accounts
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=manager,dc=censored,dc=net
> ldap timeout = 20
> idmap backend = ldap:ldap://192.168.1.137
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind nested groups = yes
> winbind trusted domains only = yes
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> #winbind cache time = 1200
> allow trusted domains = yes
> map acl inherit = Yes
> ea support = Yes
> wins server = 192.168.1.137
> nt acl support = yes
>
> PDC smb.conf:
>
> [global]
> workgroup = CENSORED_domain
> netbios name = CENSORED_DC
> interfaces = eth0, lo
> passdb backend = ldapsam:ldap://127.0.0.1
> username map = /etc/samba/smbusers
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 104857
> smb ports = 139 445
> name resolve order = wins lmhosts bcast hosts
> time server = yes
> #printcap name = CUPS
> show add printer wizard = Yes
> enable privileges = yes
> ldap suffix = dc=censored,dc=net
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap user suffix = ou=People,ou=Accounts
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=manager,dc=censored,dc=net
> ldap ssl = no
> ldap timeout = 60
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind nested groups = yes
> winbind trusted domains only = yes
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> allow trusted domains = yes
> map acl inherit = Yes
> ea support = Yes
> #printing = cups
> # printer admin = root
> wins support = yes
> log level = 1
> domain logons = yes
> domain master = yes
> preferred master = yes
> logon drive = H:
> #os level = 35
> passdb expand explicit = yes
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> enable privileges = Yes
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> logon home = ""
> logon path = ""
>
> Regards
>
> Alex
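Both configurations in this thread stand or fall on idmap ranges that do not collide: the reply's per-domain "idmap config DOM:range" sections next to a global "idmap uid"/"idmap gid" range, and the quoted member-server config with a single 10000-20000 range. If two of those ranges overlap, a SID from the trusted domain and a SID from the own domain can land on the same uid or gid, and the file system can no longer tell them apart. The script below is an added example, not code from either poster or from the Samba project. It parses an smb.conf text for the global range, the alloc pool ("idmap alloc config:range") and every per-domain range, and reports overlaps, a uid/gid range mismatch, and ranges that fall outside the alloc pool. The embedded sample configuration is constructed (domain names modelled on the reply above, plus a deliberately bad BADDOM entry); the containment check against the alloc pool rests on the assumption that on a 3.4-era setup new mappings are drawn from that pool, so confirm that against the idmap_ldap(8) manual for your version.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf fragment (not from the post): the per-domain
# layout of the reply above, plus a deliberately broken BADDOM entry that
# overlaps TRUSTEDOMAIN1 and spills past the alloc pool.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   idmap backend = ldap:ldap://ldap1.domain.com
   idmap uid = 70000-79999
   idmap gid = 70000-79999
   idmap alloc backend = ldap
   idmap alloc config:range = 30000 - 79999
   idmap config TRUSTEDOMAIN1:backend = ldap
   idmap config TRUSTEDOMAIN1:range = 40000-45999
   idmap config TRUSTEDOMAIN2:backend = ldap
   idmap config TRUSTEDOMAIN2:range = 30000-39999
   ; deliberately bad entry
   idmap config BADDOM:range = 45000-90000
"""

Range = Tuple[int, int]

# Samba accepts "low-high" with or without spaces around the dash.
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RANGE_RE = re.compile(r"^idmap config\s+([^:]+):range$", re.IGNORECASE)


def parse_range(value: str) -> Range:
    """Turn 'low - high' into (low, high); reject malformed or inverted ranges."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an idmap range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"idmap range low > high: {value!r}")
    return low, high


def parse_idmap_ranges(conf: str) -> Dict[str, Range]:
    """Collect every idmap range from smb.conf text.

    Keys: '*' for the legacy global 'idmap uid' range, '*gid' for 'idmap gid',
    'alloc' for 'idmap alloc config:range', and the upper-cased domain name
    for each 'idmap config DOM:range'. Comments, section headers and other
    parameters are ignored.
    """
    ranges: Dict[str, Range] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        lkey = key.lower()
        if lkey == "idmap uid":
            ranges["*"] = parse_range(value)
        elif lkey == "idmap gid":
            ranges["*gid"] = parse_range(value)
        elif lkey == "idmap alloc config:range":
            ranges["alloc"] = parse_range(value)
        else:
            m = DOMAIN_RANGE_RE.match(key)
            if m:
                ranges[m.group(1).strip().upper()] = parse_range(value)
    return ranges


def check_idmap_ranges(ranges: Dict[str, Range]) -> List[str]:
    """Return human-readable problems; an empty list means the ranges are sane."""
    problems: List[str] = []
    if "*" in ranges and "*gid" in ranges and ranges["*"] != ranges["*gid"]:
        problems.append("idmap uid and idmap gid ranges differ")

    # Ranges that hand out ids: the global default plus every domain.
    # Two of these overlapping lets two different SIDs map to one uid/gid.
    pools = {name: r for name, r in ranges.items() if name not in ("alloc", "*gid")}
    names = sorted(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = pools[a], pools[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")

    # Assumption for 3.4-era configs: new mappings are allocated from the
    # alloc pool, so a domain range outside it can never be filled.
    alloc = ranges.get("alloc")
    if alloc is not None:
        for name, (lo, hi) in pools.items():
            if lo < alloc[0] or hi > alloc[1]:
                problems.append(
                    f"{name} {lo}-{hi} is not inside alloc pool {alloc[0]}-{alloc[1]}"
                )
    return problems


if __name__ == "__main__":
    for problem in check_idmap_ranges(parse_idmap_ranges(SAMPLE_SMB_CONF)):
        print("WARNING:", problem)
```

Run it against the real file with `python3 check_idmap.py < /etc/samba/smb.conf` after swapping SAMPLE_SMB_CONF for sys.stdin.read(); on the sample it reports the two overlaps involving BADDOM and BADDOM's excursion past the alloc pool, and nothing once BADDOM is moved to 46000-49999.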