[Samba] samba 3.6: "autorid" has no domain order

Christian M Ambach christian.ambach at de.ibm.com
Tue Aug 16 09:11:46 MDT 2011


Benedikt wrote on 08/16/2011 11:04:57 AM:

> > I try to create a samba server for more than one trusted domain.
> > I know there were some issues with samba 3.5, and on the internet I
> > always read I should use samba 3.4.
> > 
> > So I wanted to give 3.6 a chance.
> > 
> > I first tried autorid with a config like this:
> > 
> >         winbind enum users = yes
> >         winbind enum groups = yes
> > 
> >         idmap backend = autorid
> >         idmap gid = 100000-1499999
> >         idmap gid = 100000-1499999
> >         allow trusted domains = yes
> > 
> > It works fine. And Domain A starts in the 200000 and Domain B with
> > 300000. But my problem is, I have two different samba servers that
> > should get the same uid and gid.
> > On the second server Domain B also starts with 300000 but Domain A
> > starts with 4000000. So there is no correct mapping between these two
> > servers. It is because the main domain of the second server is B and
> > not A like in the first server.
> > 
> > Is there a way to tell autorid an order of domains? like: "idmap autorid
> > domains = A, B"

No, there isn't a way to do this currently. I planned to eventually release
a tool which allows you to derive a static configuration based on idmap_rid
out of the values in the autorid database.
Looks like you attempted to do this manually:

> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         allow trusted domains = yes
> > 
> >         idmap config A : backend     = rid
> >         idmap config A : range       = 100000 - 199999
> >         idmap config A : base_rid    = 1000
> > 
> >         idmap config B : backend  = rid
> >         idmap config B : range    = 200000 - 299999
> >         idmap config B : base_rid = 1000

But to use the same mappings as autorid on the first server, you need to
set base_rid to 0 on the second server.

> If I delete all the "idmap config * " parts it won't work again.
> 
> But also if it does work.... I need trusted domain support.
> The only config that really works right now is the new "autorid".

Did you try net cache flush to clear previous mappings with different
configurations from the caches? 
 
> LogLevel10 shows no errors at all.

Can you put the logs somewhere for download or send them over?
log.winbindd-idmap would be of most interest.
 
Regards,
Christian
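
An added example, not part of the original message and not Samba code: a sketch of deriving a static idmap_rid configuration from the autorid start values reported for the first server (A at 200000, B at 300000), and of why base_rid must be 0. It assumes autorid computes low ID + slice number × rangesize + RID, that idmap_rid computes RID - base_rid + range start, and a rangesize of 100000; the function names and the sample RID are hypothetical.

```python
# Added illustration; not Samba code. The two formulas below are assumptions
# about how idmap_autorid and idmap_rid turn a RID into a Unix ID.

LOW_ID = 100000      # low end of the idmap range in the posted autorid config
RANGESIZE = 100000   # assumed autorid rangesize; fits the 200000/300000 starts


def autorid_id(rangenum, rid, low_id=LOW_ID, rangesize=RANGESIZE):
    """autorid: each domain owns one slice, the RID is the offset inside it."""
    return low_id + rangenum * rangesize + rid


def rid_id(range_low, rid, base_rid=0):
    """idmap_rid: RID minus base_rid, counted from the start of the range."""
    return rid - base_rid + range_low


def rangenum_from_start(start_id, low_id=LOW_ID, rangesize=RANGESIZE):
    """Recover the autorid slice number from a domain's first observed ID."""
    offset = start_id - low_id
    if offset < 0 or offset % rangesize:
        raise ValueError(f"{start_id} is not on a slice boundary")
    return offset // rangesize


def static_rid_config(domain_starts, low_id=LOW_ID, rangesize=RANGESIZE):
    """Render idmap_rid stanzas that reproduce the first server's slices."""
    lines = []
    for dom, start in sorted(domain_starts.items(), key=lambda kv: kv[1]):
        rangenum_from_start(start, low_id, rangesize)  # rejects odd starts
        end = start + rangesize - 1
        lines += [f"idmap config {dom} : backend  = rid",
                  f"idmap config {dom} : range    = {start} - {end}",
                  f"idmap config {dom} : base_rid = 0",
                  ""]
    return "\n".join(lines).rstrip()


# Start values reported in the thread for the first server.
SERVER1 = {"A": 200000, "B": 300000}

if __name__ == "__main__":
    print(static_rid_config(SERVER1))
    rid = 1105  # constructed sample RID
    slice_a = rangenum_from_start(SERVER1["A"])
    print("autorid:", autorid_id(slice_a, rid))
    print("rid, base_rid=0:", rid_id(SERVER1["A"], rid))
    print("rid, base_rid=1000:", rid_id(SERVER1["A"], rid, base_rid=1000))
```

Under these assumptions the static range for each domain also has to start where autorid placed that domain on the first server, otherwise the IDs are shifted by the difference between the two range starts.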


