[Samba] winbind: uid range is ignored

steve steve at steve-ss.com
Fri Aug 3 03:50:35 MDT 2012


On 03/08/12 11:03, Gémes Géza wrote:
> On 2012-08-03 10:22, steve wrote:
>> On 03/08/12 09:01, NdK wrote:
>>> On 03/08/2012 08:01, steve wrote:
>>>
>>>> getent passwd/group works fine. I get the names and corresponding
>>>> uid:gid numbers within the range specified in smb.conf but all I get
>>>> when I list files on the nfs share, are numerical uid:gid values. I
>>>> want those values to be DOMAIN\username DOMAIN\group rather than
>>>> numerical values.
>>>>
>>>> How do I do that?
>>> Use *the same* range on both server and clients.
>>
>> Hi Diego
>> Thanks for your patience in helping me sort this.
>>
>> It doesn't seem to matter. I can have the same id range on both server
>> and client. What is uid 3000027 on the server becomes uid 3000002 on
>> the client.
>>
>>>
>>>> The uid:gid values are not in the range set in smb.conf. They are the
>>>> uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring
>>>> winbind.
>>> Obvious. NFS passes *numeric* IDs, so if a file is owned by userid
>>> 123456 on the server, then the client will see the same 123456 uid.
>>> That, if not correctly mapped, would give another user access to it
>>> (negating access to the original one).
>>
>> That's exactly my point. My 3000027 maps correctly to DOMAIN\steve2 on
>> the server but getent passwd on the client gives DOMAIN\steve2 as
>> 3000002. If steve2 logs in and creates a file it becomes uid 3000027
>> and _not_ 3000002. If winbind is doing the mapping correctly it should
>> map 3000027 to 3000002 and when I list a file that I have made it
>> should give me back a uid of DOMAIN\steve2. It doesn't. The file
>> created has uid 3000027 which works _but_ I want to see uid's as
>> names, not numbers.
>>
>> I've also tried adding posixAccount, uidNumber and gidNumber to pull
>> the uid:gid directly from AD with:
>> idmap config * : backend = ad
>> but then, getent passwd gives me no list of users.
>>
>> Really stuck on this one. . .
>> The client is Ubuntu 12.04 with samba 3.6.3. Maybe 3.6.3 has bugs?
>>
>> Cheers,
>> steve
>>
> Please try with
>
>      idmap backend = tdb
>      idmap uid = some uninteresting range
>      idmap gid = some uninteresting range
>
>      idmap config YOURDOMAINNAMEHERE : backend  = ad
>      idmap config YOURDOMAINNAMEHERE : range = the range you want your
> uids/gids to be
>
> Like in http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>
> Regards
>
> Geza Gemes
>
>
Thanks again Geza
Am doing a total client reinstall atm, but that looks good.

On the DC, I take it that for a user object I shall need:
objectClass: posixAccount
uidNumber: 123
gidNumber: 456

and for a group object
objectClass: posixGroup
gidNumber: 456

Question:
1. Does the config you give go on both DC and client?
2. confusion:
This:
https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed
says that
      idmap uid = some uninteresting range
      idmap gid = some uninteresting range
has been replaced by:
idmap config YOURDOMAINNAMEHERE : range=  the range you want your
  uids/gids to be
Should I remove the:
      idmap uid = some uninteresting range
      idmap gid = some uninteresting range

My gidNumbers start at 20513 (Domain Users) and my last uidNumber is
currently 3000157 so how about:
idmap config YOURDOMAINNAMEHERE : range=20000-4000000
?
3. If uidNumber and gidNumber are pulled from AD, why do I need to 
specify a range?

Cheers,
Steve
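
Added example, not part of the original message and not Samba's own code: a check of the idmap ranges in an smb.conf fragment against the uidNumber/gidNumber values mentioned in this thread. It relies on the idmap_ad man page's statement that the range acts as a filter (IDs stored in AD outside it are ignored); the domain name EXAMPLE and the default-domain range are constructed assumptions.

```python
import re

# Constructed smb.conf fragment. EXAMPLE stands in for YOURDOMAINNAMEHERE;
# the "*" (default domain) range is an assumed value, not from the thread.
SAMPLE_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 20000-4000000
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return domains

def overlaps(domains):
    """Pairs of domains whose ranges intersect, so one ID could belong to either."""
    items = sorted((d, v["range"]) for d, v in domains.items() if "range" in v)
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

def outside(domains, domain, ids):
    """IDs stored in AD that the range filter for `domain` would discard."""
    low, high = domains[domain]["range"]
    return [i for i in ids if not low <= i <= high]

if __name__ == "__main__":
    d = parse_idmap(SAMPLE_CONF)
    print("overlapping ranges:", overlaps(d))
    print("filtered out:", outside(d, "EXAMPLE", [20513, 3000157, 123, 456]))
```

Running the same check against the smb.conf of the server and of each NFS client shows whether a numeric ID on the wire resolves to the same account on both ends.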

