[Samba] Mapping SID>UID (and reverse)
jrmailgate-samba at yahoo.co.uk
Tue Jan 22 04:48:19 MST 2013
Hi
Further to my previous mail on this problem, I've found that
when I connect to the Samba server from a Windows 7 PC, the
"log.winbindd-idmap" file reports the following messages:
On opening the file share: \\fs01:
[2013/01/21 11:18:42.474060, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config AD
[2013/01/21 11:18:42.736245, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config CSS
(CSS and AD are both Active Directory domains in the same forest).
When I open the contents of the share and mouse-over a file, the following is logged:
[2013/01/21 11:20:20.821208, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
child daemon request 59
[2013/01/21 11:20:20.823030, 5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_jsmith
[2013/01/21 11:20:20.823250, 5] passdb/pdb_interface.c:1347(pdb_default_uid_to_sid)
pdb_default_uid_to_sid: Did not find user jsmith (4510)
[2013/01/21 11:20:21.279879, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
Finished processing child request 59
The user "jsmith" is both a NIS Unix user and a Windows AD user in the "CSS" domain.
When I right-click on the file and select Properties, then select the
Security tab, I see the list of ACLs listed by SID before they are
resolved. In the above instance, the user "jsmith" SID is
"S-1-22-1-4510". A couple of seconds later this is resolved to "Unix
User\jsmith". I've checked that the 4510 in the SID is the same as the
Unix UID stored in NIS.
If I open the properties of another file and add an ACL entry for user "CSS\jsmith", the following is logged:
[2013/01/22 11:17:27.030191, 4] winbindd/winbindd_dual.c:1549(fork_domain_child)
child daemon request 59
[2013/01/22 11:17:27.031587, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user jsmith
[2013/01/22 11:17:27.031765, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is jsmith
[2013/01/22 11:17:27.034069, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals did find user [jsmith]!
[2013/01/22 11:17:27.034825, 4] winbindd/winbindd_dual.c:1557(fork_domain_child)
Finished processing child request 59
The entry appears in the file properties box correctly (as CSS\jsmith) and
when I now open the properties of the original file, the file is now
owned by CSS\jsmith and not Unix User\jsmith. I would like it so that it
always maps the Unix UID to the CSS domain SID. Is this possible?
Please can someone advise what I'm doing wrong?
Thanks!!!
JR
This is the output of testparm:
[global]
workgroup = CSS
realm = CSS.AD.COMPANYNAME.CO.UK
server string = Samba %v
security = ADS
kerberos method = system keytab
log file = /var/log/samba/smbd.log
max log size = 50
max protocol = SMB2
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
idmap config * : range = 500-999999
idmap config * : backend = nss
ea support = Yes
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
dfree command = /usr/local/bin/dfree
[zfsshare]
comment = ZFS share
path = /testpool/samba
read only = No
inherit permissions = Yes
map archive = No
map readonly = no
store dos attributes = Yes
wide links = Yes
vfs objects = shadow_copy2, streams_xattr, zfsacl
zfsacl:acesort = dontcare
nfs4:mode = special
nfs4:chown = yes
nfs4:acedup = merge
shadow:format = GMT-%Y.%m.%d-%H.%M.%S
shadow:snapdir = .zfs/snapshot
shadow:basedir = /testpool/samba
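
An added example, not part of the original post and not Samba code: a small Python check that lists the domains winbindd logged as having no idmap backend, looks up what the testparm output sets explicitly for each of them, and decodes S-1-22-1-<uid> style SIDs such as the one seen in the Security tab. The sample input is constructed from the log and testparm lines quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample input: lines taken in shape from the post's log and testparm output.
LOG = """\
[2013/01/21 11:18:42.474060, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config AD
[2013/01/21 11:18:42.736245, 1] winbindd/idmap.c:288(idmap_init_named_domain)
no backend defined for idmap config CSS
"""
TESTPARM = """\
idmap config * : range = 500-999999
idmap config * : backend = nss
"""

NO_BACKEND = re.compile(r"no backend defined for idmap config (.+?)\s*$")
IDMAP_OPT = re.compile(r"^\s*idmap config (.+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
# S-1-22-1-<uid> is Samba's "Unix User" SID, S-1-22-2-<gid> its "Unix Group" SID.
UNIX_SID = re.compile(r"^S-1-22-([12])-(\d+)$")

def domains_without_backend(log_text):
    """Domains winbindd reported as lacking an idmap backend, first-seen order."""
    hits = (NO_BACKEND.search(line) for line in log_text.splitlines())
    return list(dict.fromkeys(m.group(1) for m in hits if m))

def idmap_backends(testparm_text):
    """Map each 'idmap config <domain>' in testparm output to its backend value."""
    hits = (IDMAP_OPT.match(line) for line in testparm_text.splitlines())
    return {m.group(1): m.group(3) for m in hits if m and m.group(2) == "backend"}

def classify_sid(sid):
    """Decode S-1-22-1-<uid> / S-1-22-2-<gid>; return None for any other SID."""
    m = UNIX_SID.match(sid)
    if not m:
        return None
    return ("Unix User" if m.group(1) == "1" else "Unix Group", int(m.group(2)))

def report(log_text, testparm_text):
    """For each domain named in the log, the backend set explicitly for it (or None)."""
    backends = idmap_backends(testparm_text)
    return {d: backends.get(d) for d in domains_without_backend(log_text)}

if __name__ == "__main__":
    print(report(LOG, TESTPARM))
    print(classify_sid("S-1-22-1-4510"))
```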