[Samba] Mapping SID>UID (and reverse)

jrmailgate-samba at yahoo.co.uk
Thu Jan 24 07:41:53 MST 2013


I have a solution!

The problem (where files created in Unix were not being mapped to the domain username) was due to a problem in the smb.conf. I had:

        idmap config * : range = 500-999999
        idmap config * : backend = nss

But I needed to _also_ have a section for the current domain (CSS):

        idmap config * : range = 500-999999
        idmap config * : backend = nss
        idmap config CSS : range = 500-999999
        idmap config CSS : backend = nss


With both added, files created on the Unix command line automatically map to the domain user in Windows Explorer.

Hope this helps others.

JR



----- Original Message -----
From: "jrmailgate-samba at yahoo.co.uk" <jrmailgate-samba at yahoo.co.uk>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Cc: 
Sent: Tuesday, 22 January 2013, 11:48
Subject: Re: [Samba] Mapping SID>UID (and reverse)

Hi

Further to my previous mail on this problem, I've found that when I connect to the Samba server from a Windows 7 PC, the "log.winbindd-idmap" file reports the following messages:

On opening the file share: \\fs01:

[2013/01/21 11:18:42.474060,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config AD
[2013/01/21 11:18:42.736245,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS


(CSS and AD are both Active Directory domains in the same forest).

When I open the contents of the share and mouse-over a file, the following is logged:

[2013/01/21 11:20:20.821208,  4] winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/21 11:20:20.823030,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_jsmith
[2013/01/21 11:20:20.823250,  5] passdb/pdb_interface.c:1347(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: Did not find user jsmith (4510)
[2013/01/21 11:20:21.279879,  4] winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59


The user "jsmith" is both a NIS Unix user and a Windows AD user in the "CSS" domain.

When I right-click on the file and select Properties, then select the Security tab, I see the list of ACLs listed by SID before they are resolved. In the above instance, the user "jsmith" SID is "S-1-22-1-4510". A couple of seconds later this is resolved to "Unix User\jsmith". I've checked that the 4510 in the SID is the same as the Unix UID stored in NIS.


If I open the properties of another file and add an ACL entry for user "CSS\jsmith", the following is logged:

[2013/01/22 11:17:27.030191,  4] winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/22 11:17:27.031587,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user jsmith
[2013/01/22 11:17:27.031765,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is jsmith
[2013/01/22 11:17:27.034069,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [jsmith]!
[2013/01/22 11:17:27.034825,  4] winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59


The entry appears in the file properties box correctly (as CSS\jsmith) and when I now open the properties of the original file, the file is now owned by CSS\jsmith and not Unix User\jsmith. I would like it so that it always maps the Unix UID to the CSS domain SID. Is this possible?


Please can someone advise what I'm doing wrong? 


Thanks!!!

JR


This is the output of testparm:

[global]
        workgroup = CSS
        realm = CSS.AD.COMPANYNAME.CO.UK
        server string = Samba %v
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba/smbd.log
        max log size = 50
        max protocol = SMB2
        unix extensions = No
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        template shell = /bin/bash
        idmap config * : range = 500-999999
        idmap config * : backend = nss
        ea support = Yes
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        dfree command = /usr/local/bin/dfree

[zfsshare]
        comment = ZFS share
        path = /testpool/samba
        read only = No
        inherit permissions = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        wide links = Yes
        vfs objects = shadow_copy2, streams_xattr, zfsacl
        zfsacl:acesort = dontcare
        nfs4:mode = special
        nfs4:chown = yes
        nfs4:acedup = merge
        shadow:format = GMT-%Y.%m.%d-%H.%M.%S
        shadow:snapdir = .zfs/snapshot
        shadow:basedir = /testpool/samba
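The "no backend defined for idmap config CSS" lines in the winbind log above come from a named domain that has no `idmap config <DOMAIN> : backend` entry, which is exactly what the fix at the top of this thread adds. The following script is an added example, not part of the original mail and not Samba's own code: it parses the `idmap config` lines out of an smb.conf and reports, for each domain winbind is expected to see, whether a backend and a well-formed range are defined. The two sample configurations and the domain list (`CSS`, `AD`, `NT AUTHORITY`, taken from the log) are constructed for the example; the checks are a simplified model of winbind's idmap initialisation, not its actual logic.

```python
"""Check smb.conf idmap configuration for the domains winbind will see (added example)."""
import re
from typing import Dict, List

# Matches "idmap config <domain> : <key> = <value>". The domain name may contain
# spaces ("NT AUTHORITY"), so it is everything up to the colon.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)$",
    re.IGNORECASE,
)
# "low-high" with low < high
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed sample: the poster's original config (default domain only).
BEFORE = """
[global]
        workgroup = CSS
        security = ADS
        idmap config * : range = 500-999999
        idmap config * : backend = nss
"""

# Constructed sample: the poster's working config (explicit CSS section added).
AFTER = BEFORE + """
        idmap config CSS : range = 500-999999
        idmap config CSS : backend = nss
"""


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line in conf."""
    domains: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        # smb.conf comment lines start with '#' or ';'
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m["domain"].strip().upper()
            domains.setdefault(dom, {})[m["key"].lower()] = m["value"].strip()
    return domains


def check_idmap(conf: str, domains_seen: List[str]) -> List[str]:
    """One finding per problem, phrased like winbind's own log message."""
    cfg = parse_idmap_config(conf)
    findings: List[str] = []
    # The '*' section is the fallback for every domain without its own entry.
    if "backend" not in cfg.get("*", {}):
        findings.append("no backend defined for idmap config * (default domain)")
    for dom in domains_seen:
        entry = cfg.get(dom.upper())
        if entry is None or "backend" not in entry:
            findings.append(f"no backend defined for idmap config {dom}")
            continue
        rng = entry.get("range")
        if rng is None:
            findings.append(f"no range defined for idmap config {dom}")
            continue
        m = RANGE_RE.match(rng)
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"malformed range '{rng}' for idmap config {dom}")
    return findings


if __name__ == "__main__":
    # Domains named in the winbindd-idmap log in this thread (constructed list).
    seen = ["CSS", "AD", "NT AUTHORITY"]
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for finding in check_idmap(conf, seen):
            print(finding)
```

Run against the "before" config the script reports all three domains as having no backend, matching the log; with the CSS section added only `AD` and `NT AUTHORITY` remain, which is consistent with the thread's fix addressing the CSS mappings specifically. Feed it the output of `testparm -s` to check a live configuration.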