[Samba] idmap problems after update from 3.0.33 to 3.6.6

Thomas Attenberger Thomas.Attenberger at gmx.net
Wed Oct 16 06:56:43 MDT 2013



> Sent: Wednesday, 16 October 2013 at 13:36
> From: steve <steve at steve-ss.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] idmap problems after update from 3.0.33 to 3.6.6
>
> On Wed, 2013-10-16 at 12:12 +0200, Thomas Attenberger wrote:
> > Hello,
> > 
> > we are using a standalone samba server, which is a Win2008R2 domain member.
> > The access rights on the shares are set with ACLs.
> > After the update I could access the shares. But if I take a look at the
> > rights on the shares with "getfacl" I see only numbers instead of usernames
> > and groups. Then I did a "getent passwd". There are now other numbers mapped
> > to the users than before the update of samba! So now again "getfacl", there
> > are now wrong user and group names...
> > 
> > Here is the smb.conf after the update. I changed only the idmap parameter.
> > 
> > [global]
> > 
> >         workgroup       = ATRON
> >         realm           = ATRON.LOCAL
> >         security        = ADS
> >         preferred master = no
> >         server string   = %h
> >         log file        = /var/log/samba/smb.log.%m
> >         winbind enum users = Yes
> >         winbind enum groups = Yes
> >         winbind use default domain = Yes
> >         winbind separator = +
> > #       idmap uid       = 10000-20000
> > #       idmap gid       = 10000-20000
> >         idmap config ATRON:range=10000-20000
> >         template shell  = /bin/bash
> >         username map    = /etc/samba/smbusers
> > 
> > Unfortunately I'm no samba expert, so I hope someone can help me...
> > 
> > Regards
> > Tom
> 
> Hi
> It depends where your rfc2307 attributes are coming from. If they are in
> AD then:
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config *:backend = tdb
> idmap config *:range = 3000-4000
> idmap config ATRON:backend = ad
> idmap config ATRON:range = 10000-20000
> idmap config ATRON:schema_mode = rfc2307 
> winbind nss info = rfc2307
> winbind use default domain = Yes
> 
> and due to me just having happened to have read a recent post, maybe
> also comment out the line:
> winbind separator = +
> 
> Oh, don't forget to specify winbind in nsswitch.conf
> 
> If you're not using AD then there are other alternatives but we do not
> have enough information to help further with the config you have
> provided.
> 
> HTH
> Steve

Hi Steve,

thanks for your help.
Yes, we are using an ActiveDirectory. I did all your suggestions in the smb.conf, also nsswitch.conf is fine. But still "getent passwd" brings only local users.

The "wbinfo -u" is ok, but something is not:

[root at pluto3 ~]# wbinfo -t
checking the trust secret for domain ATRON via RPC calls succeeded

[root at pluto3 ~]# wbinfo -i tom
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user tom


Do you have any idea what I can check?

Best Regards
Tom
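
An added example, not part of either poster's message: a small Python check of the `idmap config` lines discussed in this thread, since a shifted UID/GID mapping makes existing ACL entries resolve to other accounts. It reports domains that have no backend or no range and ID ranges that overlap; the function names and the sample text are assumptions constructed here.

```python
import re
from itertools import combinations

# Constructed sample: the idmap-related settings quoted in this thread.
SAMPLE = """\
[global]
    workgroup = ATRON
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ATRON:backend = ad
    idmap config ATRON:range = 10000-20000
    idmap config ATRON:schema_mode = rfc2307
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out setting
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(text):
    """List findings: missing backend/range, malformed or overlapping ranges."""
    findings, ranges = [], []
    for dom, opts in sorted(parse_idmap(text).items()):
        for key in ("backend", "range"):
            if key not in opts:
                findings.append(f"{dom}: no {key} set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m and int(m.group(1)) <= int(m.group(2)):
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
        elif "range" in opts:
            findings.append(f"{dom}: malformed range {opts['range']!r}")
    # Compare every pair of domains so no overlap is missed.
    for (lo1, hi1, d1), (lo2, hi2, d2) in combinations(sorted(ranges), 2):
        if lo2 <= hi1 and lo1 <= hi2:
            findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

if __name__ == "__main__":
    print(check_idmap(SAMPLE) or "idmap settings are consistent")
```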

