[Samba] IDMAP_NSS on member server

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Dec 17 15:01:43 MST 2014

I have two Samba 3.6.24 domain controllers (Solaris 10). On all 
machines unix accounts and groups are in the LDAP as well as idmap 
entries for trusted domains. Samba accounts on domain controllers are 
in LDAP, so there is a problem with the consistency of unix/windows id and group 
mapping on the domain controllers. The domain controllers are the 
main file servers as well.

I am configuring a new member server, also Samba 3.6.4 (Solaris 11). 
On the member server, I have joined the domain. When accessing a 
shared directory from a Windows 7 machine as a regular user, I can only 
access files that I own. Group is ignored. The Security 
properties of files (from Windows) show users and groups as "Unix 
User\myname" and "Unix Group\mygroup."

Winbind is running on both the domain controller and the member server. 
The "wbinfo -u" and "wbinfo -g" commands show the users and groups. This 
machine does not need to support trusted domains. It looks like I 
need some sort of ID mapping. Since I have unix accounts in the LDAP backend 
I was trying to configure idmap_nss.

               idmap config MYDOMAIN : backend  = nss
               idmap config MYDOMAIN : range = 100-300

wbinfo correctly translates between names and SIDs:

          :/# wbinfo -n myname
        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
          :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
        MYDOMAIN\myname 1

However, any translation between SID (or name) and unix uidnumber fails:

          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid

Member servers have always been problematic no matter what I try (ldap 
backend, idmap_nss, idmap_rid, winbind trusted domains only = yes) and 
on Solaris and Linux Samba machines of various versions.

I also tried

        idmap config MYDOMAIN : backend  = rid
        idmap config MYDOMAIN : range    = 100-300
        idmap config MYDOMAIN : base_rid = 0

but no luck.

idmap_nss support is enabled:

        # smbd -b | grep idmap_nss
             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
        auth_winbind auth_wbc auth_server auth_domain auth_builtin
        vfs_default vfs_solarisacl

        # smbd -b | grep idmap_rid

Any idea what I am missing?
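As an added diagnostic (not part of the post above), the script below walks the same name -> SID -> uid chain the post shows with "wbinfo -n" and "wbinfo -S", and compares the uid winbind returns with the uid the local NSS (here the LDAP backend) holds for that account, since idmap_nss is only useful when the two agree. It assumes wbinfo and getent are on the path of a joined member server; the account name is a command-line argument.

```shell
#!/bin/sh
# Added example: check that winbind's idmap answer for a domain user
# matches the uid the local NSS (LDAP) already holds for the same name.

# Extract the SID from a "wbinfo -n" line such as
# "S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)".
sid_from_wbinfo_line() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Extract the uid field from a "getent passwd" line (name:x:uid:gid:...).
uid_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 only when both uids are present and identical.
# Arguments: <uid from winbind> <uid from NSS>
uids_agree() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Run the real chain for one account name on a joined member server.
check_user_mapping() {
    name="$1"
    line=$(wbinfo -n "$name") \
        || { echo "name->SID lookup failed for $name"; return 1; }
    sid=$(sid_from_wbinfo_line "$line")
    wb_uid=$(wbinfo -S "$sid") \
        || { echo "SID->uid failed for $sid (idmap config / range?)"; return 1; }
    nss_uid=$(uid_from_passwd_line "$(getent passwd "$name")")
    if uids_agree "$wb_uid" "$nss_uid"; then
        echo "$name: SID $sid -> uid $wb_uid (matches local NSS)"
    else
        echo "$name: winbind uid '$wb_uid' and NSS uid '$nss_uid' differ"
        return 1
    fi
}

# Only run the live check when an account name was given.
if [ "$#" -gt 0 ]; then
    check_user_mapping "$1"
fi
```

A non-zero exit from the SID->uid step, or a mismatch between the two uids, points at the idmap side rather than at share permissions.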

