[Samba] IDMAP_NSS on member server

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 18 02:29:39 MST 2014


On 17/12/14 22:01, Gaiseric Vandal wrote:
> I have two Samba 3.6.24 domain controllers (Solaris 10.) On all 
> machines unix accounts and groups are in the LDAP as well as idmap 
> entries for trusted domains. Samba accounts on domain controllers 
> are in LDAP so there is problem with consistency unix/windows id and 
> group mapping on the domain controllers. The domain controllers are 
> the main file servers as well.
>
> I am configuring a new member server, also Samba 3.6.4 (Solaris 
> 11.) On the member server, I have joined the domain. When 
> accessing a shared directory from a Windows 7 machine as a regular user, 
> I can only access files of which I am the owner. Group is ignored. 
> The Security properties of files (from Windows) show users and groups 
> as "Unix User\myname" and "Unix Group\mygroup."
>
>
> Winbind is running on both the domain controller and the member 
> server. The "wbinfo -u" and "wbinfo -g" commands show the users and 
> groups. This machine does not need to support trusted domains. 
> It looks like I need some sort of IDMapping. Since I have unix 
> accounts in the LDAP backend I was trying to configure idmap_nss.
>
>
>               idmap config MYDOMAIN : backend  = nss
>               idmap config MYDOMAIN : range = 100-300
>
>
>
> wbinfo correctly translates between names and SIDs
>
>          :/# wbinfo -n myname
>        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>          :/# wbinfo -s S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>        MYDOMAIN\myname 1
>          /#
>
>
> however any translation between SID (or name) and unix uidnumber fails
>
>          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>        /#
>
>
>
> Member servers have always been problematic no matter what I try (ldap 
> backed, idmap_nss, idmap_rid, winbind trusted domains only = yes) 
> and on Solaris and Linux samba machines of various versions.
>
>
> I also tried
>
>
>        idmap config MYDOMAIN : backend  = rid
>        idmap config MYDOMAIN : range    = 100-300
>        idmap config MYDOMAIN : base_rid = 0
>
>
>
> but no luck.

Not surprised really, the rid is calculated using this formula:

ID = RID - BASE_RID + LOW_RANGE_ID.

So, using the info you posted above:

ID = 1234 - 0 + 100

Which becomes:

ID = 1334

There is your problem. The ID number is larger than the high end of the range you 
set in smb.conf; try adding a couple of zeros to the range, i.e. change 
100-300 to 100-30000.

Rowland

>
>
> idmap_nss support is enabled
>
>        # smbd -b | grep idmap_nss
>             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>        auth_winbind auth_wbc auth_server auth_domain auth_builtin
>        vfs_default vfs_solarisacl
>
>
>        # smbd -b | grep idmap_rid
>            idmap_rid_init
>
>
>
> Any idea what I am missing?
>
> Thanks
>
>
>
>
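The arithmetic in Rowland's reply, as an added example that is not part of the original thread and not Samba code: a small POSIX sh helper that applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to a SID and reports whether the result lands inside the configured range. The function names, argument order, and the second test SID are this example's own; the first SID and the two range settings are the ones from the thread.

```shell
#!/bin/sh
# Added example (not Samba code): apply the idmap_rid formula
#     ID = RID - BASE_RID + LOW_RANGE_ID
# to a SID and check the result against "idmap config DOM : range = LOW-HIGH".
# Function names and argument order are this example's own choices.

# rid_to_id SID BASE_RID LOW HIGH
#   prints the computed id; exit status 0 if LOW <= id <= HIGH, 1 otherwise
rid_to_id() {
    sid=$1
    base_rid=$2
    low=$3
    high=$4
    # The RID is the final dash-separated component of the SID
    # (S-1-5-21-...-1234 -> 1234); the domain part does not enter the formula.
    rid=${sid##*-}
    id=$((rid - base_rid + low))
    printf '%s\n' "$id"
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# check SID BASE_RID LOW HIGH: print a one-line verdict for one configuration
check() {
    if id=$(rid_to_id "$@"); then
        printf 'RID %s, base_rid=%s, range=%s-%s -> id %s (in range, mapping works)\n' \
            "${1##*-}" "$2" "$3" "$4" "$id"
    else
        printf 'RID %s, base_rid=%s, range=%s-%s -> id %s (OUT OF RANGE, mapping fails)\n' \
            "${1##*-}" "$2" "$3" "$4" "$id"
    fi
}

# SID quoted in the post (domain part was redacted there as xxxxx)
SID='S-1-5-21-xxxxx-xxxxx-xxxxx-1234'

check "$SID" 0 100 300     # configuration from the post: 1234 - 0 + 100 = 1334 > 300
check "$SID" 0 100 30000   # Rowland's suggestion: 1334 fits inside 100-30000

# Constructed extra case: a base_rid larger than the RID pushes the id
# below LOW, so it is also rejected (500 - 1000 + 10000 = 9500 < 10000).
check 'S-1-5-21-1-2-3-500' 1000 10000 20000
```

Two caveats a practitioner would add when checking a range this way: the range has to be wide enough for the highest RID the domain will ever hand out (not just the one user being tested), and idmap_rid derives ids purely arithmetically, so the numbers it produces will not match uidNumber/gidNumber values already stored in LDAP for the same accounts on the domain controllers.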


