[Samba] IDMAP_NSS on member server

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Dec 18 09:43:00 MST 2014


I think IDMAP_RID would not be the appropriate solution for me. Not 
only do I want consistent IDMapping across all servers - which this 
could do - but I want them to match the existing unix uidNumber in 
LDAP.


Thanks for your help.




On 12/18/14 04:29, Rowland Penny wrote:
> On 17/12/14 22:01, Gaiseric Vandal wrote:
>> I have two  Samba 3.6.24 domain controllers (Solaris 10.)     On all 
>> machines unix accounts and groups are in the LDAP as well as idmap 
>> entries for trusted domains.   Samba accounts on domain controllers 
>> are in LDAP so there is problem with consistency unix/windows id and 
>> group mapping on the domain controllers. The domain controllers are 
>> the main file servers as well.
>>
>> I am configuring a new  member server, also Samba 3.6.4 (Solaris 
>> 11.)    On the member server, I have joined the domain. When 
>> accessing shared directory from a Windows 7 machine as a regular 
>> user, I can only access files that I am the owner. Group is 
>> ignored.    The Security properties of files (from windows) show 
>> users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>
>>
>> Winbind is running on both the domain controller and the member 
>> server.  The "wbinfo -u" and "wbinfo -g" commands show the users and 
>> groups.  This machine does not need to support trusted 
>> domains.  It looks like I need some sort of IDMapping. Since I 
>> have unix accounts in LDAP backend I was trying to configure idmap_nss.
>>
>>
>>               idmap config MYDOMAIN : backend  = nss
>>               idmap config MYDOMAIN : range = 100-300
>>
>>
>>
>> wbinfo correctly translates between names and SIDs
>>
>>          :/# wbinfo -n myname
>>        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>          :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>        MYDOMAIN\myname 1
>>          /#
>>
>>
>> however any translation between SID (or name) and unix uidnumber fails
>>
>>          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>        /#
>>
>>
>>
>> Member servers have always been problematic no matter what I try 
>> (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = 
>> yes) and on Solaris and Linux samba machines of various versions.
>>
>>
>> I also tried
>>
>>
>>        idmap config MYDOMAIN : backend  = rid
>>        idmap config MYDOMAIN : range    = 100-300
>>        idmap config MYDOMAIN : base_rid = 0
>>
>>
>>
>> but no luck.
>
> Not surprised really; the rid is calculated using this formula:
>
> ID = RID - BASE_RID + LOW_RANGE_ID.
>
> So, using the info you posted above:
>
> ID = 1234 - 0 + 100
>
> Which becomes:
>
> ID = 1334
>
> There is your problem: the ID number is larger than the high range you 
> set in smb.conf. Try adding a couple of zeros to the range, i.e. 
> change 100-300 to 100-30000
>
> Rowland
>
>>
>>
>> idmap_nss support is enabled
>>
>>        # smbd -b | grep idmap_nss
>>             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>>        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>>        auth_winbind auth_wbc auth_server auth_domain auth_builtin
>>        vfs_default vfs_solarisacl
>>
>>
>>        # smbd -b | grep idmap_rid
>>            idmap_rid_init
>>
>>
>>
>> Any idea what I am missing?
>>
>> Thanks
>>
>>
>>
>>
>
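The idmap_rid arithmetic Rowland quotes (ID = RID - BASE_RID + LOW_RANGE_ID) and the range check that explains the WBC_ERR failure, worked through in a small added script. This is an illustration written for this page, not code from Samba or from either poster; the SID sub-authorities are constructed stand-ins for the x's in the thread, and the helper names are mine. It shows only the arithmetic; as the original poster notes, no choice of range can make idmap_rid reproduce a uidNumber that already exists in LDAP.

```python
"""Worked example of the idmap_rid mapping: RID -> unix id, plus range check.

Added illustration for the thread above; not Samba's own implementation.
"""
import re

# Domain SID followed by the RID as the final sub-authority.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample SID standing in for S-1-5-21-xxxxx-xxxxx-xxxxx-1234.
SAMPLE_SID = "S-1-5-21-1111-2222-3333-1234"


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a domain user/group SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return int(m.group(1))


def parse_range(text):
    """Parse an 'idmap config ... : range = LOW-HIGH' value into (low, high)."""
    low, high = (int(part) for part in text.split("-", 1))
    if low > high:
        raise ValueError("range low bound exceeds high bound: %r" % text)
    return low, high


def rid_to_id(rid, base_rid, low_range_id):
    """The formula from the thread: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low_range_id


def map_sid(sid, id_range, base_rid=0):
    """Apply the idmap_rid mapping and report whether the result fits the range.

    Returns (unix_id, in_range). An id outside [low, high] is exactly the
    case where winbind refuses the mapping instead of handing out the id.
    """
    low, high = parse_range(id_range)
    unix_id = rid_to_id(rid_from_sid(sid), base_rid, low)
    return unix_id, low <= unix_id <= high


def max_rid_for_range(id_range, base_rid=0):
    """Largest RID a given range can map before ids run off the high bound."""
    low, high = parse_range(id_range)
    return high - low + base_rid


if __name__ == "__main__":
    for rng in ("100-300", "100-30000"):
        unix_id, ok = map_sid(SAMPLE_SID, rng)
        print("range %-10s -> id %d (%s, max RID %d)" % (
            rng, unix_id, "in range" if ok else "OUT OF RANGE",
            max_rid_for_range(rng)))
```

With the thread's values the script reports id 1334 as out of range for 100-300 (that range can only hold RIDs up to 200) and in range for 100-30000, which is the arithmetic behind Rowland's suggestion.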