[Samba] IDMAP_NSS on member server

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 18 09:57:04 MST 2014


On 18/12/14 16:43, Gaiseric Vandal wrote:
> I think IDMAP_RID would not be the appropriate solution for me. Not 
> only do I want consistent IDMapping across all servers - which this 
> could do - but I want them to match the existing unix uidNumber 
> in LDAP.

You never said that you had uidNumber in LDAP! In fact you seemed to 
mention every winbind backend except the one that uses the rfc2307 
attributes.

Stop messing around and use the winbind ad backend.

Rowland
>
>
> Thanks for your help.
>
>
>
>
> On 12/18/14 04:29, Rowland Penny wrote:
>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>> I have two Samba 3.6.24 domain controllers (Solaris 10.) On all 
>>> machines unix accounts and groups are in the LDAP as well as idmap 
>>> entries for trusted domains. Samba accounts on domain controllers 
>>> are in LDAP so there is problem with consistency unix/windows id and 
>>> group mapping on the domain controllers. The domain controllers are 
>>> the main file servers as well.
>>>
>>> I am configuring a new member server, also Samba 3.6.4 (Solaris 
>>> 11.) On the member server, I have joined the domain. When 
>>> accessing shared directory from a Windows 7 machine as a regular 
>>> user, I can only access files that I am the owner. Group is 
>>> ignored. The Security properties of files (from windows) show 
>>> users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>
>>>
>>> Winbind is running on both the domain controller and the member 
>>> server. The "wbinfo -u" and "wbinfo -g" commands show the users and 
>>> groups. This machine does not need to support trusted 
>>> domains. It looks like I need some sort of IDMapping. Since I 
>>> have unix accounts in LDAP backend I was trying to configure idmap_nss.
>>>
>>>
>>>               idmap config MYDOMAIN : backend  = nss
>>>               idmap config MYDOMAIN : range = 100-300
>>>
>>>
>>>
>>> wbinfo correctly translates between names and SIDs
>>>
>>>          :/# wbinfo -n myname
>>>        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>          :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>        MYDOMAIN\myname 1
>>>          /#
>>>
>>>
>>> however any translation between SID (or name) and unix uidnumber fails
>>>
>>>          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>        /#
>>>
>>>
>>>
>>> Member servers have always been problematic no matter what I try 
>>> (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = 
>>> yes) and on Solaris and Linux samba machines of various versions.
>>>
>>>
>>> I also tried
>>>
>>>
>>>        idmap config MYDOMAIN : backend  = rid
>>>        idmap config MYDOMAIN : range    = 100-300
>>>        idmap config MYDOMAIN : base_rid = 0
>>>
>>>
>>>
>>> but no luck.
>>
>> Not surprised really, the rid is calculated using this formula:
>>
>> ID = RID - BASE_RID + LOW_RANGE_ID.
>>
>> So, using the info you posted above:
>>
>> ID = 1234 - 0 + 100
>>
>> Which becomes:
>>
>> ID = 1334
>>
>> There is your problem: the ID number is larger than the high range 
>> you set in smb.conf. Try adding a couple of zeros to the range, i.e. 
>> change 100-300 to 100-30000
>>
>> Rowland
>>
>>>
>>>
>>> idmap_nss support is enabled
>>>
>>>        # smbd -b | grep idmap_nss
>>>             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>>>        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>>>        auth_winbind auth_wbc auth_server auth_domain auth_builtin
>>>        vfs_default vfs_solarisacl
>>>
>>>
>>>        # smbd -b | grep idmap_rid
>>>            idmap_rid_init
>>>
>>>
>>>
>>> Any idea what I am missing?
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>
>
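The idmap_rid arithmetic Rowland quotes above (ID = RID - BASE_RID + LOW_RANGE_ID, valid only while ID stays inside the configured range), worked through as an added example that is not Samba's code: it parses the two `idmap config MYDOMAIN : ...` fragments from the thread and shows why RID 1234 fails with range 100-300 but maps to 1334 with range 100-30000. The config text and the helper names are constructed for this example.

```python
"""Added example: reproduce the idmap_rid forward/reverse mapping from the thread.
This is illustrative code, not Samba's idmap_rid implementation."""

import re

# Constructed smb.conf fragments mirroring the two configurations discussed.
SMB_CONF_BAD = """
idmap config MYDOMAIN : backend  = rid
idmap config MYDOMAIN : range    = 100-300
idmap config MYDOMAIN : base_rid = 0
"""

SMB_CONF_FIXED = """
idmap config MYDOMAIN : backend  = rid
idmap config MYDOMAIN : range    = 100-30000
idmap config MYDOMAIN : base_rid = 0
"""

_LINE = re.compile(r"^\s*idmap config (\S+)\s*:\s*(\w+)\s*=\s*(\S+)\s*$", re.M)


def parse_idmap_config(text, domain):
    """Return {option: value} for the idmap config lines of one domain."""
    return {opt: val for dom, opt, val in _LINE.findall(text) if dom == domain}


def rid_to_id(rid, low, high, base_rid=0):
    """Forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID, or None if out of range."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def id_to_rid(uid, low, high, base_rid=0):
    """Reverse mapping (UID on a file back to the RID), or None if out of range."""
    if not low <= uid <= high:
        return None
    return uid - low + base_rid


def map_rid(conf_text, domain, rid):
    """Apply a parsed config to one RID; the range check is what makes 1234 fail."""
    cfg = parse_idmap_config(conf_text, domain)
    low, high = (int(x) for x in cfg["range"].split("-"))
    return rid_to_id(rid, low, high, int(cfg.get("base_rid", 0)))


if __name__ == "__main__":
    for label, conf in (("100-300", SMB_CONF_BAD), ("100-30000", SMB_CONF_FIXED)):
        print(f"range {label}: RID 1234 -> {map_rid(conf, 'MYDOMAIN', 1234)}")
```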
