[Samba] IDMAP_NSS on member server
gaiseric.vandal at gmail.com
Thu Dec 18 10:02:18 MST 2014
Yes, my each user's ldap entry stores the unix UID and uidNumber (as
well as other unix attributes) , as well as the samba SID and other
samba attributes.) I have so support Windows clients and unix
NFS/LDAP clients. So this works great with domain controllers.
But I didn't want to make every single samba server a domain
controller. I had tried on some machines configuring them as member
servers BUT using LDAP backend for idmapping- but with no luck.
I don't think I tried configuring "security=server" in smb.conf BUT
also specifying " domain logons = no" and "domain master = no".
On some of the linux Samba member servers, even with out windbind, samba
would figure out the correct access for windows users and groups. The
logs would show that "SAMBA\someuser" is connecting, and the domain is
unknown , so just treat "SAMBA\someuser" as the unix "someuser" in terms
of file system permissions. Users could not manage permissions via
Windows but as long as the top level directory had the correct group
owner, everything worked fine (mostly) - these servers are typically
set up to support a small group of people working on the same project.
With my solaris member server, however, the group mapping does not work
I also have found that on my Solaris PDC, that with users from trusted
domains, the group membership seems to be ignored for trusted users.
That is to say, that if TRUSTEDUSER\jsmith is in the local "Sales" group
on the server, he still can NOT access directories accessible to
"Sales." It used to work. It may be some recent upgrade that broke
Thanks for your help.
On 12/18/14 02:25, steve wrote:
> On 17/12/14 23:01, Gaiseric Vandal wrote:
>> I have two Samba 3.6.24 domain controllers (Solaris 10.) On all
>> machines unix accounts and groups are in the LDAP as well as idmap
>> entries for trusted domains. Samba accounts on domain controllers are
>> in LDAP so there is problem with consistency unix/windows id and group
>> mapping on the domain controllers. The domain controllers are the
>> main file servers as well.
>> I am configuring a new member server, also Samba 3.6.4 (Solaris 11.) On
>> the member server, I have joined the domain. When accessing shared
>> directory from a Windows 7 machine as a regular user, I can only access
>> files that I am the owner. Group is ignored. The Security
>> properties of files (from windows) show users and groups as "Unix
>> User\myname" and "Unix Group\mygroup."
>> Winbind is running on both the domain controller and the member server.
>> The "wbinfo -u" and "winfo -g" commands show the users and groups. This
>> machine does not need to support trusted domains. It looks like I
>> need some sort of IDMapping. SInce I have unix accounts in LDAP backend
>> I was trying to configure idmap_nss.
>> idmap config MYDOMAIN : backend = nss
>> idmap config MYDOMAIN : range = 100-300
>> wbinfo correctly translates between names and SIDs
>> :/# wbinfo -n myname
>> S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>> :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>> MYDOMAIN\myname 1
>> however any translation between SID (or name) and unix uidnumber fails
>> /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>> Member servers have always been problematic no matter what I try (ldap
>> backed, idmap_nss, idmap_rid, winbind trusted domains only = yes) and
>> on Solaris and Linux samba machines of various verions.
>> I also tried
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 100-300
>> idmap config MYDOMAIN : base_rid = 0
>> but no luck.
>> idmap_nss support is enabled
>> # smbd -b | grep idmap_nss
>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>> idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>> auth_winbind auth_wbc auth_server auth_domain auth_builtin
>> vfs_default vfs_solarisacl
>> # smbd -b | grep idmap_rid
>> Any idea what I am missing?
> Does your ldap schema allow for unix uid and gid numbers to be stored
> in user entries and for gid numbers for group entries?
> It's the only way for domain consistency we have ever found.
More information about the samba