[Samba] IDMAP_NSS on member server

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Dec 18 10:24:42 MST 2014


I don't have an AD backend for this domain.  The DCs are "classic" 
domain controllers, Samba 3.6, with LDAP backend for all accounts.    
Would this still be an option?




  I tried adding


idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:backend  = ad
idmap config MYDOMAIN:range = 100-300



Didn't seem to work.


Thanks



On 12/18/14 11:57, Rowland Penny wrote:
> On 18/12/14 16:43, Gaiseric Vandal wrote:
>> I think IDMAP_RID would not be the appropriate solution for me. Not 
>> only do I want consistent IDMapping across all servers - which this 
>> could do -  but I want them to match the existing unix uidNumber 
>> in LDAP.
>
> You never said that you had uidNumber in LDAP! In fact you seemed to 
> mention every winbind backend except the one that uses the rfc2307 
> attributes.
>
> Stop messing around and use the winbind ad backend.
>
> Rowland
>>
>>
>> Thanks for your help.
>>
>>
>>
>>
>> On 12/18/14 04:29, Rowland Penny wrote:
>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>> I have two  Samba 3.6.24 domain controllers (Solaris 10.)     On 
>>>> all machines unix accounts and groups are in the LDAP as well as 
>>>> idmap entries for trusted domains.   Samba accounts on domain 
>>>> controllers are in LDAP so there is problem with consistency 
>>>> unix/windows id and group mapping on the domain controllers. The 
>>>> domain controllers are the main file servers as well.
>>>>
>>>> I am configuring a new  member server, also Samba 3.6.4 (Solaris 
>>>> 11.)    On the member server, I have joined the domain. When 
>>>> accessing a shared directory from a Windows 7 machine as a regular 
>>>> user, I can only access files of which I am the owner. Group is 
>>>> ignored.    The Security properties of files (from windows) show 
>>>> users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>>
>>>>
>>>> Winbind is running on both the domain controller and the member 
>>>> server.  The "wbinfo -u" and "wbinfo -g" commands show the users and 
>>>> groups.  This machine does not need to support trusted 
>>>> domains.        It looks like I need some sort of IDMapping. Since 
>>>> I have unix accounts in LDAP backend I was trying to configure 
>>>> idmap_nss.
>>>>
>>>>
>>>>               idmap config MYDOMAIN : backend  = nss
>>>>               idmap config MYDOMAIN : range = 100-300
>>>>
>>>>
>>>> log.192.168.0.105
>>>> wbinfo correctly translates between names and SIDs
>>>>
>>>>          :/# wbinfo -n myname
>>>>        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>>          :/# wbinfo -s S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>        MYDOMAIN\myname 1
>>>>          /#
>>>>
>>>>
>>>> however any translation between SID (or name) and unix uidnumber fails
>>>>
>>>>          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>>        /#
>>>>
>>>>
>>>>
>>>> Member servers have always been problematic no matter what I try 
>>>> (ldap backend, idmap_nss, idmap_rid, winbind trusted domains only = 
>>>> yes)   and on Solaris and Linux samba machines of various versions.
>>>>
>>>>
>>>> I also tried
>>>>
>>>>
>>>>        idmap config MYDOMAIN : backend  = rid
>>>>        idmap config MYDOMAIN : range    = 100-300
>>>>        idmap config MYDOMAIN : base_rid = 0
>>>>
>>>>
>>>>
>>>> but no luck.
>>>
>>> Not surprised really, the rid is calculated using this formula:
>>>
>>> ID = RID - BASE_RID + LOW_RANGE_ID.
>>>
>>> So, using the info you posted above:
>>>
>>> ID = 1234 - 0 + 100
>>>
>>> Which becomes:
>>>
>>> ID = 1334
>>>
>>> There is your problem, the ID number is larger than the high range 
>>> you set in smb.conf, try adding a couple of zeros to the range, i.e. 
>>> change 100-300 to 100-30000
>>>
>>> Rowland
>>>
>>>>
>>>>
>>>> idmap_nss support is enabled
>>>>
>>>>        # smbd -b | grep idmap_nss
>>>>             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>>>>        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>>>>        auth_winbind auth_wbc auth_server auth_domain auth_builtin
>>>>        vfs_default vfs_solarisacl
>>>>
>>>>
>>>>        # smbd -b | grep idmap_rid
>>>>            idmap_rid_init
>>>>
>>>>
>>>>
>>>> Any idea what I am missing?
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
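The idmap_rid arithmetic Rowland walks through above (ID = RID - BASE_RID + LOW_RANGE_ID, with the result rejected when it falls outside the configured range) is easy to check before touching winbind. The script below is an added example for this thread, not code from Samba or from either poster: it parses `idmap config DOMAIN : key = value` lines out of an smb.conf fragment, applies the rid formula in both directions, and returns None when the computed ID lands outside the range, which is the condition behind the failed SID-to-uid lookup in the original post. The two smb.conf fragments and the domain SID `S-1-5-21-1-2-3` are constructed for the example; the narrow one mirrors the 100-300 range posted in the thread and the wide one mirrors the 100-30000 range suggested in the reply.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed smb.conf fragments (example data, not copied from a live server).
# The narrow range is the one posted in the thread; the wide one is the suggested fix.
SMB_CONF_NARROW = """
[global]
    workgroup = MYDOMAIN
    idmap config MYDOMAIN : backend  = rid
    idmap config MYDOMAIN : range    = 100-300
    idmap config MYDOMAIN : base_rid = 0
"""

SMB_CONF_WIDE = """
[global]
    workgroup = MYDOMAIN
    idmap config MYDOMAIN : backend  = rid
    idmap config MYDOMAIN : range    = 100-30000
    idmap config MYDOMAIN : base_rid = 0
"""

# Matches both "idmap config DOM : key = value" and the compact "idmap config DOM:key = value".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config parameters per domain (domain names compared case-insensitively)."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return out


def parse_range(spec: str) -> Tuple[int, int]:
    """Split 'LOW-HIGH' into integers and reject an inverted range."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    if lo > hi:
        raise ValueError(f"bad idmap range {spec!r}")
    return lo, hi


def _rid_cfg(conf: str, domain: str) -> Optional[Tuple[int, int, int]]:
    """Return (low, high, base_rid) for a domain configured with the rid backend, else None."""
    cfg = parse_idmap_config(conf).get(domain.upper())
    if not cfg or cfg.get("backend", "").lower() != "rid" or "range" not in cfg:
        return None
    lo, hi = parse_range(cfg["range"])
    return lo, hi, int(cfg.get("base_rid", "0"))


def sid_to_id(conf: str, domain: str, sid: str) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the result is outside the range."""
    rid_cfg = _rid_cfg(conf, domain)
    if rid_cfg is None:
        return None
    lo, hi, base_rid = rid_cfg
    rid = int(sid.rsplit("-", 1)[1])          # last SID component is the RID
    unix_id = rid - base_rid + lo
    return unix_id if lo <= unix_id <= hi else None


def id_to_sid(conf: str, domain: str, domain_sid: str, unix_id: int) -> Optional[str]:
    """Inverse mapping: RID = ID - LOW_RANGE_ID + BASE_RID; None if ID is outside the range."""
    rid_cfg = _rid_cfg(conf, domain)
    if rid_cfg is None:
        return None
    lo, hi, base_rid = rid_cfg
    if not lo <= unix_id <= hi:
        return None
    return f"{domain_sid}-{unix_id - lo + base_rid}"


if __name__ == "__main__":
    sid = "S-1-5-21-1-2-3-1234"               # constructed SID with RID 1234, as in the thread
    print("narrow range:", sid_to_id(SMB_CONF_NARROW, "MYDOMAIN", sid))   # None: 1334 > 300
    print("wide range:  ", sid_to_id(SMB_CONF_WIDE, "MYDOMAIN", sid))     # 1334
    print("reverse:     ", id_to_sid(SMB_CONF_WIDE, "MYDOMAIN", "S-1-5-21-1-2-3", 1334))
```

Running it against the narrow fragment returns None for RID 1234, matching the reply's calculation that 1334 exceeds the high end of 100-300, while the wide fragment maps it to 1334 and back again. Note that this reproduces only the arithmetic of idmap_rid; it says nothing about whether the resulting numbers agree with the uidNumber values already stored in LDAP, which is the separate requirement raised later in the thread.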


