[Samba] IDMAP_NSS on member server

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 18 10:39:27 MST 2014


On 18/12/14 17:24, Gaiseric Vandal wrote:
> I don't have an AD backend for this domain.  The DCs are "classic" 
> domain controllers, Samba 3.6, with LDAP backend for all accounts.    
> Would this still be an option?
>
>
>
>
>  I tried adding
>
>
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:backend  = ad
> idmap config MYDOMAIN:range = 100-300
>
>
>
> Didn't seem to work.
>
>
> Thanks
>
>
>
> On 12/18/14 11:57, Rowland Penny wrote:
>> On 18/12/14 16:43, Gaiseric Vandal wrote:
>>> I think IDMAP_RID would not be the appropriate solution for me. Not 
>>> only do I want consistent IDMapping across all servers - which this 
>>> could do -  but I want them to match the existing unix uidNumber 
>>> in LDAP.
>>
>> You never said that you had uidNumber in LDAP! In fact you seemed to 
>> mention every winbind backend except the one that uses the rfc2307 
>> attributes.
>>
>> Stop messing around and use the winbind ad backend.
>>
>> Rowland
>>>
>>>
>>> Thanks for your help.
>>>
>>>
>>>
>>>
>>> On 12/18/14 04:29, Rowland Penny wrote:
>>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>>> I have two  Samba 3.6.24 domain controllers (Solaris 10.)     On 
>>>>> all machines unix accounts and groups are in the LDAP as well as 
>>>>> idmap entries for trusted domains.   Samba accounts on domain 
>>>>> controllers are in LDAP so there is problem with consistency 
>>>>> unix/windows id and group mapping on the domain controllers. The 
>>>>> domain controllers are the main file servers as well.
>>>>>
>>>>> I am configuring a new  member server, also Samba 3.6.4 (Solaris 
>>>>> 11.)    On the member server, I have joined the domain. When 
>>>>> accessing shared directory from a Windows 7 machine as a regular 
>>>>> user, I can only access files that I am the owner. Group is 
>>>>> ignored.    The Security properties of files (from windows) show 
>>>>> users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>>>
>>>>>
>>>>> Winbind is running on both the domain controller and the member 
>>>>> server.  The "wbinfo -u" and "wbinfo -g" commands show the users 
>>>>> and groups.  This machine does not need to support trusted 
>>>>> domains.        It looks like I need some sort of IDMapping. Since 
>>>>> I have unix accounts in LDAP backend I was trying to configure 
>>>>> idmap_nss.
>>>>>
>>>>>
>>>>>               idmap config MYDOMAIN : backend  = nss
>>>>>               idmap config MYDOMAIN : range = 100-300
>>>>>
>>>>>
>>>>> log.192.168.0.105
>>>>> wbinfo correctly translates between names and SIDs
>>>>>
>>>>>          :/# wbinfo -n myname
>>>>>        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>>>          :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>        MYDOMAIN\myname 1
>>>>>          /#
>>>>>
>>>>>
>>>>> however any translation between SID (or name) and unix uidnumber 
>>>>> fails
>>>>>
>>>>>          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>>>        /#
>>>>>
>>>>>
>>>>>
>>>>> Member servers have always been problematic no matter what I try 
>>>>> (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = 
>>>>> yes)   and on Solaris and Linux samba machines of various versions.
>>>>>
>>>>>
>>>>> I also tried
>>>>>
>>>>>
>>>>>        idmap config MYDOMAIN : backend  = rid
>>>>>        idmap config MYDOMAIN : range    = 100-300
>>>>>        idmap config MYDOMAIN : base_rid = 0
>>>>>
>>>>>
>>>>>
>>>>> but no luck.
>>>>
>>>> Not surprised really, the rid is calculated using this formula:
>>>>
>>>> ID = RID - BASE_RID + LOW_RANGE_ID.
>>>>
>>>> So, using the info you posted above:
>>>>
>>>> ID = 1234 - 0 + 100
>>>>
>>>> Which becomes:
>>>>
>>>> ID = 1334
>>>>
>>>> There is your problem: the ID number is larger than the high range 
>>>> you set in smb.conf, try adding a couple of zeros to the range, 
>>>> i.e. change 100-300 to 100-30000
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>>
>>>>> idmap_nss support is enabled
>>>>>
>>>>>        # smbd -b | grep idmap_nss
>>>>>             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>>>>>        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>>>>>        auth_winbind auth_wbc auth_server auth_domain auth_builtin
>>>>>        vfs_default vfs_solarisacl
>>>>>
>>>>>
>>>>>        # smbd -b | grep idmap_rid
>>>>>            idmap_rid_init
>>>>>
>>>>>
>>>>>
>>>>> Any idea what I am missing?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
OK, I think that you are going to have to use 'security = domain' and 
join the machine to your NT4 style domain, see 'man smb.conf'

Rowland
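The RID arithmetic Rowland quotes above (ID = RID - BASE_RID + LOW_RANGE_ID) as an added example, not code from the thread or from Samba: it parses the `idmap config` lines out of an smb.conf fragment, pulls the RID off a SID and reports whether the computed unix ID fits the configured range. The smb.conf fragment and the SID are constructed for the example; only the RID 1234 and the two ranges come from the thread.

```python
import re

# Constructed sample smb.conf fragment and SID, mirroring the values quoted in the thread
SMB_CONF = """
idmap config MYDOMAIN : backend  = rid
idmap config MYDOMAIN : range    = 100-300
idmap config MYDOMAIN : base_rid = 0
"""
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"  # constructed; RID 1234 as in the thread

_IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_idmap_config(conf):
    """Collect 'idmap config DOMAIN : key = value' lines into {DOMAIN: {key: value}}."""
    domains = {}
    for m in _IDMAP_RE.finditer(conf):
        domains.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return domains

def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1234."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])

def rid_to_unix_id(sid, cfg):
    """idmap_rid's formula, ID = RID - BASE_RID + LOW_RANGE_ID; returns (id, fits_in_range)."""
    low, high = (int(x) for x in cfg["range"].split("-"))
    base_rid = int(cfg.get("base_rid", 0))
    unix_id = rid_from_sid(sid) - base_rid + low
    # winbind refuses the mapping when the computed ID falls outside low..high
    return unix_id, low <= unix_id <= high

def check(conf, sid, domain="MYDOMAIN"):
    """Parse the config for `domain` and map `sid` through the rid backend."""
    cfg = parse_idmap_config(conf)[domain.upper()]
    if cfg.get("backend", "").lower() != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    return rid_to_unix_id(sid, cfg)

if __name__ == "__main__":
    for rng in ("100-300", "100-30000"):
        uid, ok = check(SMB_CONF.replace("100-300", rng), SAMPLE_SID)
        print("range %-9s -> uid %d, in range: %s" % (rng, uid, ok))
```

With the 100-300 range the script reports 1334 as out of range, which is the mapping winbind refused in the thread; widening to 100-30000 makes the same RID fit.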


