[Samba] IDMAP_NSS on member server

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Dec 18 12:42:34 MST 2014


I did have it set up for security=domain.


As I looked through the logs I saw errors about winbind not being able 
to allocate mappings, but for the local groups (e.g. 
Administrators). Normally on member servers I explicitly map well known 
local groups to gidNumbers that are consistent across all systems. I 
hadn't done that yet. Maybe idmap was choking up on local group 
mappings before it even tried dealing with domain users.


Based on some of the examples I saw in man pages and on the web I 
changed smb.conf from

     idmap config MYDOMAIN : backend  = nss
     idmap config MYDOMAIN : range = 100-300


to

     idmap config * : backend  = tdb
     idmap config * : range =  5000-6000

     idmap config MYDOMAIN : backend  = nss
     idmap config MYDOMAIN : range = 100-300



Restarted samba and winbind. I could see that it automatically 
created a group mapping for the expected local groups.

# net  groupmap  list
Administrators (S-1-5-32-544) -> 5000
Users (S-1-5-32-545) -> 5001


And now "wbinfo -S" will translate a domain user SID into a local uidNumber.


So making progress.

Thanks




On 12/18/14 12:39, Rowland Penny wrote:
> On 18/12/14 17:24, Gaiseric Vandal wrote:
>> I don't have an AD backend for this domain.  The DCs are "classic" 
>> domain controllers, Samba 3.6, with LDAP backend for all 
>> accounts.  Would this still be an option?
>>
>>
>>
>>
>>  I tried adding
>>
>>
>> idmap config MYDOMAIN:schema_mode = rfc2307
>> idmap config MYDOMAIN:backend  = ad
>> idmap config MYDOMAIN:range = 100-300
>>
>>
>>
>> Didn't seem to work.
>>
>>
>> Thanks
>>
>>
>>
>> On 12/18/14 11:57, Rowland Penny wrote:
>>> On 18/12/14 16:43, Gaiseric Vandal wrote:
>>>> I think IDMAP_RID would not be the appropriate solution for me. Not 
>>>> only do I want consistent IDMapping across all servers - which this 
>>>> could do - but I want them to match the existing unix 
>>>> uidNumber in LDAP.
>>>
>>> You never said that you had uidNumber in LDAP! In fact you seemed 
>>> to mention every winbind backend except the one that uses the 
>>> rfc2307 attributes.
>>>
>>> Stop messing around and use the winbind ad backend.
>>>
>>> Rowland
>>>>
>>>>
>>>> Thanks for your help.
>>>>
>>>>
>>>>
>>>>
>>>> On 12/18/14 04:29, Rowland Penny wrote:
>>>>> On 17/12/14 22:01, Gaiseric Vandal wrote:
>>>>>> I have two Samba 3.6.24 domain controllers (Solaris 10). On 
>>>>>> all machines unix accounts and groups are in the LDAP as well as 
>>>>>> idmap entries for trusted domains.   Samba accounts on domain 
>>>>>> controllers are in LDAP so there is problem with consistency 
>>>>>> unix/windows id and group mapping on the domain controllers. The 
>>>>>> domain controllers are the main file servers as well.
>>>>>>
>>>>>> I am configuring a new member server, also Samba 3.6.4 (Solaris 
>>>>>> 11). On the member server, I have joined the domain. When 
>>>>>> accessing a shared directory from a Windows 7 machine as a regular 
>>>>>> user, I can only access files of which I am the owner. Group is 
>>>>>> ignored. The Security properties of files (from windows) show 
>>>>>> users and groups as "Unix User\myname" and "Unix Group\mygroup."
>>>>>>
>>>>>>
>>>>>> Winbind is running on both the domain controller and the member 
>>>>>> server.  The "wbinfo -u" and "wbinfo -g" commands show the users 
>>>>>> and groups.  This machine does not need to support trusted 
>>>>>> domains.  It looks like I need some sort of IDMapping. 
>>>>>> Since I have unix accounts in the LDAP backend I was trying to 
>>>>>> configure idmap_nss.
>>>>>>
>>>>>>
>>>>>>               idmap config MYDOMAIN : backend  = nss
>>>>>>               idmap config MYDOMAIN : range = 100-300
>>>>>>
>>>>>>
>>>>>> log.192.168.0.105
>>>>>> wbinfo correctly translates between names and SIDs
>>>>>>
>>>>>>          :/# wbinfo -n myname
>>>>>>        S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
>>>>>>          :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>>        MYDOMAIN\myname 1
>>>>>>          /#
>>>>>>
>>>>>>
>>>>>> however any translation between SID (or name) and unix uidnumber 
>>>>>> fails
>>>>>>
>>>>>>          /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
>>>>>>        failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>>        Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
>>>>>>        /#
>>>>>>
>>>>>>
>>>>>>
>>>>>> Member servers have always been problematic no matter what I try 
>>>>>> (ldap backend, idmap_nss, idmap_rid, winbind trusted domains only 
>>>>>> = yes) and on Solaris and Linux samba machines of various versions.
>>>>>>
>>>>>>
>>>>>> I also tried
>>>>>>
>>>>>>
>>>>>>        idmap config MYDOMAIN : backend  = rid
>>>>>>        idmap config MYDOMAIN : range    = 100-300
>>>>>>        idmap config MYDOMAIN : base_rid = 0
>>>>>>
>>>>>>
>>>>>>
>>>>>> but no luck.
>>>>>
>>>>> Not surprised really, the rid is calculated using this formula:
>>>>>
>>>>> ID = RID - BASE_RID + LOW_RANGE_ID.
>>>>>
>>>>> So, using the info you posted above:
>>>>>
>>>>> ID = 1234 - 0 + 100
>>>>>
>>>>> Which becomes:
>>>>>
>>>>> ID = 1334
>>>>>
>>>>> There is your problem. The ID number is larger than the high range 
>>>>> you set in smb.conf, try adding a couple of zeros to the range, 
>>>>> i.e. change 100-300 to 100-30000
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>>
>>>>>> idmap_nss support is enabled
>>>>>>
>>>>>>        # smbd -b | grep idmap_nss
>>>>>>             pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb
>>>>>>        idmap_passdb idmap_nss nss_info_template auth_sam auth_unix
>>>>>>        auth_winbind auth_wbc auth_server auth_domain auth_builtin
>>>>>>        vfs_default vfs_solarisacl
>>>>>>
>>>>>>
>>>>>>        # smbd -b | grep idmap_rid
>>>>>>            idmap_rid_init
>>>>>>
>>>>>>
>>>>>>
>>>>>> Any idea what I am missing?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
> OK, I think that you are going to have to use 'security = domain' and 
> join the machine to your NT4 style domain, see 'man smb.conf'
>
> Rowland
>
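Rowland's idmap_rid arithmetic and the default-domain fix that finally produced BUILTIN mappings, as an added example that is not part of the thread or of Samba itself; it assumes constructed smb.conf fragments and a constructed SID (the RID 1234 and ranges are the ones quoted above).

```python
# Added example (not from the thread or from Samba): Rowland's idmap_rid
# arithmetic plus the range/default-domain checks that bit the member server.
import re

IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE)

# Constructed smb.conf fragments: the thread's 'before' and 'after' idmap blocks.
BEFORE = "idmap config MYDOMAIN : backend = nss\nidmap config MYDOMAIN : range = 100-300\n"
AFTER = "idmap config * : backend = tdb\nidmap config * : range = 5000-6000\n" + BEFORE

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of a SID such as S-1-5-21-a-b-c-1234."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])

def idmap_rid(rid: int, low: int, high: int, base_rid: int = 0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result is outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def parse_idmap(conf: str) -> dict:
    """Collect 'idmap config DOMAIN : key = value' lines into {DOMAIN: {key: value}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg

def check_idmap(conf: str) -> list:
    """Problems winbind would hit with this idmap block, in the order found."""
    cfg, problems, spans = parse_idmap(conf), [], []
    if "*" not in cfg:
        # Without a default domain, BUILTIN groups (Administrators, Users) get no ID.
        problems.append("no 'idmap config * : backend' for BUILTIN and unknown domains")
    for dom, keys in cfg.items():
        if "backend" not in keys or "range" not in keys:
            problems.append(f"{dom}: backend and range are both required")
            continue
        low, high = (int(x) for x in keys["range"].split("-"))
        for other, (lo2, hi2) in spans:
            if low <= hi2 and lo2 <= high:   # ranges must not overlap
                problems.append(f"{dom} range overlaps {other}")
        spans.append((dom, (low, high)))
    return problems
```

With the thread's numbers, `idmap_rid(1234, 100, 300)` returns None (1334 is above the high end) while `idmap_rid(1234, 100, 30000)` returns 1334, and `check_idmap(BEFORE)` flags the missing `idmap config *` block that `AFTER` supplies.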


