[Samba] winbind bug?

Doug Tucker tuckerd at lyle.smu.edu
Thu Mar 27 08:09:01 MDT 2014

Correct, this is how they get mapped from the documentation.  Here is my 
configuration exactly:

    idmap config * : backend = ad
    idmap config * : range = 1000000 - 1999999
    idmap config SEAS:backend = rid
    idmap config SEAS:range = 1000 - 4000000
    idmap config * : schema_mode = rfc2307
    idmap config SEAS-S:backend = rid
    idmap config SEAS-S:range = 1000 - 4000000

And the way the mapping works, the way I read it, is that it takes the unix 
uid, and the last part of the SID from windows AD using a formula, and 
maps to a new unique ID.  The only way it should fail is if the range 
was not big enough. Mine is 1000-4 million. I could never come even 
close to this with the highest of both values using their algorithm.  I 
have logging set at 3, and it shows the correct value for the unix ID to 
begin the mapping.  It passes authentication, and then samba presents 
the volume for mounting to the client.  Just like you see in every other 
successful drive map.  But at the client opening it, samba and the 
client suddenly show permission denied.  And again in isolating the 
issue, it absolutely has to do with the unix ID being over a certain 
value.  If I take a user that gets permission denied, and change his 
unix ID to something like 3000, voila, he can mount his home 
directory.  It's literally as if there is some hard coded value of max 
unix ID somewhere in the software or a BUG in WINBIND.

One thing I have not been able to get the system to show me (though at 
this point I don't think it matters), is how to see what the actual 
virtual ID mapping is that samba creates for a user.  I can see a user 
SID.  I can see a user Unix ID. Can anyone tell me how to see the mapped 
ID created via the idmap?


Doug Tucker

On 03/26/2014 08:02 PM, Linda W wrote:
> Doug Tucker wrote:
>> OK, I have isolated it.  And it is related to the unix id number.  
>> I've googled and I can't find anything. Is there a limitation in 
>> winbind or bug maybe?  Any unix user with a unix id greater than 
>> 11000 cannot map their own home directories on windows 7.  To verify 
>> it wasn't some anomaly, I took a user that could map their home that 
>> had a unix id of 3033.  I then changed the id to 15367 (changed 
>> permissions on the unix side to match) and voila, same issue.  The 
>> user could no longer map their home directory.  I have about 2000 or 
>> so unix ids that are affected (though many don't map drives).
> ----
> I don't know what was in place in samba 3, but in 3.6 in the idmap 
> functions, they can specify ranges.
> How do your windows users get mapped to UIDs?  .. example
> from the smb.conf manpage:
>           The following example illustrates how to configure the idmap_ad(8)
>           backend for the CORP domain and the idmap_tdb(8) backend for all
>           other domains. This configuration assumes that the admin of 
>           assigns unix ids below 1000000 via the SFU extensions, and winbind
>           is supposed to use the next million entries for its own mappings
>           from trusted domains and for local groups for example.
>                    idmap config * : backend = tdb
>                    idmap config * : range = 1000000-1999999
>                    idmap config CORP : backend  = ad
>                    idmap config CORP : range = 1000-999999
> So if somewhere there was some range mapping going on, that
> could explain the behavior.
> I'd up the loglevels on things to 3-4 and see what userid
> winbind is mapping them to for requests....See if those
> win-users are being mapped to the UIDs you think
> they are.
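The following is an added example for readers of this thread; it is not code from either poster and not Samba's own tooling. It works through the two questions the thread raises: what unix id the idmap_rid backend would hand out for a given SID, and how to ask winbind for the mapping it actually holds. It assumes the idmap_rid rule from the idmap_rid(8) manpage (ID = RID + LOW_RANGE_ID), the SEAS range "1000 - 4000000" from the smb.conf above, and a constructed sample SID; the `wbinfo -S` (SID to uid) and `wbinfo -U` (uid to SID) lookups are standard winbind commands.

```shell
#!/bin/sh
# Added example, not from the original thread. Computes the uid that the
# idmap_rid backend would assign for a SID under the SEAS range quoted in
# the thread, checks it against that range, and (where wbinfo is present)
# asks winbind which uid it really mapped the SID to.

# Range taken from "idmap config SEAS:range = 1000 - 4000000" above.
RANGE_LOW=1000
RANGE_HIGH=4000000

# rid_of SID -> prints the RID, i.e. the last dash-separated component.
rid_of() {
    printf '%s\n' "${1##*-}"
}

# rid_to_id SID -> prints the unix id idmap_rid derives: RID + LOW_RANGE_ID
# (per idmap_rid(8); the unix uid from AD does not enter this formula).
rid_to_id() {
    echo $(( $(rid_of "$1") + RANGE_LOW ))
}

# in_range ID -> succeeds only if ID lies inside [RANGE_LOW, RANGE_HIGH];
# an id outside the range is one winbind would refuse to map.
in_range() {
    [ "$1" -ge "$RANGE_LOW" ] && [ "$1" -le "$RANGE_HIGH" ]
}

# show_mapping SID -> what winbind actually mapped, if wbinfo is installed;
# otherwise falls back to the computed value so the script still runs offline.
show_mapping() {
    if command -v wbinfo >/dev/null 2>&1; then
        # wbinfo -S prints the uid winbind holds for the SID;
        # wbinfo -U <uid> does the reverse lookup.
        wbinfo -S "$1" 2>/dev/null || echo "winbind has no mapping for $1"
    else
        echo "wbinfo not installed; idmap_rid would compute uid $(rid_to_id "$1")"
    fi
}

# Constructed sample SID whose RID matches the 15367 id mentioned in the thread.
SAMPLE_SID="S-1-5-21-111111111-222222222-333333333-15367"
id=$(rid_to_id "$SAMPLE_SID")
if in_range "$id"; then
    echo "$SAMPLE_SID -> uid $id (inside range $RANGE_LOW-$RANGE_HIGH)"
else
    echo "$SAMPLE_SID -> uid $id (OUTSIDE range $RANGE_LOW-$RANGE_HIGH)"
fi
show_mapping "$SAMPLE_SID"
```

Run it on the Samba member server as a user allowed to talk to winbind; comparing the computed id with the `wbinfo -S` result, and then `wbinfo -U <uid>` back to the SID, shows whether the id winbind holds for the user is the one the range was expected to produce.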

