[Samba] winbind bug?
tuckerd at lyle.smu.edu
Thu Mar 27 08:09:01 MDT 2014

Correct, this is how they get mapped from the documentation. Here is my

idmap config * : backend = ad
idmap config * : range = 1000000 - 1999999
idmap config SEAS:backend = rid
idmap config SEAS:range = 1000 - 4000000
idmap config * : schema_mode = rfc2307
idmap config SEAS-S:backend = rid
idmap config SEAS-S:range = 1000 - 4000000

And the way the mapping works the way I read it is it takes the unix
uid, and the last part of the SID from windows AD using a formula, and
maps to a new unique ID. The only way it should fail is if the range
was not big enough. Mine is 1000-4 million. I could never come even
close to this with the highest of both values using their algorithm. I
have logging set at 3, and it shows the correct value for the unix ID to
begin the mapping. It passes authentication, and then samba presents
the volume for mounting to the client. Just like you see in every other
successful drive map. But at the client opening it, samba and the
client suddenly show permission denied. And again in isolating the
issue, it absolutely has to do with the unix ID being over a certain
value. If I take a user that gets permission denied, and change his
unix ID to something like 3000, voilà, he can mount his home
directory. It's literally as if there is some hard coded value of max
unix ID somewhere in the software or a BUG in WINBIND.

One thing I have not been able to get the system to show me (though at
this point I don't think it matters), is how to see what the actual
virtual ID mapping is that samba creates for a user. I can see a user
SID. I can see a user Unix ID. Can anyone tell me how to see the mapped
ID created via the idmap?

On 03/26/2014 08:02 PM, Linda W wrote:
> Doug Tucker wrote:
>> OK, I have isolated it. And it is related to the unix id number.
>> I've googled and I can't find anything. Is there a limitation in
>> winbind or bug maybe? Any unix user with a unix id greater than
>> 11000 cannot map their own home directories on windows 7. To verify
>> it wasn't some anomaly, I took a user that could map their home that
>> had a unix id of 3033. I then changed the id to 15367 (changed
>> permissions on the unix side to match) and voilà, same issue. The
>> user could no longer map their home directory. I have about 2000 or
>> so unix id's that are affected (though many don't map drives).
> I don't know what was in place in samba 3, but in 3.6 in the idmap
> functions, they
> can specify ranges.
> How do your windows users get mapped to UID's? .. example
> from the smb.conf manpage:
> The following example illustrates how to configure the
> backend for the CORP domain and the idmap_tdb(8) backend for
> other domains. This configuration assumes that the admin of
> assigns unix ids below 1000000 via the SFU extensions, and
> is supposed to use the next million entries for its own
> from trusted domains and for local groups for example.
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config CORP : backend = ad
> idmap config CORP : range = 1000-999999
> So if somewhere there was some range mapping going on, that
> could explain the behavior.
> I'd up the loglevels on things to 3-4 and see what userid
> winbind is mapping them to for requests....See if those
> win-users are being mapped to the UID's you think
> they are.
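
Added example, not part of the original message or of Samba's code: a check over the idmap lines posted above, using the idmap_rid(8) formula ID = RID - BASE_RID + LOW_RANGE_VALUE (base_rid defaults to 0) and the smb.conf(5) requirement that configured ranges be mutually disjoint. The function names and the RID values are assumptions made for illustration.

```python
import re
from itertools import combinations

# idmap lines as posted in the message above
SMB_CONF = """\
idmap config * : backend = ad
idmap config * : range = 1000000 - 1999999
idmap config SEAS:backend = rid
idmap config SEAS:range = 1000 - 4000000
idmap config * : schema_mode = rfc2307
idmap config SEAS-S:backend = rid
idmap config SEAS-S:range = 1000 - 4000000
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}}; range becomes a (low, high) tuple."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, opt, val = m.groups()
        if opt == "range":
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        domains.setdefault(dom, {})[opt] = val
    return domains

def overlapping_ranges(domains):
    """Pairs of domains whose ranges intersect (smb.conf(5): must be disjoint)."""
    ranged = sorted((d, o["range"]) for d, o in domains.items() if "range" in o)
    return [(a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_unix_id(rid, id_range, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_VALUE; None if outside range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for a, b in overlapping_ranges(cfg):
        print(f"overlap: {a} {cfg[a]['range']} and {b} {cfg[b]['range']}")
    for rid in (2033, 14367):  # constructed RIDs, not taken from the thread
        print(rid, "->", rid_to_unix_id(rid, cfg["SEAS"]["range"]))
```

On a live system, wbinfo --sid-to-uid=SID prints the Unix ID winbind actually assigned to a given SID, which can be compared with the computed value.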