[Samba] winbind bug?
Chan Min Wai
dcmwai at gmail.com
Thu Mar 27 08:15:23 MDT 2014
One thing I notice on the idmap number:
winbind follows strictly the number you assign to it.
E.g. if you have
idmap config SEAS-S:range = 1000 - 4000000
and your AD DC on "SEAS-S" has a few users whose uid/gid <= 1000,
like 500, 501, 502...
These users/groups will not show on the winbind list.
I believe this is their design.
Also winbind uses some cache (which I don't understand), and thus
changing idmap in smb.conf
might not be reflected immediately until the idmap cache has expired...
I do see this with my wrong configuration :)
On Thu, Mar 27, 2014 at 10:09 PM, Doug Tucker <tuckerd at lyle.smu.edu> wrote:
> Correct, this is how they get mapped from the documentation. Here is my
> configuration exactly:
> idmap config * : backend = ad
> idmap config * : range = 1000000 - 1999999
> idmap config SEAS:backend = rid
> idmap config SEAS:range = 1000 - 4000000
> idmap config * : schema_mode = rfc2307
> idmap config SEAS-S:backend = rid
> idmap config SEAS-S:range = 1000 - 4000000
> And the way the mapping works the way I read it is it takes the unix uid,
> and the last part of the SID from windows AD using a formula, and maps to
> a new unique ID. The only way it should fail is if the range was not big
> enough. Mine is 1000-4 million. I could never come even close to this with
> the highest of both values using their algorithm. I have logging set at 3,
> and it shows the correct value for the unix ID to begin the mapping. It
> passes authentication, and then samba presents the volume for mounting to
> the client. Just like you see in every other successful drive map. But at
> the client opening it, samba and the client suddenly show permission
> denied. And again in isolating the issue, it absolutely has to do with the
> unix ID being over a certain value. If I take a user that gets permission
> denied, and change his unix ID to something like 3000, voilà, he can mount
> his home directory. It's literally as if there is some hard coded value of
> max unix ID somewhere in the software or a BUG in WINBIND.
> One thing I have not been able to get the system to show me (though at
> this point I don't think it matters), is how to see what the actual virtual
> ID mapping is that samba creates for a user. I can see a user SID. I can
> see a user Unix ID. Can anyone tell me how to see the mapped ID created via
> the idmap?
> Doug Tucker
> On 03/26/2014 08:02 PM, Linda W wrote:
>> Doug Tucker wrote:
>>> OK, I have isolated it. And it is related to the unix id number. I've
>>> googled and I can't find anything. Is there a limitation in winbind or bug
>>> maybe? Any unix user with a unix id greater than 11000 cannot map their
>>> own home directories on windows 7. To verify it wasn't some anomaly, I
>>> took a user that could map their home that had a unix id of 3033. I then
>>> changed the id to 15367 (changed permissions on the unix side to match) and
>>> voilà, same issue. The user could no longer map their home directory. I
>>> have about 2000 or so unix id's that are affected (though many don't map
>> I don't know what was in place in samba 3, but in 3.6 in the idmap
>> functions, they
>> can specify ranges.
>> How do your windows users get mapped to UID's? .. example
>> from the smb.conf manpage:
>> The following example illustrates how to configure the
>> backend for the CORP domain and the idmap_tdb(8) backend for all
>> other domains. This configuration assumes that the admin of CORP
>> assigns unix ids below 1000000 via the SFU extensions, and
>> is supposed to use the next million entries for its own mappings
>> from trusted domains and for local groups for example.
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000-1999999
>> idmap config CORP : backend = ad
>> idmap config CORP : range = 1000-999999
>> So if somewhere there was some range mapping going on, that
>> could explain the behavior.
>> I'd up the loglevels on things to 3-4 and see what userid
>> winbind is mapping them to for requests....See if those
>> win-users are being mapped to the UID's you think
>> they are.
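Added example, not code from the Samba project or from anyone in this thread: a small Python model of what the two messages above describe, i.e. how an idmap range filters IDs and how idmap_rid derives a Unix ID from a RID. It parses idmap config lines, applies the documented idmap_rid formula (unix_id = RID - base_rid + range_low), drops any ID that falls outside the configured range (the "users below 1000 disappear" effect), and reports domains whose ranges overlap. The SIDs are constructed, the first config is adapted from Doug's quoted smb.conf and the second from the manpage snippet Linda quoted; nothing here is claimed to reproduce the permission-denied problem itself.

```python
# Added example (not from the Samba project or from anyone in this thread):
# models how idmap ranges and the idmap_rid formula decide which Unix IDs a
# domain user can get, using config lines adapted from the thread.
import re

# Matches "idmap config DOMAIN : key = value" (spaces around ':' optional).
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_config(text):
    """Return {domain: {key: value}} from the idmap config lines of an smb.conf."""
    conf = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.groups()
            conf.setdefault(domain, {})[key.lower()] = value
    return conf


def parse_range(value):
    """'1000 - 4000000' -> (1000, 4000000)."""
    low, high = (int(x) for x in re.split(r"\s*-\s*", value.strip()))
    if low > high:
        raise ValueError("idmap range low > high: %s" % value)
    return low, high


def rid_of(sid):
    """The last component of a SID string is the RID."""
    return int(sid.rsplit("-", 1)[1])


def map_rid(sid, low, high, base_rid=0):
    """idmap_rid: unix_id = RID - base_rid + range_low; None if outside the range."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def map_ad(uid_number, low, high):
    """idmap_ad (rfc2307): the uidNumber stored in AD is only honoured inside the range."""
    return uid_number if low <= uid_number <= high else None


def map_user(conf, domain, sid, uid_number=None):
    """Resolve one user through the backend configured for its domain ('*' as fallback)."""
    c = conf.get(domain) or conf.get("*", {})
    low, high = parse_range(c["range"])
    if c.get("backend") == "rid":
        return map_rid(sid, low, high, int(c.get("base_rid", 0)))
    if c.get("backend") == "ad":
        return None if uid_number is None else map_ad(uid_number, low, high)
    return None


def overlapping_ranges(conf):
    """Sorted pairs of domains whose ranges overlap. winbind uses the range to
    decide which backend is authoritative for a Unix ID, so overlaps are ambiguous."""
    ranges = [(parse_range(c["range"]), d) for d, c in conf.items() if "range" in c]
    found = []
    for i, ((lo1, hi1), d1) in enumerate(ranges):
        for (lo2, hi2), d2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                found.append(tuple(sorted((d1, d2))))
    return sorted(found)


# Constructed config, adapted from the smb.conf Doug quoted above.
THREAD_CONF = parse_idmap_config("""
idmap config * : backend = ad
idmap config * : range = 1000000 - 1999999
idmap config SEAS:backend = rid
idmap config SEAS:range = 1000 - 4000000
idmap config * : schema_mode = rfc2307
idmap config SEAS-S:backend = rid
idmap config SEAS-S:range = 1000 - 4000000
""")

# Constructed config following the smb.conf manpage example Linda quoted.
MANPAGE_CONF = parse_idmap_config("""
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999
""")

if __name__ == "__main__":
    # Constructed SIDs; only the trailing RID matters to idmap_rid.
    print(map_user(THREAD_CONF, "SEAS-S", "S-1-5-21-1-2-3-1109"))     # 2109
    print(map_user(THREAD_CONF, "SEAS-S", "S-1-5-21-1-2-3-4000000"))  # None: past range end
    print(map_user(MANPAGE_CONF, "CORP", "S-1-5-21-1-2-3-1109", uid_number=500))   # None: below 1000
    print(map_user(MANPAGE_CONF, "CORP", "S-1-5-21-1-2-3-1109", uid_number=3033))  # 3033
    print(overlapping_ranges(THREAD_CONF))   # three overlapping pairs
    print(overlapping_ranges(MANPAGE_CONF))  # []
```

Running it shows the two effects the thread talks about: an AD uidNumber of 500 is dropped by a range starting at 1000, and a RID whose mapped value lands past the top of the range is dropped too. It also flags that in the quoted configuration the default "*" range sits inside both SEAS ranges, which leaves winbind no unambiguous owner for IDs 1000000-1999999; the manpage example keeps the ranges disjoint.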