[Samba] winbind bug?

Doug Tucker tuckerd at lyle.smu.edu
Thu Mar 27 08:20:14 MDT 2014


Thank you for the reply Chan.  With this, how would that relate to users 
in the > 11000 range based on my config?  I'm afraid you said something 
valuable and I'm missing it.

Sincerely,

Doug Tucker

On 03/27/2014 09:15 AM, Chan Min Wai wrote:
> Hi all,
>
> One thing I notice on the idmap number.
>
> winbind follows strictly the number you assign to it.
>
> E.g. if you have
> idmap config SEAS-S:range = 1000 - 4000000
>
> And your AD DC on "SEAS-S" has a few users whose uid/gid <= 1000
> like 500, 501, 502...
>
> These users/groups will not show on the winbind list.
> I believe this is their design.
>
> Also winbind uses some cache (which I don't understand) and thus
> a change to idmap in smb.conf
>
> might not be reflected immediately until the idmap cache has expired...
> I do see this with my wrong configuration :)
>
>
>
>
> On Thu, Mar 27, 2014 at 10:09 PM, Doug Tucker <tuckerd at lyle.smu.edu 
> <mailto:tuckerd at lyle.smu.edu>> wrote:
>
>     Correct, this is how they get mapped from the documentation.  Here
>     is my configuration exactly:
>
>       idmap config * : backend = ad
>       idmap config * : range = 1000000 - 1999999
>       idmap config SEAS:backend = rid
>       idmap config SEAS:range = 1000 - 4000000
>       idmap config * : schema_mode = rfc2307
>       idmap config SEAS-S:backend = rid
>       idmap config SEAS-S:range = 1000 - 4000000
>
>     And the way the mapping works, the way I read it, is it takes the
>     unix uid, and the last part of the SID from windows AD using a
>     formula, and maps to a new unique ID.  The only way it should
>     fail is if the range was not big enough. Mine is 1000-4 million. I
>     could never come even close to this with the highest of both
>     values using their algorithm.  I have logging set at 3, and it
>     shows the correct value for the unix ID to begin the mapping.  It
>     passes authentication, and then samba presents the volume for
>     mounting to the client.  Just like you see in every other
>     successful drive map.  But at the client opening it, samba and the
>     client suddenly show permission denied.  And again in isolating
>     the issue, it absolutely has to do with the unix ID being over a
>     certain value.  If I take a user that gets permission denied, and
>     change his unix ID to something like 3000, voilà, he can mount
>     his home directory.  It's literally as if there is some hard coded
>     value of max unix ID somewhere in the software or a BUG in WINBIND.
>
>     One thing I have not been able to get the system to show me
>     (though at this point I don't think it matters), is how to see
>     what the actual virtual ID mapping is that samba creates for a
>     user.  I can see a user SID.  I can see a user Unix ID. Can anyone
>     tell me how to see the mapped ID created via the idmap?
>
>     Sincerely,
>
>     Doug Tucker
>
>
>     On 03/26/2014 08:02 PM, Linda W wrote:
>
>         Doug Tucker wrote:
>
>             OK, I have isolated it.  And it is related to the unix id
>             number.  I've googled and I can't find anything. Is there
>             a limitation in winbind or bug maybe?  Any unix user with
>             a unix id greater than 11000 cannot map their own home
>             directories on windows 7.  To verify it wasn't some
>             anomaly, I took a user that could map their home that had
>             a unix id of 3033.  I then changed the id to 15367
>             (changed permissions on the unix side to match) and
>             voilà, same issue.  The user could no longer map their
>             home directory.  I have about 2000 or so unix id's that
>             are affected (though many don't map drives).
>
>         ----
>         I don't know what was in place in samba 3, but in 3.6 in the
>         idmap functions, they can specify ranges.
>         How do your windows users get mapped to UID's?  .. example
>         from the smb.conf manpage:
>
>             The following example illustrates how to configure the idmap_ad(8)
>             backend for the CORP domain and the idmap_tdb(8) backend for all
>             other domains. This configuration assumes that the admin of CORP
>             assigns unix ids below 1000000 via the SFU extensions, and winbind
>             is supposed to use the next million entries for its own mappings
>             from trusted domains and for local groups for example.
>
>                 idmap config * : backend = tdb
>                 idmap config * : range = 1000000-1999999
>
>                 idmap config CORP : backend  = ad
>                 idmap config CORP : range = 1000-999999
>
>         So if somewhere there was some range mapping going on, that
>         could explain the behavior.
>
>         I'd up the loglevels on things to 3-4 and see what userid
>         winbind is mapping them to for requests... See if those
>         win-users are being mapped to the UID's you think they are.
>
>
>
>

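The thread asks how to see the ID that winbind's idmap creates for a user. For a domain configured with `backend = rid`, idmap_rid(8) derives the ID arithmetically from the SID's RID (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0), so the value can be predicted from smb.conf alone and then compared with what the live server reports. The script below is an added example, not code from the thread; it embeds the configuration quoted above as a constructed sample and assumes a SID shaped like `S-1-5-21-...-RID`.

```shell
#!/bin/sh
# Added example: reproduce the idmap_rid arithmetic winbind applies to a
# domain configured with "backend = rid", so a SID can be checked against
# the configured range before looking at file ownership on the share.

# Constructed sample: the idmap lines from the thread's smb.conf.
SMB_CONF_SAMPLE='idmap config * : backend = ad
idmap config * : range = 1000000 - 1999999
idmap config SEAS:backend = rid
idmap config SEAS:range = 1000 - 4000000
idmap config * : schema_mode = rfc2307
idmap config SEAS-S:backend = rid
idmap config SEAS-S:range = 1000 - 4000000'

# idmap_range DOMAIN -> prints "LOW HIGH" for that domain's idmap range
# (domain names used here contain no regex metacharacters).
idmap_range() {
    printf '%s\n' "$SMB_CONF_SAMPLE" \
      | sed -n "s/^idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*//p" \
      | tr -d ' ' | tr '-' ' '
}

# rid_to_id DOMAIN SID -> prints the uid/gid the rid backend would assign,
# or "out-of-range" when RID + LOW_RANGE_ID exceeds the range's upper bound
# (an out-of-range SID gets no mapping at all, which surfaces as access denied).
rid_to_id() {
    dom=$1
    sid=$2
    rid=${sid##*-}                 # last component of the SID is the RID
    set -- $(idmap_range "$dom")   # $1 = LOW_RANGE_ID, $2 = HIGH_RANGE_ID
    low=$1
    high=$2
    id=$((rid + low))              # base_rid = 0 (the default)
    if [ "$id" -gt "$high" ]; then
        echo out-of-range
    else
        echo "$id"
    fi
}

# Stand-alone run: the predicted ID for RID 15367 in the SEAS-S domain.
rid_to_id SEAS-S S-1-5-21-1-2-3-15367
```

On a live server the same value can be read back with `wbinfo --sid-to-uid S-1-5-21-...-15367` (or `wbinfo -i DOMAIN\user` for the full passwd entry); if the files on the share are owned by a different numeric uid than the one winbind hands out, the client sees permission denied even though authentication succeeded.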

