[Samba] winbind bug?
tuckerd at lyle.smu.edu
Thu Mar 27 08:20:14 MDT 2014
Thank you for the reply Chan. With this, how would that relate to users
in the > 11000 range based on my config? I'm afraid you said something
valuable and I'm missing it.
On 03/27/2014 09:15 AM, Chan Min Wai wrote:
> Hi all,
> One things I notice on the idmap number.
> winbind follows strictly the number you assign to it.
> E.g. if you have
> idmap config SEAS-S:range = 1000 - 4000000
> And your AD DC on "SEAS-S" has a few users whose uid/gid <= 1000,
> like 500, 501, 502...
> These users/groups will not show on the winbind list.
> I believe this is their design.
> Also winbind uses some cache (which I don't understand), and thus
> changing idmap in smb.conf
> might not be reflected immediately until the idmap cache has expired...
> I do see this with my wrong configuration :)
> On Thu, Mar 27, 2014 at 10:09 PM, Doug Tucker <tuckerd at lyle.smu.edu> wrote:
> Correct, this is how they get mapped from the documentation. Here
> is my configuration exactly:
> idmap config * : backend = ad
> idmap config * : range = 1000000 - 1999999
> idmap config SEAS:backend = rid
> idmap config SEAS:range = 1000 - 4000000
> idmap config * : schema_mode = rfc2307
> idmap config SEAS-S:backend = rid
> idmap config SEAS-S:range = 1000 - 4000000
> And the way the mapping works the way I read it is it takes the
> unix uid, and the last part of the SID from windows AD using a
> formula, and maps to a new unique ID. The only way it should
> fail is if the range was not big enough. Mine is 1000-4 million. I
> could never come even close to this with the highest of both
> values using their algorithm. I have logging set at 3, and it
> shows the correct value for the unix ID to begin the mapping. It
> passes authentication, and then samba presents the volume for
> mounting to the client. Just like you see in every other
> successful drive map. But at the client opening it, samba and the
> client suddenly show permission denied. And again in isolating
> the issue, it absolutely has to do with the unix ID being over a
> certain value. If I take a user that gets permission denied, and
> change his unix ID to something like 3000, voilà, he can mount
> his home directory. It's literally as if there is some hard coded
> value of max unix ID somewhere in the software or a BUG in WINBIND.
> One thing I have not been able to get the system to show me
> (though at this point I don't think it matters), is how to see
> what the actual virtual ID mapping is that samba creates for a
> user. I can see a user SID. I can see a user Unix ID. Can anyone
> tell me how to see the mapped ID created via the idmap?
> Doug Tucker
> On 03/26/2014 08:02 PM, Linda W wrote:
> Doug Tucker wrote:
> OK, I have isolated it. And it is related to the unix id
> number. I've googled and I can't find anything. Is there
> a limitation in winbind or bug maybe? Any unix user with
> a unix id greater than 11000 cannot map their own home
> directories on windows 7. To verify it wasn't some
> anomaly, I took a user that could map their home that had
> a unix id of 3033. I then changed the id to 15367
> (changed permissions on the unix side to match) and
> voilà, same issue. The user could no longer map their
> home directory. I have about 2000 or so unix id's that
> are affected (though many don't map drives).
> I don't know what was in place in samba 3, but in 3.6 in the idmap
> functions, they can specify ranges.
> How do your windows users get mapped to UID's? .. example from the
> smb.conf manpage:
>     The following example illustrates how to configure the idmap_ad(8)
>     backend for the CORP domain and the idmap_tdb(8) backend for all
>     other domains. This configuration assumes that the admin of CORP
>     assigns unix ids below 1000000 via the SFU extensions, and winbind
>     is supposed to use the next million entries for its own mappings
>     from trusted domains and for local groups for example.
>         idmap config * : backend = tdb
>         idmap config * : range = 1000000-1999999
>         idmap config CORP : backend = ad
>         idmap config CORP : range = 1000-999999
> So if somewhere there was some range mapping going on, that
> could explain the behavior.
> I'd up the loglevels on things to 3-4 and see what userid
> winbind is mapping them to for requests... See if those
> win-users are being mapped to the UID's you think
> they are.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
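Added example for the mapping question above (not code from the thread or from Samba). idmap_rid(8) documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, where RID is the last sub-authority of the user's SID and LOW_RANGE_ID is the low end of that domain's "idmap config DOMAIN : range"; the rid backend never consults the uidNumber stored in AD (rfc2307 attributes are only read by the ad backend), so files owned by the AD uidNumber and the id winbind actually assigns can be two different numbers. winbind also expects the ranges of different domains not to overlap. The script below parses the smb.conf lines quoted in the thread, computes the rid-based id for a constructed SID (the domain part is made up, the RID 15367 is the uid figure from the thread), reports None when the result falls outside the configured range, and lists every pair of overlapping ranges. The config text and SID are constructed inputs, and the helper names are my own.

```python
"""Reproduce the idmap_rid mapping offline and sanity-check idmap ranges.

Added example, not Samba code.  Formula from idmap_rid(8):
    ID = RID - BASE_RID + LOW_RANGE_ID
"""
import re

# Constructed from the smb.conf excerpt posted in the thread.
SMB_CONF = """
idmap config * : backend = ad
idmap config * : range = 1000000 - 1999999
idmap config SEAS:backend = rid
idmap config SEAS:range = 1000 - 4000000
idmap config * : schema_mode = rfc2307
idmap config SEAS-S:backend = rid
idmap config SEAS-S:range = 1000 - 4000000
"""

# Accepts both "idmap config * : key = val" and "idmap config DOM:key = val".
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf):
    """Return {DOMAIN: {"backend": ..., "range": (low, high), "base_rid": ...}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        d = domains.setdefault(m["dom"].upper(), {})
        key, val = m["key"].lower(), m["val"]
        if key == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val))
            d["range"] = (low, high)
        elif key == "base_rid":
            d["base_rid"] = int(val)
        else:
            d[key] = val
    return domains


def rid_of(sid):
    """The last sub-authority of an S-1-5-21-... SID is the RID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


def rid_to_id(domains, domain, sid):
    """Apply the idmap_rid formula for DOMAIN.

    Returns None when the computed id is outside the domain's range; that is
    the case in which winbind cannot produce a mapping for the SID at all.
    """
    d = domains[domain.upper()]
    if d.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain}: backend is {d.get('backend')!r}, not rid")
    low, high = d["range"]
    uid = rid_of(sid) - d.get("base_rid", 0) + low   # base_rid defaults to 0
    return uid if low <= uid <= high else None


def overlapping_ranges(domains):
    """Pairs of domains whose idmap ranges overlap (they must be disjoint)."""
    names = sorted(n for n, d in domains.items() if "range" in d)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = domains[a]["range"], domains[b]["range"]
            if al <= bh and bl <= ah:
                hits.append((a, b))
    return hits


if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    # Constructed SID: domain sub-authorities are made up, RID is 15367.
    sid = "S-1-5-21-1111111111-2222222222-3333333333-15367"
    print("SEAS rid-mapped id for", sid, "->", rid_to_id(doms, "SEAS", sid))
    for a, b in overlapping_ranges(doms):
        print(f"WARNING: idmap ranges for {a!r} and {b!r} overlap")
```

To compare the computed number with what the live winbind hands out, get the SID with `wbinfo -n 'SEAS\user'`, then `wbinfo -S <SID>` for the uid (or `wbinfo -i 'SEAS\user'` / `getent passwd 'SEAS\user'` for the whole passwd entry), and run `net cache flush` after editing idmap settings so stale cache entries do not mask the change.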