[Samba] winbind bug?

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 27 12:18:46 MDT 2014


On 27/03/14 17:46, Doug Tucker wrote:
>
>>>> Rowland
>>> Thanks for the once over.  Helps to have multiple eyes to verify 
>>> things.  But in the end I'm still in the same boat and not a single 
>>> suggestion to the facts of my issue.  My config does work as long as 
>>> the unix ID isn't over 11000 and the client windows 7. Nobody wants 
>>> to even acknowledge or touch that.  I've verified it down to every 
>>> detail I can think of. I don't know if you read my threads earlier, 
>>> but I can change an existing user to a unix id less than 11000 and 
>>> they then work.  Switch them back, broken again.
>>>
>>> My back end windows server is 2003.
>>
>> After looking at your smb.conf again, I noticed something, could you 
>> try changing the idmap config section to this:
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 3000000-3100000
>>    idmap config SEAS:backend = rid
>>    idmap config SEAS:range = 1000-40000
>>    idmap config SEAS:schema_mode = rfc2307
>>    idmap config SEAS-S:backend = rid
>>    idmap config SEAS-S:range = 40001-60000
>>    idmap config SEAS-S:schema_mode = rfc2307
>>
>> Rowland
>>
> Before doing so...this server is live...I read a long article on the 
> rfc2307 yesterday and my understanding of it was you would only put 
> this in your domain configs IF the backend AD had the rfc 
> configuration and held the unix uid's, etc..that this would tell samba 
> to look to AD for those values (which concerns me to put that in and 
> break all the existing users) and we certainly do not have that in our 
> AD here.  Is that your understanding of it? Honestly after reading 
> that article I considered taking that out of my config altogether as I 
> didn't think it had any real purpose.  I put it IN based on another 
> person's smb.conf that had been helpful in solving an auth issue I had 
> early on.
>
Ah, because you referred to the 'ad' backend, I thought that you did 
have the required RFC2307 attributes, in which case, use this:

    idmap config *:backend = tdb
    idmap config *:range = 3000000-3100000
    idmap config SEAS:backend = rid
    idmap config SEAS:range = 1000-40000
    idmap config SEAS-S:backend = rid
    idmap config SEAS-S:range = 40001-60000

The Unix ID for a user will be calculated by obtaining the user's SID, 
removing the RID from the end, and using that in this way:

ID = RID - 1000 + LOW_RANGE_ID.

so if the SEAS user's RID = 1142, then:

ID=1142-1000 = 142+1000 = 1142

and if the SEAS-S user's RID = 1142, then:

ID=1142-1000 = 142+40001 = 40142

So users from the two domains can never have the same Unix ID. The 
downside is that any user whose Unix ID falls outside the range is ignored.

Rowland
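
The RID-to-Unix-ID calculation described in the message above, as an added example that is not part of the original post and is not Samba's own code. The domain SIDs are constructed placeholders, the function names are hypothetical, and the base RID of 1000 is taken from the message's formula and exposed as a parameter.

```python
from __future__ import annotations
from itertools import combinations

# Ranges copied from the idmap config lines in the message.
RANGES = {"*": (3000000, 3100000), "SEAS": (1000, 40000), "SEAS-S": (40001, 60000)}

# Constructed placeholder domain SIDs; substitute the real ones for your domains.
DOMAIN_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "SEAS",
    "S-1-5-21-4444444444-5555555555-6666666666": "SEAS-S",
}

def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    if not domain_sid.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return domain_sid, int(rid)

def rid_to_unix_id(sid: str, base_rid: int = 1000) -> int | None:
    """ID = RID - base_rid + low end of the domain's range, or None if unmapped.

    base_rid=1000 follows the formula in the message (an assumption here);
    pass the value that matches your own configuration.
    """
    domain_sid, rid = split_sid(sid)
    domain = DOMAIN_SIDS.get(domain_sid)
    if domain is None:
        return None                     # SID from a domain with no rid range
    low, high = RANGES[domain]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None   # outside range: ignored

def overlapping_ranges(ranges: dict[str, tuple[int, int]]) -> list[tuple[str, str]]:
    """Return pairs of domains whose ID ranges share at least one ID."""
    return [(a, b)
            for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(sorted(ranges.items()), 2)
            if a_lo <= b_hi and b_lo <= a_hi]

if __name__ == "__main__":
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1142",
                "S-1-5-21-4444444444-5555555555-6666666666-2000",
                "S-1-5-21-1111111111-2222222222-3333333333-50000"):
        print(sid, "->", rid_to_unix_id(sid))
    print("overlaps:", overlapping_ranges(RANGES))
```

Running the overlap check against the ranges before deploying a changed smb.conf catches the case where two domains could hand out the same Unix ID, which would let one domain's account own the other's files.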
