[Samba] winbind bug?

Doug Tucker tuckerd at lyle.smu.edu
Thu Mar 27 12:30:59 MDT 2014


>>
> Ah, because you referred to the 'ad' backend, I thought that you did 
> have the required RFC2307 attributes, in which case, use this:
>
>    idmap config *:backend = tdb
>    idmap config *:range = 3000000-3100000
>    idmap config SEAS:backend = rid
>    idmap config SEAS:range = 1000-40000
>    idmap config SEAS-S:backend = rid
>    idmap config SEAS-S:range = 40001-60000
Right, those were my thoughts after reading it, that I could just take 
that out.  But being that it is for * and not a domain config mapping, I 
didn't see it as doing any harm (and everything was working except Unix 
IDs > 11000... did I mention that?)

>
> The Unix ID for a user will be calculated by obtaining the user's SID, 
> removing the RID from the end, and using that in this way:
>
> ID = RID - 1000 + LOW_RANGE_ID.
>
> so if the SEAS user's RID = 1142, then:
>
> ID=1142-1000 = 142+1000 = 1142
>
> and if the SEAS-S user's RID = 1142, then:
>
> ID=1142-1000 = 142+40001 = 40142
>
> So users from the two domains can never have the same Unix ID. The 
> downside is that any user whose Unix ID falls outside the range is 
> ignored.
>
> Rowland
That is my understanding as well.  And using the formula the failing 
user falls in the range.  And on top of that, when failing user maps, he 
shows in the log as passing auth, and Samba then presents his home 
directory to him.  The user is NOT being ignored.
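
Added example, not part of either poster's message and not Samba code: a small checker that parses the idmap lines quoted above, flags overlapping domain ranges, and applies the formula as quoted in the thread, returning None for an ID that falls outside its domain's range. The function names and the `base` parameter (set to the 1000 used in the quoted formula) are assumptions of this sketch.

```python
import re
from itertools import combinations

# idmap lines exactly as quoted in the message above
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 3000000-3100000
idmap config SEAS:backend = rid
idmap config SEAS:range = 1000-40000
idmap config SEAS-S:backend = rid
idmap config SEAS-S:range = 40001-60000
"""

LINE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            if low > high:
                raise ValueError(f"{dom}: range {val} is reversed")
            val = (low, high)
        conf.setdefault(dom, {})[key] = val
    return conf

def overlapping(conf):
    """Domain pairs whose ranges intersect, i.e. could hand out the same Unix ID."""
    ranged = [(d, c["range"]) for d, c in conf.items() if "range" in c]
    return [(a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_unix_id(conf, domain, rid, base=1000):
    """ID = RID - base + LOW_RANGE_ID (formula as quoted); None when out of range."""
    low, high = conf[domain]["range"]
    uid = rid - base + low
    return uid if low <= uid <= high else None

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(conf))
    for dom, rid in [("SEAS", 1142), ("SEAS-S", 1142), ("SEAS", 40001)]:
        print(dom, rid, "->", rid_to_unix_id(conf, dom, rid))
```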

