[Samba] Winbind backend : rid is too much underappreciated
miguelmedalha at sapo.pt
Sun Feb 22 15:27:12 MST 2015
> > idmap config * :backend = tdb
> > idmap config * :range = 10000-99999
> > idmap config DOMAIN : backend = rid
> > idmap config DOMAIN : range = 100000-199999
> Taking your example 'idmap config DOMAIN : range = 100000-199999' it is
> very easy, you just need users whose RIDs are larger than 200000, these
> users will be ignored.
> Something similar was problem wrong with the 'ad' backend when you tried
> it, failing that it was probably a lack of 'uidNumber' & 'gidNumber' in
Nope! I had 'uidNumber' & 'gidNumber' in AD.
Well, maybe I should explain everything in a orderly way, which, being too
tired, I hadn't the patience to do the other day.
I had a AD DC running Samba 4.1.x for some time, doubling as a file server.
Yes, I know it is not the recommended way, but sometimes real life leads
us into particular situations. (It was a long-thought decision, but it
would be boring to go through the details here.)
Then, two days ago I finally got another server and I wanted to join it to
the domain as a member server. All went smoothly from that point of view.
I then went to ADUC (Active Directory Users and Computers) and started to
fill the 'UNIX Attributes' tab with 'uidNumber' & 'gidNumber'. I started
with the Administrator account, accepting the proposed uid 10000 and so
on. Then, bang, I couldn't connect with my user profile when logging in
to the domain from the same Windows machine I always used.
I had previously noticed that getent on the AD DC gave me ids in a range
starting with 3000000, and I thought that this could be the reason why
the Administrator account had lost access to essential folders on the
server, since the default range and the range entered with ADUC didn't
match. I then tried to give some users the same id in the 3000000 range
reported by getent on the DC, except for Administrator, to which I gave
id 0, as again reported by getent on the DC. Now, I could see all the
users from the member server, except for Administrator and except again
for 'getent group' unless I specified the group. I must add that 'wbinfo
-u/-g' always showed me all users and groups, including Administrator.
(Yes, I have 'passwd: files winbind' 'and group: files winbind' in
/etc/nsswitch.conf. And yes I changed the idmap config range to
3000000-4000000 in smb.conf for the experience I just described)
I tried to set permissions on a share from Windows, to which the reply was
that I (Administrator) did not have the permissions to set or even view
permissions. And yes, I had granted all the necessary rights to
Administrator and Domain Admins.
After a lot of trials including username mapping and so on, I decided to
try the rid backend, which worked immediately.
I am probably commiting some basic mistake that is ridiculous from the
developers' point of view. I am not a developer and my knowledge of the
inner workings of Samba is limited, although I have been using it
successfully for more than 10 years with file servers and NT4-style
domain controllers. I just feel that simply following the instructions on
the Wiki is not enough to painlessly configure a member server.
Maybe some unfortunate decisions have been made through the development of
the Samba AD DC regarding winbind and id mapping that led to confusing
users. Please note that I am not bitching or even complaining. I admire
the work of the Samba team and I grateful for it. But maybe real life and
real problems led to some decisions that were not the easiest for users.
Than you for you patience
As an aside, username mapping does not seem to be working in the usual way,
as described in the man page. If I entered more than one name after the
'=' sign, mapping stopped working. For example:
'root = Administrator' did map root to administrator, getent showed me
'root = Administrator admin' did not work, getent ceased to show
The use of !root as described in the manual also caused getent not to show
More information about the samba