[Samba] Winbind backend : rid is too much underappreciated

Miguel Medalha miguelmedalha at sapo.pt
Sun Feb 22 15:27:12 MST 2015


> >
> > 	idmap config * :backend = tdb
> > 	idmap config * :range = 10000-99999
> > 	idmap config DOMAIN : backend = rid
> > 	idmap config DOMAIN : range = 100000-199999
> >
> 
> Taking your example 'idmap config DOMAIN : range = 100000-199999' it is 
> very easy, you just need users whose RIDs are larger than 200000, these 
> users will be ignored.
> 
> Something similar was probably wrong with the 'ad' backend when you tried 
> it, failing that it was probably a lack of 'uidNumber' & 'gidNumber' in 
> AD.
> 


Nope! I had 'uidNumber' & 'gidNumber' in AD.

Well, maybe I should explain everything in an orderly way, which, being too 
tired, I hadn't the patience to do the other day.


I had an AD DC running Samba 4.1.x for some time, doubling as a file server. 
Yes, I know it is not the recommended way, but sometimes real life leads 
us into particular situations. (It was a long-thought decision, but it 
would be boring to go through the details here.)

Then, two days ago I finally got another server and I wanted to join it to 
the domain as a member server. All went smoothly from that point of view. 
I then went to ADUC (Active Directory Users and Computers) and started to 
fill the 'UNIX Attributes' tab with 'uidNumber' & 'gidNumber'. I started 
with the Administrator account, accepting the proposed uid 10000 and so 
on. Then, bang, I couldn't connect with my user profile when logging in 
to the domain from the same Windows machine I always used.

I had previously noticed that getent on the AD DC gave me ids in a range 
starting with 3000000, and I thought that this could be the reason why 
the Administrator account had lost access to essential folders on the 
server, since the default range and the range entered with ADUC didn't 
match. I then tried to give some users the same id in the 3000000 range 
reported by getent on the DC, except for Administrator, to which I gave 
id 0, as again reported by getent on the DC. Now, I could see all the 
users from the member server, except for Administrator and except again 
for 'getent group' unless I specified the group. I must add that 'wbinfo 
-u/-g' always showed me all users and groups, including Administrator.


(Yes, I have 'passwd: files winbind' and 'group: files winbind' in 
/etc/nsswitch.conf. And yes, I changed the idmap config range to 
3000000-4000000 in smb.conf for the experience I just described.)


I tried to set permissions on a share from Windows, to which the reply was 
that I (Administrator) did not have the permissions to set or even view 
permissions. And yes, I had granted all the necessary rights to 
Administrator and Domain Admins.

After a lot of trials including username mapping and so on, I decided to 
try the rid backend, which worked immediately. 


I am probably committing some basic mistake that is ridiculous from the 
developers' point of view. I am not a developer and my knowledge of the 
inner workings of Samba is limited, although I have been using it 
successfully for more than 10 years with file servers and NT4-style 
domain controllers. I just feel that simply following the instructions on 
the Wiki is not enough to painlessly configure a member server.

Maybe some unfortunate decisions have been made through the development of 
the Samba AD DC regarding winbind and id mapping that led to confusing 
users. Please note that I am not bitching or even complaining. I admire 
the work of the Samba team and I am grateful for it. But maybe real life and 
real problems led to some decisions that were not the easiest for users.


Thank you for your patience

--------

As an aside, username mapping does not seem to be working in the usual way, 
as described in the man page. If I entered more than one name after the 
'=' sign, mapping stopped working. For example:

'root = Administrator' did map root to administrator, getent showed me 
Administrator

'root = Administrator admin' did not work, getent ceased to show 
Administrator

The use of !root as described in the manual also caused getent not to show 
Administrator
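The reply quoted at the top of this message says that with 'idmap config DOMAIN : range = 100000-199999' any user whose RID lands outside the range is silently ignored by winbind. The following script is an added example (not from this thread or from the Samba project) that parses those idmap lines from a constructed smb.conf fragment and applies the idmap_rid mapping rule (ID = RID - BASE_RID + LOW_RANGE_ID, from the idmap_rid man page) to show which SIDs map and which fall out of range; the SID values are constructed.

```python
import re
from typing import Dict, Optional

# Constructed smb.conf fragment, mirroring the idmap lines quoted in the thread.
SMB_CONF = """
[global]
    idmap config * :backend = tdb
    idmap config * :range = 10000-99999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 100000-199999
"""

# Accepts both 'DOMAIN : key' and 'DOMAIN :key' spellings seen in the thread.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <key> = <value>' lines per domain name."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains


def rid_to_unix_id(rid: int, id_range: str, base_rid: int = 0) -> Optional[int]:
    """idmap_rid rule: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result is outside LOW..HIGH, i.e. the case where
    winbind ignores the account and 'getent' never shows it."""
    low, high = (int(x) for x in id_range.split("-", 1))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def check_sid(sid: str, domain: str, domains: Dict[str, Dict[str, str]]) -> Optional[int]:
    """Map a full SID of the given domain through its rid backend configuration."""
    cfg = domains.get(domain.upper())
    if not cfg or cfg.get("backend", "").lower() != "rid" or "range" not in cfg:
        return None  # not a rid-backed domain, or range missing
    rid = int(sid.rsplit("-", 1)[1])  # RID is the last SID component
    return rid_to_unix_id(rid, cfg["range"], int(cfg.get("base_rid", 0)))


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-500",     # Administrator (RID 500)
                "S-1-5-21-1111111111-2222222222-3333333333-200000"):  # RID beyond the range
        print(sid, "->", check_sid(sid, "DOMAIN", cfg))
```

Run it against your own smb.conf text to confirm that every RID you care about (wbinfo -u shows the SIDs) lands inside the configured range before blaming the backend.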

