[Samba] samba4 server member of a samba 3 domain

Guilhem Souque gsouque at artprice.com
Wed Nov 4 09:20:24 UTC 2015


Hi,
I am trying to configure a Samba 4.1.17 server as a member of a Samba 3.5.6
(LDAP backend) domain.
I can mount the SMB share on a Windows client, but I can't modify the ACL.
These are the Samba server logs:
  create_canon_ace_lists: unable to map SID S-1-5-21-856890099-1868262392-538272213-2012 to uid or gid
When I try to manually map the SID to a UID with wbinfo:
  wbinfo -S S-1-5-21-856890099-1868262392-538272213-2012
it returns -1 instead of 1537.
I can see some warnings about deprecated options in the log file:
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated

I guess I have misconfigured the idmap part of my smb.conf.
This is my smb.conf:

        workgroup = FOO
        #security = DOMAIN
        security = ADS
        log level = 2
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 2048
        smb ports = 139
        name resolve order = wins bcast hosts
        wins server = 192.168.10.150
        ldap admin dn = cn=admin,dc=artprice,dc=bil
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap suffix = dc=artprice,dc=bil
        ldap ssl = no
        ldap timeout = 20
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://172.16.10.150
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = /
        idmap config FOO : range = 1000-999999
        idmap config FOO : backend = nss
        admin users = "@foo/domain admins"
        winbind use default domain = Yes

Thank you for your precious help!

Regards

Guilhem

-- 

Souque Guilhem
Service informatique
Tel: +33 (0)4 72 42 90 78
Mail: gsouque at artprice.com
