Dietrich Streifert
2010-Oct-29 15:21 UTC
[Samba] samba 3.4 and 3.5 bug or misconfig: why is idmap uid and idmap gid needed for an AD only idmap config?
Hello list,

I'm currently struggling to create a running config for samba 3.4.9 and 3.5.6 on solaris 9 (active directory on windows 2003 R2 SP2 with rfc2307 schema extension, openssl 0.9.8o, libiconv 1.13.1, heimdal 1.4, cyrus-sasl 2.1.23, openldap 2.4.23).

The relevant part in smb.conf is in [global]:

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind expand groups = 3
    winbind nss info = rfc2307
    idmap backend = tdb
    idmap config DOMAIN:readonly = yes
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:default = yes
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 1-65535
    idmap uid = 65536 - 65537
    idmap gid = 65536 - 65537

The setup basically works, but some group ids are spotted in the group list which do not belong to gid numbers in AD. This seems to happen for users being members of nested groups while some of the groups have gid numbers assigned in AD and some groups don't.

A given user (testuser) is in 3 groups and additionally in the group domain-users. domain-users is a member of four other groups without a gid number assigned.

After su to testuser it depends on how id is called:

    srv{testuser}[/home/testuser]: id -a
    uid=10309(testuser) gid=11007(testgroup) groups=11007(testgroup),65536,65537,10010(domain-users),11009(testgroup3),11008(testgroup2)

    srv{testuser}[/home/testuser]: id -a testuser
    uid=10309(testuser) gid=11007(testgroup) groups=10010(domain-users),11008(testgroup2),11008(testgroup2),11009(testgroup3),11009(testgroup3)

The additional ids show up as group ids 65536 and 65537 in "id -a" but not in "id -a testuser".

Retrieving the groups of the user testuser via wbinfo -r gives:

    ./wbinfo -r testuser
    11007
    65536
    65537
    10010
    11009
    11008

also showing the non-existing AD group ids (65536, 65537) which correspond to the settings in "idmap uid" and "idmap gid".

I think the idmap default tdb backend is somehow trying to map ids to the groups which do not have gid numbers assigned in AD.

So how can I get rid of these unwanted mappings? Why do they occur? Any help would be great!

Regards...

--
Kind regards
Dietrich Streifert
--
Visionet GmbH
Registered office: Am Weichselgarten 7, 91058 Erlangen
Registration court: Commercial Register Fürth, HRB 6573
Managing Director: Stefan Lindner
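A small diagnostic, added here and not part of the original post, that reads the idmap ranges out of the smb.conf fragment quoted in the message and flags every gid in the quoted "wbinfo -r" output that lies outside the AD range for DOMAIN, marking those that fall into the "idmap uid"/"idmap gid" fallback range. The config lines and the wbinfo output are embedded as constructed samples copied from the post; nothing here talks to a live winbindd.

```shell
#!/bin/sh
# Constructed sample: the idmap-related lines of [global] from the post.
SMB_CONF="[global]
  idmap backend = tdb
  idmap config DOMAIN:backend = ad
  idmap config DOMAIN:range = 1-65535
  idmap uid = 65536 - 65537
  idmap gid = 65536 - 65537"

# Constructed sample: the "wbinfo -r testuser" output quoted in the post.
WBINFO_OUT="11007
65536
65537
10010
11009
11008"

# conf_value KEY : value of "KEY = value" from SMB_CONF, spaces stripped,
# so "65536 - 65537" and "1-65535" both come back as LOW-HIGH.
conf_value() {
    printf '%s\n' "$SMB_CONF" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tr -d ' '
}

AD_RANGE=$(conf_value 'idmap config DOMAIN:range')   # -> 1-65535
FALLBACK_RANGE=$(conf_value 'idmap uid')             # -> 65536-65537

# in_range ID LOW-HIGH : succeed if LOW <= ID <= HIGH
in_range() {
    low=${2%-*}; high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# stray_gids "wbinfo output" : print every gid that is NOT inside the AD
# range, one per line, tagged with the range it actually belongs to.
stray_gids() {
    printf '%s\n' "$1" | while read -r gid; do
        [ -n "$gid" ] || continue
        if in_range "$gid" "$AD_RANGE"; then
            continue
        elif in_range "$gid" "$FALLBACK_RANGE"; then
            printf '%s fallback-range\n' "$gid"
        else
            printf '%s unknown\n' "$gid"
        fi
    done
}

stray_gids "$WBINFO_OUT"
```

Run against the post's values it prints the two ids 65536 and 65537 tagged fallback-range; on a real host replace the embedded samples with `testparm -s` output and `wbinfo -r "$USER"`.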