Jason Haar
2013-Sep-16 06:26 UTC
[Samba] question about "idmap config" in multi-forest environment
Hi there

We're having problems with users attaching to our (winbind) Samba servers and being assigned the same UID. Rarely happens - not repeatable - but definitely a pattern.

Anyway, I've been googling about and I think I've figured out the root cause, so I thought I'd check with the community first, because if I go off and change to my new model, it could take months before I find out if the change worked or not.

On our CentOS-6 servers, running samba-3.5.16-1, our smb.conf currently contains:

    winbind uid = 10000-20000
    idmap backend = tdb
    idmap config * : range = 10000-200000

I *think* the problem is that users connecting from different trusted domains are being mapped onto the same uid because Samba doesn't magically figure that out? i.e. you have to explicitly reference EVERY domain you have in smb.conf - giving EVERY one of those domains a separate range of uids? Is that correct?

We have over 20 trusted domains (although that number depends on what domain a given samba server is joined to) - so do I have to create a different "idmap config XXXX: range = 10000-190000" for every one of those domains, otherwise at some stage I might get a conflict? That seems like such an overhead. Couldn't samba have a new feature like "idmap config *: domain block = 10000" - so that Samba automagically splits any domain into its own chunk of the "range"? e.g. you set range to "10000 - 1000000" and then "block = 10000" would allow up to 99 domains without any effort?

I know there are ldap and ad backends - but they all assume your Windows environment is "Unix friendly" which ours isn't. I'm just trying to make our Samba servers play nicely within our Windows-dominated empire ;-)

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
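The post above asks whether per-domain "idmap config DOMAIN : range" entries are needed and whether a fixed "domain block" could carve one big range up automatically. The script below is an added example written for this archive page, not code from the post or from the Samba project. It reads the "idmap config <DOMAIN> : range = LOW-HIGH" lines out of an smb.conf text, reports any two ranges (the "*" default included) that intersect, lists trusted domains that have no explicit range of their own, and generates non-overlapping per-domain ranges from one big range and a block size, which is the "block = 10000" arithmetic from the post carried through in code. The domain names and ranges in SAMPLE_CONF and SAMPLE_DOMAINS are constructed sample values, and the generator emits only the range lines; which backend line belongs next to them depends on the Samba version in use and is deliberately left out.

```python
"""Overlap check for per-domain winbind idmap UID ranges in smb.conf.

Added example for this mailing-list page; not code from the post or from
Samba.  Domain names and ranges used as input are constructed samples.
"""
import re
from itertools import combinations

# Matches lines such as "idmap config CORP : range = 10000-19999",
# with or without spaces around the colon, case-insensitively.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every idmap range line found."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m.group("lo")), int(m.group("hi"))
            if lo > hi:
                raise ValueError(f"inverted range for {m.group('dom')}: {lo}-{hi}")
            ranges[m.group("dom").upper()] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Sorted list of (dom_a, dom_b) pairs whose UID ranges intersect.

    The '*' default range takes part in the comparison like any other."""
    hits = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            hits.append((a, b))
    return hits


def unmapped_domains(ranges, domains):
    """Trusted domains with no explicit range; they fall to the '*' default."""
    return sorted(d.upper() for d in domains if d.upper() not in ranges)


def allocate_blocks(domains, start, end, block):
    """Carve [start, end] into fixed-size blocks, one per domain.

    This is the 'domain block' idea from the post: range 10000-1000000
    with block 10000 gives room for 99 domains.  Raises if it does not fit."""
    capacity = (end - start + 1) // block
    if len(domains) > capacity:
        raise ValueError(f"{len(domains)} domains need {len(domains) * block} ids, "
                         f"but the range only holds {capacity} blocks of {block}")
    return {d.upper(): (start + i * block, start + (i + 1) * block - 1)
            for i, d in enumerate(sorted(domains))}


def render_idmap_config(blocks):
    """Emit one 'idmap config DOMAIN : range' line per allocated block."""
    return "\n".join(f"idmap config {dom} : range = {lo}-{hi}"
                     for dom, (lo, hi) in sorted(blocks.items()))


# Constructed sample smb.conf fragment: CORP and EMEA deliberately overlap,
# and every explicit range sits inside the '*' default range.
SAMPLE_CONF = """\
[global]
   workgroup = CORP
   idmap config * : range = 10000-200000
   idmap config CORP : range = 10000-19999
   idmap config EMEA : range = 15000-24999
   idmap config APAC : range = 30000-39999
"""
# Constructed list of domains the server trusts; LAB has no explicit range.
SAMPLE_DOMAINS = ["CORP", "EMEA", "APAC", "LAB"]

if __name__ == "__main__":
    found = parse_idmap_ranges(SAMPLE_CONF)
    for a, b in overlapping_ranges(found):
        print(f"OVERLAP: {a} {found[a]} intersects {b} {found[b]}")
    for d in unmapped_domains(found, SAMPLE_DOMAINS):
        print(f"NO EXPLICIT RANGE: {d} (falls back to '*')")
    print("\nProposed non-overlapping layout (block = 10000):")
    print(render_idmap_config(allocate_blocks(SAMPLE_DOMAINS, 10000, 1000000, 10000)))
```

Run it against a real smb.conf by passing the file contents to parse_idmap_ranges; any OVERLAP line is a configuration to fix before two domains can be handed UIDs from the same numbers, and any NO EXPLICIT RANGE line names a domain still served by the default allocator.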