Jim Laverty
2004-Jul-01 18:59 UTC
[Samba] Samba 3.0.2 - Unix Name Mapping not working properly with Windows 2003 ADS with Trust to NT 4.0 PDC, running on RH AS 3.0
Environment Summary:

  Samba version 3.0.2-6.3E (Red Hat AS 3.0)
  Kerberos version 1.3.4 (MIT download - Kerberos 5 release 1.3.4)
  openLDAP version 2.0.27-11 (Red Hat version - we may try 2.2.13 or 14)
  pam_smb version 1.1.7-1 (Red Hat version)
  Red Hat AS 3.0 (2.4.21-15.0.2.ELsmp kernel on a Dell 1750)
  Windows 2003 using Active Directory
  One-way trust from Windows 2003 to an NT 4.0 PDC

smb.conf is set up as (important stuff):

  security = ads
  workgroup = ACMESPROCKETS
  netbios name = SAMBA
  realm = ACMESPROCKETS.LOCAL
  wins server = 172.16.0.151
  password server = keymaster.acmesprockets.local
  winbind separator = +
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U
  template shell = /bin/ksh

We have two separate domains:

  ACME.COM (NT 4.0 PDC Environment)
  ACMESPROCKETS.LOCAL (Windows 2003 ADS and Linux Environment)

ACME.COM trusts ACMESPROCKETS.LOCAL, but not vice versa.

Problem Summary:

We cannot get the user and group mappings to actually occur when creating a file via Samba onto an NFS share. With 'ls -la' we see "george:Domain Users somefile.txt" vs. "george:users somefile.txt". I can chown the files back and forth using either the Windows names/groups or the Linux names (UIDs/GUIDs).

The winbind separator is set to '+' and all the enumeration options are enabled at the moment. Now wbinfo -u shows the following:

  ACME+Domain Users
  Domain Users

If I check the SIDs, ACME+Domain Users matches the NT 4.0 domain and Domain Users matches the Windows 2003 domain. The same goes for the user listing (wbinfo -u). One question is: why do I not see ACMESPROCKETS+Domain Users? Could this have an effect on the user/group mappings?

The next item is that 'net groupmap list' shows the correct group name, SID, RID and GUID.

  [root@samba bin]# net groupmap list   (security aside for now)
  Guests (S-1-5-32-546) -> nfsnobody
  Domain Users (S-1-5-21-3508889641-3407867016-1978114707-513) -> users
  Power Users (S-1-5-32-547) -> users
  Print Operators (S-1-5-32-550) -> lp
  Domain Admins (S-1-5-21-3508889641-3407867016-1978114707-512) -> root
  Domain Guests (S-1-5-21-3508889641-3407867016-1978114707-514) -> nfsnobody
  Users (S-1-5-32-545) -> users

I have also tried the old /etc/samba/smbusers maps with no luck.

  [root@samba bin]# wbinfo -t
  checking the trust secret via RPC calls succeeded

Is there any way for me to get ACME out of the sequence entirely?

  [root@samba bin]# wbinfo --sequence
  ACME : 13376
  ACMESPROCKETS : 233894

  [root@samba bin]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: george@ACMESPROCKETS.LOCAL

  Valid starting     Expires            Service principal
  07/01/04 10:02:29  07/01/04 20:02:33  krbtgt/ACMESPROCKETS.LOCAL@ACMESPROCKETS.LOCAL
          renew until 07/02/04 10:02:29

  Kerberos 4 ticket cache: /tmp/tkt0
  klist: You have no tickets cached

Any suggestions are welcome. I can supply much more detail, just ask.
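The post's two diagnostic outputs can be cross-checked mechanically: the group names from winbind (qualified with the '+' separator or not) and the 'net groupmap list' SIDs, to see which domain each mapped group actually belongs to and where an unqualified name collides with a trusted-domain name. This is an added example, not code from the post or from Samba; the sample output is constructed from the shapes quoted above, and the helper names are the author's own.

```python
import re

# Constructed sample input, in the shape of the wbinfo and net groupmap output quoted above.
WBINFO_G = """ACME+Domain Users
Domain Users
"""

NET_GROUPMAP = """Guests (S-1-5-32-546) -> nfsnobody
Domain Users (S-1-5-21-3508889641-3407867016-1978114707-513) -> users
Power Users (S-1-5-32-547) -> users
Print Operators (S-1-5-32-550) -> lp
Domain Admins (S-1-5-21-3508889641-3407867016-1978114707-512) -> root
Domain Guests (S-1-5-21-3508889641-3407867016-1978114707-514) -> nfsnobody
Users (S-1-5-32-545) -> users
"""

# One line of 'net groupmap list': "<name> (<SID>) -> <unix group>"
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5(?:-\d+)+)\) -> (?P<unix>\S+)$")

BUILTIN_SID = "S-1-5-32"  # well-known BUILTIN authority (Users, Guests, Power Users, ...)


def parse_groupmap(text):
    """Return (name, sid, unixgroup) tuples from 'net groupmap list' output."""
    rows = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], m["unix"]))
    return rows


def domain_sid(sid):
    """Domain part of an account SID: everything before the final RID component."""
    return sid.rsplit("-", 1)[0]


def ambiguous_names(wbinfo_text, separator="+"):
    """Names listed both unqualified and under a domain prefix, e.g. 'Domain Users' and 'ACME+Domain Users'."""
    names = [l.strip() for l in wbinfo_text.splitlines() if l.strip()]
    unqualified = {n for n in names if separator not in n}
    qualified = {n.split(separator, 1)[1] for n in names if separator in n}
    return sorted(unqualified & qualified)


def groupmaps_outside_domain(rows, local_domain_sid):
    """Mappings whose SID belongs neither to the local domain nor to BUILTIN; these point at a trusted domain."""
    return [(n, s, u) for n, s, u in rows if domain_sid(s) not in (local_domain_sid, BUILTIN_SID)]


if __name__ == "__main__":
    rows = parse_groupmap(NET_GROUPMAP)
    local = domain_sid(next(s for n, s, _ in rows if n == "Domain Users"))
    print("local domain SID:", local)
    print("ambiguous names:", ambiguous_names(WBINFO_G))
    print("mappings into a trusted domain:", groupmaps_outside_domain(rows, local))
```

Run against the poster's output it shows that every groupmap entry belongs to the ACMESPROCKETS domain SID or BUILTIN, and that the only collision is the unqualified "Domain Users" against "ACME+Domain Users".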