I'm having some kind of trouble mapping all users in an ADS group to a Unix
id.
I'm running Samba 3.0.7 on Solaris 9 as a member of a Windows 2000 ADS
Domain.
Here's my smb.conf:
********************************************************************************************************
[global]
workgroup = ADSDOM
realm = ADSDOM.MY.COM
server string = Samba 3.0.7 Test Server
log level = 2
max log size = 100
security = ADS
local master = no
os level = 0
domain master = no
preferred master = no
wins server = ###.###.###.###
dns proxy = no
encrypt passwords = yes
idmap uid = 60000-70000
idmap gid = 80000-90000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = no
username map = /opt/samba/lib/username.map
[space]
comment = Space Partition Share
path = /space
public = no
writable = yes
printable = no
browsable = no
create mask = 0777
********************************************************************************************************
and here's /opt/samba/lib/username.map
********************************************************************************************************
!smbadmin = @"ADSDOM\Domain Admins"
!smbuser = @"ADSDOM\Domain Users"
smbguest = '*'
********************************************************************************************************
I know of a user that is in the "ADSDOM\Domain Users" group, called
imguser... if I do
getent passwd | grep imguser
I get
ADSDOM+imguser:x:60001:80000:imguser Imaging
User:/home/EDSADDDM/imguser:/bin/false
so, that user is in group 80000, so I do
getent group 80000
and get
EDSADDDM+Domain Users:x:80000:
Now... If I map the space share from a Windows XP client, I get the
following lines in log.smbd:
[2004/10/08 15:16:54, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2004/10/08 15:16:54, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [imguser] ->
[smbguest] -> [smbguest] succeeded
[2004/10/08 15:16:54, 1] smbd/service.c:make_connection_snum(648)
mule (199.42.192.45) connect to service space initially as user
smbguest (uid=689013, gid=2503) (pid 1108)
I get the same thing,... where the user gets mapped to smbguest, no
matter what user I use. Winbind isn't correctly determining the group
for the ADS domain users.
Also, another problem that might be related... getent group doesn't
show all the groups I expect it to show. The ADS domain has trusts to
another ADS domain, and also to an NT4 domain. I know for certain that
not all of the NT4 domains show up in wbinfo -g, and even fewer show
up in getent group. And the output of wbinfo -g and getent group are
both not consistent. Sometimes no domain groups at all show up in
getent group.
Anybody have any ideas? I desperately need this functionality to work.
Greg Adams
