Hello,

I am trying out Samba + Winbind + NSS + CIFS in a test environment, which currently consists of a PDC, a fileserver, and a client, all with samba 3.0.11.

I got everything working more or less, but noticed that the uid's are different on the fileserver and on the client (resulting in erroneous file ownership on the cifs mount). This is also very obvious when doing a getent passwd.

The [global] portion in the smb.conf file on fileserver and client:

    [global]
    winbind separator = +
    realm = testwg
    workgroup = testwg
    encrypt passwords = true
    password server = testpdc
    security = DOMAIN
    idmap uid = 10000-65000
    idmap gid = 10000-65000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    allow trusted domains = No
    unix extensions = yes

After reading the docs, I get the impression that I should use an idmap backend to have consistent uid's. Am I correct?

I don't have an LDAP server, and I'd prefer not to add another service to the chain, so I recompiled samba with --with-shared-modules=idmap_rid and tried adding

    idmap backend = idmap_rid:TESTWG=1000-50000000

to both the fileserver and client smb.conf files.

This breaks uid mapping. In log.winbindd, I got lots of entries like:

    [2005/03/04 14:21:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
      error getting user id for sid S-1-5-21-1893565685-1185636268-3552291067-3110
    [2005/03/04 14:21:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
      could not lookup domain user

Any idea?

Maarten

> After reading the docs, I get the impression that I should use an idmap
> backend to have consistent uid's. Am I correct?

Not so much, you're on the right path tho. The idmap is primarily to give a mapping between unix uids and windows SIDs when the users come from an AD system or something of that nature. Basically if you don't have real unix users you use winbind and idmap to get it done... if I understand correctly. I don't use either.

> I don't have an LDAP server, and I'd prefer not to add another service
> to the chain, so I recompiled samba with

That's essentially what you need to do unfortunately. You need to store the mapping someplace globally accessible for both machines to read it. I see the light bulb going off in your head WRT storing the idmap file on an nfs mount or some other shared filesystem, don't do it, it won't work.

--
Paul Gienger                 Office: 701-281-1884
Applied Engineering Inc.
Systems Architect            Fax: 701-281-1322
URL: www.ae-solutions.com    mailto: pgienger@ae-solutions.com

I disagree. According to the Release Notes the idmap_rid does NOT require an LDAP server. The way I understand it, it uses the last part of your SID to derive what your UID will be, thus you will have consistency across your Sambas.

I compiled my samba the same way and it is working; however, I am encountering problems with the winbind daemon while in this mode. I have submitted another topic on this problem.

Did you set up your /etc/nsswitch.conf file?

Josh

-----Original Message-----
From: samba-bounces+samba=guidemail.com@lists.samba.org [mailto:samba-bounces+samba=guidemail.com@lists.samba.org] On Behalf Of Paul Gienger
Posted At: Friday, March 04, 2005 8:39 AM
Posted To: Samba
Conversation: [Samba] idmap backend problems
Subject: Re: [Samba] idmap backend problems
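
An added sketch (not part of the thread and not Samba source code) contrasting the two approaches discussed above: a per-host allocator that hands out the next free uid on first lookup, and the RID-derived mapping Josh describes. The formula uid = range low + RID, all class and function names, and the RIDs 1105 and 2001 are assumptions made for illustration; the domain SID, RID 3110 and both ranges are taken from the original post.

```python
# Added illustration; names and the low+RID formula are assumptions.
IDMAP_UID_RANGE = (10000, 65000)   # "idmap uid" from the posted smb.conf
RID_RANGE = (1000, 50000000)       # range passed to idmap_rid in the post
DOMAIN_SID = "S-1-5-21-1893565685-1185636268-3552291067"  # from the posted log


class AllocatingMapper:
    """Per-host state: each new SID gets the next free uid in the range."""

    def __init__(self, low, high):
        self.next_uid, self.high, self.table = low, high, {}

    def uid_for(self, sid):
        if sid not in self.table:
            if self.next_uid > self.high:
                raise OverflowError("uid range exhausted")
            self.table[sid] = self.next_uid
            self.next_uid += 1
        return self.table[sid]


def rid_uid(sid, low, high, domain_sid=DOMAIN_SID):
    """Stateless mapping: uid = low + RID (assumed formula)."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit():
        raise ValueError("SID is not in the configured domain: %r" % sid)
    uid = low + int(rid)
    if uid > high:
        raise OverflowError("RID %s maps outside %d-%d" % (rid, low, high))
    return uid


def compare_hosts():
    """Look up the same users in a different order on two hosts."""
    sids = ["%s-%d" % (DOMAIN_SID, r) for r in (3110, 1105, 2001)]
    fileserver = AllocatingMapper(*IDMAP_UID_RANGE)
    client = AllocatingMapper(*IDMAP_UID_RANGE)
    on_fs = {s: fileserver.uid_for(s) for s in sids}
    on_client = {s: client.uid_for(s) for s in reversed(sids)}
    # Users whose files would show the wrong owner on the CIFS mount.
    mismatched = [s for s in sids if on_fs[s] != on_client[s]]
    # The RID mapping needs no table, so lookup order cannot matter.
    derived = {s: rid_uid(s, *RID_RANGE) for s in sids}
    return mismatched, derived


if __name__ == "__main__":
    bad, derived = compare_hosts()
    print("uids differ between hosts for:", bad)
    print("RID-derived uids:", derived)
```

Comparing the output of getent passwd from both machines shows the same kind of mismatch on a live system.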