hi,

it's me again :(

i'm still not able to use idmap_rid in a trusted domain environment
(samba v3.0.20b Sernet).
well, to be clear: NSS is not working (id, getent passwd <user>, ...) so
samba does not find the posix information for any user from a foreign
domain

it's working in a single domain with
#####################################
# WINBIND - Settings
idmap backend = idmap_rid:DOMA=10000-50000
idmap uid = 10000-50000
idmap gid = 10000-50000

allow trusted domains = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind trusted domains only = no
allow trusted domains = no
winbind cache time = 60
template shell = /bin/bash
template homedir = /data/users/%U
#####################################

but it's not working with
#####################################
# WINBIND - Settings
idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
idmap uid = 10000-50000
idmap gid = 10000-50000

allow trusted domains = yes
winbind use default domain = no
winbind enum users = no
winbind enum groups = no
winbind trusted domains only = no
allow trusted domains = no
winbind cache time = 60
template shell = /bin/bash
template homedir = /data/users/%U
#####################################

wbinfo -u gives me all users from all domains.
id DOMA\user gives me the correct information.
id DOMB\user gives me "No such user" and winbind says:

NT_STATUS_NONE_MAPPED
Could not lookup name for user DOMB\user

wbinfo -n "DOMB\user" does not work, too. but DOMA\user works.

is there a good manual for idmap_rid and trusts?
do i have to create two-way-trusts? we just have a one-way with DOMB.
i always just find idmap_rid in single domains and people telling me "it
works!"

thx in advance!

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137

[Update]

wbinfo -n now works also for trusted accounts.
but id DOMB\user gives "No suitable range available for sid <DOMBSID>-... "
although winbind says "enabling trusted domain mapping" and i have

> idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
> idmap uid = 10000-50000
> idmap gid = 10000-5000

please see attachment for winbind logs (don't look too much into detail
regarding packets and corresponding ASCII code - i changed domain names
for sec. reasons).

does anyone have a working setup please?
it's working with tdbsam backend, but that's not what i want.

thx!!!

@john:
the documentation says about idmap_rid: "The downside is that it can be
used only within a single ADS domain and is not compatible with trusted
domain implementations."
but this seems to be wrong because even samba developers (volker&jerry)
say, that it works?!?!

Michael Gasch wrote:
> hi,
>
> it's me again :(
>
> i'm still not able to use idmap_rid in a trusted domain environment
> (samba v3.0.20b Sernet).
> well, to be clear: NSS is not working (id, getent passwd <user>, ...) so
> samba does not find the posix information for any user from a foreign
> domain
>
> it's working in a single domain with
> #####################################
> # WINBIND - Settings
> idmap backend = idmap_rid:DOMA=10000-50000
> idmap uid = 10000-50000
> idmap gid = 10000-50000
>
> allow trusted domains = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind trusted domains only = no
> allow trusted domains = no
> winbind cache time = 60
> template shell = /bin/bash
> template homedir = /data/users/%U
> #####################################
>
> but it's not working with
> #####################################
> # WINBIND - Settings
> idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
> idmap uid = 10000-50000
> idmap gid = 10000-50000
>
> allow trusted domains = yes
> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> winbind trusted domains only = no
> allow trusted domains = no
> winbind cache time = 60
> template shell = /bin/bash
> template homedir = /data/users/%U
> #####################################
>
> wbinfo -u gives me all users from all domains.
> id DOMA\user gives me the correct information.
> id DOMB\user gives me "No such user" and winbind says:
>
> NT_STATUS_NONE_MAPPED
> Could not lookup name for user DOMB\user
>
> wbinfo -n "DOMB\user" does not work, too. but DOMA\user works.
>
> is there a good manual for idmap_rid and trusts?
> do i have to create two-way-trusts? we just have a one-way with DOMB.
> i always just find idmap_rid in single domains and people telling me "it
> works!"
>
> thx in advance!
>
>

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
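
A consistency check for a winbind settings fragment like the ones posted above, as an added example that is not part of the original messages and is not Samba code. It flags parameters set more than once with different values, inverted ranges, and per-domain idmap_rid ranges that overlap or fall outside `idmap uid` / `idmap gid`. The function names and the sample (assembled from lines quoted in the thread) are constructed for illustration.

```python
# Constructed sample: settings lines taken from the fragments quoted in the thread.
SAMPLE = """\
idmap backend = idmap_rid:DOMA=10000-20000,DOMB=20001-50000
idmap uid = 10000-50000
idmap gid = 10000-5000
allow trusted domains = yes
allow trusted domains = no
"""

def parse_range(text):
    return tuple(int(x) for x in text.split("-"))

def lint_winbind(conf):
    """Return a list of findings for a winbind/idmap settings fragment."""
    values = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        # smb.conf parameter names ignore case and whitespace, so normalise them
        values.setdefault("".join(key.split()).lower(), []).append(val.strip())
    findings = []
    for key, vals in values.items():
        if len({v.lower() for v in vals}) > 1:
            findings.append(f"conflict: {key} set to {vals}")
    pools = {}
    for key in ("idmapuid", "idmapgid"):
        if key in values:
            low, high = parse_range(values[key][-1])
            if low > high:
                findings.append(f"inverted: {key} {low}-{high}")
            else:
                pools[key] = (low, high)
    backend = values.get("idmapbackend", [""])[-1]
    if backend.startswith("idmap_rid:"):
        seen = []
        for item in backend.split(":", 1)[1].split(","):
            dom, rng = item.split("=")
            low, high = parse_range(rng)
            for key, (plow, phigh) in pools.items():
                if low < plow or high > phigh:
                    findings.append(f"outside: {dom} {low}-{high} not in {key}")
            for odom, olow, ohigh in seen:
                if low <= ohigh and olow <= high:
                    findings.append(f"overlap: {dom} and {odom}")
            seen.append((dom, low, high))
    return findings
print("\n".join(lint_winbind(SAMPLE)))
```
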