Hello List,

After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use of the new syntax for IDMAP. But I failed. Also there is a lack of documentation on how to use it. (Yes, there is a man page, but it contains limited explanation and examples.)

What do I want? What (I think) a lot of people want:
I have two Samba domain members and a Windows 2003 DC without R2 / SFU schema extension. So I want to make use of the RID facility. Same GID/UID mappings on all Samba servers in the domain, with support for BUILTIN groups, and without installing schema extensions on the DC. I assume that RID was designed for this scenario.
Can anyone assist me, and everyone on the list struggling with the same problems, on how to properly configure Samba for this scenario?

Old syntax works, but lacks support for BUILTIN groups, and gives the following complaints in syslog:

Module '/usr/lib/samba/idmap/rid.so' initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

and:

lib/util_str.c:safe_strcpy_fn(659)
Dec 19 13:12:47 s-0009 winbindd[5454]: ERROR: string overflow by 1 (256 - 255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255) in safe_strcpy [Added timed event "async_request_timeout": 8843878

The new syntax I tried:

idmap domains = DOMAIN-NL
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
# For BUILTIN GROUPS
idmap alloc backend = tdb
idmap alloc config:range = 800-999

After restarting samba/winbind, it fails after 2-3 minutes. wbinfo -u and wbinfo -g work OK. getent group also works OK, but getent passwd does not show domain users anymore. Leaving ADS, cleaning up all tdb's and rejoining ADS did not provide the solution. I also tried several other options but all failed the same way.
idmap domains = BUILTIN, DOMAIN
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
idmap config BUILTIN:backend = tdb
idmap config BUILTIN:base_rid = 800
idmap config BUILTIN:range = 800-999

OS: CentOS 4.6
Samba version: CentOS/RH 3.0.25b (with backported fixes from 3.0.28) and samba 3.0.28
No nscd running

Snippet of /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Full smb.conf:

# Global parameters
[global]
    workgroup = DOMAIN-NL
    security = ADS
    netbios name = s-0009-a
    realm = CORP.DOMAIN.NL
    server string = SAMBA DOOS
    log level = 10
    interfaces = eth2 lo
    bind interfaces only = yes
    preferred master = no
    domain master = no
    allow trusted domains = no
    winbind separator = /
    # Officially supported old syntax
    idmap backend = rid
    idmap uid = 1000-1000000
    idmap gid = 1000-1000000
    # New syntax equivalent to pre-3.0.25 tdb
    # idmap domains = DOMAIN-NL
    # idmap config DOMAIN-NL:default = yes
    # idmap config DOMAIN-NL:backend = tdb
    # idmap config DOMAIN-NL:range = 1000 - 1000000
    # idmap alloc backend = tdb
    # idmap alloc config:range = 1000 - 1000000
    # New syntax rid
    # idmap domains = DOMAIN-NL
    # idmap config DOMAIN-NL:default = yes
    # idmap config DOMAIN-NL:backend = rid
    # idmap config DOMAIN-NL:base_rid = 1000
    # idmap config DOMAIN-NL:range = 1000-1000000
    # idmap config BUILTIN:backend = tdb
    # idmap config BUILTIN:base_rid = 800
    # idmap config BUILTIN:range = 800-999
    # idmap alloc backend = tdb
    # idmap alloc config:range = 800-999
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    template homedir = /home/domain-nl/%U
    template shell = /bin/bash
    wins server = 192.168.0.51
    load printers = no
    printing = cups
    printcap name = cups
    show add printer wizard = yes
    use client driver = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    public = yes
    guest ok = yes
    writable = no
    printable = yes
    printer admin = @"Domain Admins"

# Printer shares
[print$]
    comment = Printer Driver Download Area
    path = /var/lib/samba/drivers
    browseable = yes
    guest ok = yes
    read only = no
    write list = @ntadmin, @"Domain Admins", root
    admin users = @"Domain Admins", @ntadmin, root, administrator, admin

[Homedirs]
    comment = De gebruikers directories
    path = /home/domain-nl/
    force group = users
    read only = No
    create mask = 0644
    hide dot files = Yes
    hide unreadable = Yes
    admin users = @"DOMAIN-NL/Domain Admins"
    valid users = @"DOMAIN-NL/Domain Admins"

Regards,
John
The Netherlands
John wrote:
> Hello List,
>
> After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use of
> the new syntax for IDMAP. But I failed. Also there is a lack of
> documentation on how to use it. (Yes, there is a man page, but it
> contains limited explanation and examples.)
>
> What do I want? What (I think) a lot of people want:
> I have two Samba domain members and a Windows 2003 DC without R2 /
> SFU schema extension. So I want to make use of the RID facility.
> Same GID/UID mappings on all Samba servers in the domain, with
> support for BUILTIN groups, and without installing schema extensions
> on the DC. I assume that RID was designed for this scenario.
> Can anyone assist me, and everyone on the list struggling with the same
> problems, on how to properly configure Samba for this scenario?
>
> Old syntax works, but lacks support for BUILTIN groups, and gives the
> following complaints in syslog:
> Module '/usr/lib/samba/idmap/rid.so' initialization failed:
> NT_STATUS_OBJECT_NAME_COLLISION
> and:
> lib/util_str.c:safe_strcpy_fn(659)
> Dec 19 13:12:47 s-0009 winbindd[5454]: ERROR: string overflow by 1
> (256 - 255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255)
> in safe_strcpy [Added timed event "async_request_timeout": 8843878
>

I have just fixed one of our Samba servers this morning after the upgrade from CentOS 5 -> 5.1 broke winbind resolution.

The below winbind config worked for me.
[global]
    workgroup = COMM
    server string = Samba Server
    log file = /var/log/samba/%m.log
    max log size = 50
    dns proxy = No
    cups options = raw
    password server = amachine.us.domain.co.uk
    realm = US.DOMAIN.CO.UK
    security = ads
    # OLD IDMAP settings
    # idmap uid = 16777216-33554431
    # idmap gid = 16777216-33554431
    # idmap backend = rid:"US=16777216-33554431"
    # NEW IDMAP settings
    idmap domains = US
    idmap config US: default = yes
    idmap config US: backend = rid
    idmap config US: range = 16777216-33554431
    idmap alloc config: range = 16777216-33554431
    template shell = /sbin/nologin
    winbind use default domain = yes
    allow trusted domains = no
    host msdfs = no
    winbind enum users = no
    winbind enum groups = no
    wins server = 192.168.1.10

Hope this helps

Dean
simo wrote:
> On Wed, 2007-12-19 at 13:58 +0000, Plant, Dean wrote:
>
>> # NEW IDMAP settings
>> idmap domains = US
>> idmap config US: default = yes
>> idmap config US: backend = rid
>> idmap config US: range = 16777216-33554431
>> idmap alloc config: range = 16777216-33554431
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> You don't need an alloc config range when using the RID backend, but
> if you want to use one (eg for trusted domains) then you *ABSOLUTELY
> DON'T* want it to *conflict* with the same range used for the RID
> backend.

Ok, point noted. I have removed that option and all is still working.

Thanks.

Dean

Although
Charles Marcus wrote:
> Plant, Dean, on 12/19/2007 8:58 AM, said the following:
>> John wrote:
>>> Hello List,
>>>
>>> After upgrading to 3.0.25b (also tried 3.0.28) I tried to make use
>>> of the new syntax for IDMAP. But I failed. Also there is a lack of
>>> documentation on how to use it. (Yes, there is a man page, but it
>>> contains limited explanation and examples.)
>>>
>>> What do I want? What (I think) a lot of people want:
>>> I have two Samba domain members and a Windows 2003 DC without R2 /
>>> SFU schema extension. So I want to make use of the RID facility.
>>> Same GID/UID mappings on all Samba servers in the domain, with
>>> support for BUILTIN groups, and without installing schema extensions
>>> on the DC. I assume that RID was designed for this scenario.
>>> Can anyone assist me, and everyone on the list struggling with the same
>>> problems, on how to properly configure Samba for this scenario?
>>>
>>> Old syntax works, but lacks support for BUILTIN groups, and gives the
>>> following complaints in syslog:
>>> Module '/usr/lib/samba/idmap/rid.so' initialization failed:
>>> NT_STATUS_OBJECT_NAME_COLLISION
>>> and:
>>> lib/util_str.c:safe_strcpy_fn(659)
>>> Dec 19 13:12:47 s-0009 winbindd[5454]: ERROR: string overflow by 1
>>> (256 - 255) in safe_strcpy [ERROR: string overflow by 1 (256 - 255)
>>> in safe_strcpy [Added timed event "async_request_timeout": 8843878
>>>
>>
>> I have just fixed one of our Samba servers this morning after the
>> upgrade from CentOS 5 -> 5.1 broke winbind resolution.
>>
>> The below winbind config worked for me.
>
> I'm curious - what exactly CHANGED (or, what did you have to change)?

We had been running with these idmap settings for an AD integrated file server:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = rid:"US=16777216-33554431"

After the upgrade to CentOS 5.1 our winbind mappings were lost and group permissions were no longer working.
Reading the Samba release notes and trawling the net I found the below settings, although as has been pointed out the "idmap alloc config" is not required. With these settings all winbind mappings were restored and everything seems to be working as normal.

idmap domains = US
idmap config US: default = yes
idmap config US: backend = rid
idmap config US: range = 16777216-33554431
idmap alloc config: range = 16777216-33554431

Dean
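Two configuration mistakes surface in this thread: John's first new-syntax attempt lists DOMAIN-NL under "idmap domains" but writes its "idmap config" block for DOMAIN, and Dean's working config gives "idmap alloc config: range" the same range as the RID backend, which simo points out must never overlap. The script below is an added example, not code from the thread or from Samba: it pulls the idmap lines out of an smb.conf fragment, reports config blocks whose domain is never declared, reports an alloc range that overlaps a RID-backed range, and applies the RID mapping formula from the idmap_rid(8) man page (ID = RID - BASE_RID + LOW_RANGE_ID) to show which IDs a given range can actually hold. The two embedded fragments are the settings posted in the thread, reproduced here as sample input; the function names are this example's own.

```python
import re

# Sample input: John's first new-syntax attempt and Dean's working
# config, copied from the thread and embedded here as test fragments.
JOHN_CONF = """
idmap domains = DOMAIN-NL
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = rid
idmap config DOMAIN:base_rid = 1000
idmap config DOMAIN:range = 1000-1000000
# For BUILTIN GROUPS
idmap alloc backend = tdb
idmap alloc config:range = 800-999
"""

DEAN_CONF = """
idmap domains = US
idmap config US: default = yes
idmap config US: backend = rid
idmap config US: range = 16777216-33554431
idmap alloc config: range = 16777216-33554431
"""


def parse_range(text):
    """'1000-1000000' or '1000 - 1000000' -> (1000, 1000000)."""
    low, high = (int(p) for p in text.replace(" ", "").split("-", 1))
    return low, high


def parse_idmap(conf):
    """Collect 'idmap domains', per-domain 'idmap config' and 'idmap alloc config'.

    Samba matches parameter names case-insensitively and ignores whitespace,
    so the key is lower-cased and whitespace-normalised before matching.
    """
    domains, configs, alloc = [], {}, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = re.sub(r"\s+", " ", key).lower()
        if key == "idmap domains":
            domains = [d.strip().upper() for d in value.split(",")]
        elif key.startswith("idmap alloc config"):
            option = key[len("idmap alloc config"):].strip(" :")
            alloc[option] = value
        elif key.startswith("idmap config"):
            domain, option = key[len("idmap config"):].split(":", 1)
            configs.setdefault(domain.strip().upper(), {})[option.strip()] = value
    return domains, configs, alloc


def undeclared_domains(domains, configs):
    """Domains with an 'idmap config' block that 'idmap domains' never lists."""
    return sorted(d for d in configs if d not in domains)


def alloc_conflicts(configs, alloc):
    """RID-backed domains whose range overlaps the idmap alloc range."""
    if "range" not in alloc:
        return []
    a_low, a_high = parse_range(alloc["range"])
    conflicts = []
    for domain, cfg in configs.items():
        if cfg.get("backend", "").lower() != "rid" or "range" not in cfg:
            continue
        d_low, d_high = parse_range(cfg["range"])
        if d_low <= a_high and a_low <= d_high:  # closed intervals intersect
            conflicts.append(domain)
    return sorted(conflicts)


def rid_to_id(rid, base_rid, low, high):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None


def audit(conf):
    """Run both checks over one smb.conf fragment."""
    domains, configs, alloc = parse_idmap(conf)
    return {
        "undeclared": undeclared_domains(domains, configs),
        "alloc_conflicts": alloc_conflicts(configs, alloc),
    }


if __name__ == "__main__":
    for name, conf in (("John", JOHN_CONF), ("Dean", DEAN_CONF)):
        print(name, audit(conf))
    # Dean's range with the default base_rid of 0: RID 1105 lands at 16778321.
    print(rid_to_id(1105, 0, 16777216, 33554431))
    # John's base_rid 1000 means RIDs below 1000 (the well-known accounts) get no ID.
    print(rid_to_id(500, 1000, 1000, 1000000))
```

Run against John's fragment it reports DOMAIN as undeclared and no alloc conflict; against Dean's it reports no undeclared domain and a conflict on US, which is exactly what simo flagged. The rid_to_id calls also show why a base_rid above the well-known RIDs leaves those accounts unmapped.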