Jens Nissen
2008-Apr-08 10:04 UTC
[Samba] Issues with migration from default mapping to idmap_rid in 3.0.26a
What I want to do: I have a lot of Samba AD member servers which all should have the same mapping of Domain Users (SIDs) to local UID/GID, so files with ACLs can be moved from one machine to another and still grant the access rights to the same users as on the other machine.

What I have:

    idmap uid=1000-60000
    idmap gid=1000-60000
    winbind use default domain=no
    winbind enum users=Yes
    winbind enum groups=Yes
    winbind nested groups=Yes
    winbind nss info=template
    winbind offline logon=True
    security=Ads
    passdb backend=tdbsam

This is working fine, but (of course) leads to indeterministic UID/GID mappings. So I want to change to RID - this is all I changed:

    #idmap uid=1000-60000
    #idmap gid=1000-60000
    idmap domains=MYDOMAIN
    idmap config MYDOMAIN:backend=rid
    idmap config MYDOMAIN:base_rid=1000
    idmap config MYDOMAIN:range=998 - 60000

(I have two manually mapped groups, thus starting the allowed range at 998.)

I clear all TDB files and join the server from scratch to the domain. This still works. Then I look at wbinfo -u, which shows all Domain users correctly. Trouble already starts with

    wbinfo -i MYDOMAIN\\dagobert
    > Could not get info for user MYDOMAIN\\dagobert

The Domain Administrator can actually connect to the Samba server, but no other user can.
From the log, I retrieve a lot like this:

    Could not query gid for user MYDOMAIN\dagobert
    [2008/04/08 11:12:34, 5] lib/username.c:Get_Pwnam_internals(83)
      Trying _Get_Pwnam(), username as given is MYDOMAIN\dagobert
    [2008/04/08 11:12:34, 10] nsswitch/winbindd.c:process_request(314)
      process_request: request fn GETPWNAM
    [2008/04/08 11:12:34, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
      [20573]: getpwnam MYDOMAIN\dagobert
    [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 15771
    [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 15771
    [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 15786
    [2008/04/08 11:12:34, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
      winbindd_sid2gid_async: Resolving S-1-5-21-1214440339-113007714-839522115-513 to a gid
    [2008/04/08 11:12:34, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 15786
    [2008/04/08 11:12:34, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
      sid2gid returned an error

It looks as though conversion of SIDs to IDs is not correctly working.

    # wbinfo -G 1000
    S-1-5-21-1214440339-113007714-839522115-1002
    # wbinfo -S S-1-5-21-1214440339-113007714-839522115-1002
    Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to uid
    # wbinfo -Y S-1-5-21-1214440339-113007714-839522115-1002
    Could not convert sid S-1-5-21-1214440339-113007714-839522115-1002 to gid
    # wbinfo -R 1000
    Domain: MYDOMAIN
    1000: TsInternetUser (User)

Manually added SIDs are actually working, so winbind is operational:

    # wbinfo -Y S-1-5-13
    998

So my questions are:

(1) Is idmap_rid suitable for what I want?
(2) Is idmap_rid working in 3.0.26a? Is there someone who got this working?
(3) Is there anything else I need to change in smb.conf when migrating as above?
(4) Is there some trick with compilation/configuration necessary?
I have an Intel ARM Big Endian architecture and have the RID module statically linked (dynamic loading does not work on this architecture).

Kind regards and thanks for any advice or help,
Jens

P.S. testparm of smb.conf

    [global]
        dos charset = ISO-8859-1
        unix charset = ISO-8859-1
        display charset = ISO-8859-1
        workgroup = MYDOMAIN
        realm = MYDOMAIN.TEST
        server string = myserver
        interfaces = ixp0
        security = ADS
        allow trusted domains = No
        password server = sbs2000.mydomain.test
        private dir = /var/lib/adsamba/private
        passdb backend = tdbsam
        guest account = samba
        username map = /etc/cfg_user/usermap.ads
        log level = 6 winbind:10
        log file = /export/log/smblog.ad
        max log size = 0
        name resolve order = wins bcast host
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        show add printer wizard = No
        preferred master = No
        local master = No
        domain master = No
        wins server = 192.168.1.4
        lock directory = /var/lib/adsamba
        idmap domains = MYDOMAIN
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind offline logon = Yes
        ldapsam:trusted = No
        idmap config MYDOMAIN:range = 998 - 60000
        idmap config MYDOMAIN:base_rid = 1000
        idmap config MYDOMAIN:backend = rid
        ea support = Yes

    [shared]
        comment = ACL shared folder
        path = /export/shared
        read only = No
        create mask = 0777
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes
        inherit owner = Yes
        map acl inherit = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        dos filemode = Yes
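As an added example (not from Jens's post and not Samba's own code), the following reproduces the idmap_rid arithmetic documented in idmap_rid(8) for 3.0.x, ID = RID - base_rid + low_range_id, together with the range check, using the base_rid, range and domain SID from the smb.conf above; it shows that the wbinfo -G 1000 result is consistent with that formula and which RIDs, such as the 513 in the sid2gid log line, cannot map with base_rid = 1000. The SID list passed to unmapped() is constructed for illustration.

```python
# Added example: idmap_rid mapping as documented in idmap_rid(8) (Samba 3.0.x),
#   ID  = RID - base_rid + low_range_id
#   RID = ID  - low_range_id + base_rid
# Results outside [low_range_id, high_range_id] are reported as unmapped.
from typing import List, Optional, Tuple

# Values taken from the smb.conf in the post.
BASE_RID = 1000
LOW_ID, HIGH_ID = 998, 60000
DOMAIN_SID = "S-1-5-21-1214440339-113007714-839522115"


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-...-513' into (domain SID, RID)."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def sid_to_id(sid: str, base_rid: int = BASE_RID,
              low: int = LOW_ID, high: int = HIGH_ID) -> Optional[int]:
    """Unix ID for a SID of our domain, or None where idmap_rid
    would answer NONE_MAPPED (foreign domain or ID outside the range)."""
    dom, rid = split_sid(sid)
    if dom != DOMAIN_SID:
        return None                      # not this domain: other backends/manual maps
    unix_id = rid - base_rid + low       # falls below `low` whenever rid < base_rid
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def id_to_sid(unix_id: int, base_rid: int = BASE_RID,
              low: int = LOW_ID, high: int = HIGH_ID) -> Optional[str]:
    """Inverse mapping; None when the ID is outside the configured range."""
    if unix_id < low or unix_id > high:
        return None
    return f"{DOMAIN_SID}-{unix_id - low + base_rid}"


def unmapped(sids: List[str]) -> List[str]:
    """Pre-migration check: the SIDs in `sids` this configuration cannot map."""
    return [s for s in sids if sid_to_id(s) is None]


if __name__ == "__main__":
    # Constructed sample: the group SID from the log and the SID wbinfo -G 1000 returned.
    sample = [DOMAIN_SID + "-513", DOMAIN_SID + "-1002"]
    for s in sample:
        print(s, "->", sid_to_id(s))     # 513 -> None (511 < 998), 1002 -> 1000
    print(1000, "->", id_to_sid(1000))   # matches the wbinfo -G 1000 output above
    print("cannot map:", unmapped(sample))
```

Because base_rid is subtracted before the range check, every account whose RID is below base_rid (the built-in groups with RIDs in the 500s among them) yields an ID under the low end of the range and is reported as unmapped, regardless of how wide the range is.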