I have two servers running Samba, one as a Domain Controller, one as a Member Server. Both are running Ubuntu 8.10 and running smbd, nmbd and winbindd using the tdb back end.

I am having a problem understanding ID mapping. The mapping is not the same on both machines.

On the Domain Controller

> root@thelma:/etc/init.d# wbinfo -i 'ATLANTA\rob'
> rob:*:1000:2003:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/false
> root@thelma:/etc/init.d# wbinfo -i 'ATLANTA\trish'
> trish:*:1033:2003::/home/ATLANTA/trish:/bin/false

On the Member Server

> root@louise:/etc/samba# wbinfo -i 'ATLANTA\rob'
> ATLANTA\rob:*:10020:10001:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/bash
> root@louise:/etc/samba# wbinfo -i 'ATLANTA\trish'
> ATLANTA\trish:*:10037:10001::/home/ATLANTA/trish:/bin/bash

Note the different UID and GID

--
Robert Steinmetz, AIA
Principal
Steinmetz & Associates
On the PDC, both the unix and samba account info is on that machine. The samba user info includes which is the local unix user. On the member server, the samba account info is pulled from the PDC. Which means that even if both unix machines have identical unix accounts (e.g. the same /etc/passwd and /etc/group file, or use NIS, NIS+ or LDAP), winbind ignores this. Your member machine probably has an idmap range - so that samba can assign unix uids and gids for the "foreign" samba accounts. (Even though you would think this isn't necessary.)

I found this wasn't so much a problem if most of the permission management was handled on the unix level- but the moment you started setting perms in windows the "rob 1000" and "rob 10020" became a problem. This bugged me for years.

My first work around was to use LDAP for the IDMAP backend and then manually edit the uid and gid fields in the idmap entries to match the unix ones. In the end, I changed everything to an ldap backend and changed the member server to a BDC.

On 01/13/10 16:39, Robert Steinmetz wrote:
> I have two servers running Samba, one as a Domain Controller, one as a Member Server. Both are running Ubuntu 8.10 and running smbd, nmbd and winbindd using the tdb back end.
>
> I am having a problem understanding ID mapping. The mapping is not the same on both machines.
>
> On the Domain Controller
>
>> root@thelma:/etc/init.d# wbinfo -i 'ATLANTA\rob'
>> rob:*:1000:2003:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/false
>> root@thelma:/etc/init.d# wbinfo -i 'ATLANTA\trish'
>> trish:*:1033:2003::/home/ATLANTA/trish:/bin/false
>
> On the Member Server
>
>> root@louise:/etc/samba# wbinfo -i 'ATLANTA\rob'
>> ATLANTA\rob:*:10020:10001:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/bash
>> root@louise:/etc/samba# wbinfo -i 'ATLANTA\trish'
>> ATLANTA\trish:*:10037:10001::/home/ATLANTA/trish:/bin/bash
>
> Note the different UID and GID
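A small check for the mismatch discussed above, added here as an example and not taken from the thread: it parses the passwd-style lines that `wbinfo -i DOMAIN\user` prints on each host (the lines quoted in this thread, embedded as constructed sample input), normalises the `DOMAIN\` prefix the member server adds, and lists every user whose uid or gid differs between the DC and the member server. The function names are my own.

```python
"""Compare the winbind ID mappings reported by two Samba hosts.

Input is the passwd-style output of `wbinfo -i DOMAIN\\user` captured on
each host. The member server prefixes names with the domain (ATLANTA\\rob)
while the DC reports the bare unix name (rob); both are normalised to the
bare name before comparing uid/gid.
"""
from typing import Dict, List, Tuple

# Constructed sample input: the wbinfo -i lines quoted in this thread.
DC_OUTPUT = """\
rob:*:1000:2003:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/false
trish:*:1033:2003::/home/ATLANTA/trish:/bin/false
"""
MEMBER_OUTPUT = r"""ATLANTA\rob:*:10020:10001:Robert Steinmetz,,,:/home/ATLANTA/rob:/bin/bash
ATLANTA\trish:*:10037:10001::/home/ATLANTA/trish:/bin/bash
"""

IdPair = Tuple[int, int]  # (uid, gid)


def parse_wbinfo(text: str) -> Dict[str, IdPair]:
    """Map bare user name -> (uid, gid) from passwd-style wbinfo -i lines."""
    result: Dict[str, IdPair] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:passwd:uid:gid:gecos:home:shell
            raise ValueError(f"not a passwd-style line: {line!r}")
        name = fields[0].rsplit("\\", 1)[-1]  # drop DOMAIN\ prefix if present
        result[name] = (int(fields[2]), int(fields[3]))
    return result


def idmap_mismatches(dc_text: str, member_text: str) -> List[Tuple[str, IdPair, IdPair]]:
    """Return (user, dc_ids, member_ids) for every user known to both hosts
    whose uid or gid differs between them."""
    dc, member = parse_wbinfo(dc_text), parse_wbinfo(member_text)
    return [(u, dc[u], member[u]) for u in sorted(dc)
            if u in member and dc[u] != member[u]]


if __name__ == "__main__":
    for user, dc_ids, member_ids in idmap_mismatches(DC_OUTPUT, MEMBER_OUTPUT):
        print(f"{user}: DC uid/gid {dc_ids} != member uid/gid {member_ids}")
```

On a real pair of hosts, capture each side's `wbinfo -i` output to a file and pass the two file contents in place of the constructed strings; an empty result means the idmap tables agree for the users compared.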
The PDC may also have an idmap range but I think, unless you use ldap as a backend, they will not necessarily be the same.

If I set the permissions for a file under unix to be accessible to unix rob, and rob from windows tries to read the file- I think what happens is it will try to map "DOMAIN\rob" to the local unix rob and still allow access. If you tail the various samba logs you should see it trying to map the windows user to the unix user.

I think I had to set the samba share as public and then rely on the file system ACLs to restrict files. This is because, for verifying access to the shares, the user mapping wasn't working properly.

Typically, in my environment, the main bulk of the files for both samba and nfs access was on one machine, which was also the PDC. The other samba machines were typically machines used primarily by unix users who needed to share some data with windows users. This was a workaround that met the limited requirements of our situation.

This is with Samba 3.0.x. I am hoping when I move to Samba 3.4.x a lot of this stuff will work better.

On 01/13/10 20:30, Robert Steinmetz wrote:
> You are correct that the member machine has an idmap range, but so does the PDC. Are you suggesting that in a simple setup (two nearly identical servers) where users and groups are manually coordinated that isn't necessary?
>
> Gaiseric Vandal wrote:
>> On the PDC, both the unix and samba account info is on that machine. The samba user info includes which is the local unix user. On the member server, the samba account info is pulled from the PDC. Which means that even if both unix machines have identical unix accounts (e.g. the same /etc/passwd and /etc/group file, or use NIS, NIS+ or LDAP), winbind ignores this. Your member machine probably has an idmap range - so that samba can assign unix uids and gids for the "foreign" samba accounts. (Even though you would think this isn't necessary.)
>>
>> I found this wasn't so much a problem if most of the permission management was handled on the unix level- but the moment you started setting perms in windows the "rob 1000" and "rob 10020" became a problem. This bugged me for years.
>>
>> My first work around was to use LDAP for the IDMAP backend and then manually edit the uid and gid fields in the idmap entries to match the unix ones. In the end, I changed everything to an ldap backend and changed the member server to a BDC.
>
> --
> Robert Steinmetz, AIA
> Principal
> Steinmetz & Associates