lizard at blue.dyn-o-saur.com
2011-May-24 13:22 UTC
[Samba] Samba 3.5 uid gid winbindd_idmap.tdb severe problems
Hello all,

right now I am using Samba 3.0.33 on CentOS 5.6. The users need to access the files from Linux and from Windows, so I maintain the Linux users in NIS and the Windows users in AD. Samba is AD integrated.

I am using a custom Python script that collects some data from NIS and from winbindd_idmap.tdb, creates a new file and imports it into winbindd_idmap.tdb. This works remarkably well. Known users get mapped to the same uid that they have on Linux. The same happens with the groups too. The rest get an id from the range defined in smb.conf.

I need/want to upgrade Samba to Samba 3.5, and here my problems begin. My script creates winbindd_idmap.tdb like before, and with net idmap dump I am able to check that it has the correct mappings (the mappings that I want). Unfortunately they never take effect. No matter what I do, Samba seems to not read the file anymore. id -a $usernames shows me a list where every group appears twice: the first with the NIS gid and the second with the idmap gid.

Reading through a lot of stuff the last 3 days, I came across these wbinfo commands that should do the same but show me that the mapping fails. Here is a small session that shows what happens:

    id -a testuser
    uid=1042(testuser) gid=2000(testgroup) groups=2000(testgroup) ...... 11000(testgroup)
    # the first one from nis the second from winbind

    # we try to map the gid to the sid from AD
    wbinfo -n testgroup
    S-1-5-21-966306815-3935059601-1604263782-1350 SID_DOM_GROUP (2)

    wbinfo --set-gid-mapping=2000,S-1-5-21-966306815-3935059601-1604263782-1350
    gid 2000 now mapped to sid S-1-5-21-966306815-3935059601-1604263782-1350

    # !! he lies I prove it
    wbinfo --gid-to-sid=2000
    Could not convert gid 2000 to sid

    wbinfo --gid-to-sid=11000
    S-1-5-21-966306815-3935059601-1604263782-1350

    wbinfo --sid-to-gid=S-1-5-21-966306815-3935059601-1604263782-1350
    11000

Could anybody please enlighten me?

Here is my smb.conf:

    [global]
        realm = example.com
        security = ADS
        workgroup = example
        encrypt passwords = yes
        password server = *
        netbios name = testserver
        idmap backend = tdb
        #idmap alloc backend = tdb
        idmap uid = 11000-12000
        idmap gid = 11000-12000
        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 1
        encrypt passwords = yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        log level = 2
        enable privileges = yes
        nt acl support = yes
        client use spnego = yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        log file = /var/log/samba/%U.%m.log

Thank you
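
An added example, not part of the original post or the poster's script: a Python check that reads `net idmap dump` output and the `idmap uid` / `idmap gid` ranges from smb.conf, then lists mappings whose id lies outside the configured range (gid 2000 against 11000-12000 in this post) and SIDs recorded under more than one id. The `UID|GID <id> <sid>` dump layout, the sample data and all function names are assumptions; the SID ending in 9999 is constructed.

```python
import re

# Constructed sample in the assumed "TYPE id SID" layout of `net idmap dump`.
SAMPLE_DUMP = """\
USER HWM 11001
GROUP HWM 11001
GID 2000 S-1-5-21-966306815-3935059601-1604263782-1350
GID 11000 S-1-5-21-966306815-3935059601-1604263782-1350
UID 1042 S-1-5-21-966306815-3935059601-1604263782-9999
"""

# Range settings as they appear in the smb.conf from the post.
SAMPLE_CONF = """\
[global]
    idmap backend = tdb
    #idmap alloc backend = tdb
    idmap uid = 11000-12000
    idmap gid = 11000-12000
"""

def parse_ranges(conf_text):
    """Return {'UID': (low, high), 'GID': (low, high)}; commented lines are ignored."""
    pattern = r"^\s*idmap (uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pattern, conf_text, re.M | re.I)}

def parse_dump(dump_text):
    """Return [(kind, unix_id, sid)]; HWM (high-water-mark) lines are skipped."""
    entries = []
    for line in dump_text.splitlines():
        m = re.match(r"^(UID|GID)\s+(\d+)\s+(S-[\d-]+)$", line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries

def audit(dump_text, conf_text):
    """Return (out_of_range entries, {(kind, sid): [ids]} for SIDs with several ids)."""
    ranges = parse_ranges(conf_text)
    out_of_range, by_sid = [], {}
    for kind, unix_id, sid in parse_dump(dump_text):
        low, high = ranges.get(kind, (0, 2**32 - 1))  # no range set: accept any id
        if not low <= unix_id <= high:
            out_of_range.append((kind, unix_id, sid))
        by_sid.setdefault((kind, sid), []).append(unix_id)
    return out_of_range, {k: v for k, v in by_sid.items() if len(v) > 1}

if __name__ == "__main__":
    bad, dup = audit(SAMPLE_DUMP, SAMPLE_CONF)
    for kind, unix_id, sid in bad:
        print(f"{kind} {unix_id} outside configured range -> {sid}")
    for (kind, sid), ids in dup.items():
        print(f"{kind} ids {ids} all recorded for {sid}")
```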