samba - Aug 2011 - samba 3.6: "autorid" has no domain order

Hello,

i try to create a samba server for more then one trusted domain.
I know there were some issues with samba 3.5, and in the internet i
always read, i should use samba 3.4.

So i wanted to give 3.6 a chance.

I first tried autorid with a config like this:

        winbind enum users = yes
        winbind enum groups = yes

        idmap backend = autorid
        idmap gid = 100000-1499999
        idmap gid = 100000-1499999
        allow trusted domains = yes

It works fine. And Domain A starts in the 200000 and Domain B with
300000. But my problem is, i have two different samba Servers that
should get the same uid and gid.
On the second Server Domain B also starts with 300000 but domain A
starts with 4000000. So there is no correct mapping between these two
servers. It is, because the main Domain of the second server is B and
not A like in the first server.

Is there a way to tell autorid a order of domains? like: "idmap autorid
domains = A, B"

I also read the mail about the new idmapping so i also tried these
configuration:

        winbind enum users = yes
        winbind enum groups = yes
        allow trusted domains = yes

        idmap config A : backend     = rid
        idmap config A : range       = 100000 - 199999
        idmap config A : base_rid    = 1000

        idmap config B : backend  = rid
        idmap config B : range    = 200000 - 299999
        idmap config B : base_rid = 1000

With this configuration i get with "winbind -u" all users, but
"getent
passwd" is still empty.

And a group group-info shows WBC_ERR_DOMAIN_NOT_FOUND.

server:/ # wbinfo --group-info A\\marketing
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group A\marketing
server:/ # wbinfo --group-info B\\marketing
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group B\marketing


I didn't find any real helpfull logs to get a clue what's wrong with
this config. But i think it is the same as in 3.5 and i have to go back
to 3.4?

any ideas?

best regards
Benedikt

Hello,

also in LogLevel 10 there is no error i could find.
But i have more config examples and what happens.

if i use this config:
>         winbind enum users = yes
>         winbind enum groups = yes
>         allow trusted domains = yes
>
>        idmap config * : backend     = tdb
>        idmap config * : range       = 70000-99999
>
>         idmap config A : backend     = rid
>         idmap config A : range       = 100000 - 199999
>         idmap config A : base_rid    = 1000
>
>         idmap config B : backend  = rid
>         idmap config B : range    = 200000 - 299999
>         idmap config B : base_rid = 1000
i get folowing message from a SID of domain A:

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

i change this line
>         allow trusted domains = no
server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

it does not work.
i change this line
>        idmap config * : backend     = rid

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
100113

so it "works" ... but "getent passwd" still does not show
any user.
so there is still a long way to go.

if i delete all the "idmap config * " parts it won't work again.

But also if it does work.... i need trusted domain support.
the only config that realy works right now, is the new "autorid".


LogLevel10 shows no errors at all.


------------
Benedikt



Am 12.08.2011 18:23, schrieb Benedikt Schindler:
> Hello,
> 
> i try to create a samba server for more then one trusted domain.
> I know there were some issues with samba 3.5, and in the internet i
> always read, i should use samba 3.4.
> 
> So i wanted to give 3.6 a chance.
> 
> I first tried autorid with a config like this:
> 
>         winbind enum users = yes
>         winbind enum groups = yes
> 
>         idmap backend = autorid
>         idmap gid = 100000-1499999
>         idmap gid = 100000-1499999
>         allow trusted domains = yes
> 
> It works fine. And Domain A starts in the 200000 and Domain B with
> 300000. But my problem is, i have two different samba Servers that
> should get the same uid and gid.
> On the second Server Domain B also starts with 300000 but domain A
> starts with 4000000. So there is no correct mapping between these two
> servers. It is, because the main Domain of the second server is B and
> not A like in the first server.
> 
> Is there a way to tell autorid a order of domains? like: "idmap
autorid
> domains = A, B"
> 
> I also read the mail about the new idmapping so i also tried these
> configuration:
> 
>         winbind enum users = yes
>         winbind enum groups = yes
>         allow trusted domains = yes
> 
>         idmap config A : backend     = rid
>         idmap config A : range       = 100000 - 199999
>         idmap config A : base_rid    = 1000
> 
>         idmap config B : backend  = rid
>         idmap config B : range    = 200000 - 299999
>         idmap config B : base_rid = 1000
> 
> With this configuration i get with "winbind -u" all users, but
"getent
> passwd" is still empty.
> 
> And a group group-info shows WBC_ERR_DOMAIN_NOT_FOUND.
> 
> server:/ # wbinfo --group-info A\\marketing
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group A\marketing
> server:/ # wbinfo --group-info B\\marketing
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group B\marketing
> 
> 
> I didn't find any real helpfull logs to get a clue what's wrong
with
> this config. But i think it is the same as in 3.5 and i have to go back
> to 3.4?
> 
> any ideas?
> 
> best regards
> Benedikt