samba - Nov 2011 - ADS Domain Member smb.conf using idmap_ad

Greetings samba community,

I am running samba version: Version 3.5.11-79. fc14. Trying to join 
linux servers to the windows 2003 domain by running winbind and smb.  I 
have configured the following smb.conf file which worked but can't seem 
to understand why the uid is different from the windows side when the 
windows side has already mapped some kind of uid to the sid.

If i were to log into this machine from another linux box and run the 
command 'id' i get the uid of 1000. When i try to run this command 
wbinfo -n flo on the member server, i get some other number:

[root at moe samba]# wbinfo -n flo
S-1-5-21-344340502-4252695000-2390403120-1236058 SID_USER (1)

# from a linux client machine after logging onto the server which joined 
the domain
-bash-4.1$ id
uid=1000(flo) gid=1000(domain users) groups=1000(domain users),

what do these numbers mean ? and does it have to match the number that 
has been setup for me on the windows side ? Am i still missing some 
parameters on my configuration ?

i was able to have this server join our internal windows network as a 
member and was able to log into this server with my windows credential 
instead of my nis credential.

i don't understand how "idmap uid=range values" vs   "idmap
config AD :
range = range values"
By omitting this "idmap config AD : range = range values" from my 
configuration, i am able to gain access to this server which join the 
windows domain from another linux machine. If i left it uncomment in my 
configuration, i can't seem to login to this machine.

Freeman

[global]
    workgroup = ad
    password server = server1,server2,server3
    realm = myDomain.com
    security = ads
    allow trusted domains = no
    disable netbios = yes

# this doesn't seem to work for some reason
# i am trying to use idmap_ad
#   idmap backend = ad
    idmap backend = tdb
    idmap uid = 1000-5000000
    idmap gid = 1000-5000000

    idmap config AD : default = yes
    idmap config AD : cache time = 180
    idmap config AD : backend  = ad
    # idmap config AD : range = 100001-200000
    idmap config AD : schema_mode = rfc2307


    template shell = /bin/bash
    template homedir = /mnt/%D/home/%U
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind offline logon = yes
    winbind nested groups = yes
    encrypt passwords = yes
    obey pam restrictions = yes
    unix password sync = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    domain master = no
    local master = no

On Tue, 2011-11-22 at 16:47 -0500, Freeman wrote:

[SNIP]
> # this doesn't seem to work for some reason
> # i am trying to use idmap_ad
> #   idmap backend = ad
>     idmap backend = tdb
>     idmap uid = 1000-5000000
>     idmap gid = 1000-5000000
> 
>     idmap config AD : default = yes
>     idmap config AD : cache time = 180
>     idmap config AD : backend  = ad
>     # idmap config AD : range = 100001-200000
>     idmap config AD : schema_mode = rfc2307
> 
> 
Your problem is the id ranges for the tdb and ad backends overlap. I am
not sure exactly why this is a problem, but the basics are it don't work
if they do. Fix that, and restart everything and it will all start
magically working.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

From: Freeman <flo at email.unc.edu>
Date: Tue, 22 Nov 2011 16:47:01 -0500
> Greetings samba community,
> 
> I am running samba version: Version 3.5.11-79. fc14. Trying to join 
> linux servers to the windows 2003 domain by running winbind and smb.  I 
> have configured the following smb.conf file which worked but can't seem
> to understand why the uid is different from the windows side when the 
> windows side has already mapped some kind of uid to the sid.
(snip)
> By omitting this "idmap config AD : range = range values" from my
> configuration, i am able to gain access to this server which join the 
> windows domain from another linux machine. If i left it uncomment in my 
> configuration, i can't seem to login to this machine.
(snip)
> [global]
>     workgroup = ad
>     password server = server1,server2,server3
>     realm = myDomain.com
>     security = ads
>     allow trusted domains = no
>     disable netbios = yes
> 
> # this doesn't seem to work for some reason
> # i am trying to use idmap_ad
> #   idmap backend = ad
>     idmap backend = tdb
>     idmap uid = 1000-5000000
>     idmap gid = 1000-5000000
> 
>     idmap config AD : default = yes
>     idmap config AD : cache time = 180
>     idmap config AD : backend  = ad
>     # idmap config AD : range = 100001-200000
>     idmap config AD : schema_mode = rfc2307
Have you already set values into "UNIX attributes" for every user you
want to "activate" under Winbind.

Setting "idmap backend = ad", uid/gid and some other values are gotten
from those in "UNIX attributes".
> If i were to log into this machine from another linux box and run the 
> command 'id' i get the uid of 1000. When i try to run this command 
> wbinfo -n flo on the member server, i get some other number:
> 
> [root at moe samba]# wbinfo -n flo
> S-1-5-21-344340502-4252695000-2390403120-1236058 SID_USER (1)
uid/gid does not have nothing to do with SID/RID.

If you want to keep some relationship between RID and uid, use
idmap_rid(8) instead.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>