Greetings samba community,

I am running samba version: Version 3.5.11-79. fc14. Trying to join linux servers to the windows 2003 domain by running winbind and smb. I have configured the following smb.conf file which worked but can't seem to understand why the uid is different from the windows side when the windows side has already mapped some kind of uid to the sid.

If I were to log into this machine from another linux box and run the command 'id' I get the uid of 1000. When I try to run this command wbinfo -n flo on the member server, I get some other number:

    [root@moe samba]# wbinfo -n flo
    S-1-5-21-344340502-4252695000-2390403120-1236058 SID_USER (1)

    # from a linux client machine after logging onto the server which joined the domain
    -bash-4.1$ id
    uid=1000(flo) gid=1000(domain users) groups=1000(domain users),

What do these numbers mean? And does it have to match the number that has been setup for me on the windows side? Am I still missing some parameters on my configuration?

I was able to have this server join our internal windows network as a member and was able to log into this server with my windows credential instead of my nis credential.

I don't understand how "idmap uid=range values" vs "idmap config AD : range = range values"

By omitting this "idmap config AD : range = range values" from my configuration, I am able to gain access to this server which join the windows domain from another linux machine. If I left it uncomment in my configuration, I can't seem to login to this machine.

Freeman

    [global]
    workgroup = ad
    password server = server1,server2,server3
    realm = myDomain.com
    security = ads
    allow trusted domains = no
    disable netbios = yes

    # this doesn't seem to work for some reason
    # i am trying to use idmap_ad
    # idmap backend = ad
    idmap backend = tdb
    idmap uid = 1000-5000000
    idmap gid = 1000-5000000

    idmap config AD : default = yes
    idmap config AD : cache time = 180
    idmap config AD : backend = ad
    # idmap config AD : range = 100001-200000
    idmap config AD : schema_mode = rfc2307

    template shell = /bin/bash
    template homedir = /mnt/%D/home/%U
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind offline logon = yes
    winbind nested groups = yes
    encrypt passwords = yes
    obey pam restrictions = yes
    unix password sync = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    domain master = no
    local master = no

On Tue, 2011-11-22 at 16:47 -0500, Freeman wrote:

[SNIP]

> # this doesn't seem to work for some reason
> # i am trying to use idmap_ad
> # idmap backend = ad
> idmap backend = tdb
> idmap uid = 1000-5000000
> idmap gid = 1000-5000000
>
> idmap config AD : default = yes
> idmap config AD : cache time = 180
> idmap config AD : backend = ad
> # idmap config AD : range = 100001-200000
> idmap config AD : schema_mode = rfc2307
>
>

Your problem is the id ranges for the tdb and ad backends overlap. I am not sure exactly why this is a problem, but the basics are it don't work if they do. Fix that, and restart everything and it will all start magically working.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

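
The range overlap described in the reply above can be checked mechanically. This is an added example, not part of the thread or of Samba: a Python check that reads the idmap range settings from smb.conf text and reports default and per-domain ranges that intersect. The function names are assumptions made for this example, and the sample is a constructed excerpt of the posted configuration with the `range` line enabled.

```python
import re

# Constructed excerpt: idmap lines of the posted smb.conf with the
# commented-out "range" line enabled, the case in which logins failed.
SMB_CONF = """\
[global]
idmap backend = tdb
idmap uid = 1000-5000000
idmap gid = 1000-5000000
idmap config AD : backend = ad
idmap config AD : range = 100001-200000
"""

DEFAULT_KEY = re.compile(r"^idmap\s+(uid|gid)$", re.I)
DOMAIN_KEY = re.compile(r"^idmap\s+config\s+(.+?)\s*:\s*range$", re.I)
ID_RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_idmap_ranges(text):
    """Map each range owner ('default uid', 'domain AD', ...) to (low, high)."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = (part.strip() for part in line.split("=", 1))
        span = ID_RANGE.match(value)
        default, domain = DEFAULT_KEY.match(key), DOMAIN_KEY.match(key)
        if not span or not (default or domain):
            continue  # not an idmap range parameter
        if default:
            owner = "default " + default.group(1).lower()
        else:
            owner = "domain " + domain.group(1)
        ranges[owner] = (int(span.group(1)), int(span.group(2)))
    return ranges

def find_overlaps(ranges):
    """Return owner pairs whose ID ranges intersect (uid vs gid is ignored)."""
    items = sorted(ranges.items())
    hits = []
    for i, (a, (a_lo, a_hi)) in enumerate(items):
        for b, (b_lo, b_hi) in items[i + 1:]:
            if a.startswith("default") and b.startswith("default"):
                continue  # uid and gid are separate number spaces
            if a_lo <= b_hi and b_lo <= a_hi:
                hits.append((a, b))
    return hits
```

With the `range` line commented out, as in the configuration that was posted, no per-domain range is parsed and the check reports nothing.
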
TAKAHASHI Motonobu
2011-Nov-23 11:59 UTC
[Samba] ADS Domain Member smb.conf using idmap_ad
From: Freeman <flo at email.unc.edu>
Date: Tue, 22 Nov 2011 16:47:01 -0500

> Greetings samba community,
>
> I am running samba version: Version 3.5.11-79. fc14. Trying to join
> linux servers to the windows 2003 domain by running winbind and smb. I
> have configured the following smb.conf file which worked but can't seem
> to understand why the uid is different from the windows side when the
> windows side has already mapped some kind of uid to the sid.

(snip)

> By omitting this "idmap config AD : range = range values" from my
> configuration, i am able to gain access to this server which join the
> windows domain from another linux machine. If i left it uncomment in my
> configuration, i can't seem to login to this machine.

(snip)

> [global]
> workgroup = ad
> password server = server1,server2,server3
> realm = myDomain.com
> security = ads
> allow trusted domains = no
> disable netbios = yes
>
> # this doesn't seem to work for some reason
> # i am trying to use idmap_ad
> # idmap backend = ad
> idmap backend = tdb
> idmap uid = 1000-5000000
> idmap gid = 1000-5000000
>
> idmap config AD : default = yes
> idmap config AD : cache time = 180
> idmap config AD : backend = ad
> # idmap config AD : range = 100001-200000
> idmap config AD : schema_mode = rfc2307

Have you already set values into "UNIX attributes" for every user you want to "activate" under Winbind? Setting "idmap backend = ad", uid/gid and some other values are gotten from those in "UNIX attributes".

> If i were to log into this machine from another linux box and run the
> command 'id' i get the uid of 1000. When i try to run this command
> wbinfo -n flo on the member server, i get some other number:
>
> [root@moe samba]# wbinfo -n flo
> S-1-5-21-344340502-4252695000-2390403120-1236058 SID_USER (1)

uid/gid does not have anything to do with SID/RID. If you want to keep some relationship between RID and uid, use idmap_rid(8) instead.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
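
The RID-to-uid relationship that idmap_rid provides, mentioned in the reply above, worked through for the SID shown in the thread. This is an added example, not code from the thread or from Samba: it applies the formula given in the idmap_rid(8) manual page, ID = RID - BASE_RID + LOW_RANGE_ID. The function names and the 2000000-3999999 range are assumptions made for this example.

```python
# SID as printed by "wbinfo -n flo" in the thread.
SID = "S-1-5-21-344340502-4252695000-2390403120-1236058"


def split_sid(sid):
    """Split a SID string into (domain SID, RID); the RID is the last field."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(sid, low, high, base_rid=0):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8) formula).

    Returns None when the result falls outside the configured range,
    i.e. the range is too small to hold this account.
    """
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_sid(domain_sid, unix_id, low, high, base_rid=0):
    """Inverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id + base_rid - low}"


if __name__ == "__main__":
    domain_sid, rid = split_sid(SID)
    print("RID:", rid)
    # The range from the thread's commented-out line cannot hold this RID.
    print("100001-200000   ->", rid_to_unix_id(SID, 100001, 200000))
    # Constructed wider range for illustration.
    print("2000000-3999999 ->", rid_to_unix_id(SID, 2000000, 3999999))
```

Under idmap_ad, by contrast, the uid is whatever is stored in the account's "UNIX attributes", so a uid of 1000 next to a RID of 1236058 is not a contradiction.
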