I have two Samba 3.6.24 domain controllers (Solaris 10.) On all machines unix accounts and groups are in the LDAP as well as idmap entries for trusted domains. Samba accounts on domain controllers are in LDAP so there is a problem with consistency of unix/windows id and group mapping on the domain controllers. The domain controllers are the main file servers as well.

I am configuring a new member server, also Samba 3.6.4 (Solaris 11.) On the member server, I have joined the domain. When accessing a shared directory from a Windows 7 machine as a regular user, I can only access files that I am the owner of. Group is ignored. The Security properties of files (from Windows) show users and groups as "Unix User\myname" and "Unix Group\mygroup."

Winbind is running on both the domain controller and the member server. The "wbinfo -u" and "wbinfo -g" commands show the users and groups. This machine does not need to support trusted domains. It looks like I need some sort of IDMapping. Since I have unix accounts in the LDAP backend I was trying to configure idmap_nss.

    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : range = 100-300

wbinfo correctly translates between names and SIDs:

    :/# wbinfo -n myname
    S-1-5-21-xxxxx-xxxxx-xxxxx-1234 SID_USER (1)
    :/# S-1-5-21-xxxxx-xxxxx-xxxxx-1234
    MYDOMAIN\myname 1
    /#

however any translation between SID (or name) and unix uidNumber fails:

    /# wbinfo -S S-1-5-21-xxxxx-xxxxx-xxxxx-1234
    failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not convert sid S-1-5-21-xxxxx-xxxxx-xxxxx-1234 to uid
    /#

Member servers have always been problematic no matter what I try (ldap backed, idmap_nss, idmap_rid, winbind trusted domains only = yes) and on Solaris and Linux samba machines of various versions.

I also tried

    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 100-300
    idmap config MYDOMAIN : base_rid = 0

but no luck.

idmap_nss support is enabled:

    # smbd -b | grep idmap_nss
    pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_wbc auth_server auth_domain auth_builtin vfs_default vfs_solarisacl
    # smbd -b | grep idmap_rid
    idmap_rid_init

Any idea what I am missing?

Thanks
On 17/12/14 23:01, Gaiseric Vandal wrote:
> I have two Samba 3.6.24 domain controllers (Solaris 10.) On all
> machines unix accounts and groups are in the LDAP as well as idmap
> entries for trusted domains.
> [...]
> Any idea what I am missing?
>
> Thanks

Hi
Does your ldap schema allow for unix uid and gid numbers to be stored in user entries and for gid numbers for group entries?

It's the only way for domain consistency we have ever found.
HTH,
Steve
On 17/12/14 22:01, Gaiseric Vandal wrote:
> I have two Samba 3.6.24 domain controllers (Solaris 10.) On all
> machines unix accounts and groups are in the LDAP as well as idmap
> entries for trusted domains.
> [...]
> I also tried
>
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 100-300
> idmap config MYDOMAIN : base_rid = 0
>
> but no luck.

Not surprised really, the rid is calculated using this formula:

ID = RID - BASE_RID + LOW_RANGE_ID.

So, using the info you posted above:

ID = 1234 - 0 + 100

Which becomes:

ID = 1334

There is your problem, the ID number is larger than the high range you set in smb.conf, try adding a couple of zeros to the range, i.e. change 100-300 to 100-30000

Rowland
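To make Rowland's arithmetic checkable for any domain, range or base_rid, here is an added Python script (not code from the thread or from Samba) that parses an smb.conf idmap fragment, pulls the RID out of a SID and applies ID = RID - BASE_RID + LOW_RANGE_ID, flagging results that fall outside the configured range; the config text and the SID are constructed.

```python
"""idmap_rid arithmetic check (added example, not code from the thread).
Applies ID = RID - BASE_RID + LOW_RANGE_ID, the formula Rowland quotes, to a
SID under an smb.conf idmap range and reports whether the result fits the
range. The config text and the SID are constructed."""
import re

# Constructed smb.conf fragment: the range from the thread, then the suggested fix.
SMB_CONF_ORIGINAL = """
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 100-300
idmap config MYDOMAIN : base_rid = 0
"""
SMB_CONF_FIXED = SMB_CONF_ORIGINAL.replace("100-300", "100-30000")

# Constructed SID; only the final sub-authority (the RID, 1234) matters here.
SAMPLE_SID = "S-1-5-21-111-222-333-1234"

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap_config(text):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val' lines."""
    conf = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            conf.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return conf

def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1234."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError("not a SID: %r" % sid)
    return int(sid.rsplit("-", 1)[1])

def rid_to_id(sid, domain_conf):
    """Compute the unix id idmap_rid would assign and whether it is inside 'range'."""
    low, high = (int(x) for x in domain_conf["range"].split("-"))
    base_rid = int(domain_conf.get("base_rid", "0"))
    unix_id = rid_from_sid(sid) - base_rid + low
    # winbind only hands out ids inside the configured (inclusive) range;
    # a result outside it means the SID gets no unix id at all.
    return unix_id, low <= unix_id <= high

if __name__ == "__main__":
    for label, text in (("original", SMB_CONF_ORIGINAL), ("fixed", SMB_CONF_FIXED)):
        unix_id, ok = rid_to_id(SAMPLE_SID, parse_idmap_config(text)["MYDOMAIN"])
        print("%s range: %s -> id %d (%s)" % (label, SAMPLE_SID, unix_id,
                                               "in range" if ok else "OUT OF RANGE"))
```

Run against the poster's 100-300 range the SID maps to 1334 and is rejected; with 100-30000 the same id is accepted.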
I think IDMAP_RID would not be the appropriate solution for me. Not only do I want consistent IDMapping across all servers - which this could do - but I want them to match the existing unix uidNumber in LDAP.

Thanks for your help.

On 12/18/14 04:29, Rowland Penny wrote:
> On 17/12/14 22:01, Gaiseric Vandal wrote:
>> [...]
>> I also tried
>>
>> idmap config MYDOMAIN : backend = rid
>> idmap config MYDOMAIN : range = 100-300
>> idmap config MYDOMAIN : base_rid = 0
>>
>> but no luck.
>
> Not surprised really, the rid is calculated using this formula:
>
> ID = RID - BASE_RID + LOW_RANGE_ID.
> [...]
> There is your problem, the ID number is larger than the high range you
> set in smb.conf, try adding a couple of zeros to the range, i.e.
> change 100-300 to 100-30000
>
> Rowland
Yes, each user's ldap entry stores the unix UID and uidNumber (as well as other unix attributes), as well as the samba SID and other samba attributes. I have to support Windows clients and unix NFS/LDAP clients. So this works great with domain controllers. But I didn't want to make every single samba server a domain controller.

I had tried on some machines configuring them as member servers BUT using the LDAP backend for idmapping - but with no luck. I don't think I tried configuring "security=server" in smb.conf BUT also specifying "domain logons = no" and "domain master = no".

On some of the Linux Samba member servers, even without winbind, samba would figure out the correct access for windows users and groups. The logs would show that "SAMBA\someuser" is connecting, and the domain is unknown, so just treat "SAMBA\someuser" as the unix "someuser" in terms of file system permissions. Users could not manage permissions via Windows but as long as the top level directory had the correct group owner, everything worked fine (mostly) - these servers are typically set up to support a small group of people working on the same project.

With my Solaris member server, however, the group mapping does not work out.

I also have found that on my Solaris PDC, with users from trusted domains, the group membership seems to be ignored for trusted users. That is to say, if TRUSTEDUSER\jsmith is in the local "Sales" group on the server, he still can NOT access directories accessible to "Sales." It used to work. It may be some recent upgrade that broke that.

Thanks for your help.

On 12/18/14 02:25, steve wrote:
> On 17/12/14 23:01, Gaiseric Vandal wrote:
>> [...]
> Hi
> Does your ldap schema allow for unix uid and gid numbers to be stored
> in user entries and for gid numbers for group entries?
>
> It's the only way for domain consistency we have ever found.
> HTH,
> Steve