On Sat, 21 Oct 2017 08:50:06 +0000
Andreas Hauffe via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I have two member servers, both with Samba 4.6.7. I'm using winbind
> for NSS and PAM. One of the member servers is exporting an NFS4 mount
> which the other member server is mounting. For users with a
> rid-mapped uid below some value everything works fine. If the uid is
> above this value the group permissions are not evaluated and I'm
> getting a permission denied if a folder or file is only accessible by
> group membership. I haven't evaluated the value exactly but it is
> below 100000. The problem is that there are RIDs above 100000. Is
> there a known limit for the uid?
>
> The resolv.conf, nsswitch.conf and krb5.conf are taken from the wiki
> and just the domains are replaced.
>
> smb.conf
>
> [global]
> security = ADS
> workgroup = SUBDOM
> realm = SUBDOM.DOM.EXAMPLE.DE
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> template homedir = /home/%D/%U
> template shell = /bin/bash
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config SUBDOM : backend = rid
> idmap config SUBDOM : range = 1000000-2000000 # UID from RID for SUBDOM
> idmap config DOM : backend = rid
> idmap config DOM : range = 3000000-4000000 # UID from RID for DOM
>
> If I'm changing the range of SUBDOM to 10000-20000 and the uid of the
> user is in this range everything works fine. This does not happen
> using SSSD with large UIDs, that's why I'm asking if I did something
> wrong connected to winbind. SSSD has other shortcomings.
>
> Regards
> Andreas
>
I think we need more info here:
is there a two way trust between SUBDOM and DOM ?
You say that it works if 'the uid of the user is in this range'
The 'uid' will be set from either 'idmap config SUBDOM' or 'idmap
config DOM' by this formula:
ID = RID + LOW_RANGE_ID
Which equates to:
SUBDOM_ID = RID + 1000000
And
DOM_ID = RID + 3000000
If you use the same smb.conf on all Unix domain members, you should get
the same IDs on all Unix domain members.
By default, Windows RIDs start at 1000, so if a user connects from
SUBDOM with the RID 9999, the user will get the ID 1009999, this is
well within the 1000000-2000000 range.
If the user is from DOM, again with the RID 9999, this user will get the
ID 3009999, again within the 3000000-4000000 range.
As you can see, there should be no problem with large IDs.
What group are you using?
What is the OS and how have you set up PAM?
Rowland
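The rid-backend arithmetic Rowland describes (ID = RID + LOW_RANGE_ID), applied to the idmap lines quoted in the thread, as an added example that is not part of the thread and not Samba's own code; it parses the `idmap config` lines out of an smb.conf fragment (a constructed sample below), maps a (domain, RID) to an ID, maps an ID back to its domain and RID, and treats a result outside the configured range as unmapped.

```python
import re

# Matches "idmap config <domain> : backend|range = <value>", ignoring trailing comments.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>[^#\n]+)",
    re.IGNORECASE | re.MULTILINE)

def parse_idmap(smb_conf):
    """Return {DOMAIN: {'backend': str, 'low': int, 'high': int}} from smb.conf text."""
    domains = {}
    for m in IDMAP_RE.finditer(smb_conf):
        entry = domains.setdefault(m.group("dom").upper(), {})
        val = m.group("val").strip()
        if m.group("key").lower() == "backend":
            entry["backend"] = val
        else:
            entry["low"], entry["high"] = (int(x) for x in val.split("-"))
    return domains

def rid_to_id(domains, dom, rid):
    """ID = RID + LOW_RANGE_ID; None if the domain is not rid-mapped or the ID leaves its range."""
    entry = domains.get(dom.upper())
    if not entry or entry.get("backend") != "rid":
        return None
    uid = rid + entry["low"]
    return uid if entry["low"] <= uid <= entry["high"] else None

def id_to_rid(domains, uid):
    """Reverse lookup: (domain, RID) for an ID inside a rid-mapped range, else None."""
    for dom, entry in domains.items():
        if entry.get("backend") == "rid" and entry["low"] <= uid <= entry["high"]:
            return dom, uid - entry["low"]
    return None

# Constructed sample mirroring the idmap lines from the quoted smb.conf.
SAMPLE_SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SUBDOM: backend = rid
idmap config SUBDOM: range = 1000000-2000000 # UID from RID for SUBDOM
idmap config DOM : backend = rid
idmap config DOM : range = 3000000-4000000 # UID from RID for DOM
"""

if __name__ == "__main__":
    d = parse_idmap(SAMPLE_SMB_CONF)
    print(rid_to_id(d, "SUBDOM", 9999), id_to_rid(d, 3009999))  # 1009999 ('DOM', 9999)
```

Comparing the computed ID with what `wbinfo -i` or `id` returns on each member server is a quick way to confirm both servers map a given RID to the same number.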