You may need to specify separate idmap sections for each domain, as well
as general settings. Samples of my smb.conf (samba 3.4.x ) are below.
When I was on samba 3.0.x, idmap entries would populate for each domain
in the correct OU. It would use the general idmap range, not domain
specific range (which wasn't a problem.) The problem with samba 3.0.x
is that one the idmap cache expired it would not renew. I moved to
samba 3.4.x which fixed some issue BUT now stuff does not auto
populate. For "trustedomain1" there is only a handful of users, and
that almost never changes so manually adding idmap entries (via an ldap
editor or wbinfo --allocate-uid / --allocate-gid) was OK.
idmap backend=ldap:ldap://ldap1.domain.com
# Next two lines restored to 3.4 - but prob don't need
idmap uid = 70000-79999
idmap gid = 70000-79999
#IDMAP DEFAULT ALLOC
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.domain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=domain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:range = 30000 - 79999
idmap config TRUSTEDOMAIN1:backend = ldap
idmap config TRUSTEDOMAIN1:readonly = no
idmap config TRUSTEDOMAIN1:default=no
idmap config TRUSTEDOMAIN1:ldap_base_dn =
ou=trustedomain1,ou=idmap,o=domain.com
idmap config TRUSTEDOMAIN1:ldap_user_dn = cn=Directory Manager
idmap config TRUSTEDOMAIN1:ldap_url = ldap://domain.ssci.com
idmap config TRUSTEDOMAIN1:range = 40000-45999
idmap config TRUSTEDOMAIN2:backend = ldap
idmap config TRUSTEDOMAIN2:readonly = no
idmap config TRUSTEDOMAIN2:default=no
idmap config TRUSTEDOMAIN2:ldap_base_dn =
ou=trustedomain2,ou=idmap,o=domain.com
idmap config TRUSTEDOMAIN2:ldap_user_dn = cn=Directory Manager
idmap config TRUSTEDOMAIN2:ldap_url = ldap://ldap1.domain.com
idmap config TRUSTEDOMAIN2:range = 30000-39999
My mapped groups (i.e. with both unix id's and well known samba sids)
include the following
Everyone (S-1-1-0) -> Everyone
Creator_Owner (S-1-3-0) -> Creator_Owner
Batch Process (S-1-5-3) -> Batch Process
Authenticated Users (S-1-5-11) -> Authenticated Users
System (S-1-5-18) -> System
Network (S-1-5-2) -> Network
Interactive (S-1-5-4) -> Interactive
Local Service (S-1-5) -> Local Service
I don't have everything working 100%. I need dummy unix accounts for
users from trustedomain1. Users from trusted domains are
authenticating properly with their windows passwords (not the passwords
in the dummy accounts.)
On 10/26/2010 10:08 AM, Alex Crow wrote:
Hi,
I have recently upgraded a system with a Samba BDC, PDC and a couple
of member servers from 3.2.14 to 3.4.9 (and also tested with 3.5.6).
There appears to be some problem with Winbind (we need to run it on
all servers as we have a trust relationship to a domain at another
office).
I have an Idmap range set up in our LDAP database.
With 3.2.14, all worked well. The Idmap ou would be populated with,
and only with, entries for the accounts on the trusted domain.
However, with 3.4.9 and 3.5.6, as soon as a member server is accessed,
spurious entries appear in the Idmap ou from the "own domain". In
addition, other entries are added for local groups (these are not
showing in the screenshot but they are S-1-1-0,S-1-5-11 and S-1-5-2).
On another test domain I get entries like
I have attached a screenshot from an LDAP client to illustrate the
issue. The green box shows the entries I expect (from the trusted
domain). The red boxes show entries that have only appeared since the
upgrade.
I am concerned about this as all the entries for the local domain (dom
sid ends 8426) may be causing access control to stop working correctly
- I have not seen any hard evidence of this so far, but there have
been times we had to restart winbind on the member servers after the
initial startup as no-one could access shares on them.
The trusted domain is the one ending 4828. Please also note the entry
highlighted in red at the bottom. That SID is the one for one of the
newly upgraded member servers (plus -513 for Domain Users). Again I
don't know why that has been added.
Member server smb.conf:
[global]
unix charset = LOCALE
workgroup = CENSORED_domain
netbios name = CENSORED_server
security = DOMAIN
interfaces = eth0, lo
passdb backend = ldapsam:ldap://192.168.1.137
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 1048576
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=censored,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=censored,dc=net
ldap timeout = 20
idmap backend = ldap:ldap://192.168.1.137
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
#winbind cache time = 1200
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
wins server = 192.168.1.137
nt acl support = yes
PDC smb.conf:
[global]
workgroup = CENSORED_domain
netbios name = CENSORED_DC
interfaces = eth0, lo
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 104857
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = yes
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=censored,dc=net
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=manager,dc=censored,dc=net
ldap ssl = no
ldap timeout = 60
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes
map acl inherit = Yes
ea support = Yes
#printing = cups
# printer admin = root
wins support = yes
log level = 1
domain logons = yes
domain master = yes
preferred master = yes
logon drive = H:
#os level = 35
passdb expand explicit = yes
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
enable privileges = Yes
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon home = ""
logon path = ""
Regards
Alex
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
