On 26/10/10 16:32, Gaiseric Vandal wrote:
> You may need to specify separate idmap sections for each domain, as well as general settings. Samples of my smb.conf (samba 3.4.x) are below.
>
> When I was on samba 3.0.x, idmap entries would populate for each domain in the correct OU. It would use the general idmap range, not the domain-specific range (which wasn't a problem). The problem with samba 3.0.x is that once the idmap cache expired it would not renew. I moved to samba 3.4.x, which fixed some issues, BUT now stuff does not auto-populate. For "trustedomain1" there is only a handful of users, and that almost never changes, so manually adding idmap entries (via an LDAP editor or wbinfo --allocate-uid / --allocate-gid) was OK.

Strange - I have the opposite problem, in that I get my Idmap OU populated but also "contaminated" with stuff that should not be there (because it is in the LDAP db and is in the local domain). However, to get the population to work at all I had to remove the gencache.tdb and winbind_cache.tdb (and the old idmap_cache.tdb) files before starting samba and winbind.

I /do/ get my trusted domain working OK. From what you say, you are having to add Idmap entries by hand, which in my situation would be completely impractical (500 accounts in one of the domains; it's a bidirectional trust). Perhaps you could try removing the cache files.

I have tried adding this to my config files on a test 3.5.6 domain:

idmap config TESTDOM1 : backend = nss
idmap config TESTDOM1 : range = 500-9999

This seems to help stop the entries for accounts already in the LDAP db being put into Idmap, but I am not sure if I should reduce the lower boundary to "0", as I still get entries added for widely known SIDs as soon as a client connects to a share on the member server:

dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10028
sambaSID: S-1-1-0
structuralObjectClass: sambaSidEntry
entryUUID: b7a12d38-7565-102f-938a-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z

dn: sambaSID=S-1-5-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10029
sambaSID: S-1-5-2
structuralObjectClass: sambaSidEntry
entryUUID: b7a30e6e-7565-102f-938b-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026155911Z
entryCSN: 20101026155911Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026155911Z

And even odder entries like this, which do not match any "widely known SIDs":

dn: sambaSID=S-1-22-2-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10032
sambaSID: S-1-22-2-0
structuralObjectClass: sambaSidEntry
entryUUID: f93738b4-7565-102f-938e-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000001#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-1,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10033
sambaSID: S-1-22-2-1
structuralObjectClass: sambaSidEntry
entryUUID: f937bfb4-7565-102f-938f-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000003#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10034
sambaSID: S-1-22-2-2
structuralObjectClass: sambaSidEntry
entryUUID: f93828d2-7565-102f-9390-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000005#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-3,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10035
sambaSID: S-1-22-2-3
structuralObjectClass: sambaSidEntry
entryUUID: f9389114-7565-102f-9391-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000007#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-4,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10036
sambaSID: S-1-22-2-4
structuralObjectClass: sambaSidEntry
entryUUID: f9390388-7565-102f-9392-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#000009#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-6,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10037
sambaSID: S-1-22-2-6
structuralObjectClass: sambaSidEntry
entryUUID: f9399cd0-7565-102f-9393-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000b#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10
structuralObjectClass: sambaSidEntry
entryUUID: f93a2952-7565-102f-9394-0b1afbda8e53
creatorsName: cn=Manager,dc=testdom1,dc=net
createTimestamp: 20101026160101Z
entryCSN: 20101026160101Z#00000d#00#000000
modifiersName: cn=Manager,dc=testdom1,dc=net
modifyTimestamp: 20101026160101Z

I really think there is some breakage here!

Cheers

Alex
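The entries Alex pasted are not random: S-1-1-0 is the well-known "Everyone" SID, S-1-5-2 is NT AUTHORITY\NETWORK, and S-1-22-2-N is Samba's internal "Unix Groups" SID authority (S-1-22-1-N is "Unix Users"), i.e. a local gid N re-expressed as a SID and then handed back to the idmap allocator. The script below is an added example, not code from the thread or from the Samba project: it reads an LDIF export of the Idmap OU and flags mappings that a clean OU should not contain (well-known SIDs, S-1-22-* Unix SIDs, SIDs of the local domain whose uid/gidNumber already live on the user/group entry, and IDs outside the configured range for their domain). The sample LDIF is constructed from three of the posted entries plus two made-up entries; the domain SID prefixes, the TRUSTEDDOM name and the idmap ranges are assumptions, so substitute your own from `net getlocalsid` and smb.conf.

```python
"""Audit a dump of ou=Idmap for entries that should not be there.

Added example (not from the thread or from Samba): given an LDIF export of the
Idmap OU and the idmap ranges from smb.conf, report mappings for well-known
SIDs, Samba's internal Unix SIDs (S-1-22-*), SIDs of the local domain, and
uid/gidNumbers that fall outside the range configured for their domain.
"""
import re

# Constructed sample: three entries from the thread (attributes trimmed to the
# ones the audit needs) plus a hypothetical local-domain group and a
# hypothetical trusted-domain user.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-1-0,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10028
sambaSID: S-1-1-0

dn: sambaSID=S-1-5-2,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10029
sambaSID: S-1-5-2

dn: sambaSID=S-1-22-2-10,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10038
sambaSID: S-1-22-2-10

dn: sambaSID=S-1-5-21-444-555-666-513,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 10030
sambaSID: S-1-5-21-444-555-666-513

dn: sambaSID=S-1-5-21-111-222-333-1105,ou=Idmap,dc=testdom1,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 20005
sambaSID: S-1-5-21-111-222-333-1105
"""

# Assumed domain SID prefixes and idmap ranges (same shape as the
# "idmap config DOM : range = lo-hi" lines in the thread).
DOMAIN_SIDS = {"TESTDOM1": "S-1-5-21-444-555-666",   # local domain (assumed)
               "TRUSTEDDOM": "S-1-5-21-111-222-333"}  # trusted domain (assumed)
LOCAL_DOMAIN = "TESTDOM1"
IDMAP_RANGES = {"*": (10000, 19999), "TRUSTEDDOM": (20000, 29999)}

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
              "S-1-5-11": "Authenticated Users"}
UNIX_SID_RE = re.compile(r"^S-1-22-([12])-(\d+)$")  # Samba Unix Users/Groups


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            attr, value = line.split(":", 1)
            rec.setdefault(attr.strip(), []).append(value.strip())
        records.append(rec)
    return records


def domain_of(sid):
    """Name of the configured domain whose SID prefix matches, else None."""
    for name, prefix in DOMAIN_SIDS.items():
        if sid.startswith(prefix + "-"):
            return name
    return None


def audit(ldif_text):
    """Return (sid, reason) pairs for entries a clean Idmap OU should not hold."""
    findings = []
    for rec in parse_ldif(ldif_text):
        sid = rec.get("sambaSID", [None])[0]
        if sid is None:
            continue
        if sid in WELL_KNOWN:
            findings.append((sid, "well-known SID (%s)" % WELL_KNOWN[sid]))
            continue
        m = UNIX_SID_RE.match(sid)
        if m:
            kind = "Unix Users uid" if m.group(1) == "1" else "Unix Groups gid"
            findings.append((sid, "Samba internal %s %s" % (kind, m.group(2))))
            continue
        dom = domain_of(sid)
        if dom == LOCAL_DOMAIN:
            findings.append((sid, "local domain SID; id belongs on the user/group entry"))
            continue
        idnum = int((rec.get("uidNumber") or rec.get("gidNumber") or ["-1"])[0])
        lo, hi = IDMAP_RANGES.get(dom, IDMAP_RANGES["*"])
        if not lo <= idnum <= hi:
            findings.append((sid, "id %d outside range %d-%d for %s" % (idnum, lo, hi, dom)))
    return findings


if __name__ == "__main__":
    for sid, why in audit(SAMPLE_LDIF):
        print(sid, "->", why)
```

Run it against `ldapsearch -x -b ou=Idmap,dc=testdom1,dc=net -LLL` output; everything it reports is either an entry winbind should never have allocated or one that will collide with an existing uid/gidNumber on a user or group object.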

