Hi Brian,

the id mapping configuration has changed (again) between 3.2 and 3.3.
The "idmap domains" setting has vanished.

Could you try and use the id mapping config from your 3.0 setup, i.e.
simply this

> idmap backend = rid:KPAK=500-100000000
> idmap uid = 500-100000000
> idmap gid = 500-100000000

instead of this:

> idmap domains = default, domain.utah.edu
> idmap config default: default = yes
> idmap config domain.utah.edu: range = 500-100000000
> idmap config domain.utah.edu: backend = ad
> idmap alloc backend = tdb
> idmap uid = 500-100000000
> idmap gid = 500-100000000

Er, btw, can it be that "KPAK" should actually read "DOMAIN" in the
first section? ;-)

Then, for debugging, please paste the output of

  wbinfo -n DOMAIN+gregorcy

It should list the sid of gregorcy. I expect the rid to be 2433.

What I think happened is that your 3.5 config fell back to tdb id
mapping because the domain "DOMAIN" did not match the domain name
"domain.utah.edu" that you gave in the idmap config...

The recommended setting would be to have a tdb backend default idmap
range and explicit and disjoint ranges with rid backend for various
domains, like this:

  idmap backend = tdb
  idmap uid = 100000-199999
  idmap gid = 100000-199999
  idmap config DOMAIN : backend = rid
  idmap config DOMAIN : range = 200000-299999

(see man idmap_rid)

But you should not change your config in that way if you are updating
a production server, since it would change the uids/gids that users
are accessing the disk with, and so permissions and ownerships would
be broken.

Hope this helps,
Michael

gregorcy wrote:
> Hi,
>
> I am hoping someone can point out what I am doing wrong. I am
> upgrading samba from 3.0.37 to 3.5.6 and running into trouble with
> idmapping using ADS security. I have multiple linux boxes running
> 3.0.37 and when I execute getent passwd I get:
>
> # getent passwd DOMAIN+gregorcy
> gregorcy:*:2933:1013:Brian Gregorcy:/home/DOMAIN/gregorcy:/bin/bash
>
> on all the boxes running 3.0.37.
>
> On my new box running 3.5.6 I get:
>
> # getent passwd DOMAIN+gregorcy
> gregorcy:*:502:506::/home/DOMAIN/gregorcy:/bin/bash
>
> Which is not what I had hoped for. Both machines are joined to my
> domain and allow me to ssh into them using my AD cred, just the uid
> & gid are not lining up.
>
> My 3.0.37 smb.conf
>
> [global]
>   workgroup = DOMAIN
>   netbios name = harley
>   realm = DOMAIN.UTAH.EDU
>   server string = harley
>   security = ADS
>   preferred master = no
>   client use spnego = yes
>   server signing = auto
>   encrypt passwords = yes
>   nt acl support = yes
>   acl map full control = yes
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   template shell = /bin/false
>   password server = *
>   log level = 3
>   log file = /var/log/samba/%m
>   max log size = 100
>   preferred master = No
>   dns proxy = No
>   wins server = 192.168.1.100 192.168.1.101
>   winbind cache time = 0
>   winbind nested groups = yes
>   allow trusted domains = No
>   idmap backend = rid:KPAK=500-100000000
>   idmap uid = 500-100000000
>   idmap gid = 500-100000000
>   template shell = /bin/bash
>   winbind use default domain = Yes
>   winbind separator = +
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind use default domain = yes
>   obey pam restrictions = yes
>
> My 3.5.6 smb.conf
>
> [global]
>   workgroup = DOMAIN
>   netbios name = vwww3
>   realm = DOMAIN.UTAH.EDU
>   server string = web3
>   security = ADS
>   preferred master = no
>   client use spnego = yes
>   server signing = auto
>   encrypt passwords = yes
>   nt acl support = yes
>   acl map full control = yes
>   wide links = no
>   password server = *
>   log level = 3
>   log file = /var/log/samba/%m
>   max log size = 100
>   wins server = 192.168.1.100 192.168.1.101
>   winbind offline logon = yes
>   idmap domains = default, domain.utah.edu
>   idmap config default: default = yes
>   idmap config domain.utah.edu: range = 500-100000000
>   idmap config domain.utah.edu: backend = ad
>   idmap alloc backend = tdb
>   idmap uid = 500-100000000
>   idmap gid = 500-100000000
>   winbind separator = +
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
>   winbind nested groups = yes
>   client ntlmv2 auth = yes
>   encrypt passwords = yes
>   template shell = /bin/bash
>   allow trusted domains = yes
>
> Thanks for any help,
> Brian Gregorcy
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
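The arithmetic behind Michael's diagnosis, as an added model that is neither Samba's code nor from either mail: it parses the idmap lines of an smb.conf fragment, checks that the default range and the per-domain ranges are disjoint, and resolves a SID the way idmap_rid does (uid = LOW_RANGE_ID + RID, per man idmap_rid) or, when the domain key does not match, the way a fresh tdb allocator would. The domain SID is constructed; the RID 2433 and the ranges are the ones from the thread.

```python
import re

# Constructed smb.conf fragments: RECOMMENDED is the layout Michael suggests;
# MISMATCHED mirrors the 3.5.6 config, keyed by the DNS name rather than DOMAIN.
RECOMMENDED = """
idmap backend = tdb
idmap uid = 100000-199999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 200000-299999
"""
MISMATCHED = """
idmap uid = 500-100000000
idmap config domain.utah.edu: backend = ad
idmap config domain.utah.edu: range = 500-100000000
"""
DOMAIN_SIDS = {"S-1-5-21-1000-2000-3000": "DOMAIN"}  # constructed domain SID
GREGORCY = "S-1-5-21-1000-2000-3000-2433"            # RID 2433, as in the thread

def parse_idmap(conf):
    """Collect the default range/backend and per-domain 'idmap config' entries."""
    cfg = {"DEFAULT": {"backend": "tdb"}}
    pat = r"\s*idmap (?:config\s+([^:]+?)\s*:\s*)?(backend|range|uid)\s*=\s*(.+)"
    for m in (re.match(pat, line) for line in conf.splitlines()):
        if m:
            dom, key, val = (m.group(1) or "default").upper(), m.group(2), m.group(3).strip()
            key = "range" if key == "uid" else key        # 'idmap uid' is the default range
            cfg.setdefault(dom, {})[key] = tuple(map(int, val.split("-"))) if key == "range" else val
    return cfg

def ranges_disjoint(cfg):
    """Michael's rule: the default range and every per-domain range must not overlap."""
    rs = sorted(d["range"] for d in cfg.values() if "range" in d)
    return all(a[1] < b[0] for a, b in zip(rs, rs[1:]))

class Winbind:
    """idmap_rid: uid = LOW_RANGE_ID + RID (man idmap_rid). A SID whose domain has no
    matching entry goes to the default backend; tdb hands out the next free id in the
    default range (assumes a fresh tdb, so the first lookup gets the lowest id)."""
    def __init__(self, cfg, domain_sids):
        self.cfg, self.domain_sids, self.alloc = cfg, domain_sids, {}
        self.next_free = cfg["DEFAULT"]["range"][0]

    def map_sid(self, sid):
        dom_sid, rid = sid.rsplit("-", 1)
        dcfg = self.cfg.get(self.domain_sids.get(dom_sid))
        if dcfg and dcfg.get("backend") == "rid":
            lo, hi = dcfg["range"]
            uid = lo + int(rid)
            return (uid, "rid") if uid <= hi else (None, "rid:out-of-range")
        if sid not in self.alloc:                         # tdb: allocate once, remember
            self.alloc[sid] = self.next_free
            self.next_free += 1
        return self.alloc[sid], "tdb"
```

Feeding the old 3.0-style range (500-100000000, rid backend for DOMAIN) through the same model gives 500 + 2433 = 2933, the uid Brian sees on the 3.0.37 boxes.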