Re: [Samba] Mapping SID->UID (and reverse)

2013-01-24 Thread jrmailgate-sa...@yahoo.co.uk
I have a solution!

The problem (where files created in Unix were not being mapped to the domain 
username) was due to a problem in the smb.conf. I had:

    idmap config * : range = 500-99
    idmap config * : backend = nss

But I needed to _also_ have a section for the current domain (CSS):

    idmap config * : range = 500-99
    idmap config * : backend = nss
    idmap config CSS : range = 500-99
    idmap config CSS : backend = nss


With both added, files created on the Unix command line automatically map to 
the domain user in Windows Explorer.

Hope this helps others.

JR


Re: [Samba] Mapping SID->UID (and reverse)

2013-01-22 Thread jrmailgate-sa...@yahoo.co.uk
Hi

Further to my previous mail on this problem, I've found that 
when I connect to the Samba server from a Windows 7 PC, the 
log.winbindd-idmap file reports the following messages:

On opening the file share: \\fs01:

[2013/01/21 11:18:42.474060,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config AD
[2013/01/21 11:18:42.736245,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS


(CSS and AD are both Active Directory domains in the same forest).

When I open the contents of the share and mouse-over a file, the following is 
logged:

[2013/01/21 11:20:20.821208,  4] 
winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/21 11:20:20.823030,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_jsmith
[2013/01/21 11:20:20.823250,  5] 
passdb/pdb_interface.c:1347(pdb_default_uid_to_sid)
  pdb_default_uid_to_sid: Did not find user jsmith (4510)
[2013/01/21 11:20:21.279879,  4] 
winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59


The user jsmith is both a NIS Unix user and a Windows AD user in the CSS 
domain.

When I right-click on the file and select Properties, then select the 
Security tab, I see the list of ACLs listed by SID before they are 
resolved. In the above instance, the user jsmith SID is 
S-1-22-1-4510. A couple of seconds later this is resolved to Unix 
User\jsmith. I've checked that the 4510 in the SID is the same as the 
Unix UID stored in NIS.


If I open the properties of another file and add an ACL entry for user 
CSS\jsmith, the following is logged:

[2013/01/22 11:17:27.030191,  4] 
winbindd/winbindd_dual.c:1549(fork_domain_child)
  child daemon request 59
[2013/01/22 11:17:27.031587,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user jsmith
[2013/01/22 11:17:27.031765,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is jsmith
[2013/01/22 11:17:27.034069,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [jsmith]!
[2013/01/22 11:17:27.034825,  4] 
winbindd/winbindd_dual.c:1557(fork_domain_child)
  Finished processing child request 59


The entry appears in the file properties box correctly (as CSS\jsmith) and 
when I now open the properties of the original file, the file is now 
owned by CSS\jsmith and not Unix User\jsmith. I would like it so that it 
always maps the Unix UID to the CSS domain SID. Is this possible?


Please can someone advise what I'm doing wrong? 


Thanks!!!

JR


This is the output of testparm:

[global]
    workgroup = CSS
    realm = CSS.AD.COMPANYNAME.CO.UK
    server string = Samba %v
    security = ADS
    kerberos method = system keytab
    log file = /var/log/samba/smbd.log
    max log size = 50
    max protocol = SMB2
    unix extensions = No
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    template shell = /bin/bash
    idmap config * : range = 500-99
    idmap config * : backend = nss
    ea support = Yes
    printing = bsd
    print command = lpr -r -P'%p' %s
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
    dfree command = /usr/local/bin/dfree

[zfsshare]
    comment = ZFS share
    path = /testpool/samba
    read only = No
    inherit permissions = Yes
    map archive = No
    map readonly = no
    store dos attributes = Yes
    wide links = Yes
    vfs objects = shadow_copy2, streams_xattr, zfsacl
    zfsacl:acesort = dontcare
    nfs4:mode = special
    nfs4:chown = yes
    nfs4:acedup = merge
    shadow:format = GMT-%Y.%m.%d-%H.%M.%S
    shadow:snapdir = .zfs/snapshot
    shadow:basedir = /testpool/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
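As an added example (not from the thread or the Samba project), the script below cross-checks the "no backend defined for idmap config" messages from log.winbindd-idmap against the `idmap config` stanzas in smb.conf, prints the per-domain lines that the fix in the 2013-01-24 reply adds for CSS, and decodes the S-1-22-1-<uid> "Unix User" SIDs seen in the Security tab. The config and log samples are constructed from the excerpts in this thread; the function names are mine.

```python
import re
# Constructed sample: the idmap lines from the thread's testparm output,
# before the per-domain CSS stanza was added.
SMB_CONF_BEFORE = """
[global]
    workgroup = CSS
    idmap config * : range = 500-99
    idmap config * : backend = nss
"""

# Constructed sample modelled on the log.winbindd-idmap excerpt in the thread.
WINBIND_LOG = """
[2013/01/21 11:18:42.474060,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CSS
[2013/01/21 11:18:42.722730,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2013/01/21 11:18:42.726528,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config AD
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(.+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.M)
NO_BACKEND_RE = re.compile(r"no backend defined for idmap config (.+?)\s*$", re.M)
UNIX_SID_RE = re.compile(r"^S-1-22-([12])-(\d+)$")

def parse_idmap_config(conf):
    """Return {domain: {"backend": ..., "range": ...}} from smb.conf text."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[key] = val
    return cfg

def domains_without_backend(log, conf):
    """Domains winbindd complained about that lack an explicit per-domain backend (log order, deduplicated)."""
    cfg = parse_idmap_config(conf)
    missing = []
    for dom in NO_BACKEND_RE.findall(log):
        if dom not in missing and "backend" not in cfg.get(dom, {}):
            missing.append(dom)
    return missing

def suggested_stanza(domain, conf):
    """Copy the default ('*') idmap settings into a per-domain stanza, as the thread's fix did for CSS."""
    default = parse_idmap_config(conf).get("*", {})
    return [f"idmap config {domain} : {k} = {default[k]}" for k in ("range", "backend") if k in default]

def classify_sid(sid):
    """Samba shows unmapped POSIX ids as S-1-22-1-<uid> (Unix User) or S-1-22-2-<gid> (Unix Group)."""
    m = UNIX_SID_RE.match(sid)
    if not m:
        return ("domain", None)
    return ("Unix User" if m.group(1) == "1" else "Unix Group", int(m.group(2)))
```

Feed it the real `testparm -s` output and the live log to see which named domains still fall through to the `*` default; the thread only needed the CSS stanza, so treat the other names as a checklist rather than something to add blindly.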


[Samba] Mapping SID->UID (and reverse)

2013-01-16 Thread jrmailgate-sa...@yahoo.co.uk
Hi

I have a new Samba 3.6.10 server running on Solaris 10.

The server is a member of the local Active Directory (which I'll call DOMAIN 
in this email). Unix username resolution is via NIS. All domain users have NIS 
usernames as well. Winbind is running to allow SMBD to perform SID->UID mapping 
and I have set up idmap_nss. I am not using winbind in /etc/nsswitch.conf as NIS 
performs that function already.

The issue:


If I create a file or ACL through Windows for user jack, the security tab ACL 
appears as DOMAIN\jack.

If I add a file or filesystem ACL through Unix for user jill, the Windows 
security tab shows the ACL as Unix User\jill.

However, if I later add a file, or ACL to a file, through Windows for user 
jill, the Windows security tab now reports the ACL as DOMAIN\jill. Files 
that previously reported Unix User\jill now correctly report DOMAIN\jill.


So it would appear that Winbind is performing and storing the SID->UID mapping 
when an ACL is *set* through Samba, but it is not storing the mapping (or 
performing a UID->SID mapping) when performing a *read* of existing Unix file 
ownership or ACLs.

Is this by design, a bug, or have I made a mistake somewhere?

I would like it so that if a file or ACL is created on a file through Unix, 
then Samba will automatically map this to the domain SID. Can this be done?

Thanks for any help!

JR