Hi Guys,

I have a problem getting id mapping to work as it should. My setup is as follows: Samba 3.0.22 on Debian Sarge 3.1. I've got SFU 3.5 installed on a W2K3 DC with SP1. I'm using winbindd in "idmap proxy only" mode. Here's my generic smb.conf:

[global]
  workgroup = METADS
  # not the real realm, of course
  realm = META.XXX.XX
  security = ADS
  server string = %h server (Samba %v)
  wins support = no
  wins proxy = no
  wins server = nbns
  dns proxy = no
  name resolve order = wins bcast
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog only = no
  syslog = 0
  loglevel = 3 passdb:5 auth:5 winbind:10 idmap:10
  panic action = /usr/share/samba/panic-action %d
  unix charset = ISO8859-1
  display charset = ISO8859-1
  load printers = no
  encrypt passwords = true
  preferred master = no
  enable privileges = yes

  idmap uid = 30000-40000
  idmap gid = 30000-40000
  idmap backend = ad
  winbind nss info = template sfu
  winbind use default domain = yes
  winbind nested groups = yes
  template shell = /bin/bash

[profiles]
  path = /var/profiles
  browseable = no
  read only = no
  create mask = 0600
  directory mode = 0700
  profile acls = yes
  csc policy = disable
  force user = %U

[homes]
  comment = Home Directories
  path = /home/%U
  browseable = no
  writable = yes
  create mask = 0600
  directory mask = 0700
#   root preexec = /usr/sbin/mkhomedir %U %G

[server]
  comment = Test Share
  path = /var/server
  browseable = yes
  read only = no
  create mask = 0660
  directory mode = 0770

Ok, let's get to the point. Winbind -u/g returns all the user and group information out of the AD as expected. Getent passwd/group works fine also. I have access to the shares and can view the ownership/rights via the security tab in windoof. Doing a "chown dmg" (this group exists only in AD!!) is also possible. But if I do a "ls -la" I only get the gidNumber (6000) of this group!! The same happens to the owner of the file, for example Administrator with uidNumber (37). I tried to get around this problem using "idmap uid = 999-1000" and "idmap gid = 999-1000" as a workaround described in bug 3289, but this doesn't fix my problem.

Here is some debugging output:

test:/var/server# ls -la
total 3
drwxrwx---   3 6340 6000 1024 May 23 17:01 .
drwxr-xr-x  17 root root 1024 May 16 11:12 ..
drwxrwx---   3   37 6000 1024 May 24 08:49 test

winbind output:

[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: getgrgid 6000

Doing a "chown administrator.dmg test/" gives:

[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: getgrgid 6000
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: getgroups root
[ 2113]: lookupname METADS\root
string_to_sid: Sid S-0-0 is not in a valid format.
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: getpwnam administrator.dmg
[ 2113]: lookupname METADS\administrator.dmg
rpc: name_to_sid name=METADS\administrator.dmg
name_to_sid [rpc] administrator.dmg for domain METADS
[    0]: getpwnam administrator
[ 2113]: lookupname METADS\administrator
rpc: name_to_sid name=METADS\administrator
name_to_sid [rpc] administrator for domain METADS
[ 2113]: lookupsid S-1-5-21-2857693109-2026923775-3634067142-500
ads: query_user
ads query_user gave Administrator
[ 2113]: lookupsid S-1-5-21-2857693109-2026923775-3634067142-500
[ 2113]: sid to uid S-1-5-21-2857693109-2026923775-3634067142-500
Connected to LDAP server 10.33.8.108
got ldap server name [EMAIL PROTECTED], using bind path: dc=META,dc=XXX,dc=XX
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 30 May 2006 19:17:30 CEST
ad_idmap_get_id_from_sid mapped SID [S-1-5-21-2857693109-2026923775-3634067142-500] to POSIX UID 37
[    0]: getgrnam dmg
rpc: name_to_sid name=METADS\dmg
name_to_sid [rpc] dmg for domain METADS
No nmbd found   "Ok, only winbind is running!"
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=111)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got [EMAIL PROTECTED]
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Tue, 30 May 2006 19:17:30 CEST
rpc_pipe_bind: Remote machine EWT-MASTER pipe \lsarpc fnum 0xc00a bind request returned ok.
Got challenge flags:
Got NTLMSSP neg_flags=0x62890235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080235
lsa_io_sec_qos: length c does not match size 8
Connected to LDAP server 10.33.x.xxx
got ldap server name [EMAIL PROTECTED], using bind path: dc=META,dc=XXX,dc=XX
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 30 May 2006 19:17:30 CEST
ads lookup_groupmem for sid=S-1-5-21-2857693109-2026923775-3634067142-1366

And a wbinfo -s S-1-5-21-2857693109-2026923775-3634067142-1366 gives:

test:/var/server# wbinfo -s S-1-5-21-2857693109-2026923775-3634067142-1366
METADS\dmg 2

As you can see, the conversion sid to gid works! I've also tried playing with the idmapping ranges, but no go.

test:/var/server# getent passwd administrator
administrator:x:37:6000:Administrator:/home/Administrator:/bin/bash

This information is also correct (the Unix attributes are set for Administrator).

Please, could someone shed some light on this strange behaviour?

Regards, Tom
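A check worth running first on a setup like this one, as an added example and not code from the original post: whether the numeric ids that ls shows (37, 6000, 6340) lie inside the configured idmap ranges (30000-40000). The 3.0-series winbindd refuses getpwuid/getgrgid requests for ids outside those ranges before it consults AD, so such ids stay numeric even when the name-to-id direction works. The smb.conf fragment and the ls lines are constructed from the values quoted in the post.

```python
"""Added example (not from the original post): report numeric owner/group ids
from `ls -l` output that fall outside the `idmap uid`/`idmap gid` ranges in
smb.conf.  Both inputs below are constructed from the values in the post."""
import re

SMB_CONF = """\
[global]
  idmap uid = 30000-40000
  idmap gid = 30000-40000
  idmap backend = ad
"""

LS_OUTPUT = """\
drwxrwx---   3 6340 6000 1024 May 23 17:01 .
drwxr-xr-x  17 root root 1024 May 16 11:12 ..
drwxrwx---   3   37 6000 1024 May 24 08:49 test
"""

RANGE_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)[ \t]*$", re.M)


def parse_idmap_ranges(conf):
    """Return {'uid': (low, high), 'gid': (low, high)} from smb.conf text."""
    return {kind: (int(lo), int(hi)) for kind, lo, hi in RANGE_RE.findall(conf)}


def unresolved_ids(ls_text, ranges):
    """For every purely numeric owner/group field in `ls -l` output, record
    (path, 'uid'|'gid', id, in_range); fields that resolved to a name are skipped."""
    findings = []
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # 'total N' or a malformed line
        owner, group, path = fields[2], fields[3], fields[-1]
        for kind, value in (("uid", owner), ("gid", group)):
            if not value.isdigit():
                continue  # NSS resolved it; nothing to report
            low, high = ranges[kind]
            findings.append((path, kind, int(value), low <= int(value) <= high))
    return findings


if __name__ == "__main__":
    for path, kind, value, ok in unresolved_ids(LS_OUTPUT, parse_idmap_ranges(SMB_CONF)):
        status = "inside idmap range" if ok else "OUTSIDE idmap range: winbindd will not map it"
        print(f"{path}: {kind} {value} {status}")
```

Run against real output by replacing the two constants with the contents of your smb.conf and `ls -ln` of the share.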
