From: Gaiseric Vandal on 23 Jun 2010 15:10

Which samba version?

I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and
gids to users and groups from trusted domain (at least to Windows 2003
domains in mixed mode.) When I switched to a Samba 3.4.x PDC the
allocation of new uids and gids broke. I suspect there is some
configuration change in smb.conf I needed to make that was not obvious
(to me) in the documentation.

I have an ldap backend- but temporarily changing to a TDB backend
didn't help.

I worked around this by manually allocating uids and gids. With ldap
you can do this with an ldap editor. But you can also use the wbinfo
command to manually create uid-to-sid or gid-to-sid mappings with ldap
or tdb backend.

It isn't really a long term solution but fortunately account
additions/deletions are minimal where I work.

I did have idmap entries in smb.conf for each domain I wanted to trust,
in addition to the entries you listed.

On 06/23/2010 02:24 PM, Rob Moser wrote:
> I have a problem where I can't browse to a samba share from Windows
> (Server 2008); instead I get the error:
>
>     The group name could not be found
>
> The winbind log contains the message:
>
>     could not convert gid 507 to sid
>
> Suspecting a permissions problem, I went and looked at the files and the
> group ownership has been set to BUILTIN\guests, which is not what I
> want. So I try to chgrp them to the domain group:
>
>     chgrp -R 'dss users' /file
>     chgrp: invalid group `dss users'
>
> But I know that that is the domain group that I want:
>
>     wbinfo -g | grep dss
>     dss users
>
>     wbinfo -n 'dss users'
>     S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
>
> But winbind apparently cannot resolve it to a gid:
>
>     wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
>     Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
>     to gid
>
> My nsswitch.conf file does list winbind for users and groups. My
> smb.conf file contains (in part, obviously):
>
>     idmap alloc backend = tdb
>     idmap alloc config:range = 10000 - 4000000
>     idmap uid = 10000 - 4000000
>     idmap gid = 10000 - 4000000
>
>     winbind enum users = no
>     winbind enum groups = no
>     winbind nested groups = yes
>     winbind use default domain = yes
>
> So it is using a default domain (the correct one; I checked) and I'm not
> just running out of gids. My various /var/log/samba/log.* files contain
> almost exactly nothing from the time of the transaction.
>
> Any help appreciated,
>
> - rob.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Rob Moser on 23 Jun 2010 16:00

I've had the problem with various versions of 3.3.x - most recently
3.3.8 and 3.3.12. I have an older machine running 3.2.8 which works fine
using essentially an identical smb.conf file. My smb.conf file also has
the idmap entries for each trusted domain, with non-overlapping id ranges.

I did see the manual mapping option in wbinfo, but we have a fairly
dynamic user base, so manual configuration didn't seem viable. Thanks
for your help though! Hopefully someone can tell us both how to get the
automatic mapping working...

- rob.

On 06/23/2010 12:04 PM, Gaiseric Vandal wrote:
> Which samba version?
>
> I had Samba 3.0.x on Solaris 10, and winbind able to allocate uids and
> gids to users and groups from trusted domain (at least to Windows 2003
> domains in mixed mode.) When I switched to a Samba 3.4.x PDC the
> allocation of new uids and gids broke. I suspect there is some
> configuration change in smb.conf I needed to make that was not obvious
> (to me) in the documentation.
>
> I have an ldap backend- but temporarily changing to a TDB backend
> didn't help.
>
> I worked around this by manually allocating uids and gids. With ldap
> you can do this with an ldap editor. But you can also use the wbinfo
> command to manually create uid-to-sid or gid-to-sid mappings with ldap
> or tdb backend.
>
> It isn't really a long term solution but fortunately account
> additions/deletions are minimal where I work.
>
> I did have idmap entries in smb.conf for each domain I wanted to trust,
> in addition to the entries you listed.
>
> On 06/23/2010 02:24 PM, Rob Moser wrote:
>
>> I have a problem where I can't browse to a samba share from Windows
>> (Server 2008); instead I get the error:
>>
>>     The group name could not be found
>>
>> The winbind log contains the message:
>>
>>     could not convert gid 507 to sid
>>
>> Suspecting a permissions problem, I went and looked at the files and the
>> group ownership has been set to BUILTIN\guests, which is not what I
>> want. So I try to chgrp them to the domain group:
>>
>>     chgrp -R 'dss users' /file
>>     chgrp: invalid group `dss users'
>>
>> But I know that that is the domain group that I want:
>>
>>     wbinfo -g | grep dss
>>     dss users
>>
>>     wbinfo -n 'dss users'
>>     S-1-5-21-2129867641-1992771036-1243820751-107019 Domain Group (2)
>>
>> But winbind apparently cannot resolve it to a gid:
>>
>>     wbinfo -Y S-1-5-21-2129867641-1992771036-1243820751-107019
>>     Could not convert sid S-1-5-21-2129867641-1992771036-1243820751-107019
>>     to gid
>>
>> My nsswitch.conf file does list winbind for users and groups. My
>> smb.conf file contains (in part, obviously):
>>
>>     idmap alloc backend = tdb
>>     idmap alloc config:range = 10000 - 4000000
>>     idmap uid = 10000 - 4000000
>>     idmap gid = 10000 - 4000000
>>
>>     winbind enum users = no
>>     winbind enum groups = no
>>     winbind nested groups = yes
>>     winbind use default domain = yes
>>
>> So it is using a default domain (the correct one; I checked) and I'm not
>> just running out of gids. My various /var/log/samba/log.* files contain
>> almost exactly nothing from the time of the transaction.
>>
>> Any help appreciated,
>>
>> - rob.
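
Added example, not part of either post: a small offline check that parses the idmap range lines from an smb.conf fragment, tests whether an id seen in a winbind log line (here gid 507) lies inside the configured range, and lists per-domain ranges that overlap. The four idmap lines are the ones quoted in the thread; the two `idmap config` lines and the domain names TRUSTA and TRUSTB are hypothetical.

```python
import re

# Constructed sample: the first four lines are quoted in the thread; the two
# "idmap config" lines and their domain names are hypothetical.
SMB_CONF = """
idmap alloc backend = tdb
idmap alloc config:range = 10000 - 4000000
idmap uid = 10000 - 4000000
idmap gid = 10000 - 4000000
idmap config TRUSTA:range = 5000000 - 5999999
idmap config TRUSTB:range = 5500000 - 6499999
"""

# Matches only idmap parameters whose value is "<low> - <high>".
RANGE_RE = re.compile(r"^\s*(idmap [^=]*?)\s*=\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_ranges(text):
    """Return {parameter name: (low, high)} for every idmap range line."""
    ranges = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def in_range(ranges, key, unix_id):
    """True if unix_id falls inside the range configured under key."""
    low, high = ranges[key]
    return low <= unix_id <= high


def overlapping_domains(ranges):
    """Return pairs of per-domain 'idmap config' ranges that overlap."""
    doms = sorted((k, v) for k, v in ranges.items()
                  if k.startswith("idmap config "))
    pairs = []
    for i, (a, (alo, ahi)) in enumerate(doms):
        for b, (blo, bhi) in doms[i + 1:]:
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    # gid taken from the winbind log line quoted in the thread
    print("gid 507 inside 'idmap gid':", in_range(r, "idmap gid", 507))
    print("overlapping domain ranges:", overlapping_domains(r))
```
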