Bug 609222
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Cannot use idmap_adex to obtain uid and gid from AD, but idmap_ad works | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Kirby Zhou <kirbyzhou> |
| Component | samba3x | Assignee | Andreas Schneider <asn> |
| Status | CLOSED WONTFIX | QA Contact | qe-baseos-daemons |
| Severity | medium | Docs Contact | |
| Priority | low | | |
| Version | 5.5 | CC | asn, azelinka, dpal, ssorce |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-05-11 19:26:02 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Kirby Zhou
2010-06-29 17:18:20 UTC
Is there a feature of idmap_adex you depend on that is not provided by idmap_ad?

For domain trusts / two-way cross-forest trusts. Additionally, by the ad and adex examples, it seems that if I create a domain within a forest, I must modify the smb.conf of each of my samba hosts to reflect the change with idmap_ad, but idmap_adex does not need it.

Do you have DNS properly configured, so that samba can identify the global catalog via DNS SRV lookups?

I set my DNS to the PDC of my domain.

Additionally, an idmap_ad backend system sometimes allocates a uid/gid by itself. For example: I have assigned gid 10001 to 'BUILTIN\Administrator', gid 10000 to 'Domain Users' and assigned no gid to 'BUILTIN\Guests'. But:

```
~]# wbinfo --group-info 'Domain Users'
domain_users:*:10000
~]# wbinfo --group-info 'BUILTIN\Administrators'
BUILTIN\administrators:*:10000
~]# wbinfo --group-info 'BUILTIN\Guests'
BUILTIN\guests:*:10006
```

You can see that domain_users conflicts with BUILTIN\administrators, and BUILTIN\Guests got an invalid gid.

My conf:

```ini
[global]
workgroup = SOHU-RD
template shell = /bin/bash
security = ads
realm = SOHU-RD.COM
password server = RD-DC10.SOHU-RD.COM RD-DC01.SOHU-RD.COM RD-DC02.SOHU-RD.COM
winbind offline logon = true
netbios name = RD-HOME
log file = /var/log/samba/log.%m
max log size = 50
idmap uid = 10000 - 40000
idmap gid = 10000 - 40000
idmap backend = ad
idmap config BUILTIN: backend = ad
idmap config BUILTIN: range = 10000 - 40000
idmap config BUILTIN: schema_mode = rfc2307
idmap config SOHU-RD: backend = ad
idmap config SOHU-RD: range = 10000 - 40000
idmap config SOHU-RD: schema_mode = rfc2307
winbind normalize names = yes
winbind nss info = template
winbind use default domain = yes
wins server = 10.1.160.225
cups options = raw
```

idmap_adex shouldn't be used anymore. You should use the idmap_ad module, define the right 'schema_mode' and set 'winbind nss info'. You shouldn't use ad for BUILTIN: these are local accounts and can't be in AD.

The next thing is that id ranges for the backends shouldn't overlap. idmap_ad isn't able to allocate a uid or gid. There is no allocator code in the module. The config for AD with Unix Extensions should look like this:

```ini
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SOHU-RD: backend = ad
idmap config SOHU-RD: range = 10000-999999
idmap config SOHU-RD: schema_mode = rfc2307
winbind nss info = rfc2307
```

Ranges should never overlap, especially if you use idmap_ad.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Closing WONTFIX based on comment 11.
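The gid collision in the report (Domain Users and BUILTIN\Administrators both resolving to 10000) is what overlapping idmap ranges produce, so a check for it is worth automating. The following is an added example, not code from the bug report or from Samba: it parses the idmap lines of an smb.conf, flags a BUILTIN domain backed by ad, and reports every pair of ranges that share an id. The two sample configurations are constructed here after the reporter's layout and the reply's recommended layout.

```python
import re
from itertools import combinations

# Constructed sample (not copied verbatim from the report): the reporter's idmap layout.
BAD_CONF = """idmap backend = ad
idmap uid = 10000 - 40000
idmap gid = 10000 - 40000
idmap config BUILTIN: backend = ad
idmap config BUILTIN: range = 10000 - 40000
idmap config SOHU-RD: backend = ad
idmap config SOHU-RD: range = 10000 - 40000
"""
# The disjoint layout recommended in the reply: a tdb default range plus one ad domain.
GOOD_CONF = """idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config SOHU-RD: backend = ad
idmap config SOHU-RD: range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap(?: config\s+([^:\s]+)\s*:)?\s*(\w+)\s*=\s*(.+?)\s*$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_idmap(conf):
    """Map domain -> {'backend', 'range'}; the global idmap options land under '*'."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = (m.group(1) or "*").upper(), m.group(2), m.group(3)
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        if key == "backend":
            entry["backend"] = val.lower()
        elif key in ("range", "uid", "gid") and (r := RANGE_RE.match(val)):
            entry["range"] = (int(r.group(1)), int(r.group(2)))
    return domains

def audit_idmap(conf):
    """Sorted findings; [] means all ranges are disjoint and BUILTIN is not AD-backed."""
    domains = parse_idmap(conf)
    findings = []
    if domains.get("BUILTIN", {}).get("backend") == "ad":
        findings.append("BUILTIN: backend ad, but BUILTIN accounts are local, not in AD")
    # A shared id maps two principals to one uid/gid (Domain Users and BUILTIN\Administrators here).
    for (d1, e1), (d2, e2) in combinations(sorted(domains.items()), 2):
        r1, r2 = e1["range"], e2["range"]
        if r1 and r2 and r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"range overlap: {d1} {r1} and {d2} {r2}")
    return sorted(findings)
```

On the reporter's layout the audit reports the AD-backed BUILTIN plus three overlapping pairs; on the recommended layout it reports nothing.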