Linux, Windows AD domain, and IDs

Norbert Schuehler nschuehler-F76l3niPtDrUp2yKEfVny0EOCMrvLtNR at public.gmane.org
Tue Dec 7 13:32:36 EST 2010


Hi Scott, 

I seem to remember that the idmap_rid as used by Samba is unique and correlated with your AD SID but not identical (not as a whole or portion).  I thought idmap only ensures that you have a unique uid/gid pair generated which is used throughout your Samba installs, but that this idmap_rid differs from your SID.  All this is from memory, so I advise checking the facts :)

I repeated your test on two of my file servers and I get identical results, but they have nothing in common with my AD SID.

File Server 1:
getent passwd nschuehler
nschuehler:*:23760:20513:Norbert Schuehler:<PATH TO HOME>/nschuehler:/bin/false

File Server 2:
getent passwd nschuehler
nschuehler:*:23760:20513:Norbert Schuehler:/<PATH TO HOME>/nschuehler:/bin/false


-----Original Message-----
From: Scott Ehrlich [mailto:srehrlich-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org] 
Sent: Monday, December 06, 2010 6:04 PM
To: Norbert Schuehler
Cc: discuss-mNDKBlG2WHs at public.gmane.org
Subject: Re: Linux, Windows AD domain, and IDs

On Mon, Dec 6, 2010 at 9:39 AM, Norbert Schuehler <nschuehler-F76l3niPtDrUp2yKEfVny0EOCMrvLtNR at public.gmane.org> wrote:
> Hi Scott,
>
> here is my smb.conf.  With this I get the same UID on the local boxes for all my AD accounts.
>
> ns
>
> ---------
> # Use the ADs RIDs to create unique Unix uids which are the same on all file servers
>        idmap backend = idmap_rid:<Your Kerberos Realm>=20000-1000000
>        idmap uid = 20000-1000000
>        idmap gid = 20000-1000000
>        winbind use default domain = yes
>        winbind enum users = no
>        winbind enum groups = no
>        winbind nested groups = yes
> ---------

I spent about an hour or two playing with various configurations and
options of idmap and winbind. Along the way, some testing revealed:

getent passwd my_ad_account returned almost all appropriate values, but the uid and gid were both 10000, clearly not correct.

wbinfo -n my_ad_account returned my correct sid (I think that was the wbinfo syntax used.  In any event, whatever syntax I used for me returned the correct sid).

So we know the system can see me - I just need the uid to be accurate.

As an update, I need the uid to return the numeric portion of my ad_account username, so if I am se123456, I need the uid to return 123456, thus getent passwd would show se123456:x:123456:blah....

Thanks.

Scott
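The following is an added worked example, not code from either poster or from the Samba project. It models what the idmap_rid backend in the quoted smb.conf does: Samba's idmap_rid documentation gives the mapping as ID = RID - BASE_RID + LOW_RANGE_ID, where LOW_RANGE_ID is the bottom of the configured range (20000 in the config above) and BASE_RID defaults to 0. The script applies that formula in both directions, checks that the two `getent passwd` lines quoted above agree on uid and gid, and recovers the RID each Unix id was derived from. The SID value used is a constructed placeholder; the `RidRange` class, `sid_rid`, `parse_getent`, `ids_consistent` and `explain_entry` are names chosen here, not Samba APIs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two getent lines quoted in the thread above.
GETENT_SERVER1 = "nschuehler:*:23760:20513:Norbert Schuehler:<PATH TO HOME>/nschuehler:/bin/false"
GETENT_SERVER2 = "nschuehler:*:23760:20513:Norbert Schuehler:/<PATH TO HOME>/nschuehler:/bin/false"

# Constructed placeholder SID; only the trailing RID (3760) matters for idmap_rid.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-3760"

# A domain SID is S-1-5-21-<three sub-authorities>-<RID>; capture the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


@dataclass(frozen=True)
class RidRange:
    """Mirrors 'idmap uid/gid = low-high' plus the idmap_rid base_rid option."""
    low: int
    high: int
    base_rid: int = 0  # Samba's idmap_rid default

    def rid_to_id(self, rid: int) -> Optional[int]:
        """ID = RID - BASE_RID + LOW_RANGE_ID; None if it falls outside the range
        (idmap_rid refuses to map RIDs that would land outside low..high)."""
        unix_id = rid - self.base_rid + self.low
        if unix_id < self.low or unix_id > self.high:
            return None
        return unix_id

    def id_to_rid(self, unix_id: int) -> Optional[int]:
        """Inverse mapping: which RID produced this uid/gid under this range."""
        if unix_id < self.low or unix_id > self.high:
            return None
        return unix_id - self.low + self.base_rid


def sid_rid(sid: str) -> int:
    """Extract the RID (last component) from a domain SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(m.group(1))


def parse_getent(line: str) -> dict:
    """Split one 'getent passwd' line into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 passwd fields, got {len(fields)}: {line!r}")
    return {"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
            "gecos": fields[4], "home": fields[5], "shell": fields[6]}


def ids_consistent(lines) -> bool:
    """True when every server reports the same uid and gid for the account,
    which is what a shared idmap_rid range is supposed to guarantee."""
    entries = [parse_getent(l) for l in lines]
    first = entries[0]
    return all(e["name"] == first["name"] and e["uid"] == first["uid"]
               and e["gid"] == first["gid"] for e in entries)


def explain_entry(line: str, rng: RidRange) -> dict:
    """Show which RIDs the uid and gid of a getent line were derived from."""
    e = parse_getent(line)
    return {"name": e["name"], "uid": e["uid"], "gid": e["gid"],
            "uid_rid": rng.id_to_rid(e["uid"]), "gid_rid": rng.id_to_rid(e["gid"])}


if __name__ == "__main__":
    rng = RidRange(low=20000, high=1000000)  # from the quoted smb.conf
    print("SID", SAMPLE_SID, "-> uid", rng.rid_to_id(sid_rid(SAMPLE_SID)))
    print("servers agree:", ids_consistent([GETENT_SERVER1, GETENT_SERVER2]))
    print(explain_entry(GETENT_SERVER1, rng))
    print("RID outside range:", rng.rid_to_id(990000))
```

Run against the quoted output, the script reports that uid 23760 corresponds to RID 3760 and gid 20513 to RID 513 (the well-known Domain Users RID), so the ids are not arbitrary: they are the account's RID plus the range offset, which is why both servers agree without any shared database. Two points follow for operators: the same range must be configured identically on every server, or the same SID will map to different uids, and a RID beyond the range (the last print) gets no mapping at all, which shows up as a failed lookup rather than a wrong id.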
