Hello. I had been successfully using idmap with rid backend through several versions of samba/winbind with a configuration like this: idmap backend = idmap_rid idmap uid = 100000-200000 idmap gid = 100000-200000 Then with Samba 3.0.23 that config essentially quit working, more specifically I was getting very erratic results, basically users from trusted domains where being mapped ontop of the users I wanted mapped from my own domain. That exact same old syntax continued to work fine in 3.0.23 on a server I have that is firewalled off from the other domains. Eventually I figured out that if I went to the new syntax: idmap domains = MYDOMAIN TRUSTEDDOMAIN idmap config MYDOMAIN:backend = rid idmap config MYDOMAIN:range = 100000 - 200000 idmap config TRUSTEDDOMAIN:backend = rid idmap config TRUSTEDSOMAIN:range = 200001 - 300000 Everything works and now I'm even able to successfully use map and use accounts in trusted domains, bravo! Really that is a spectular new feature in my opinion. But I just wanted to mention, at least it was my experience, that if you are joined to a domain that trusts other domains and your smb.conf file is still using the old syntax you'll get erratic results. If there are no trusted domains, or samba/winbind is blocked from the trusted domains by firewalls, then the old syntax still works with the current samba/winbind.
There have been long discusions. Apoligies for not beter documenting it, but this is a nofix bug. The trusted domains in idmap_rid was never sanctioned officially so we have decided not to maintain backwards compatible syntax with it. The supported idmap backedn and official syntax is fine.
Hello Gerald, I read through those extended discussions before creating this bug ticket. I'm not talking about using the syntax that was never officially supported, if you look closely at my bug report you'll see I am specifically talking about using the syntax that was officially supported idmap backend = idmap_rid period. It boils down to this, I can take a winbind prior to 3.0.23, configure it WITH THE OFFICIALLY SUPPORTED SYNTAX, be using it successfully, then upgrade samba/winbind and if the domain I'm joined to trusts other domains WINBIND BREAKS. I can fix it by changing to the new syntax but I think either winbind should be backwards compatible with the prior officially supported syntax or it should be spelled out somewhere, whatsnew.txt, that it isn't. Thank you, Tom Schaefer
Hey Tom, I don't understand this statement: "...basically users from trusted domains where being mapped ontop of the users I wanted mapped from my own domain." idmap_rid without the experimental trusted domain support was for one domain only. That sounds more like you were relying upon undefined brhavior. Please explain.
I'll try and explain better. For example, my orginization has several Windows domains. Lets call them DOMAINA, DOMAINB, DOMAINC. DOMAINA is what we use for just about everything it has accounts for all employees. DOMAINA has 2 way trust relationships with DOMAINSB and DOMAINSC which are small special purpose domains with a handful of special purpose accounts. All I really want to do is let users in DOMAINA log into a Linux box. I could accomplish this prior to 3.0.23 by joining my linux box to DOMAINA and use idmap backend = rid idmap uid = 100000-200000 idmap gid = 100000-200000 getent passwd and getent groups would show me that only users and groups from DOMAINA had been mapped, thats mainly all I wanted anyway, I understood that mapping users from DOMAINB and DOMAINC with rid wasn't an option, so be it. I then upgrade to 3.0.23 without changing my config and suddenly idmap_rid is going out and fetching user lists from all 3 domains DOMAINA, DOMAINB, and DOMAINC and erraticly mapping users on top of each other in the 100000 to 200000 uid range and even creating mappings for users that don't exist, for example say joeuser exists in DOMAINA only, now I might be getting him mapped as DOMAINC\joeuser.
ok. I understand now. Thanks for clarifying.
this was a mistake (maybe) made 10 years ago. can't be made undone. closing bug