Bug 5210 - smb.conf rid syntax not backwards compatible if trusted domains
Summary: smb.conf rid syntax not backwards compatible if trusted domains
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Config Files
Version: unspecified
Hardware: All Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-17 10:47 UTC by Tom Schaefer
Modified: 2018-12-09 17:32 UTC
See Also:


Description Tom Schaefer 2008-01-17 10:47:36 UTC
Hello.  I had been successfully using idmap with rid backend through several versions of samba/winbind with a configuration like this:

idmap backend = idmap_rid
idmap uid = 100000-200000
idmap gid = 100000-200000

Then with Samba 3.0.23 that config essentially quit working; more specifically, I was getting very erratic results: basically users from trusted domains were being mapped on top of the users I wanted mapped from my own domain.

That exact same old syntax continued to work fine in 3.0.23 on a server I have that is firewalled off from the other domains.

Eventually I figured out that if I went to the new syntax:

idmap domains = MYDOMAIN TRUSTEDDOMAIN
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 100000 - 200000
idmap config TRUSTEDDOMAIN:backend = rid
idmap config TRUSTEDDOMAIN:range = 200001 - 300000

Everything works and now I'm even able to successfully map and use accounts in trusted domains, bravo!  Really that is a spectacular new feature in my opinion.

But I just wanted to mention, at least it was my experience, that if you are joined to a domain that trusts other domains and your smb.conf file is still using the old syntax you'll get erratic results.  If there are no trusted domains, or samba/winbind is blocked from the trusted domains by firewalls, then the old syntax still works with the current samba/winbind.
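The failure the reporter describes (two domains mapped into one UID/GID range) can be caught before winbind ever runs. The following is an added example, not part of the bug report or of Samba: it parses the per-domain `idmap config DOMAIN:range` lines from an smb.conf fragment, reports any domains whose ranges overlap, and flags the legacy `idmap backend`/`idmap uid`/`idmap gid` syntax. The sample configuration is constructed from the reporter's own example.

```python
import re
from itertools import combinations

# Constructed sample smb.conf fragment using the per-domain syntax from the bug report
# (domain names and ranges are the reporter's placeholders, not a real deployment).
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   idmap domains = MYDOMAIN TRUSTEDDOMAIN
   idmap config MYDOMAIN:backend = rid
   idmap config MYDOMAIN:range = 100000 - 200000
   idmap config TRUSTEDDOMAIN:backend = rid
   idmap config TRUSTEDDOMAIN:range = 200001 - 300000
"""

# 'idmap config DOMAIN : key = value' (Samba tolerates whitespace around the colon)
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# the pre-3.0.23 single-domain syntax the report says no longer behaves with trusts
LEGACY_RE = re.compile(r"^\s*idmap\s+(backend|uid|gid)\s*=", re.I)

def parse_idmap_config(text):
    """Return {DOMAIN: {key: value}} for every 'idmap config DOMAIN:key' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[key] = value
    return domains

def parse_range(value):
    """'100000 - 200000' -> (100000, 200000); raises ValueError if malformed or inverted."""
    low, high = (int(x) for x in value.split("-"))
    if low > high:
        raise ValueError(f"low > high in range {value!r}")
    return low, high

def overlapping_ranges(text):
    """Pairs of domains whose ID ranges overlap. An overlap means two different SIDs
    can land on the same UID/GID, which is exactly the symptom in the report."""
    ranges = {d: parse_range(c["range"]) for d, c in parse_idmap_config(text).items() if "range" in c}
    clashes = []
    for (da, (la, ha)), (db, (lb, hb)) in combinations(sorted(ranges.items()), 2):
        if la <= hb and lb <= ha:          # closed intervals intersect
            clashes.append((da, db))
    return clashes

def uses_legacy_syntax(text):
    """True if the fragment still relies on 'idmap backend' / 'idmap uid' / 'idmap gid'."""
    return any(LEGACY_RE.match(line) for line in text.splitlines())
```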
Comment 1 Gerald (Jerry) Carter (dead mail address) 2008-01-17 11:12:24 UTC
There have been long discussions.  Apologies for not better documenting it, but this is a nofix bug.  The trusted domains in idmap_rid was never sanctioned officially so we have decided not to maintain backwards compatible syntax with it.  The supported idmap backend and official syntax is fine.
Comment 2 Tom Schaefer 2008-01-17 12:18:32 UTC
Hello Gerald,

I read through those extended discussions before creating this bug ticket.

I'm not talking about using the syntax that was never officially supported; if you look closely at my bug report you'll see I am specifically talking about using the syntax that was officially supported: idmap backend = idmap_rid, period.

It boils down to this: I can take a winbind prior to 3.0.23, configure it WITH THE OFFICIALLY SUPPORTED SYNTAX, be using it successfully, then upgrade samba/winbind, and if the domain I'm joined to trusts other domains WINBIND BREAKS.  I can fix it by changing to the new syntax, but I think either winbind should be backwards compatible with the prior officially supported syntax or it should be spelled out somewhere, whatsnew.txt, that it isn't.

Thank you,
Tom Schaefer
Comment 3 Gerald (Jerry) Carter (dead mail address) 2008-01-17 12:23:18 UTC
Hey Tom,

I don't understand this statement:

  "...basically users from trusted domains were
   being mapped on top of the users I wanted mapped from
   my own domain."

idmap_rid without the experimental trusted domain support was for
one domain only.  That sounds more like you were relying upon undefined
behavior.  Please explain.
Comment 4 Tom Schaefer 2008-01-17 13:01:25 UTC
I'll try and explain better.  For example, my organization has several Windows domains.  Let's call them DOMAINA, DOMAINB, DOMAINC.

DOMAINA is what we use for just about everything; it has accounts for all employees.  DOMAINA has 2-way trust relationships with DOMAINB and DOMAINC, which are small special-purpose domains with a handful of special-purpose accounts.

All I really want to do is let users in DOMAINA log into a Linux box.  I could accomplish this prior to 3.0.23 by joining my Linux box to DOMAINA and using

idmap backend = rid
idmap uid = 100000-200000
idmap gid = 100000-200000

getent passwd and getent group would show me that only users and groups from DOMAINA had been mapped; that's mainly all I wanted anyway.  I understood that mapping users from DOMAINB and DOMAINC with rid wasn't an option, so be it.

I then upgrade to 3.0.23 without changing my config and suddenly idmap_rid is going out and fetching user lists from all 3 domains, DOMAINA, DOMAINB, and DOMAINC, and erratically mapping users on top of each other in the 100000 to 200000 uid range, and even creating mappings for users that don't exist; for example, say joeuser exists in DOMAINA only, now I might be getting him mapped as DOMAINC\joeuser.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2008-01-17 13:04:36 UTC
OK.  I understand now.  Thanks for clarifying.
Comment 6 Björn Jacke 2018-12-09 17:32:59 UTC
This was a mistake (maybe) made 10 years ago. It can't be undone. Closing bug.