How To Set Up A Basic idmap_rid Backend on SLES 11 SP 2

This document (7016070) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12

Situation

After reviewing TID 7007006, some users have desired additional assistance in setting up a basic idmap_rid backend. This TID will identify the basic steps to accomplish this. The Windows Server used is Windows 2008 R2. Identity Management for UNIX has not been installed, nor has an NIS domain been setup (they aren't required--unlike an idmap_ad setup).

Resolution

The following are the basic steps, initially followed to setup an idmap_rid backend on SLES 11. Later this was also successfully repeated on SLES 12 SP2.

The first step is to make sure that time is in sync for the Linux server and the Windows server. This issue cannot be overemphasized.
Edit the /etc/resolv.conf file on the Linux server and include a 'nameserver ip.addr.of.srvr' entry that points the SLES' DNS resolver to the Active Directory (AD) server -- or to the server that contains the DNS information for the AD server.
From the Linux server launch 'yast2 samba-client', otherwise known as the Windows Domain Membership plugin (if browsing the YaST gui).
- After the domain/workgroup is verified, change the "Domain or Workgroup" field to the netbios name of your domain.
- Check the box "Also Use SMB Information for Linux Authentication"
- If desired, check other options (such as creating the home directory on login)*
- Click OK, and authenticate to the AD server.
*SIDE NOTE: Users logging in from windows will not trigger the pam authentication event necessary to create the home directory on login. The login must be done via ssh, locally, or in some other method where pam is utilized. However, a script can be executed during a samba login to accomplish this for windows logins as specified at the following URL:

https://lists.samba.org/archive/samba/2005-June/106958.html
Edit the /etc/samba/smb.conf on the Linux server. Under the [global] section do the following:
- Make sure the "workgroup =" contains the netbios name of the domain as specified under the WINDOWS DOMAIN MEMBERSHIP plugin as mentioned in the previous step
- Make sure "realm = " is set to the domain name (this should have been already completed by the plugin. If not, rerun the plugin)
- Security should be set to ADS (should have been done already)--other options are also valid (IE security = domain)
- Remove the deprecated entries that are auto-populated in the file (or comment them out):
  - idmap uid = 10000-30000
  - idmap gid = 10000-30000
  - passdb backend = <some backend>
Add the following entries to the [global] section of /etc/samba/smb.conf:

               idmap config YOURDOMAIN : backend = rid
               idmap config YOURDOMAIN : range = 10000 - 50000
               idmap config * : backend = tdb
               idmap config * : range = 1000 - 9999

NOTES: Replace YOURDOMAIN with the netbios name of your domain. The ranges specified will vary depending on your requirements and preferences. UIDs and GIDs are calculated for users based on the range information. If the RID portion of the SID of the user (as seen under Windows ADSI Edit > User properties > Object SID) has 6 digits, the range should be large enough to encapsulate the number. If the largest RID in my environment was 1234567, and I had a range of 1000-123456 specified, then that user will be excluded from being mapped. The range, as one of its functions, acts as a filter to exclude certain ranges of numbers if desired.

The second range, as specified by the * domain listing, is a catch all for any users that don't fit under the above specified range. This range should NOT overlap the other range. It doesn't really matter, however, what ranges are specified as long as they are large enough to capture current and future users.

Another point to note, a previously used setting, "idmap config DOMAIN: base_rid", has been deprecated. The man pages may show it being used as an example, but it will break rid mappings if it is included in a version of samba where it has been deprecated. That is the reason for its exclusion here.
Save the smb.conf file. Backup the /var/lib/samba/*tdb files, delete them from that directory, and restart samba and winbind. This removes any existing user mappings and allows new mappings under the RID method to take place.
NOTES: RID maps users with an algorithm which uses the idmap configuration in the smb.conf. As long as the ranges aren't changed, the users should be mapped the same way every time, on every machine, even if the *tdb files get wiped out. This isn't true with other idmap backends, such as idmap_ad.

The man page gives the formula as to how uids and gids are calculated, but will be repeated here:

ID = RID - BASE_RID + LOW_RANGE_ID

In the above example, a user with an SID of S-1-5-21-1234567890-1234567890-123456789-526 will be calculated as follows:

uid = 526 - 0 + 10000, or 10526. As the base_rid has been deprecated zero is now used in its place.

Troubleshooting: While utilizing RID backend, should a user coming across winbind not map correctly to the specified backend's range, or not map at all, then double-check the user in the Windows environment. Check the properties of the user, and check the "Members Of" tab. The primary group specified for the user must be Unix enabled. If it isn't, mapping issues can occur. Either make the primary group Unix enabled, or change the primary group to a group that is Unix enabled.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.