[Samba] winbind users not getting groups. idmap backend problem?

Chris Jeter cjeter at sunflowerbroadband.com
Wed Dec 5 17:06:08 GMT 2007 

> [global]
> workgroup = OURWORKGROUP
> netbios name = hostname
> server string = Linux workstation 1
> security = ADS
> log file = /var/log/samba/samba.%m
> max log size = 50
> local master = no
> preferred master = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/%U
> template shell = /bin/bash
> encrypt passwords = yes
> dns proxy = no
> realm = REALM.COMPANY.COM
> password server = servername.company.com
> wins proxy = no
> allow trusted domains = no
> 
>  
>  
> i vaguely suspect that i need something like this:
>  
> idmap backend = idmap_rid:REALM.COMPANY.COM=10000-20000
>  
> ...but if i put that in, winbind completely stops working and i can't
> do anything. thoughts?
       

Here is my Global section of our smb conf. This is running in the same
envirment as yours. Our host OS is FC7 and our samba version is Version
3.0.26a-6.fc7

	 security = ads
        netbios name = hostname
        realm = ADDOMAIN.domain
        password server = ADDOMAIN.domain
        workgroup = ADDOMAIN
        idmap uid = 500-10000000
        idmap gid = 500-10000000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        preserve case=yes
        short preserve case=yes
        case sensitive=no
        template homedir = /home/shares/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        domain master = no
        encrypt passwords = yes

I'm not setting the idmap backend option and have no problems. I've
also read a couple of places that the server string option needs to be
set to your FQDN, mine is not though and it's still working.

Also make sure you are syncing your time between your AD and your samba
box. You will see a time drift issue if you aren't running vmtools and
syncing to your esx server or some form of ntp. Your kerberos tickets
will start expiring. 

-- 
--------------------
Chris Jeter
Senior IT Technician
The World Company
785.312.6911
--------------------

More information about the samba mailing list