[Samba] Winbind on Samba 3.5.5 (centos5)

Adrian Graham binarydinosaurs at gmail.com
Tue Oct 19 08:50:43 MDT 2010


Folks,

Having some fun with winbind on Samba 3.5.5 on RHEL5 and/or Centos5.
I’ve got it working so ssh logins work correctly and file permissions
are seemingly correct with created files etc. Backend authentication
is from a Win2K3R2 box running RFC2372 extensions (ie not SFU) and all
UIDs etc are assigned for the users who need them.

However, wbinfo returns some interesting things. We’re in a reasonably
sized AD forest and there seems to be some ID mashing going on. If I
do wbinfo -u it will sniff out the entire forest and return anything
it's allowed to as well as the local domain, obviously this can be
filtered by using --domain=DOMAIN which sometimes works well, groups
also.

Things that don’t work:

wbinfo -i returns ‘could not get info for user’
wbinfo -r returns ‘could not get groups for user’
wbinfo -Y returns ‘could not convert sid’
wbinfo --user-sidinfo returns ‘couldn’t get info for user’
wbinfo --user-sids also returns failure.

Things that do:

wbinfo -S my-username-SID correctly returns my UID of 666
wbinfo -s my-username-SID correctly returns DOMAIN+Username
getent group
getent passwd

Wish I could remember what I changed, but at some point wbinfo -u
username DID work but returned a UID of 147, no idea where it got that
from as I even deleted the idmap cache files etc. Also if I browse to
a share and create a file it ends up with the UID/GID of a user in a
completely different domain!

Current smb.conf:

[global]

        workgroup = CAM
        realm = CAM.CW.LOCAL
        server string = test-samba server (CentOS 5)
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        security = ADS
        map to guest = Bad User
        password server = 172.31.134.30
        log level = 100
        log file = /var/log/samba/%m.log
        printcap name = cups
        wins server = 172.31.134.30
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 5
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        idmap config CAM: range = 100-9999
        idmap config CAM: backend = ad
        idmap config CAM: schema_mode = rfc2307
        idmap config CAM: default = yes

[homes]
        comment = Home Directories
        read only = No
        create mask = 0664
        directory mask = 0775
        browseable = No

[docs]
        path = /usr/share/doc/samba3/htmldocs
        guest ok = Yes

Anyone? Kerberos seems to be acting ok too, otherwise SSH logins wouldn't work?

-- 
adrian/witchy
Owner of Binary Dinosaurs, the UK's biggest home computer collection?
www.binarydinosaurs.co.uk
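An added example (editor's addition, not part of Adrian's post and not Samba's own code): a small Python checker that reads the idmap-related lines of an smb.conf, lists every uid range a backend may hand out, and tells you which domain's range a given number falls into. Run against the posted config, the UIDs 666 and 147 from the post both land inside the 100-9999 range reserved for the CAM "ad" backend rather than the global 10000-20000 pool, and "winbind trusted domains only = yes" is flagged because smb.conf(5) documents it as mapping primary-domain users to /etc/passwd accounts instead of through idmap. The config excerpt is constructed from the post; the classification only uses the ranges in that text, so which process actually allocated a number is an assumption you would confirm with `wbinfo -S <sid>` on the real box.

```python
"""Classify numeric IDs against the idmap ranges declared in an smb.conf.
Added example, not Samba code; it only reads config text, so it runs offline."""
import re

# Constructed excerpt of the smb.conf posted above (only the relevant lines).
SMB_CONF = """
[global]
        workgroup = CAM
        realm = CAM.CW.LOCAL
        security = ADS
        log level = 100
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        idmap config CAM: range = 100-9999
        idmap config CAM: backend = ad
        idmap config CAM: schema_mode = rfc2307

[homes]
        read only = No
"""


def parse_global(text):
    """Return [global] parameters as {normalised key: value}; keys are
    lower-cased, whitespace collapsed, spaces around ':' removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            section = head.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        params[key] = value.strip()
    return params


def idmap_ranges(params):
    """Every uid range winbind may hand out: the legacy global 'idmap uid'
    (or 'idmap config * : range') plus each 'idmap config DOM : range'."""
    ranges = []
    for key, value in params.items():
        if key == "idmap uid":
            dom = "*"
        else:
            m = re.match(r"^idmap config ([^:]+):range$", key)
            if not m:
                continue
            dom = m.group(1).upper()
        lo_hi = re.match(r"^(\d+)\s*-\s*(\d+)$", value)
        if not lo_hi:
            raise ValueError(f"unparseable range {value!r} for '{key}'")
        backend = params.get(f"idmap config {dom.lower()}:backend",
                             "tdb" if dom == "*" else "(unset)")
        ranges.append({"domain": dom, "lo": int(lo_hi.group(1)),
                       "hi": int(lo_hi.group(2)), "backend": backend})
    return sorted(ranges, key=lambda r: r["lo"])


def classify(uid, ranges):
    """Domain label whose range contains uid, or None if no backend owns it."""
    for r in ranges:
        if r["lo"] <= uid <= r["hi"]:
            return r["domain"]
    return None


def overlapping(ranges):
    """Pairs of domains whose ranges intersect (one uid claimable by two SIDs)."""
    found = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a["lo"] <= b["hi"] and b["lo"] <= a["hi"]:
                found.append((a["domain"], b["domain"]))
    return found


def config_warnings(params, ranges):
    """Settings a reviewer would query, as plain strings."""
    notes = []
    wg = params.get("workgroup", "").upper()
    tdo = params.get("winbind trusted domains only", "no").lower()
    if tdo in ("yes", "true", "1") and any(r["domain"] == wg for r in ranges):
        notes.append(f"'winbind trusted domains only = yes' maps {wg} users to "
                     f"/etc/passwd accounts instead of idmap (smb.conf(5)), "
                     f"yet an idmap range is configured for {wg}")
    level = params.get("log level", "0").split()[0]
    if level.isdigit() and int(level) > 10:
        notes.append(f"log level {level} is far past useful debug output")
    for a, b in overlapping(ranges):
        notes.append(f"ranges for {a} and {b} overlap")
    return notes


if __name__ == "__main__":
    p = parse_global(SMB_CONF)
    rs = idmap_ranges(p)
    for r in rs:
        print(f"{r['domain']:>4} {r['lo']}-{r['hi']} backend={r['backend']}")
    for uid in (666, 147, 15000):        # numbers from the post plus one probe
        print(f"uid {uid} -> {classify(uid, rs)}")
    for n in config_warnings(p, rs):
        print("WARNING:", n)
```

On a live member server, feed it the real /etc/samba/smb.conf and the numbers from `ls -n` on the wrongly-owned file; if a uid classifies to a domain other than the one the file's creator belongs to, or to no range at all, that tells you which backend (or which stale cache) to look at next.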

