[Samba] Samba 3.6.0: unable to list Active Directory users "WBC_ERR_DOMAIN_NOT_FOUND"

David Touzeau david at touzeau.eu
Fri Aug 19 06:44:23 MDT 2011


On Friday 19 August 2011 at 06:51 -0500, John H Terpstra wrote:
> On 08/19/2011 03:54 AM, David Touzeau wrote:
> > On Thursday 18 August 2011 at 13:26 +0200, Benedikt Schindler wrote:
> >
> >> On 18.08.2011 06:07, John H Terpstra wrote:
> >>> On 08/17/2011 02:05 PM, David Touzeau wrote:
> >>>> I think this new version is not really ready for production...
> >>>> There are so many strange things... Or misunderstanding what's going wrong
> >>>
> >>> I respect that some may be experiencing difficulties with deployment of
> >>> Samba 3.6.0.
> >>>
> >>> I have been using 3.6.0 in its various pre-release forms (and now the
> >>> stable release) for many months without a single problem.  I have
> >>> deployed it in some very complex as well as some simple configurations -
> >>> all without any issues.
> >>>
> >>> The purpose of this response is to point out that Samba 3.6.0 is perhaps
> >>> not as "not really ready" for production use as readers of this list may
> >>> interpret from these reports.
> >>>
> >>> Cheers,
> >>> John T.
> >>>
> >>>>
> >>>> On Monday 15 August 2011 at 14:07 -0700, Linda W wrote:
> >>>>
> >>>>>
> >>>>>
> >>>>> Peacock,Josh wrote:
> >>>>>> I am also experiencing the same problems.  I am running 3.6 on AIX
> >>>>>> 6.1.  I do have a 3.5.8 installation running without problem (I
> >>>>>> understand some major changes have happened.)  I took the smb.conf
> >>>>>> from my 3.5.8 install and changed appropriately for 3.6 (At least as
> >>>>>> far as I can tell).
> >>>>>>
> >>>>> ----
> >>>>> Yeah, I still have this error even after downgrading to 3.5.10 --
> >>>>> I think 3.6 corrupted my userdb or changed the format... I suppose
> >>>>> I need to allocate a new one and start from scratch to fix it...
> >>>>>
> >>>>> But lots of problems related to looking up the domain, the
> >>>>> PDC and some users.
> >>>>>
> >>>>> I did try to report it, but since I wasn't certain what was going on and
> >>>>> just had a bunch of random symptoms, I got ignored.
> >>>>>
> >>>>> But I did warn them that other users would likely have problems and
> >>>>> should be warned...  That was ignored too..
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >> I had the same error until today. It works for me with base_rid = 0
> >>
> >> TRY:
> >>
> >>          idmap config MYDOMAIN : backend = rid
> >>          idmap config MYDOMAIN : range = 60000-50000000
> >>          idmap config MYDOMAIN : base_rid = 0
> >>
> >>
> >>
> >> --
> >> Benedikt
> >
> >
> > I have set
> > idmap config MYDOMAIN : backend = ad
> >
> > Is there any difference using
> >
> > idmap config MYDOMAIN : backend = rid
> >
> > instead
> >
> > idmap config MYDOMAIN : backend = ad
> >
> > When using Active Directory ?
> >
> >
> >
> >
> 
> Check the man pages (man idmap_rid) and (man idmap_ad):
> 
> The RID method generates the uid/gid from the RID. As a result all users 
> in Active Directory can access the Samba server.
> 
> The AD method requires the use of the RFC2307bis extensions to the 
> Active Directory schema and that you populate the uid and gid with 
> valid values using the Active Directory Users and Group management tool.
> If you have not populated the RFC2307bis uid/gid values the user will 
> not be able to access the Samba server.
> 
> Using the AD method the systems administrator has control over which 
> users can and cannot access the Samba server/s.
> 
> - John T.

This is very strange.
I have changed my settings according to your example, as follows:

	security = ADS
	realm = MAISON.TOUZEAU.BIZ

	idmap config MAISON:backend = rid
	idmap config MAISON:read only = yes
	idmap config MAISON:range = 60000-50000000
	idmap config MAISON:base_rid = 0
	idmap config * : backend = tdb
	idmap config * : range =  1000000-1999999
	client use spnego = No
	client use spnego principal = No
	encrypt passwords = Yes
	client ntlmv2 auth = Yes
	client lanman auth = No
	winbind normalize names = Yes
	winbind separator = /
	winbind use default domain = No
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind nested groups = Yes
	winbind nss info = rfc2307
	winbind offline logon = true
	winbind cache time = 5
	winbind refresh tickets = true
	kerberos method = system keytab
	allow trusted domains = Yes
	server signing = mandatory
	client signing = mandatory
	lm announce = No
	ntlm auth = No
	lanman auth = No
	preferred master = No

The winbindd allows me to get correct information:

#wbinfo -t
checking the trust secret for domain MAISON via RPC calls succeeded

#wbinfo -n MAISON/Administrateur
S-1-5-21-3790408397-595478388-2982168515-500 SID_USER (1)

#wbinfo -s S-1-5-21-3790408397-595478388-2982168515-500
MAISON/Administrateur 1

#wbinfo -S S-1-5-21-3790408397-595478388-2982168515-500
60500

But getent did not see any Active Directory users.


Any tips on this ?
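
The RID-to-uid mapping described in the quoted reply, worked through on the idmap lines and the SID from this message. This is an added example, not part of the original thread; it uses the formula from the idmap_rid man page (ID = RID - base_rid + low end of range), the function names are illustrative, and the config text is a constructed sample copied from the post.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted above.
SMB_CONF = """
idmap config MAISON:backend = rid
idmap config MAISON:read only = yes
idmap config MAISON:range = 60000-50000000
idmap config MAISON:base_rid = 0
idmap config * : backend = tdb
idmap config * : range =  1000000-1999999
"""

# Accepts both "DOMAIN:option = value" and "DOMAIN : option = value".
IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$")

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option] = value
    return domains

def _bounds(cfg):
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high, int(cfg.get("base_rid", 0))

def rid_to_unix_id(sid, cfg):
    """idmap_rid formula: ID = RID - base_rid + low end of range."""
    low, high, base_rid = _bounds(cfg)
    rid = int(sid.rsplit("-", 1)[1])   # last sub-authority of the SID
    unix_id = rid - base_rid + low
    # An ID outside the configured range is not mapped.
    return unix_id if low <= unix_id <= high else None

def unix_id_to_rid(unix_id, cfg):
    """Reverse direction: RID = ID + base_rid - low end of range."""
    low, high, base_rid = _bounds(cfg)
    return unix_id + base_rid - low if low <= unix_id <= high else None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)["MAISON"]
    sid = "S-1-5-21-3790408397-595478388-2982168515-500"
    print(sid, "->", rid_to_unix_id(sid, cfg))
```

For the Administrateur SID above this gives 60500, the same value `wbinfo -S` returned, so the rid backend is mapping as configured.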


