[Samba] Can't get idmap connected to AD unix attribs

Nick Triantos nick at triantos.com
Tue Jul 10 18:57:23 MDT 2012


Thanks Robert.

I've tried switching over to the AD back-end (which does sound like what I want), but I still receive only the errors:
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

I restarted both winbind and smbd after changing the config. Is there some cache I have to flush, or some other config that needs to be changed beyond the settings in smb.conf?

thanks again!
-Nick

My updated smb.conf:

   workgroup = CORP
   security = ADS
   #password server = 192.168.77.251
   realm = CORP.MYCOMPANY.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   idmap config CORP : backend = ad
   idmap config CORP : default = yes
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 800 - 99999


On Jul 10, 2012, at 7:27 AM, Robert Freeman-Day wrote:

> Nick,
> 
> I think what you may be looking for is the ad backend:
> 
> https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
> 
> Since you are using tdb in your config, it is using a local database
> and allocates UID/GIDs on the fly...first come, first served.  So a
> user may not get the same UID from one machine to the next.
> 
> Robert
> 
> On 07/10/2012 12:20 AM, Nick Triantos wrote:
>> Hi,
>> 
>> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and 
>> Winbind to map userids and groups to the unix attributes in an AD 
>> 2008 server. I can see that when I perform an ldapsearch, I'm able 
>> to read the attributes, and for one of my accounts, the id should 
>> be 1001. However, when I run 'wbinfo -i <username>', I get back 
>> something like 920.
>> 
>> At one point, I was setting the idmap range to start at 900, but 
>> I've since removed that from my config, and restarted winbindd and 
>> smbd. I've also tried to 'net cache flush'.
>> 
>> I also see wbinfo -i <someuser> usually returns: failed to call 
>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user 
>> <someuser>
>> 
>> The relevant parts of my smb.conf are below. I've tried patching 
>> this together from various tuts and help pages. Any guidance would 
>> be very helpful.
>> 
>> thanks! -Nick
>> 
>> [global]
>>    workgroup = CORP
>>    security = ADS
>>    password server = 192.168.77.251
>>    realm = CORP.MYCOMPANY.COM
>>    allow trusted domains = yes
>>    winbind use default domain = yes
>>    winbind nested groups = YES
>>    idmap config CORP : backend = tdb
>>    idmap config CORP : default = yes
>>    idmap config CORP : schema_mode = rfc2307
>>    idmap config CORP : range = 1000 - 9999
>>    idmap config * : backend = tdb
>>    encrypt passwords = true
>>    obey pam restrictions = yes
>>    client use spnego = yes
>>    client ntlmv2 auth = yes
>>    encrypt passwords = true
>>    restrict anonymous = 2
>>    unix password sync = yes
>>    winbind enum groups = yes
>>    winbind enum users = yes
>>    winbind nss info = rfc2307
>> 
>> 
> 
> 
> --
> ________
> 
> Robert Freeman-Day
> 
> https://launchpad.net/~presgas
> GPG Public Key:
> http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
> 
> 
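
An added example, not part of the original thread and not Samba code: a small checker that reads the `idmap config` lines discussed above and reports whether a uidNumber stored in AD (1001 in this thread) can reach the client. The names `parse_idmap`, `audit`, `ALLOCATING` and `NARROW` are hypothetical, and the range check assumes the behaviour described in the idmap_ad man page linked above, where the range acts as a filter and IDs outside it are ignored.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(.+?)\s*=\s*(.+?)\s*$", re.I)
ALLOCATING = {"tdb"}  # backend that hands out IDs locally, first come, first served

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out setting
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def audit(conf_text, domain, directory_uid):
    """Return findings for one domain, given a uidNumber stored in the directory."""
    cfg = parse_idmap(conf_text).get(domain.upper())
    if cfg is None:
        return [f"{domain}: no idmap config lines"]
    findings = []
    backend = cfg.get("backend", "").lower()
    if backend in ALLOCATING:
        findings.append(f"{domain}: backend {backend} allocates IDs locally, uidNumber is not read")
        if "schema_mode" in cfg:
            findings.append(f"{domain}: schema_mode is an idmap_ad option, unused by {backend}")
    if backend == "ad" and "range" in cfg:
        low, high = (int(p) for p in cfg["range"].split("-"))
        if not low <= directory_uid <= high:
            findings.append(f"{domain}: uidNumber {directory_uid} outside {low}-{high}, mapping is discarded")
    return findings

# Settings taken from the two smb.conf excerpts in this thread.
ORIGINAL = """
idmap config CORP : backend = tdb
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 1000 - 9999
"""
UPDATED = """
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 800 - 99999
"""
# Constructed variant: same as UPDATED but with a range that excludes uid 1001.
NARROW = UPDATED.replace("800 - 99999", "10000 - 99999")
```

`audit(ORIGINAL, "CORP", 1001)` returns two findings, `audit(UPDATED, "CORP", 1001)` returns none, and `audit(NARROW, "CORP", 1001)` flags the out-of-range uidNumber.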


