[Samba] WBC_ERR_DOMAIN_NOT_FOUND error with RFC2307

Rowland penny rpenny at samba.org
Thu Jul 4 20:49:03 UTC 2019


On 04/07/2019 21:25, Ryan via samba wrote:
> I am still trying to configure Samba to authenticate users against
> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP
> server. Related to a previous recommendation, I found the idmap_rfc2307
> capability, which seems likely exactly what I want.
>
> Unfortunately, it does not seem to work. Users are not permitted to access
> shares for which they are in the group.
>
> Tests I found online of the idmapping using wbinfo, fail as follows.
>
> $>wbinfo -n rlicht2
> THE_SID SID_USER (1)
>
> $>net cache flush
>
> $>wbinfo -S THE_SID
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid THE_SID to uid
>
> I do not see any indication in the log files that the LDAP server is being
> contacted, though winbind startup shows that it is processing the idmap
> directives.
>
> And I have done the following:
>
> net idmap set secret 'MYDOMAIN' 'password'
>
> Here is the smb.conf file:
>
> [global]
> strict locking = no
> workgroup = MYDOMAIN
> server string = Samba Server Version %v
> disable netbios = yes
> interfaces = lo eth0
> log file = /var/log/samba/log.%m
> log level = 5
> max log size = 64
> security = ads
> realm = MYDOMAIN.FULL
> kerberos method = secrets and keytab
> load printers = no
> printcap name = /dev/null
> printing = bsd
> disable spoolss = yes
> ldap ssl = off
>
> idmap config * : backend = tdb
> idmap config * : range = 65536-4294967296
>
> idmap config MYDOMAIN : backend = rfc2307
> idmap config MYDOMAIN : range = 1000-65535
> idmap config MYDOMAIN : ldap_server = stand-alone
> idmap config MYDOMAIN : bind_path_user = ou=users,dc=myldap,dc=org
> idmap config MYDOMAIN : bind_path_group = ou=groups,dc=myldap,dc=org
> idmap config MYDOMAIN : user_cn = no
> idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
> idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
>
> [home]
> comment = Home Directories
> path = /home/%U
> browseable = no
> writable = yes
> create mask = 0600
> directory mask = 0700
> valid users = MYDOMAIN\%U
> preexec = ls /home/%U
>
> [share]
> path = /home/lab
> writable = yes
> valid users = @share
> force group = share
> create mask = 0660
> directory mask = 0770
> preexec = ls /home/share

Try changing 'security = ADS' to 'security = domain'

Read 'man idmap_ldap'; your 'idmap config' lines don't seem to be correct.

Rowland
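A small sanity check over the idmap lines quoted above, added here and not part of the thread or of Samba itself: it parses the 'idmap config DOMAIN : key = value' lines, confirms a default '*' backend exists, and flags ranges that are inverted, overlap between domains, or run past the 32-bit uid_t maximum. The SMB_CONF excerpt is a constructed copy of the relevant lines from the posted smb.conf.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the idmap lines from the smb.conf quoted in the thread
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 65536-4294967296

idmap config MYDOMAIN : backend = rfc2307
idmap config MYDOMAIN : range = 1000-65535
idmap config MYDOMAIN : ldap_server = stand-alone
idmap config MYDOMAIN : ldap_url = ldaps://ldap.myldap.org:636
idmap config MYDOMAIN : ldap_user_dn = cn=samba,ou=agents,dc=myldap,dc=org
"""

UID_MAX = 2**32 - 1  # largest value a 32-bit uid_t/gid_t can hold
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN : key = value' lines, keyed by domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def check_idmap(conf: str) -> List[str]:
    """Return the problems found; an empty list means the idmap block looks sane."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no default 'idmap config *' backend defined")
    ranges: List[Tuple[str, int, int]] = []
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: no range set")
            continue
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        if lo >= hi:
            problems.append(f"{dom}: range {lo}-{hi} is empty or inverted")
        if hi > UID_MAX:
            problems.append(f"{dom}: range end {hi} exceeds uid_t maximum {UID_MAX}")
        ranges.append((dom, lo, hi))
    # Ranges of different domains must be disjoint, or ids collide across domains
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} and {d2} ranges overlap")
    return problems
```

Run against the excerpt it reports only the '*' range end 4294967296, which does not fit in a 32-bit uid_t; the MYDOMAIN range is disjoint from it.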
