[Samba] Winbindd can't load Idmap OU with SID-uid mappings
Erwin Fritz
efritz at glja.com
Tue Apr 20 21:59:55 GMT 2004
I'm running Samba 3.0.2a on Solaris 9. My shop also runs Active Directory on W2K (SP4). In an attempt to build a single sign-on solution, I thought I'd get Samba to allow Windows 2000 users to telnet/rlogin/ftp to my UNIX boxes without requiring those users to have a UNIX account.
The Samba dox claim this is possible, because winbindd will map the AD account SID to a UNIX userid, and will store that mapping in the winbindd_idmap.tdb file.
This works just fine. AD users can map drives and can connect to the UNIX box through telnet, rlogin, or ftp. They do not need a UNIX account.
Problem solved? Not quite. I have many UNIX boxes, and because the Samba shares are NFS-mounted to these boxes, I have to ensure that the SID-uid mapping is consistent across all machines. Samba will do this by keeping the mapping in an OU created in the AD tree. I created that OU, and called it Idmap.
For the life of me, though, I can't get Samba to store the mapping in the OU. It continues to store it in the winbindd_idmap file.
My Solaris box is running Solaris 9, with patch 113476-13, MIT Kerberos 1.3.1, and OpenLDAP 2.2.5 (because Samba needs the LDAP stuff to compile).
Samba was configured with these options:
./configure --prefix=/opt/samba \
--with-syslog \
--with-utmp \
--with-codepagedir=/var/samba/code \
--with-configdir=/var/samba/conf \
--with-lockdir=/var/samba/lock \
--with-privatedir=/var/samba/private \
--with-swatdir=/var/samba/swat \
--with-logfilebase=/var/samba/log \
--datadir=/var/samba/share \
--localstatedir=/var/samba/var \
--sharedstatedir=/var/samba/com \
--sysconfdir=/var/samba/etc \
--with-acl-support \
--with-krb5=/opt/kerberos \
--with-winbind \
--with-ldap \
--with-ldapsam
The global portion of my smb.conf is:
[global]
workgroup = AD_DOMAIN
realm = INTERNAL_DOMAIN.COM
server string = Test server
security = ADS
password server = ad1.internal_domain.com ad2.internal_domain.com
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
disable netbios = Yes
name resolve order = host
load printers = No
os level = 0
lm announce = No
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap suffix = dc=internal_domain,dc=com
ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/ksh
winbind separator = +
hosts allow = 198.161.66., 192.168.100.
wide links = No
I know the problem isn't with pam.conf or nsswitch.conf, since my AD users can connect to the Solaris box without any problems.
When I try to connect, I get this error message on the Samba server:
'failed to bind to server with dn= cn=Administrator,ou=Users,dc=internal_domain,dc=com Error: Can't contact LDAP server'
Well, I know the LDAP server works. Running both 'wbinfo -u' and 'getent passwd' shows the AD accounts.
Am I missing something obvious here?
Erwin Fritz
Network Administrator
Gilbert Laustsen Jung Associates Ltd.
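The configuration above sets "ldap idmap suffix" and an admin DN, yet winbindd keeps writing to winbindd_idmap.tdb. As an added example (not code from the original post or from the Samba project), the following lint reads a smb.conf [global] section and flags the settings a reviewer would check first in this situation. Its two assumptions are labelled in the code: that Samba 3.0 selects the idmap store through the separate "idmap backend" parameter and falls back to the local tdb when that parameter is missing, and that every host sharing the NFS-mounted data must use identical "idmap uid"/"idmap gid" ranges. The sample smb.conf text is constructed from the values shown in the post.

```python
"""Added example, not part of the original mailing-list post: a small
smb.conf lint for the winbindd idmap setup described above.

Assumptions (not stated on the page):
  * Samba 3.0's "idmap backend" parameter selects where winbindd stores
    SID-to-uid mappings; without it winbindd uses the local
    winbindd_idmap.tdb no matter what "ldap idmap suffix" says.
  * Hosts that share NFS-mounted data must use identical idmap ranges
    so that allocations on different machines cannot collide.
"""
import re

# Constructed sample built from the [global] values quoted in the post.
SAMPLE_SMB_CONF = """\
[global]
workgroup = AD_DOMAIN
realm = INTERNAL_DOMAIN.COM
security = ADS
ldap suffix = dc=internal_domain,dc=com
ldap idmap suffix = ou=Idmap,dc=internal_domain,dc=com
ldap admin dn = cn=Administrator,ou=Users,dc=internal_domain,dc=com
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
"""


def parse_global(text):
    """Return the [global] section as a dict keyed by normalised parameter name."""
    params = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def parse_range(value):
    """Split a 'low-high' idmap range into two ints (raises ValueError if malformed)."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_idmap(params):
    """Return a list of findings for the idmap-related parameters; empty means clean."""
    findings = []
    backend = params.get("idmap backend", "")
    # Assumption: an ldap idmap suffix alone does not move mappings off the local tdb.
    if "ldap idmap suffix" in params and not backend.startswith("ldap:"):
        findings.append("ldap idmap suffix set but idmap backend is not ldap:... "
                        "-> mappings stay in winbindd_idmap.tdb")
    # The admin DN's password is sent on every bind; flag a cleartext LDAP session.
    if "ldap admin dn" in params and params.get("ldap ssl", "").lower() in ("no", "off", "false"):
        findings.append("ldap admin dn bind configured with ldap ssl disabled")
    for key in ("idmap uid", "idmap gid"):
        if key not in params:
            findings.append(f"{key} not set")
            continue
        try:
            lo, hi = parse_range(params[key])
        except ValueError:
            findings.append(f"{key} is not a low-high range")
            continue
        if lo >= hi:
            findings.append(f"{key} range is empty")
        if lo < 1000:
            findings.append(f"{key} range overlaps local system accounts")
    return findings


def ranges_consistent(configs):
    """True when every supplied smb.conf text uses the same idmap uid/gid ranges."""
    seen = {(p.get("idmap uid"), p.get("idmap gid")) for p in map(parse_global, configs)}
    return len(seen) == 1


if __name__ == "__main__":
    for finding in check_idmap(parse_global(SAMPLE_SMB_CONF)):
        print("finding:", finding)
```

Running it on the sample produces two findings: the missing "idmap backend = ldap:..." line and the cleartext admin bind. Feeding it the smb.conf from each NFS client alongside the server's copy with ranges_consistent() confirms the ranges match before the mappings are ever trusted across machines.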