[Samba] idmap with w2k3 active directory ldap supported?

Aaron Darling darling at cs.wisc.edu
Wed Jun 2 08:07:03 GMT 2004

Hi folks,
I'm trying to integrate a group of Linux clients into a Windows 2003
Active Directory domain using winbind and an LDAP idmap backend.

Whenever I start up winbindd it reports the following to log.winbindd:

[2004/06/02 01:41:45, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain GEL gel.local S-1-5-21-1287777321-1459595337-1044068293
[2004/06/02 02:39:56, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)

wbinfo -u correctly prints the list of domain users, but getent passwd
shows only local unix users.  Furthermore, in my log.winbindd I get a
statement like this for every AD user:

[2004/06/02 02:40:51, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid
[2004/06/02 02:40:51, 1] nsswitch/winbindd_user.c:winbindd_getpwent(563)
  could not lookup domain user darling

Do I need to create a special idmap structure (e.g. the ou=Idmap container)
in my Windows 2003 Active Directory myself, or should winbindd create it
automatically?  Nothing containing the text "idmap" currently appears in my
Windows 2003 LDAP directory.

Also, another strange thing I've noticed is that I can't successfully
remove the machine account from the domain using net ads leave.

Any help getting this problem worked out would be greatly
appreciated -- I've searched Google and the mailing lists to no avail.

Aaron Darling

Details of my setup:
SuSE 9.1, kernel 2.6.4, Samba 3.0.2a, heimdal 0.6.1rc3, windows 2003 PDC

# /etc/nsswitch.conf

passwd: files winbind
shadow: files
group:  files winbind

hosts:  files dns
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SuSE
# Date: 2004-04-06
        workgroup = GEL
        interfaces =
#begin added by AED
        ldap admin dn = cn=Administrator,cn=Users,dc=gel,dc=local
#       ldap ssl = start tls
        ldap user suffix = ou=Pernalab_site_users,dc=gel,dc=local
#       ldap group suffix = cn=Users
        ldap machine suffix = cn=Computers
#       password server =
        realm = gel.local
        netbios name = mamba
        security = ADS
        idmap backend = ldap:ldap://
        ldap idmap suffix = ou=Idmap,dc=gel,dc=local
        idmap uid = 10000-20000
        idmap gid = 10000-20000
  # winbind params
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/?U
        template shell = /bin/bash
#       winbind use default domain = yes
        winbind enable local accounts = no

        wins server =
#end added by AED
        bind interfaces only = true
        printing = cups
        printcap name = cups
        printer admin = @ntadmin, root, administrator
        map to guest = Bad User

# /etc/krb5.conf
        clockskew = 300
        default_realm = GEL.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true

         = {
                kdc =
                kpasswd_server =
        GEL.LOCAL = {
                kdc =
                admin_server =
                default_domain = GEL.LOCAL

        .gel.local = GEL.LOCAL
        gel.local = GEL.LOCAL

        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

