[Samba] idmap_rid problem - winbindd_sid_to_uid: Could not get uid for sid

Erik Sperling Johansen erik at sperling.no
Sun May 15 12:34:22 GMT 2005


In an ADS (Adv Serv 2003) setup with a few Linux members, I'd like to achieve
consistent UIDs for domain users across these Linux machines, and idmap_rid
seems to be exactly what I'm looking for. However, I cannot get winbind to
create UIDs or GIDs from SIDs at all. Any hints?

--Erik S. Johansen



ares samba # smbd -V
Version 3.0.10

ares samba # pwd
/var/cache/samba

ares samba # rm *.tdb

ares samba # kinit Administrator
Password for Administrator@OFFICE.AVENTURINE.GR:

ares samba # net join
[2005/05/15 14:43:35, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for ares already exists - modifying old account
Using short domain name -- AVENTURINE
Joined 'ARES' to realm 'OFFICE.AVENTURINE.GR'

ares samba # net ads testjoin
Join is OK

ares samba # /etc/init.d/samba start
 * samba -> start: smbd...                                                [ ok ]
 * samba -> start: nmbd...                                                [ ok ]
 * samba -> start: winbind...                                             [ ok ]

ares samba # wbinfo -u | grep Administrator
Administrator

ares samba # wbinfo -n Administrator
S-1-5-21-1767999523-2916935442-200274121-500 User (1)

ares samba # wbinfo -s S-1-5-21-1767999523-2916935442-200274121-500
AVENTURINE+Administrator 1

ares samba # wbinfo -S S-1-5-21-1767999523-2916935442-200274121-500
Could not convert sid S-1-5-21-1767999523-2916935442-200274121-500 to uid

ares samba # tail -n 20 /var/log/samba/log.winbindd
[2005/05/15 14:44:30, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(355)
  refresh_sequence_number: AVENTURINE time ok
[2005/05/15 14:44:30, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(386)
  refresh_sequence_number: AVENTURINE seq number is now 1158030
[2005/05/15 14:44:30, 10] nsswitch/winbindd_cache.c:centry_expired(410)
  centry_expired: Key SN/S-1-5-21-1767999523-2916935442-200274121-500 for domain AVENTURINE is good.
[2005/05/15 14:44:30, 10] nsswitch/winbindd_cache.c:wcache_fetch(489)
  wcache_fetch: returning entry SN/S-1-5-21-1767999523-2916935442-200274121-500 for domain AVENTURINE
[2005/05/15 14:44:30, 10] nsswitch/winbindd_cache.c:sid_to_name(1023)
  sid_to_name: [Cached] - cached name for domain AVENTURINE status Success
[2005/05/15 14:44:30, 10] sam/idmap_util.c:idmap_sid_to_uid(150)
  idmap_sid_to_uid: sid = [S-1-5-21-1767999523-2916935442-200274121-500]
[2005/05/15 14:44:30, 4] nsswitch/winbindd_sid.c:winbindd_sid_to_uid(222)
  Could not get uid for sid S-1-5-21-1767999523-2916935442-200274121-500
[2005/05/15 14:44:30, 10] nsswitch/winbindd.c:client_write(525)
  client_write: wrote 1300 bytes.
[2005/05/15 14:44:30, 10] nsswitch/winbindd.c:winbind_client_read(471)
  client_read: read 0 bytes. Need 1824 more for a full request.
[2005/05/15 14:44:30, 5] nsswitch/winbindd.c:winbind_client_read(478)
  read failed on sock 25, pid 17385: EOF

ares samba # cat /etc/samba/smb.conf
# smb.conf of the AD member server ARES as posted; prose comments are review notes.
[global]

# Active Directory member mode: the host joins the realm below and uses Kerberos.
workgroup=AVENTURINE
realm=OFFICE.AVENTURINE.GR
netbios name=ARES
security=ADS
# NOTE(review): idmap_rid documentation of this era asks for trusted domains to be
# disabled - confirm against the installed idmap_rid man page.
allow trusted domains=no
encrypt passwords = yes

password server=apollon.office.aventurine.gr
printcap name=cups
disable spoolss=yes

# SID-to-uid/gid mapping: RIDs of AVENTURINE SIDs are meant to land in 5000-30000000.
# The uid and gid ranges are identical; local accounts should not use ids inside
# this range, or file ownership becomes ambiguous between local and domain accounts.
# NOTE(review): presumably this only works when winbindd was built with the
# idmap_rid module - verify the build before debugging further.
idmap backend=idmap_rid:AVENTURINE=5000-30000000
idmap uid = 5000-30000000
idmap gid = 5000-30000000
# NOTE(review): this looks like the passdb algorithmic uid-to-RID setting rather
# than an idmap_rid option - confirm it has any effect here.
algorithmic rid base = 5000

# With "use default domain", names without a domain part are treated as
# AVENTURINE accounts, so a domain account can collide with a local account of
# the same name - check for overlaps before relying on this.
winbind separator=+
winbind use default domain=yes
winbind nested groups=yes
winbind enum users=yes
winbind enum groups=yes

use sendfile=yes
printing=cups

# smbd runs these scripts as root, substituting %u / %g with the account and
# group name. Keep the commands fixed and the binaries root-owned.
# usermod -G sets the whole supplementary group list, so each call replaces
# the user's earlier memberships instead of adding one.
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

template homedir = /home/%U
template shell = /bin/bash
template primary group = "Domain Users"
# Debug level 10 is for troubleshooting only: the logs grow quickly and record
# account names and SIDs. Lower it afterwards and keep the log directory
# readable by root only.
log level = 10

#unix password sync=yes

pam password change=yes
# An entry in this file maps a client user name onto another Unix account,
# so the file should be writable by root only.
username map = /etc/samba/smbusers
obey pam restrictions=yes
client use spnego=yes

#ldap idmap suffix = ou=Idmap,dc=office,dc=aventurine,dc=gr

# Per-user home share: writable, and hidden from share listings.
[homes]
comment = Home Directories
read only = No
browseable = No


ares samba # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

# Local accounts (compat) are consulted first, then winbind for domain accounts.
# Domain users only resolve here once winbindd can map their SID to a uid/gid,
# so the wbinfo -S failure has to be fixed before getent will show them.
# NOTE(review): winbind presumably supplies no shadow or hosts data, so the
# "winbind" entries on the shadow and hosts lines likely have no effect - confirm.
passwd:      compat winbind
shadow:      compat winbind
group:       compat winbind

hosts:       files dns winbind
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

ares samba # cat /etc/krb5.conf
# Kerberos client configuration for the OFFICE.AVENTURINE.GR realm as posted;
# prose comments are review notes.
[libdefaults]
# NOTE(review): a bare number is normally read as seconds, which would make this
# a 10-minute ticket lifetime - confirm; the pam appdefault below asks for 36000.
        ticket_lifetime = 600
        default_realm = OFFICE.AVENTURINE.GR
# Only des3-hmac-sha1 and des-cbc-crc are requested for TGTs and service tickets.
# des-cbc-crc is single DES and cryptographically weak; keep it only while the
# KDC and this Kerberos library share nothing stronger.
# NOTE(review): Windows Server 2003 KDCs also support rc4-hmac - check whether
# the installed library can use it.
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        debug = true

# The single KDC for the realm is the domain controller, on the Kerberos port 88.
[realms]
        OFFICE.AVENTURINE.GR = {
        kdc = apollon.office.aventurine.gr:88
        }

# NOTE(review): the section name Kerberos libraries read is [domain_realm]
# (singular); as spelled here the mapping is presumably ignored. The entry also
# covers only hosts below apollon.office.aventurine.gr, not the rest of
# office.aventurine.gr - confirm the intent.
[domain_realms]
        .apollon.office.aventurine.gr = OFFICE.AVENTURINE.GR

# The kdc and admin_server entries configure logging for the KDC and kadmin
# daemons; on a client, presumably only "default" is relevant.
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

# PAM-specific settings: tickets obtained at login are forwardable to other
# hosts and are requested with a 36000 lifetime and renew lifetime.
[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }




