[Samba] winbind nss info = sfu is not so much working

Jonathan C. Detert detertj at msoe.edu
Thu Apr 27 16:56:30 GMT 2006


* Jonathan C. Detert <detertj at msoe.edu> [060427 11:39]:
> with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
> by using winbind for authentication as well as for the source of nss info.
> 
> When winbind is configured to use its own local id maps, everything
> works fine.
> 
> But when I configure winbind to use 'ad' as the source of nss info,
> authentication fails, 'getent' commands return no results, and
> 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
> correctly).

A couple of notes to add:

a) the AD box I'm using is running Win2k3 with SFU schema extensions applied.

b) 'wbinfo -n detertj' returns the correct sid, regardless of whether
    idmap backend is set to ad or not.

   'wbinfo -S detertjsid' fails to convert the sid to a uid when idmap
   backend is set to ad, but succeeds when idmap backend is NOT set.

c) the 'detertj' account does have the appropriate msad attributes, as
   can be seen here:
   ldapsearch -x -LLL -s sub -H ldap://xxxxxx.msoe.edu -D 'cn=ldap,ou=ccsd,ou=people,dc=msoe,dc=edu' -w 'xxxxxxxx' -b'ou=people,dc=msoe,dc=edu' "samaccountname=detertj" msSFU30UidNumber msSFU30GidNumber msSFU30HomeDirectory msSFU30LoginShell
   dn: CN=detertj,OU=Administration,OU=People,DC=msoe,DC=edu
   msSFU30UidNumber: 20225
   msSFU30GidNumber: 21795
   msSFU30LoginShell: /bin/bash
   msSFU30HomeDirectory: /home/staff/detertj
 
> I am guessing that either there is something wrong or lacking in my config,
> or that some kind of caching is messing me up.
> 
> Here is my pertinent smb.conf stuff when winbind is configed to use
> local id maps:
> --------------
>    winbind enum groups = yes
>    winbind enum users = yes
>    winbind separator = +
>    winbind nested groups = yes
>    winbind use default domain = yes
> 
>    idmap gid = 10000-55000
>    idmap uid = 10000-55000
> 
>    template homedir = /home/%D/%U
>    template shell = /bin/bash
> 
> And here is how smb.conf looks when winbind is configed to use AD for
> nss:
> --------------
>    winbind enum groups = yes
>    winbind enum users = yes
>    winbind separator = +
>    winbind nested groups = yes
>    winbind nss info = sfu
>    winbind use default domain = yes
> 
>    idmap backend = ad
> 
> Can you see anything wrong/lacking in my config?  Btw, I have also tried
> setting idmap backend to 'idmap_ad' as the smb.conf man page has it, but
> either way, as 'ad' or as 'idmap_ad', I get the same result. 
> 
> As to cache possibly messing me up, I do the following when switching
> from local tdb maps to using ad as the map:
> --------------
>    /etc/init.d/winbind stop; /etc/init.d/samba stop
>    cat /dev/null > /var/cache/samba/winbindd_cache.tdb
>    mv /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/winbindd_idmap.tdb.orig
>    /etc/init.d/samba start; /etc/init.d/winbind start
> Is there something else to consider re. caching?
> 
> Thanks
> -- 
> Happy Landings,
> 
> Jon Detert
> IT Systems Administrator, Milwaukee School of Engineering
> 1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.

-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
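
Added example, not part of the original post and not Samba's own code: a shell check that automates the comparison the poster makes by hand, matching the msSFU30* values from the ldapsearch output against the passwd entry that NSS returns for the same account. The function names and the two passwd lines are constructed for illustration; the LDIF values are the ones shown in the post.

```bash
#!/bin/bash
# Added example: compare the SFU attributes in an ldapsearch LDIF dump with
# the passwd entry NSS returns for the same account.

# Print the value(s) of one attribute from LDIF on stdin. Folded lines
# (continuations start with one space) are joined first.
ldif_attr() {
    awk -v want="$1" '
        function emit(l,   i) {
            i = index(l, ": ")
            if (i && tolower(substr(l, 1, i - 1)) == tolower(want))
                print substr(l, i + 2)
        }
        /^ / { line = line substr($0, 2); next }
        { if (line != "") emit(line); line = $0 }
        END { if (line != "") emit(line) }'
}

# $1 = LDIF text, $2 = passwd line (live: "$(getent passwd detertj)").
# Prints each mismatch; returns 0 = all match, 1 = mismatch, 2 = no entry.
check_sfu_mapping() {
    local ldif entry pair attr field want got bad
    ldif=$1; entry=$2; bad=0
    if [ -z "$entry" ]; then
        echo "no passwd entry returned by NSS"
        return 2
    fi
    for pair in msSFU30UidNumber:3 msSFU30GidNumber:4 \
                msSFU30HomeDirectory:6 msSFU30LoginShell:7; do
        attr=${pair%%:*}; field=${pair##*:}
        want=$(printf '%s\n' "$ldif" | ldif_attr "$attr")
        got=$(printf '%s\n' "$entry" | cut -d: -f"$field")
        if [ "$want" != "$got" ]; then
            echo "$attr: directory='$want' nss='$got'"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# LDIF values as shown in the post; both passwd lines are constructed.
SAMPLE_LDIF='dn: CN=detertj,OU=Administration,OU=People,DC=msoe,DC=edu
msSFU30UidNumber: 20225
msSFU30GidNumber: 21795
msSFU30LoginShell: /bin/bash
msSFU30HomeDirectory: /home/staff/detertj'
LOCAL_MAP_ENTRY='detertj:*:10001:10000::/home/EXAMPLE/detertj:/bin/bash'
AD_MAP_ENTRY='detertj:*:20225:21795::/home/staff/detertj:/bin/bash'
check_sfu_mapping "$SAMPLE_LDIF" "$LOCAL_MAP_ENTRY" || echo "status: $?"
```

A status of 2 corresponds to the symptom described in the post, where getent returns nothing at all; a status of 1 means NSS is answering but from a different id source than the directory attributes.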

