[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can

Noah Dain noahdain at gmail.com
Mon Feb 12 06:17:59 GMT 2007

I have two different systems (on different networks) showing this
behavior.  Both are running Ubuntu Dapper/606.1 LTS with samba version
3.0.22 and windows 2003 sp1 servers (not R2).  AD integration is done
via winbind, with nss using winbind.  At some point in time (which is
unknown to me), the samba server stopped seeing new users, groups,
machines which are added to AD.

I add a new user to AD, say "smbtest".  I then look for the user with
"wbinfo -u", and it shows up.  However, it does not show up with
"getent passwd" (same for groups, "getent group").  If I try to map a
share to a drive letter, it goes something like this:

C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password

System error 1326 has occurred.

Logon failure: unknown user name or bad password.

(The same results occur for existing shares, so it's not from lack of
a home directory)

Of particular interest is log.winbindd-idmap.  Whenever I try to
connect as the user smbtest to their home directory or another share,
this is logged here several times:

[2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid:

"wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
"smbtest" as expected.
"wbinfo -n smbtest" returns that sid.
Other users/sids work.

other stuff I've tried / observed:

"net ads testjoin" looks good.
kerberos looks good.
There are no local accounts within the idmap uid/gid range.
"/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
I've restarted samba and winbindd, and the whole machine went down for
a reboot, but I'm still getting the same behavior.

-- only config files below --

        workgroup = DOMAIN
        realm = DOMAIN
        server string = samba server
        interfaces = eth0
        bind interfaces only = Yes
        security = ADS
        allow trusted domains = No
        obey pam restrictions = Yes
        pam password change = Yes
        log level = 2 winbind:3 passdb:2 auth:2
        log file = /var/log/samba/%m.log
        socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        dns proxy = No
        wins server = DC1
        idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
        idmap uid = 1000-60000
        idmap gid = 1000-60000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = /
        winbind use default domain = Yes
        winbind nested groups = Yes
        hosts allow =, 127.
        hosts deny =

        comment = Home Directory
        path = /home/%U
        read only = No
        create mask = 0640
        directory mask = 0750
        browseable = No

/end smb.conf


passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files dns mdns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

/end nsswitch.conf

Noah Dain
"The beatings will continue, until moral improves" - the Management

More information about the samba mailing list