[Samba] 2003 R2 IDMAP Backend issues

Matthew Oberhansley d_thaiman at yahoo.com
Mon Jun 11 18:08:55 GMT 2007

Hello, I am new to this post.  My current setup is:

2003 R2 with Identity Management installed - I have
statically mapped unique Unix attributes (UID and
GID) to each user.

Multiple CentOS 4.4 servers with Samba 3.0.25a-32

Everything works great: wbinfo -u -g -t, getent passwd

But when I access any shares I get this error message.
[2007/06/11 11:27:35, 1]
  Username DOMAIN\COMPUTER-NAME$ is invalid on this


        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = File Server
        security = ADS
        password server = *.*.98.3
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n
        use kerberos keytab = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        smb ports = 139
        socket options = TCP_NODELAY SO_RCVBUF=8192
        printcap name = cups
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = *.*.98.3
        idmap backend = ad
        template shell = /bin/nologin
        winbind cache time = 3600
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307

        comment = Group Shares
        path = /smb/public
        read only = No

If I take out idmap backend = ad and add the idmap uid
and gid = commands and let winbind map the accounts,
the errors go away, but I want the servers to get
all the UID and GID info from AD. Is this a Kerberos
timing issue?  My DC and Samba servers are separated
by T-1 links that are not heavily used.
