[Samba] Winbind integration with large AD on Solaris 10

Eric Diven eric.diven at edsiohio.com
Fri Oct 5 15:55:18 GMT 2007


I'm having trouble getting Samba working on Solaris 10 with a large
Active Directory (35000 users, 5000 groups).  I've set this up
successfully in the past with winbind enum users = yes and winbind enum
users = yes in the smb.conf file.  Owing to the large number of users in
this application, I need to have these set to no.  Realistically, only a
couple dozen people and 3 groups actually need access to the share, and
it would be a waste of UIDs and a maintenance issue the admin doesn't
want to have to take on to eat up that many UIDs and GIDs for this.

System information:
Solaris 10 on SPARC
Samba 3.0.24 (avoids this issue:
https://bugzilla.samba.org/show_bug.cgi?id=4863, I tested, and this was
still an open issue in 3.0.25b, and the bug this is marked duplicate of
is still showing as reopened)

What works:

The system has been joined onto the domain
wbinfo -a DOM+username%password works consistently
wbinfo -u and -g both work, though sometimes intermittently.  It looks
like it might be timing out?

What else I see:

net idmap dump tdb_file shows no UID/SID mappings.  
getent group/passwd show no AD users or groups
I can't chown a file to a domain user (including the same one I can
authenticate with wbinfo -a)

Zeroth question:  Am I just doing it wrong?  I.e. do I need to manually
add users and groups if I'm not going to enumerate the whole list into
the unix side?  There doesn't seem to be a lot of documentation (at
least not that I've found) about setting up winbind without enumerating
all of the users and groups, so I'm not discounting this possibility.

First question:  If the problem isn't in the zeroth question, is this an
nsswitch/winbind interaction issue?  It looks as though it might be
based on the above symptoms, though I'm suspicious that net idmap dump
doesn't show any mappings, including for users who have authenticated
directly with wbinfo -a.

Second question:  Has anybody had similar problems with Linux?  I'm
going to try setting up Samba identically on a Linux box this afternoon
to see if I can duplicate the problem.

Just to be clear, I can make the authentication work perfectly on a
smaller AD with enum users/groups = yes, and I've duplicated the problem
on the same smaller domain changing nothing in the configuration except
the enum users/groups = no.

Any help on this issue would be much appreciated.

~Eric 

