[Samba] Problems with winbind, idmap and usrmgr.exe

Mike Brady mike.brady at devnull.net.nz
Wed Apr 23 07:45:50 GMT 2008

First of all, apologies for replying to my own query, but I have run out
of things to try and really need to make some progress on this.

I have done a clean install and am now using the configuration file
below for my Samba PDC.  This has made no difference to the issue with
usrmgr.exe.  As before this is Samba 3.0.28a on CentOS 5.1 x86_64 and
nsswitch is configured to use winbind.

        log level = 5
        workgroup = domb
        server string = Samba Server Version %v
        interfaces = lo, eth0
        passdb backend = tdbsam:/etc/samba/passdb.tdb
        username map = /etc/samba/smbusers
        log file = /var/log/samba/%m.log
        max log size = 50

        # Stuff that makes this machine a PDC.
        add user script = /usr/sbin/useradd "%u" -n -g domusers
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false -g machines "%u"
        logon path = \\%L\Profiles\%U
        logon home = \\%L\%U\.profiles
        logon drive = H:
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        wins proxy = Yes
        wins support = Yes

        # Equivalent of old behaviour.
        idmap domains = ALLDOMAINS
        idmap config ALLDOMAINS:default = yes
        idmap config ALLDOMAINS:backend = tdb
        idmap config ALLDOMAINS:range   = 10000 - 50000

        idmap alloc backend = tdb
        idmap alloc config:range = 10000 - 50000

        winbind enum users = yes
        winbind enum groups = Yes
        winbind nested groups = yes
        hosts allow = 127., 192.168.42., 192.168.43.
        cups options = raw

        comment = Home Directories
        read only = No
        browseable = No

        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        browseable = No
        share modes = No
        read only = yes

        path = /var/lib/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700

At this stage I believe there to be a problem with winbind as I have
also tried the following.

Creating a local group with "net -U root%xxxxxxx sam createlocalgroup
local1", which succeeds.

A portion of the output from "net groupmap list verbose" shows:
        SID       : S-1-5-21-2991776595-4262790192-2958925130-1004
        Unix gid  : 10053
        Unix group: local1
        Group type: Local Group
        Comment   :

Testing winbind with the following:
[root@dombpdc ~]# wbinfo -G 10053
[root@dombpdc ~]# wbinfo -s
Could not lookup sid S-1-5-21-2991776595-4262790192-2958925130-1004

Shouldn't both these commands work or am I missing something?   I tried it
both with and without the quotes around the SID.


[root@dombpdc ~]# wbinfo -D .
Name              : DOMB
Alt_Name          :
SID               : S-1-5-21-2991776595-4262790192-2958925130
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : -1

[root@dombpdc ~]# wbinfo -u
Error looking up domain users

[root@dombpdc ~]# wbinfo -g
BUILTIN\server operators
BUILTIN\power users
BUILTIN\print operators
BUILTIN\account operators
BUILTIN\backup operators

These are only the local groups.  Shouldn't this list the domain groups
as well?

[root@dombpdc ~]# wbinfo --getdcname domb
Could not get dc name for domb

Which may well be the root of the problem?

I am happy to supply whichever logs are required, just let me know.


