[Samba] Samba PDC, LDAP, IDMAP backend not working

Regis Niggemann regisn at techheads.com
Fri Dec 26 20:35:53 GMT 2008

Please help.  I've been searching for days, trying nearly everything I can find that seems relevant, but I can't get this working.

I am able to create users, login to Windows systems joined to the SAMBA domain as those users, but filesystem ACLs on Windows Domain Member Servers do not work which I suspect is due to my IDMAP OU is empty.

wbinfo -u returns "Error looking up domain users"

wbinfo -g returns:

wbinfo -t returns "checking the trust secret via RPC calls succeeded"

getent passwd
getent group

list all my local and domain users and groups respectively.

When running wbinfo -u my log.winbindd shows:
[2008/12/26 12:24:52, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn SID_TO_GID
[2008/12/26 12:24:52, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
  [23999]: sid to gid S-1-5-32-546
[2008/12/26 12:24:52, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(673)
[2008/12/26 12:24:52, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(676)
  calling find_domain_from_sid
[2008/12/26 12:24:52, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
  Retrieving response for pid 23794
[2008/12/26 12:24:52, 5] nsswitch/winbindd_async.c:lookupsid_recv(706)
  lookupsid returned an error
[2008/12/26 12:24:52, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274)
  sid2gid_lookupsid_recv: Could not convert get sid type for S-1-5-32-546
[2008/12/26 12:24:52, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PING
[2008/12/26 12:24:52, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [23999]: ping

smbldap-tools seem to function correctly
net commands seem to function correctly.

Any idea where the problem might be?

Thank you!

Ubuntu 8.04 LTS
Samba 3.0.28a
OpenLDAP 2.4.9

        unix charset = LOCALE
        workgroup = VOICECURVE
        server string = %h server (Samba, Ubuntu)
        map to guest = Bad User
        passdb backend = ldapsam
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        log level = 3 passdb:5 auth:10 winbind:10
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        time server = Yes
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p -a "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon path = 
        domain logons = Yes
        os level = 35
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=admin,dc=voicecurve,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=voicecurve,dc=com
        ldap user suffix = ou=Users
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap domains = VOICECURVE
        idmap alloc backend = ldap
        winbind separator = /
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap alloc config:range = 10000 - 10000000
        idmap alloc config:ldap_url = ldap://localhost/
        idmap alloc config:ldap_user_dn = cn=admin,dc=voicecurve,dc=com
        idmap alloc config:ldap_base_dn = ou=idmap,dc=voicecurve,dc=com
        idmap config VOICECURVE:range = 10000 - 10000000
        idmap config VOICECURVE:ldap_url = ldap://localhost/
        idmap config VOICECURVE:ldap_user_dn = cn=admin,dc=voicecurve,dc=com
        idmap config VOICECURVE:ldap_base_dn = ou=idmap,dc=voicecurve,dc=com
        idmap config VOICECURVE:backend = ldap
        idmap config VOICECURVE:default = yes
        ldapsam:editposix = yes
        ldapsam:trusted = yes

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

More information about the samba mailing list