[Samba] Winbind problem with more details.

Trimble, Ronald D Ronald.Trimble at unisys.com
Fri Feb 15 18:26:10 GMT 2008

That is a lot of good information... let me give it a shot on a test system to see what happens.

-----Original Message-----
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Friday, February 15, 2008 12:06 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
> Here you go...

I forgot to ask which version of samba you're now running, but
assuming it is something around '3.0.25', then here is my
suggested config. If it is an earlier version let me know.

> [global]
>         workgroup = NA
>         realm = NA.UIS.UNISYS.COM
>         netbios name = ustr-linux-1
>         server string = USTR-LINUX-1 Samba Server
>         encrypt passwords = yes
>         security = ADS
>         password server = 192.xx.xxx.xxx

I believe for an AD domain, if you set the password server
equal to the local domain name it will round-robin query
the closest domain controller. Test it out, it will eliminate
the single point of failure if it works in your environment.

>         passdb backend = smbpasswd

I tend to use tdb for my passwd backend, especially if the number
of users is large, tdb can speed lookups tremendously.

>         log level = 2 winbind:10 ads:10 auth:10
>         syslog = 0
>         log file = /var/log/samba/%m.log
> #       debug level = 10
>         max log size = 5000
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I see no idmap entries here, and don't understand how winbind
is working at all without them, maybe some old compatibility feature...

I suggest, and of course I don't know your full topology, so it
will most definitely need adjusting:

          idmap domains = default NA
          idmap config default:default = yes
          idmap config NA:backend = rid
          idmap config NA:range = 16777216 - 33554431

Is that id range valid? I have never used anything over 999999, it
seems very oddly arbitrary, but I suppose you have a reason...

Normally I allocate a 100000 id range per domain, so NA would have
range 100000 - 199999, domain NA2 would have 200000 - 299999 and
so on, makes it easier to determine the RID if the base of the
range is on a power of ten and if you have multiple domains.

          idmap alloc backend = tdb
          idmap uid = 90000 - 99999
          idmap gid = 90000 - 99999

This section here is for local mappings, BUILTINs and such, I
set it as the default, but I'm sure other people will have
their preferences or recommendations.

>         winbind use default domain = no
>         winbind enum users = no
>         winbind enum groups = no
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         admin users = root, NA\TRIMBLRD, +"NA\EPS Admin"
>         nt acl support = yes
>         map acl inherit = yes

Notice I removed these lines:
>         winbind uid = 16777216-33554431
>         winbind gid = 16777216-33554431

This is old deprecated syntax, the syntax is now 'idmap uid',
and it applies to id domains not explicitly configured with
the 'id config' directive.


Let me know if that helps.
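
An added example, not part of the original thread: a small check over the idmap settings discussed above that flags the old 'winbind uid/gid' parameters, reports ranges that intersect (where two identities could end up with the same Unix id), and shows the rid backend arithmetic. It assumes the rid backend computes id = RID - base_rid + low with base_rid 0; the sample config is constructed from the lines in the message and RID 1105 is a made-up value.

```python
import re

# Constructed sample: the idmap lines suggested in the message, plus the two
# old 'winbind uid/gid' lines it says were removed.
SAMPLE = """\
[global]
    idmap config NA:backend = rid
    idmap config NA:range = 16777216 - 33554431
    idmap uid = 90000 - 99999
    idmap gid = 90000 - 99999
    winbind uid = 16777216-33554431
    winbind gid = 16777216-33554431
"""
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_ranges(text):
    """Return ({parameter: (low, high)}, [old-style parameters seen])."""
    ranges, old = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())
        m = RANGE.match(value)
        if not m:
            continue
        if key.lower() in ("winbind uid", "winbind gid"):
            old.append(key.lower())
        elif key.lower() in ("idmap uid", "idmap gid") or key.lower().endswith(":range"):
            ranges[key] = (int(m.group(1)), int(m.group(2)))
    return ranges, old

def overlaps(ranges):
    """Pairs of ranges that intersect, so two identities could share one id."""
    names, found = sorted(ranges), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if {a.lower(), b.lower()} == {"idmap uid", "idmap gid"}:
                continue  # uids and gids are separate number spaces
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                found.append((a, b))
    return found

def rid_to_id(rid, low, high, base_rid=0):
    """Assumed rid arithmetic: id = rid - base_rid + low; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    ranges, old = parse_ranges(SAMPLE)
    print(ranges, old, overlaps(ranges), rid_to_id(1105, *ranges["idmap config NA:range"]))
```

With a 100000-wide range such as 100000 - 199999, any RID of 100000 or more falls outside the range and gets no mapping, which is worth checking against the highest RID in the domain before choosing the range size.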

