[Samba] idmap_ad and multiple domains

Christian McHugh christian.mchugh at nau.edu
Tue Feb 19 14:42:12 GMT 2008


Has anyone else gotten samba functioning with idmap_ad and multiple domains? 
In our environment we have a domain with two child domains. There is one child 
domain for students, and another for faculty staff. Our servers are joined to 
the student domain, but need to be able to enumerate users in the staff domain.

When attempting to look up a user (wbinfo -i 'NAU\car3') that only exists in 
the staff domain, I see this in the log.winbindd-idmap:

[2008/02/19 07:34:25, 4] nsswitch/winbindd_dual.c:fork_domain_child(1054)
   child daemon request 48
[2008/02/19 07:34:25, 10] nsswitch/winbindd_dual.c:child_process_request(479)
   process_request: request fn DUAL_SID2UID
[2008/02/19 07:34:25, 3] nsswitch/winbindd_async.c:winbindd_dual_sid2uid(374)
   [ 8151]: sid to uid S-1-5-21-20713206-1263413069-421607344-5886
[2008/02/19 07:34:25, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(105)
   idmap_sid_to_uid: sid = [S-1-5-21-20713206-1263413069-421607344-5886]
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1115)
   Query backends to map sids->ids
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1140)
   SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by 
NAU-STUDENTS
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1161)
   Query ids from domain NAU-STUDENTS
[2008/02/19 07:34:25, 7] 
nsswitch/idmap_ad.c:ad_idmap_cached_connection_internal(77)
   Current tickets expire in 35983 seconds (at 1203467648, time is now 1203431665)
[2008/02/19 07:34:25, 10] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(543)
   Filter: 
[(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00)))]
[2008/02/19 07:34:25, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64)
   Search for 
(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00))) 
in <dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU> gave 0 replies
[2008/02/19 07:34:25, 10] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(553)
   No IDs found
[2008/02/19 07:34:25, 10] nsswitch/idmap.c:idmap_can_map(918)
   idmap backend for SID S-1-5-21-20713206-1263413069-421607344-5886 is READONLY!
[2008/02/19 07:34:25, 10] nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
   Adding cache entry with key = 
IDMAP/SID/S-1-5-21-20713206-1263413069-421607344-5886; value = 
1203431785/IDMAP/NEGATIVE and timeout = Tue Feb 19 07:36:25 2008
    (120 seconds ahead)
[2008/02/19 07:34:25, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
   sid [S-1-5-21-20713206-1263413069-421607344-5886] not mapped to an uid [2,1,0]
[2008/02/19 07:34:25, 10] nsswitch/winbindd_cache.c:cache_store_response(2260)
   Storing response for pid 8153, len 3240
[2008/02/19 07:34:25, 10] lib/events.c:get_timed_events_timeout(295)
   timed_events_timeout: 277/780278
[2008/02/19 07:39:02, 10] lib/events.c:run_events(240)
   Running event "async_request_timeout" 2c6fd0
[2008/02/19 07:39:02, 0] 
nsswitch/winbindd_dual.c:async_request_timeout_handler(181)
   async_request_timeout_handler: child pid 8152 is not responding. Closing 
connection to it.
[2008/02/19 07:39:02, 10] lib/events.c:timed_event_destructor(66)
   Destroying timed event 2c6fd0 "async_request_timeout"
[2008/02/19 07:39:02, 5] nsswitch/winbindd_dual.c:async_reply_recv(263)
   Could not receive async reply from child pid 8152
[2008/02/19 07:39:02, 5] nsswitch/winbindd_util.c:init_child_recv(425)
   Received child initialization response for domain NAU-STUDENTS
[2008/02/19 07:39:02, 3] nsswitch/winbindd_util.c:init_child_recv(428)
   Could not init child
[2008/02/19 07:39:02, 5] nsswitch/winbindd_dual.c:domain_init_recv(402)
   Domain init returned an error
[2008/02/19 07:39:02, 1] nsswitch/winbindd_util.c:trustdom_recv(235)
   Could not receive trustdoms


log.winbindd prints out:

[2008/02/19 07:34:25, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
   Retrieving response for pid 8153
[2008/02/19 07:34:25, 5] nsswitch/winbindd_async.c:winbindd_sid2uid_recv(347)
   sid2uid returned an error
[2008/02/19 07:34:25, 5] nsswitch/winbindd_user.c:getpwsid_sid2uid_recv(266)
   Could not query uid for user NAU\car3



Both the student and faculty domains have the rfc2307 attributes set, so I am 
unsure as to why I am only able to look up users in the NAU-STUDENTS domain and 
not the NAU domain.

Any thoughts?

Thanks,
Christian
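
Added example (not part of the original post, and not Samba code): a small Python helper that decodes the escaped binary objectSid from the idmap_ad filter and correlates it with the routing record, showing which idmap domain and LDAP search base the lookup actually used. The sample log is constructed by condensing two records from the excerpt above (wrapped lines re-joined, filter reduced to its objectSid clause); the function names are hypothetical.

```python
import re
import struct

# Constructed sample: two records condensed from the log excerpt above
# (wrapped lines re-joined; filter reduced to its objectSid clause).
SAMPLE_LOG = r"""
   SID S-1-5-21-20713206-1263413069-421607344-5886 is being handled by NAU-STUDENTS
   Search for (|(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\F6\0E\3C\01\4D\27\4E\4B\B0\37\21\19\FE\16\00\00)) in <dc=STUDENTS,dc=FROOT,dc=NAU,dc=EDU> gave 0 replies
"""

def decode_object_sid(escaped):
    """Turn an LDAP-escaped binary objectSid (\\01\\05...) into S-1-... form."""
    raw = bytes.fromhex(escaped.replace("\\", ""))
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def summarize(log_text):
    """Correlate the idmap routing decision with the LDAP search that followed."""
    routed = re.search(r"SID (S-[\d-]+) is being handled by\s+(\S+)", log_text)
    search = re.search(
        r"objectSid=((?:\\[0-9A-Fa-f]{2})+)\)+\s+in <([^>]+)> gave (\d+) replies",
        log_text)
    if not routed or not search:
        raise ValueError("expected log records not found")
    sid = decode_object_sid(search.group(1))
    domain_sid, rid = sid.rsplit("-", 1)
    return {
        "routed_sid": routed.group(1),       # SID as printed by idmap.c
        "idmap_domain": routed.group(2),     # backend that claimed the SID
        "searched_sid": sid,                 # SID decoded from the LDAP filter
        "domain_sid": domain_sid,            # SID without the trailing RID
        "rid": int(rid),
        "search_base": search.group(2),      # naming context that was queried
        "replies": int(search.group(3)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print("%-13s %s" % (key, value))
```

Comparing `domain_sid` against the domain SID of each trusted domain shows which domain a SID belongs to, independent of which backend the log says handled it.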

