[Samba] winbind/idmap/AD problem?

David Molina Cuevas damocue at gmail.com
Sat Jul 19 15:13:01 GMT 2008


Have you tried adding "winbind" to the nsswitch.conf file for the passwd,
group and shadow fields?

So, if you have SFU on your DC, you don't need winbind to authenticate
users; you can configure the system for an LDAP binding.
Read the PDFs on this website; the last 2 are very interesting for your problem:
http://www.interopsystems.com/learning.htm

They work with 2003 R2 and Fedora, but it's the same, because the R2 version
has SFU integrated.

And by the way, some time ago I tried to make an LDAP binding with Ubuntu
7.10, but it didn't work. Maybe with Hardy it's different.

Good luck!
David Molina

On Fri, Jul 18, 2008 at 8:11 PM, Steve Rippl <rippls at woodlandschools.org>
wrote:

> Hi,
>
> I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got security =
> ads and idmap backend = ad (smb.conf is posted below). I'm using
> libnss-ldap and have ldap in nsswitch.conf (also posted below) and ldap
> connected to the AD server.  I have the drive mounted using acl and
> xattr_user options in fstab (acl is installed).  I can connect to the
> share, I see in the logs that it's picking up the uid and gid from SFU
> in AD, however, when I go into the explorer security tab (on the client)
> and try to add a user it fails.  I don't get an error message within
> windows (the user adding another user is the owner of the file/folder),
> the user just disappears from the list as it refreshes!  On the server
> I'm seeing a lot of this in log.winbindd-idmap
>
> [2008/07/18 09:32:59, 1]
> nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>  ADS uninitialized
>
> Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
> get a long SID number, if I do wbinfo -s [same SID number] I get
> wsd\rippls.  However, if I do wbinfo -U [uid for same user] I get a
> different SID from before!
>
> I'm trying very hard this summer to make this work so I can retire our
> MS file server, so any help would be appreciated.  I tried this
> initially in Etch, but that version wasn't handling the connection to
> AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
>
> Thanks!
>
>
> ====smb.conf=====
>
> [global]
>
>   workgroup = WSD
>   realm = woodland.wednet.edu
>   server string = %h server
>
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog = 0
>
>   panic action = /usr/share/samba/panic-action %d
>
>   security = ads
>   encrypt passwords = true
>   passdb backend = tdbsam
>   obey pam restrictions = yes
>   invalid users = root
>
>   socket options = TCP_NODELAY
>
>   idmap backend = ad
>   winbind nss info = sfu
>   winbind nested groups = yes
>   winbind use default domain = yes
>
>
> [Student]
>   path = /srv/Student
>   read only = no
>   store dos attributes = yes
>   nt acl support = yes
>   map acl inherit = yes
>   inherit acls = yes
>   acl map full control = yes
>   dos filemode = yes
>
>
> =====nsswitch.conf=====
>
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>

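The round trip described in the quoted message (wbinfo -n for the name, then wbinfo -U on the uid, which returned a different SID) can be scripted so both mapping directions are compared in one pass. This is an added example, not part of the original thread; the WBINFO override variable and the uid 10001 in the usage comment are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. WBINFO is an assumption that lets the
# check run against a stub; by default the real wbinfo binary is used.
WBINFO=${WBINFO:-wbinfo}

# check_idmap NAME UID
#   NAME: account as wbinfo expects it (e.g. DOMAIN\user)
#   UID:  the Unix uid that NSS reports for that account (e.g. from `id -u`)
# Returns 0 when name -> SID -> uid and uid -> SID agree,
# 1 on a mismatch, 2 when a lookup returns nothing.
check_idmap() {
    name=$1
    want_uid=$2
    # wbinfo -n prints "<SID> <type>"; keep only the SID.
    sid=$($WBINFO -n "$name" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$sid" ] || { printf 'name-to-SID lookup failed for %s\n' "$name"; return 2; }

    # Forward mapping: SID -> uid.
    got_uid=$($WBINFO -S "$sid" 2>/dev/null | awk 'NR==1 {print $1}')
    # Reverse mapping: uid -> SID (idmap_ad_unixids_to_sids, the function
    # named in the "ADS uninitialized" log line in the thread).
    back_sid=$($WBINFO -U "$want_uid" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$got_uid" ] && [ -n "$back_sid" ] ||
        { printf 'idmap lookup failed for %s / uid %s\n' "$sid" "$want_uid"; return 2; }

    printf 'name=%s sid=%s uid(sid)=%s sid(uid)=%s\n' "$name" "$sid" "$got_uid" "$back_sid"
    if [ "$got_uid" != "$want_uid" ]; then
        printf 'MISMATCH: SID maps to uid %s, NSS reports %s\n' "$got_uid" "$want_uid"
        return 1
    fi
    if [ "$back_sid" != "$sid" ]; then
        printf 'MISMATCH: uid %s maps back to %s, not %s\n' "$want_uid" "$back_sid" "$sid"
        return 1
    fi
    printf 'OK: mapping is consistent in both directions\n'
}

# Run only when invoked with arguments, e.g. (constructed uid):
#   ./check_idmap.sh 'WSD\rippls' 10001
if [ "$#" -eq 2 ]; then check_idmap "$1" "$2"; fi
```
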
