[Samba] winbind/idmap/AD problem?

Steve Rippl rippls at woodlandschools.org
Wed Jul 23 17:02:56 GMT 2008


Thanks David, yes I have tried all these and nothing seems to be
working!

Here's where I'm at... libnss-ldap is working with my AD server, with
just 'files ldap' in nsswitch.conf a getent passwd returns local users
and users from AD, but they seem to be treated as local, i.e. they are
'admin' rather than 'wsd\admin'.  So, on a windows client I go to my
test share as a domain user, in the log I see that it picks up the
uid/gid from AD, but in the security tab the user is 'Unix User
\2009test' NOT 'wsd\2009test'.  If I try to add a user through this tab
they are wsd\username, and then I get 

[2008/07/23 09:30:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
  create_canon_ace_lists: unable to map SID
S-1-5-21-3668144929-636610183-3299198910-1120 to uid or gid.

in the log file when I hit apply.  I'm also still getting 

[2008/07/23 09:30:45, 1]
nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
  ADS uninitialized

in log.winbindd-idmap.

If I add winbind to the list in nsswitch it makes no difference, if I
have just 'files winbind' nothing works!  This is all with idmap backend
= ad, if I set it to tdb winbind does work correctly.

What do I have to do to configure idmap backend = ad correctly????  I've
now compiled 3.0.31 with --with-shared-modules=idmap_ad, I've tried
winbind nss info = sfu and leaving it out.  Some people said use rfc2307
even though they claimed to be using SFU not R2, tried that and it
didn't make any difference (I'm using SFU 3.5).  David's references seem
to be using ldap to store idmap info rather than getting uid/gid info
from ad.

Has someone out there got this working?  The Samba-3 Howto for this says
to just use 'files ldap' in nsswitch, but to reiterate, if I do that I'm
not getting connected users recognised as domain users?!!




> 
> Have you tried to add "winbind" at the file nsswitch.conf for the
> fields passwd, group and shadow?
> 
> So, if you have SFU at your DC, you don't need winbind to authenticate
> users, you can configure the system for a LDAP binding.
> Read the PDFs of this web, the last 2 are very interesting for your
> problem:
> http://www.interopsystems.com/learning.htm
> 
> They work with 2003 R2 and Fedora, but it's the same, because the R2
> version has the SFU integrated.
> 
> And by the way, some time ago I tried to make a LDAP binding with an
> Ubuntu 7.10, but it didn't work. Maybe with Hardy it's different.
> 
> Luck!
> David Molina
> 
> 
> On Fri, 2008-07-18 at 11:11 -0700, Steve Rippl wrote:
> > Hi,
> >
> > I'm running 3.0.28a on Ubuntu 8.04 (their package).  I've got
> > security = ads and idmap backend = ad (smb.conf is posted below). I'm
> > using libnss-ldap and have ldap in nsswitch.conf (also posted below)
> > and ldap connected to the AD server.  I have the drive mounted using
> > acl and xattr_user options in fstab (acl is installed).  I can connect
> > to the share, I see in the logs that it's picking up the uid and gid
> > from SFU in AD, however, when I go into the explorer security tab (on
> > the client) and try to add a user it fails.  I don't get an error
> > message within windows (the user adding another user is the owner of
> > the file/folder), the user just disappears from the list as it
> > refreshes!  On the server I'm seeing a lot of this in
> > log.winbindd-idmap
> >
> > [2008/07/18 09:32:59, 1]
> > nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
> >   ADS uninitialized
> >
> > Now I don't know if this is related, but if I wbinfo -n wsd\\rippls I
> > get a long SID number, if I do wbinfo -s [same SID number] I get
> > wsd\rippls.  However, if I do wbinfo -U [uid for same user] I get a
> > different SID from before!
> >
> > I'm trying very hard this summer to make this work so I can retire
> > our MS file server, so any help would be appreciated.  I tried this
> > initially in Etch, but that version wasn't handling the connection to
> > AD for nss and winbind very well at all, hence I'm trying in Ubuntu.
> >
> > Thanks!
> >
> >
> > ====smb.conf=====
> >
> > [global]
> >
> >    workgroup = WSD
> >    realm = woodland.wednet.edu
> >    server string = %h server
> >
> >    log file = /var/log/samba/log.%m
> >    max log size = 1000
> >    syslog = 0
> >
> >    panic action = /usr/share/samba/panic-action %d
> >
> >    security = ads
> >    encrypt passwords = true
> >    passdb backend = tdbsam
> >    obey pam restrictions = yes
> >    invalid users = root
> >
> >    socket options = TCP_NODELAY
> >
> >    idmap backend = ad
> >    winbind nss info = sfu
> >    winbind nested groups = yes
> >    winbind use default domain = yes
> >
> >
> > [Student]
> >    path = /srv/Student
> >    read only = no
> >    store dos attributes = yes
> >    nt acl support = yes
> >    map acl inherit = yes
> >    inherit acls = yes
> >    acl map full control = yes
> >    dos filemode = yes
> >
> >
> > =====nsswitch.conf=====
> >
> > passwd:         files ldap
> > group:          files ldap
> > shadow:         files ldap
> >
> > hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis
> >
> 
> 
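
The thread turns on whether the smb.conf and nsswitch.conf pair actually lets winbind supply the SID-to-uid/gid mapping that smbd needs for the security tab. The following script is an added example, not code from the thread or from Samba: it parses the two files as posted above (copied inline as constructed input) and reports the points David and Steve argue about, namely winbind missing from passwd/group in nsswitch.conf and whether winbind nss info names the SFU/RFC2307 schema. The finding codes are invented for this example and are not Samba diagnostics. The idmap uid / idmap gid range check is an assumption that goes beyond the thread: idmap_ad(8) configures a uid/gid range alongside the backend and treats it as a filter on the ids read from AD, so the script flags those parameters when absent; confirm against the man page of the Samba version in use.

```python
"""Offline check of a smb.conf / nsswitch.conf pair for the winbind +
idmap backend = ad prerequisites discussed in the thread.

Hypothetical example code: it is not part of Samba, never talks to
winbindd or AD, and only parses text. Finding codes are constructed.
"""
import re

# Constructed copies of the two files as posted earlier in the thread
# (reduced to the parameters the checks below look at).
SMB_CONF = """\
[global]
   workgroup = WSD
   realm = woodland.wednet.edu
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   idmap backend = ad
   winbind nss info = sfu
   winbind nested groups = yes
   winbind use default domain = yes

[Student]
   path = /srv/Student
   read only = no
   nt acl support = yes
"""

NSSWITCH_CONF = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Parameter names are lower-cased
    with internal whitespace collapsed, matching how Samba compares them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Return {database: [source, ...]}. Action tokens such as
    [NOTFOUND=return] stay in the list but never equal a source name."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


def check_idmap_ad(smb_conf_text, nsswitch_text):
    """Return a list of (code, detail) findings; codes are this example's own."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    nss = parse_nsswitch(nsswitch_text)
    findings = []

    # Only the ad backend is examined; tdb (which the thread says works) is not.
    if g.get("idmap backend", "").lower().split(":")[0] != "ad":
        return findings

    # 1. David's first question: libc lookups (getent, getpwnam) only reach
    #    winbind if it is listed for the passwd and group databases.
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(("nss-missing-winbind", db))

    # 2. winbind nss info = sfu / rfc2307 makes winbind take home directory
    #    and shell from the SFU or RFC2307 attributes; anything else is
    #    reported so the reader sees which variant is in effect.
    nss_info = g.get("winbind nss info", "").lower()
    if nss_info not in ("sfu", "rfc2307"):
        findings.append(("nss-info-not-sfu-or-rfc2307", nss_info or "(unset)"))

    # 3. Assumption beyond the thread: idmap_ad(8) pairs the backend with a
    #    uid/gid range used as a filter on ids read from AD, so flag absence.
    for param in ("idmap uid", "idmap gid"):
        if param not in g:
            findings.append(("idmap-range-missing", param))

    # 4. Informational: this option strips the WSD\ prefix from names winbind
    #    returns, which matters when comparing getent output by eye.
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        findings.append(("default-domain-strips-prefix", "winbind use default domain"))

    return findings


if __name__ == "__main__":
    for code, detail in check_idmap_ad(SMB_CONF, NSSWITCH_CONF):
        print(f"{code:32} {detail}")
```

Run against the posted files it reports winbind missing from passwd and group, both idmap range parameters absent, and the default-domain note; with 'files winbind' in nsswitch.conf and the two ranges added under [global] only the informational note remains. The 'Unix User\2009test' shown in the security tab is the name smbd gives a uid it could not map to a domain SID (the S-1-22-1 pseudo-domain), which is why the checks concentrate on what winbind needs in order to supply that mapping.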

