[Samba] winbind/idmap/AD problem?

Howard Wilkinson howard at cohtech.com
Wed Jul 23 17:22:32 GMT 2008

Steve Rippl wrote:
> Thanks David, yes I have tried all these and nothing seems to be
> working!
> Here's where I'm at... libnss-ldap is working with my AD server, with
> just 'files ldap' in nsswitch.conf a getent passwd returns local users
> and users from AD, but they seem to be treated as local, ie they are
> 'admin' rather than 'wsd\admin'.  So, on a windows client I go to my
> test share as a domain user, in the log I see that it picks up the
> uid/gid from AD, but in the security tab the user is 'Unix User
> \2009test' NOT 'wsd\2009test'.  If I try to add a user through this tab
> they are wsd\username, and then I get 
> [2008/07/23 09:30:45, 0] smbd/posix_acls.c:create_canon_ace_lists(1438)
>   create_canon_ace_lists: unable to map SID
> S-1-5-21-3668144929-636610183-3299198910-1120 to uid or gid.
> in the log file when I hit apply.  I'm also still getting 
> [2008/07/23 09:30:45, 1]
> nsswitch/idmap_ad.c:idmap_ad_unixids_to_sids(294)
>   ADS uninitialized
> in log.winbindd-idmap.
> If I add winbind to the list in nsswitch it makes no difference, if I
> have just 'file winbind' nothing works!  This is all with idmap backend
> = ad, if I set it to tdb winbind does work correctly.
> What do I have to do to configure idmap backend = ad correctly????  I've
> now compiled 3.0.31 with --with-shared-modules=idmap_ad, I've tried
> winbind nss info = sfu and leaving it out.  Some people said use rfc2307
> even though they claimed to be using SFU not R2, tried that and it
> didn't make any difference (I'm using SFU 3.5).  David's references seem
> to be using ldap to store idmap info rather than getting uid/gid info
> from ad.   
> Has someone out there got this working?  The Samba-3 Howto for this says
> to just use 'files ldap' in nsswitch, but to reiterate, if I do that I'm
> not getting connected users recognised as domain user?!!
Have you put POSIX attributes onto the users in the Active Directory?

        idmap backend = ad:ldap://domain.fqdn
        winbind nss info = rfc2307

Should work. You also need
        use kerberos keytab = yes
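The first question above (are the RFC2307 POSIX attributes actually set on the AD user objects?) is worth settling before changing any idmap settings, since idmap_ad reads uidNumber/gidNumber straight from the directory. This is an added shell example, not code from either poster: it pipes ldapsearch LDIF output through awk and lists user objects that lack uidNumber or gidNumber. The DC address and base DN in the usage comment are placeholders, and the LDIF sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: find AD users that idmap_ad cannot map because they carry
# no uidNumber/gidNumber. Live use (placeholders for host and base DN):
#   ldapsearch -LLL -H ldap://dc.domain.fqdn -Y GSSAPI \
#       -b 'CN=Users,DC=domain,DC=fqdn' '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber | check_posix_attrs

# check_posix_attrs: read LDIF on stdin and print one line per user entry
# missing uidNumber or gidNumber, as "<sAMAccountName> missing <attrs>".
# Entries without sAMAccountName (search references etc.) are skipped;
# LDIF continuation lines are not needed for these short attributes.
check_posix_attrs() {
    awk '
    function report() {
        if (dn != "" && sam != "") {
            miss = ""
            if (!("uidNumber" in have)) miss = miss " uidNumber"
            if (!("gidNumber" in have)) miss = miss " gidNumber"
            if (miss != "") print sam " missing" miss
        }
        dn = ""; sam = ""; split("", have)   # reset per-entry state
    }
    /^dn: /             { report(); dn = substr($0, 5); next }
    /^sAMAccountName: / { sam = $2; next }
    /^uidNumber: /      { have["uidNumber"] = 1; next }
    /^gidNumber: /      { have["gidNumber"] = 1; next }
    /^$/                { report() }
    END                 { report() }
    '
}

# Constructed sample: one fully mapped user, one with no POSIX attributes,
# one with only a uidNumber (a common half-finished SFU/RFC2307 setup).
SAMPLE_LDIF='dn: CN=2009test,CN=Users,DC=wsd,DC=example
sAMAccountName: 2009test
uidNumber: 10001
gidNumber: 10000

dn: CN=admin,CN=Users,DC=wsd,DC=example
sAMAccountName: admin

dn: CN=svc,CN=Users,DC=wsd,DC=example
sAMAccountName: svc
uidNumber: 10002
'

printf '%s\n' "$SAMPLE_LDIF" | check_posix_attrs
```

Any user printed here will show up in smbd as "Unix User\name" or trigger "unable to map SID" on ACL changes until the attributes are populated.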
