[Samba] winbind/idmap/AD problem?

Howard Wilkinson howard at cohtech.com
Thu Jul 24 08:32:35 GMT 2008

Steve Rippl wrote:
> On Wed, 2008-07-23 at 10:22 -0700, Howard Wilkinson wrote:
>> Have you put POSIX attributes onto the users in the active directory?
>>         idmap backend = ad:ldap://domain.fqdn
>>         winbind nss info = rfc2307
>> Should work. You also need
>>         use kerberos keytab = yes
>> Howard.
> Yep, I've got posix attributes for users in AD.  I added the keytab (net
> ads keytab create -P) and changed smb.conf to reflect the lines you have
> above (with my actual fqdn for the AD server), and now I get this in
> log.winbindd-idmap 
> [2008/07/23 15:33:25, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] lib/module.c:do_smb_load_module(64)
>   Module '/usr/local/samba/lib/idmap/ad.so' loaded
> [2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_init(779)
>   idmap_init: Unable to get methods for alloc backend ad
The line above looks suspicious! It looks as though your build does not 
do the dynamic linking properly! I would need to get to this release and 
build it locally to find out what is going wrong. Perhaps somebody else 
could tell us what is going on here.
> [2008/07/23 15:33:25, 2]
> nsswitch/idmap_ad.c:ad_idmap_cached_connection(152)
>   ad_idmap_cached_connection: Failed to obtain schema details!
> [2008/07/23 15:33:25, 1]
> nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(514)
>   ADS uninitialized
> [2008/07/23 15:33:25, 2]
> nsswitch/idmap.c:idmap_backends_sids_to_unixids(1233)
>   ERROR: NTSTATUS = 0xc0000001
> I can wbinfo -a|n|s, that works, but getent is still not returning the
> user.  I copied libnss_winbind into /lib and ran ldconfig but it seems
> as though getent isn't using it?!
> Also, maybe I'm wrong but I thought that to query ldap attributes in AD
> you had to bind with a valid user, how is the idmap backend doing that?

The way I do this is to use kerberos keytabs in my nss_ldap lookups. I 
take the machine keytab (or specially created ones) and add them to the 
nss_ldap setup.

This needs at least nss_ldap 259 and my latest patches which I published 
about 2 weeks ago.

I have not yet tried the libnss-ldapd software as I need to write 
patches for that as well. My systems are all Fedora Linux (7,8,9 with 
some bleeding edge backports) so similar but not the same as yours.

However, I can confirm the pam_krb5, nss_ldap, samba combination can be 
made to work with an AD backend just about seamlessly. So keep plugging 
away and you will get it to work.
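As an added example that is not part of this thread and not Samba's own tooling: a small POSIX shell checker covering the three smb.conf settings Howard lists (idmap backend = ad:..., winbind nss info = rfc2307, use kerberos keytab = yes), the nsswitch.conf passwd/group entries that getent needs before libnss_winbind is consulted at all, and the three idmap error strings from the quoted log.winbindd-idmap. The smb.conf, nsswitch.conf and log samples below are constructed for the demo (the host name dc.example.local is made up); point the functions at /etc/samba/smb.conf, /etc/nsswitch.conf and the real winbindd idmap log to use them on a box.

```shell
#!/bin/sh
# Constructed sample smb.conf carrying the three settings from the thread.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   idmap backend = ad:ldap://dc.example.local
   winbind nss info = rfc2307
   use kerberos keytab = yes
'

# Constructed sample nsswitch.conf: winbind is on passwd but missing on group,
# the kind of gap that makes "getent group" silent while wbinfo still works.
SAMPLE_NSSWITCH='passwd:     files winbind
shadow:     files
group:      files
'

# Constructed log excerpt using the message texts quoted in the post.
SAMPLE_IDMAP_LOG='[2008/07/23 15:33:25, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/07/23 15:33:25, 2] nsswitch/idmap.c:idmap_init(779)
  idmap_init: Unable to get methods for alloc backend ad
  ad_idmap_cached_connection: Failed to obtain schema details!
  ADS uninitialized
'

# smb_param FILE KEY: print the value of KEY from an smb.conf (case-insensitive
# key match, whitespace around "=" and trailing spaces stripped), empty if absent.
smb_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' | sed 's/[[:space:]]*$//'
}

# check_idmap_conf FILE: return 0 when all three settings from the thread are
# present with the expected values, otherwise report each mismatch and return 1.
check_idmap_conf() {
    ok=0
    backend=$(smb_param "$1" "idmap backend")
    case "$backend" in
        ad:*) ;;
        *) echo "idmap backend is '$backend', expected ad:ldap://<dc fqdn>"; ok=1 ;;
    esac
    nssinfo=$(smb_param "$1" "winbind nss info")
    [ "$nssinfo" = "rfc2307" ] || { echo "winbind nss info is '$nssinfo', expected rfc2307"; ok=1; }
    keytab=$(smb_param "$1" "use kerberos keytab")
    [ "$keytab" = "yes" ] || { echo "use kerberos keytab is '$keytab', expected yes"; ok=1; }
    return $ok
}

# nss_has_winbind FILE DB: return 0 if the DB line (passwd, group, ...) in an
# nsswitch.conf lists the winbind source, 1 otherwise.
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" \
        | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'
}

# count_idmap_errors FILE: number of log lines matching the three failure
# messages quoted in the thread (alloc backend, schema details, ADS uninitialized).
count_idmap_errors() {
    grep -c -E 'Unable to get methods for alloc backend|Failed to obtain schema details|ADS uninitialized' "$1"
}

# Run the checks against the constructed samples written to temp files.
demo() {
    smb=$(mktemp); nss=$(mktemp); log=$(mktemp)
    printf '%s' "$SAMPLE_SMB_CONF" > "$smb"
    printf '%s' "$SAMPLE_NSSWITCH" > "$nss"
    printf '%s' "$SAMPLE_IDMAP_LOG" > "$log"
    if check_idmap_conf "$smb"; then echo "smb.conf: idmap/ad settings look right"; fi
    for db in passwd group; do
        if nss_has_winbind "$nss" "$db"; then echo "nsswitch.conf: $db uses winbind"
        else echo "nsswitch.conf: $db does NOT list winbind, getent $db will skip winbind"; fi
    done
    echo "idmap log: $(count_idmap_errors "$log") idmap failure line(s)"
    rm -f "$smb" "$nss" "$log"
}
demo
```

The checks are deliberately static: a clean smb.conf plus a correct nsswitch.conf but a non-zero error count points at the build or the AD connection (the "alloc backend" line Howard flags), whereas a missing winbind entry in nsswitch.conf explains a silent getent even when wbinfo works.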
