[Samba] Problem with ADS idmap backend

David Eisner deisner at gmail.com
Mon Mar 10 22:41:09 GMT 2008


I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
domain whose PDC is a W2k3 server (Standard x64 R2 SP2).

Using wbinfo -u and wbinfo -g I can see domain users and groups from
the CentOS box, but getent (passwd|group) fails to display them.  The
nsswitch is set up correctly, as far as I can tell.  When I tail -f the
samba log file during a getent query, I see that winbindd is having
problems mapping the sid to the uid or gid ("sid2uid returned an
error").

Furthermore, wbinfo -n can find the SID for a user or group, but it
can't perform the inverse mapping.

In the following example, 'deisner' and 'unixusers' are a domain user
and group, respectively.

From the CentOS box (with intentional SID obfuscation):

    $ wbinfo -u |grep deisner
    deisner
    $ wbinfo -n deisner
    S-1-5-21-**********6 User (1)
    $ wbinfo -S S-1-5-21-**********6
    Could not convert sid S-1-5-21-**********6 to uid
    $ wbinfo -g |grep unixusers
    unixusers
    $ wbinfo -n unixusers
    S-1-5-21-**********8 Domain Group (2)
    $ wbinfo -Y S-1-5-21-**********8
    Could not convert sid S-1-5-21-**********8 to gid

In the log file, I see this:

    [2008/03/10 18:37:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
      Retrieving response for pid 6274
    [2008/03/10 18:37:58, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
      sid2gid returned an error
    [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
      Could not convert sid S-1-5-21-*8


I'm using the SFU schema.  In AD I have uids and gids assigned to the
user and group, in the Unix Attributes tab, with values in the range
I've specified for the idmap range.  Here is my smb.conf:


[global]
        workgroup = THEDOMAIN
        server string = Centos Samba Server
        hosts allow = xxx.y.  xxx.y.  127.  # obfuscated
        printcap name = CUPS
        load printers = yes
        cups options = raw
        log file = /usr/local/samba/var/log.smbd
        security = ads
        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = no
        unix charset = LOCALE
        netbios name = LDAP
        realm = THEDOMAIN.FOO.ORG
        use kerberos keytab = Yes
        idmap domains = THEDOMAIN
        idmap config THEDOMAIN:backend = ad
        idmap config THEDOMAIN:default = yes
        idmap config THEDOMAIN:schema_mode = sfu
        idmap config THEDOMAIN:range    = 10000 - 300000000
        log level = 1
        syslog = 0
        winbind use default domain = yes
        winbind nested groups = yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/windows/%D/%U
        template shell = /bin/bash
        allow trusted domains = no

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        read only = No
        valid users = %D\%U

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

[voltest]
        admin users = THEDOMAIN\administrator
        comment = Volume Test
        path = /home/voltest
        public = no
        writable = yes
        store dos attributes = yes
        nt acl support = yes
        map acl inherit = yes


Running Wireshark on the W2k3 server, I can see the CentOS box making
the LsarLookupSids request and getting a response (though the content
is encrypted so I can't see the details).

Can anybody see anything obviously wrong?  Does anybody have this working?

Thanks!

-David
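An added diagnostic, not part of David's post and not Samba code: the idmap_ad backend reads a different pair of attributes depending on `schema_mode` (`msSFU30UidNumber`/`msSFU30GidNumber` for `sfu`, `uidNumber`/`gidNumber` for `rfc2307`), so a quick way to narrow down a "Could not convert sid" failure is to dump the user or group object with `ldapsearch` and check which of those attributes it actually carries, and whether the value sits inside the configured `idmap config DOMAIN:range`. The script below does that check against an LDIF dump. The smb.conf fragment and the LDIF entry embedded in it are constructed samples (the LDIF models an object whose Unix Attributes tab populated the RFC 2307 attributes only); the function names and the hint wording are mine.

```python
import re

# Attribute idmap_ad consults for the Unix ID under each schema_mode.
SCHEMA_ATTRS = {
    "sfu":     {"user": "msSFU30UidNumber", "group": "msSFU30GidNumber"},
    "rfc2307": {"user": "uidNumber",        "group": "gidNumber"},
}

# Constructed sample: the idmap lines from the poster's smb.conf.
SMB_CONF = """
[global]
        idmap config THEDOMAIN:backend = ad
        idmap config THEDOMAIN:schema_mode = sfu
        idmap config THEDOMAIN:range    = 10000 - 300000000
"""

# Constructed sample LDIF, shaped like `ldapsearch -LLL` output for the
# user object, carrying RFC 2307 attributes and no msSFU30* attributes.
USER_LDIF = """\
dn: CN=deisner,CN=Users,DC=thedomain,DC=foo,DC=org
sAMAccountName: deisner
uidNumber: 10042
gidNumber: 10100
unixHomeDirectory: /home/windows/THEDOMAIN/deisner
loginShell: /bin/bash
"""


def parse_idmap_config(smb_conf, domain):
    """Return (schema_mode, (low, high)) from the `idmap config DOMAIN:...` lines."""
    dom = re.escape(domain)
    mode = re.search(r"^\s*idmap config\s+%s\s*:\s*schema_mode\s*=\s*(\w+)" % dom,
                     smb_conf, re.I | re.M)
    rng = re.search(r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % dom,
                    smb_conf, re.I | re.M)
    if mode is None or rng is None:
        raise ValueError("incomplete idmap config for %s" % domain)
    return mode.group(1).lower(), (int(rng.group(1)), int(rng.group(2)))


def parse_ldif(text):
    """Minimal LDIF reader for one entry: folds continuation lines, skips comments."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:      # continuation of previous line
            logical[-1] += line[1:]
        elif line and not line.startswith("#"):
            logical.append(line)
    attrs = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def check_mapping(entry, kind, schema_mode, id_range):
    """Report whether idmap_ad could map `entry` (a user or group) as configured."""
    want = SCHEMA_ATTRS[schema_mode][kind]
    other_mode = "rfc2307" if schema_mode == "sfu" else "sfu"
    other = SCHEMA_ATTRS[other_mode][kind]
    low, high = id_range
    result = {"wanted_attr": want, "found": want in entry, "in_range": None, "hint": ""}
    if want in entry:
        value = int(entry[want][0])
        result["in_range"] = low <= value <= high
        if not result["in_range"]:
            result["hint"] = "%s=%d is outside idmap range %d-%d" % (want, value, low, high)
    elif other in entry:
        result["hint"] = ("%s is missing but %s is present; the object carries %s "
                          "attributes, so try schema_mode = %s"
                          % (want, other, other_mode, other_mode))
    else:
        result["hint"] = "object has no Unix ID attribute at all"
    return result


def diagnose(smb_conf, ldif_text, kind, domain="THEDOMAIN"):
    mode, id_range = parse_idmap_config(smb_conf, domain)
    return check_mapping(parse_ldif(ldif_text), kind, mode, id_range)


if __name__ == "__main__":
    print(diagnose(SMB_CONF, USER_LDIF, "user"))
```

To use it against a real domain, replace `USER_LDIF` with the output of an `ldapsearch` for the user's DN (and run it once with `kind="group"` for the group object), keeping the smb.conf fragment as the actual `idmap config` lines; a missing wanted attribute or an out-of-range value both explain a `sid2uid`/`sid2gid` failure even though `wbinfo -n` still resolves the name, since name-to-SID lookup never touches the Unix attributes.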

