[Samba] Problem with ADS idmap backend
Douglas VanLeuven
roamdad at sonic.net
Mon Mar 10 23:54:40 GMT 2008
David Eisner wrote:
> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
> domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
>
> Using wbinfo -u and wbinfo -g I can see domain users and groups from
> the CentOS box, but getent (passwd|group) fails to display them. The
> nsswitch is set up correctly, as far as I can tell. When I tail -f the
> samba log file during a getent query, I see that winbindd is having
> problems mapping the sid to the uid or gid ("sid2uid returned an
> error").
>
> Furthermore, wbinfo -n can find the SID for a user or group, but it
> can't perform the inverse mapping.
>
> In the following example, 'deisner' and 'unixusers' are a domain user
> and group, respectively.
>
> From the CentOS box (with intentional SID obfuscation):
>
> $ wbinfo -u |grep deisner
> deisner
> $ wbinfo -n deisner
> S-1-5-21-**********6 User (1)
> $ wbinfo -S S-1-5-21-**********6
> Could not convert sid S-1-5-21-**********6 to uid
> $ wbinfo -g |grep unixusers
> unixusers
> $ wbinfo -n unixusers
> S-1-5-21-**********8 Domain Group (2)
> $ wbinfo -Y S-1-5-21-**********8
> Could not convert sid S-1-5-21-**********8 to gid
>
> In the log file, I see this:
> [2008/03/10 18:37:58, 10]
> nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
> Retrieving response for pid 6274
> [2008/03/10 18:37:58, 5]
> nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
> sid2gid returned an error
> [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
> Could not convert sid S-1-5-21-*8
>
>
> I'm using the SFU schema. In AD I have uids and gids assigned to the
> user and group, in the Unix Attributes tab, with values in the range
> I've specified for the idmap range. Here is my smb.conf:
>
>
> [global]
> workgroup = THEDOMAIN
> server string = Centos Samba Server
> hosts allow = xxx.y. xxx.y. 127. # obfuscated
> printcap name = CUPS
> load printers = yes
> cups options = raw
> log file = /usr/local/samba/var/log.smbd
> security = ads
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> unix charset = LOCALE
> netbios name = LDAP
> realm = THEDOMAIN.FOO.ORG
> use kerberos keytab = Yes
> idmap domains = THEDOMAIN
> idmap config THEDOMAIN:backend = ad
> idmap config THEDOMAIN:default = yes
> idmap config THEDOMAIN:schema_mode = sfu
> idmap config THEDOMAIN:range = 10000 - 300000000
> log level = 1
> syslog = 0
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/windows/%D/%U
> template shell = /bin/bash
> allow trusted domains = no
Try adding to global section:
winbind nss info = sfu
Right now you're defaulting to "template".
Regards, Doug
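As an added example (not part of the thread), a small Python check that parses a [global] section like the one posted and flags the mismatch Doug points out: an ad idmap backend with a schema_mode but no matching winbind nss info (Samba's default is template). The embedded config text is constructed from the posted smb.conf; the finding wording is my own.

```python
import re
from typing import Dict, List

# Constructed [global] fragment taken from the smb.conf posted in the thread
# (only the idmap/winbind lines matter for this check).
SMB_CONF = """
[global]
    workgroup = THEDOMAIN
    security = ads
    realm = THEDOMAIN.FOO.ORG
    idmap domains = THEDOMAIN
    idmap config THEDOMAIN:backend = ad
    idmap config THEDOMAIN:default = yes
    idmap config THEDOMAIN:schema_mode = sfu
    idmap config THEDOMAIN:range = 10000 - 300000000
    winbind use default domain = yes
"""

def parse_global(text: str) -> Dict[str, str]:
    """Return [global] key/value pairs; keys lower-cased with whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(params: Dict[str, str]) -> List[str]:
    """Consistency checks per configured idmap domain; returns human-readable findings."""
    findings = []
    nss_info = params.get("winbind nss info", "template")   # Samba's default
    for dom in params.get("idmap domains", "").split():
        prefix = f"idmap config {dom.lower()}:"
        backend, mode = params.get(prefix + "backend"), params.get(prefix + "schema_mode")
        if backend == "ad" and mode and nss_info != mode:
            findings.append(f"{dom}: backend ad with schema_mode {mode} but winbind nss info "
                            f"is {nss_info}; add winbind nss info = {mode}")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(prefix + "range", ""))
        if not m:
            findings.append(f"{dom}: missing or malformed idmap range")
        elif int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{dom}: idmap range low bound is not below high bound")
    return findings

if __name__ == "__main__":
    for f in check_idmap(parse_global(SMB_CONF)) or ["no findings"]:
        print(f)
```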