[Samba] Problem with ADS idmap backend

Douglas VanLeuven roamdad at sonic.net
Mon Mar 10 23:54:40 GMT 2008


David Eisner wrote:
> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
> domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
> 
> Using wbinfo -u and wbinfo -g I can see domain users and groups from
> the CentOS box, but getent (passwd|group) fails to display them.  The
> nsswitch is set up correctly, as far as I can tell.  When I tail -f the
> samba log file during a getent query, I see that winbindd is having
> problems mapping the sid to the uid or gid ("sid2uid returned an
> error").
> 
> Furthermore, wbinfo -n can find the SID for a user or group, but it
> can't perform the inverse mapping.
> 
> In the following example, 'deisner' and 'unixusers' are a domain user
> and group, respectively.
> 
> From the CentOS box (with intentional SID obfuscation):
> 
>     $ wbinfo -u |grep deisner
>     deisner
>     $ wbinfo -n deisner
>     S-1-5-21-**********6 User (1)
>     $ wbinfo -S S-1-5-21-**********6
>     Could not convert sid S-1-5-21-**********6 to uid
>     $ wbinfo -g |grep unixusers
>     unixusers
>     $ wbinfo -n unixusers
>     S-1-5-21-**********8 Domain Group (2)
>     $ wbinfo -Y S-1-5-21-**********8
>     Could not convert sid S-1-5-21-**********8 to gid
> 
> In the log file, I see this:
>     [2008/03/10 18:37:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
>       Retrieving response for pid 6274
>     [2008/03/10 18:37:58, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
>       sid2gid returned an error
>     [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
>       Could not convert sid S-1-5-21-*8
> 
> 
> I'm using the SFU schema.  In AD I have uids and gids assigned to the
> user and group, in the Unix Attributes tab, with values in the range
> I've specified for the idmap range.  Here is my smb.conf:
> 
> 
> [global]
>         workgroup = THEDOMAIN
>         server string = Centos Samba Server
>         hosts allow = xxx.y.  xxx.y.  127.  # obfuscated
>         printcap name = CUPS
>         load printers = yes
>         cups options = raw
>         log file = /usr/local/samba/var/log.smbd
>         security = ads
>         encrypt passwords = yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = no
>         unix charset = LOCALE
>         netbios name = LDAP
>         realm = THEDOMAIN.FOO.ORG
>         use kerberos keytab = Yes
>         idmap domains = THEDOMAIN
>         idmap config THEDOMAIN:backend = ad
>         idmap config THEDOMAIN:default = yes
>         idmap config THEDOMAIN:schema_mode = sfu
>         idmap config THEDOMAIN:range    = 10000 - 300000000
>         log level = 1
>         syslog = 0
>         winbind use default domain = yes
>         winbind nested groups = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /home/windows/%D/%U
>         template shell = /bin/bash
>         allow trusted domains = no

Try adding to global section:
winbind nss info = sfu

Right now you're defaulting to "template".

Regards, Doug
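As an added illustration (not part of the thread), here is a small smb.conf check for the condition Doug points out: a domain whose idmap backend is `ad` while `winbind nss info` is left at its default of `template`. The parser, function names and the trimmed sample config are my own; the sample reproduces the [global] lines from David's post and assumes the idmap_ad default `schema_mode` is `rfc2307`.

```python
import re

# Constructed sample: the idmap-related lines from the posted smb.conf, before Doug's fix.
SMB_CONF = """\
[global]
        workgroup = THEDOMAIN
        security = ads
        realm = THEDOMAIN.FOO.ORG
        idmap domains = THEDOMAIN
        idmap config THEDOMAIN:backend = ad
        idmap config THEDOMAIN:default = yes
        idmap config THEDOMAIN:schema_mode = sfu
        idmap config THEDOMAIN:range    = 10000 - 300000000
        winbind use default domain = yes
        template shell = /bin/bash
"""

def parse_global(text):
    """Return the [global] parameters; names are lower-cased and whitespace-normalised like Samba does."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ad_domains(params):
    """Domains (lower-cased) configured with 'idmap config DOM:backend = ad'."""
    return [m.group(1) for k, v in params.items()
            if (m := re.match(r"idmap config (\S+):backend$", k)) and v.lower() == "ad"]

def nss_info_findings(params):
    """One finding per ad-backed domain when 'winbind nss info' still defaults to template."""
    nss_info = params.get("winbind nss info", "template").lower()   # Samba default: template
    findings = []
    for dom in idmap_ad_domains(params):
        schema = params.get(f"idmap config {dom}:schema_mode", "rfc2307").lower()  # assumed default
        if nss_info == "template":
            findings.append(f"{dom}: idmap backend ad (schema_mode {schema}) but winbind nss info "
                            f"defaults to template; add 'winbind nss info = {schema}'")
    return findings

if __name__ == "__main__":
    for f in nss_info_findings(parse_global(SMB_CONF)):
        print(f)
```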
