[Samba] Problem with ADS idmap backend
Douglas VanLeuven
roamdad at sonic.net
Tue Mar 11 11:14:52 GMT 2008
David Eisner wrote:
> On Mon, Mar 10, 2008 at 7:54 PM, Douglas VanLeuven <roamdad at sonic.net> wrote:
>
>> Try adding to global section:
>> winbind nss info = sfu
>>
>> Right now you're defaulting to "template".
>
> Thanks for the tip. Unfortunately, after making the change and
> restarting winbindd, the problem persists. Are there any .tdb files
> I need to delete?
My winbind reinitializes to version 1 and clears its cache on restart.
If you're running nscd, you have to restart that as well.
There's a pdf I refer to
http://www.samba.org/~idra/samba3_newidmap.pdf
Simo wrote that up.
The only thing I picked up from that paper is to add an allocation range
for samba's BUILTIN users and groups.
idmap alloc backend = tdb
idmap alloc config:range = 50000-50999
If you do that, you end up with a file called idmap_cache.tdb that would
have to be cleared manually.
I took a good look at the differences between our files and I'm not using
winbind use default domain = yes
winbind nested groups = yes
but I wouldn't think that would make a difference. The configuration
looks good.
I use opensuse and nsswitch.conf is
passwd: compat winbind
group: files winbind
It installed that way and I never changed it even though there is no
shadow entry. From what I've read, any shadow entry shouldn't have
winbind on it.
I thought the win 2k3 R2 server used the rfc2307 schema out of the box.
But if you were able to install SFU and modify the schema and the ldap
entries exist in the ad, it shouldn't have any effect.
Still, if all else fails - from source/nsswitch/idmap_ad.c in function
idmap_ad_init(void) each method is checked in turn: rfc2307, sfu, and
sfu20. Once the status is OK, the remaining checks are skipped. If
rfc2307 is initializing OK ...
Don't have a w2k3 R2 to experiment. If I did, I'd put the sfu check
ahead of the rfc2307 check, recompile and see if it made a difference.
Probably just a foolish thought, though.
In case you don't have the source, I've included the function for you.
Regards, Doug
/* The SFU and RFC2307 NSS plugins share everything but the init
   function which sets the intended schema model to use */

/************************************************************************
 Initialize the plugins
 ***********************************************************************/

NTSTATUS idmap_ad_init(void)
{
        static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;

        /* Always register the AD method first in order to get the
           idmap_domain interface called */

        if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
                status_idmap_ad =
                        smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
                                           "ad", &ad_methods);
                if ( !NT_STATUS_IS_OK(status_idmap_ad) )
                        return status_idmap_ad;
        }

        if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
                status_nss_rfc2307 =
                        smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                               "rfc2307",
                                               &nss_rfc2307_methods );
                if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
                        return status_nss_rfc2307;
        }

        if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
                status_nss_sfu =
                        smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                               "sfu",
                                               &nss_sfu_methods );
                if ( !NT_STATUS_IS_OK(status_nss_sfu) )
                        return status_nss_sfu;
        }

        if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
                status_nss_sfu20 =
                        smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                               "sfu20",
                                               &nss_sfu20_methods );
                if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
                        return status_nss_sfu20;
        }

        return NT_STATUS_OK;
}
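An added example, not part of Doug's message and not Samba code: a small Python checker that reads the [global] section of an smb.conf and an nsswitch.conf and flags the three points raised in the thread (winbind nss info left at its default of "template", an idmap alloc config:range that overlaps the idmap uid/gid range, and winbind listed on the shadow line). The sample configs are constructed for the example; the "template" default and the rule that the alloc range must not overlap the AD range are assumptions, stated again in the code.

```python
"""Check the winbind/idmap settings from the thread against an smb.conf and
nsswitch.conf.  Added example, not code from the post or from Samba.
Assumed: the Samba 3.0.25-era default winbind nss info = template, and that
idmap uid/gid (ids accepted from AD) must not overlap idmap alloc config:range
(ids winbind hands out itself, e.g. for BUILTIN), else ids can collide.
The sample configs below are constructed for the example."""
import re

# Constructed sample: no "winbind nss info", alloc range inside the AD range.
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    idmap backend = ad
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap alloc backend = tdb
    idmap alloc config:range = 15000-15999
[homes]
    read only = no
"""
# Same config with the settings the post recommends.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "idmap alloc config:range = 15000-15999",
    "idmap alloc config:range = 50000-50999\n    winbind nss info = sfu")
SAMPLE_NSSWITCH = "passwd: compat winbind\ngroup: files winbind\nshadow: compat winbind\n"
FIXED_NSSWITCH = SAMPLE_NSSWITCH.replace("shadow: compat winbind", "shadow: compat")

def parse_smb_conf_global(text):
    """{key: value} for [global].  Parameter names are case-insensitive and
    ignore whitespace, so "idmap alloc config:range" -> "idmapallocconfig:range".
    Lines beginning with '#' or ';' are comments."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = re.sub(r"\s+", "", line[1:-1]).lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def parse_range(value):
    """'50000-50999' -> (50000, 50999); None if absent, malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m or int(m.group(1)) > int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))

def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def effective_nss_info(params):
    return params.get("winbindnssinfo", "template").lower()  # assumed default

def check_smb_conf(params):
    findings = []
    if params.get("idmapbackend", "").lower() == "ad" and effective_nss_info(params) == "template":
        findings.append('winbind nss info is the default "template"; set sfu or rfc2307 for idmap backend = ad')
    alloc = parse_range(params.get("idmapallocconfig:range"))
    if "idmapallocbackend" in params and alloc is None:
        findings.append("idmap alloc backend set but idmap alloc config:range missing or malformed")
    for name in ("idmap uid", "idmap gid"):
        r = parse_range(params.get(name.replace(" ", "")))
        if r and alloc and ranges_overlap(r, alloc):
            findings.append(f"idmap alloc config:range overlaps {name}: allocated ids may collide with AD ones")
    return findings

def parse_nsswitch(text):
    """{database: [sources]}; '#' starts a comment."""
    services = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            services[db.strip()] = sources.split()
    return services

def check_nsswitch(services):
    findings = [f"nsswitch.conf {db}: winbind not listed, domain entries will not resolve"
                for db in ("passwd", "group") if "winbind" not in services.get(db, [])]
    if "winbind" in services.get("shadow", []):
        findings.append("nsswitch.conf shadow: lists winbind, which the post says it should not")
    return findings

def audit(smb_conf_text, nsswitch_text):
    """All findings for one host."""
    return (check_smb_conf(parse_smb_conf_global(smb_conf_text))
            + check_nsswitch(parse_nsswitch(nsswitch_text)))

if __name__ == "__main__":
    for label, smb, nss in (("sample", SAMPLE_SMB_CONF, SAMPLE_NSSWITCH),
                            ("fixed", FIXED_SMB_CONF, FIXED_NSSWITCH)):
        print(f"{label}:", *audit(smb, nss) or ["no findings"], sep="\n  ")
```

Run it against a real /etc/samba/smb.conf and /etc/nsswitch.conf by passing their contents to audit(); the sample config produces four findings and the corrected one none. The checker only reads files, so it is safe to run on a box where winbindd is live; clearing idmap_cache.tdb or restarting nscd, as the post describes, is still a manual step.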